diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2019-12-06 09:27:13 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2019-12-06 09:27:13 +0000 |
| commit | 8fbd7851a98a4d46db86ee5fc9e9bd80354ed999 (patch) | |
| tree | 633104bd56e3c0a22da1bfe526dcb7ff3c9c7dda | |
| parent | d1dea0abcde59475229a12b798b72ebcf068f472 (diff) | |
Don't hardcode the cache directory for rpki-client. If started as root
rpki-client will use the defaults for cache and output directory. If not
started as root users need to provide both directories as arguments.
While there switch from absolute path names to relative ones. For this
the parser and rsync process do a chdir(2) to the cache directory on startup.
OK benno@
| -rw-r--r-- | usr.sbin/rpki-client/extern.h | 5 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/main.c | 80 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/output.c | 5 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/rpki-client.8 | 11 |
4 files changed, 61 insertions, 40 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 5a47403f7d3..127db60fa37 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.22 2019/12/04 12:40:17 deraadt Exp $ */ +/* $OpenBSD: extern.h,v 1.23 2019/12/06 09:27:12 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -381,6 +381,7 @@ int output_json(FILE *, struct vrp_tree *); void logx(const char *fmt, ...) __attribute__((format(printf, 1, 2))); -#define _PATH_ROA_DIR "/var/db/rpki-client" +#define RPKI_PATH_OUT_DIR "/var/db/rpki-client" +#define RPKI_PATH_BASE_DIR "/var/cache/rpki-client" #endif /* ! EXTERN_H */ diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index e9a16a493f2..14385a6d432 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.54 2019/12/05 11:21:58 tb Exp $ */ +/* $OpenBSD: main.c,v 1.55 2019/12/06 09:27:12 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -77,11 +77,6 @@ #define TALSZ_MAX 8 /* - * Base directory for where we'll look for all media. - */ -#define BASE_DIR "/var/cache/rpki-client" - -/* * Statistics collected during run-time. */ struct stats { @@ -418,15 +413,13 @@ queue_add_from_mft(int fd, struct entityq *q, const char *mft, size_t sz; char *cp, *nfile; - assert(strncmp(mft, BASE_DIR, strlen(BASE_DIR)) == 0); - /* Construct local path from filename. */ sz = strlen(file->file) + strlen(mft); if ((nfile = calloc(sz + 1, 1)) == NULL) err(1, "calloc"); - /* We know this is BASE_DIR/host/module/... */ + /* We know this is host/module/... */ strlcpy(nfile, mft, sz + 1); cp = strrchr(nfile, '/'); @@ -525,8 +518,7 @@ queue_add_from_tal(int proc, int rsync, struct entityq *q, repo = repo_lookup(rsync, rt, uri); uri += 8 + strlen(repo->host) + 1 + strlen(repo->module) + 1; - if (asprintf(&nfile, "%s/%s/%s/%s", - BASE_DIR, repo->host, repo->module, uri) == -1) + if (asprintf(&nfile, "%s/%s/%s", repo->host, repo->module, uri) == -1) err(1, "asprintf"); entityq_add(proc, q, nfile, RTYPE_CER, repo, NULL, tal->pkey, @@ -558,8 +550,7 @@ queue_add_from_cert(int proc, int rsync, struct entityq *q, repo = repo_lookup(rsync, rt, uri); uri += 8 + strlen(repo->host) + 1 + strlen(repo->module) + 1; - if (asprintf(&nfile, "%s/%s/%s/%s", - BASE_DIR, repo->host, repo->module, uri) == -1) + if (asprintf(&nfile, "%s/%s/%s", repo->host, repo->module, uri) == -1) err(1, "asprintf"); entityq_add(proc, q, nfile, type, repo, NULL, NULL, 0, NULL, eid); @@ -636,8 +627,8 @@ proc_rsync(char *prog, char *bind_addr, int fd, int noop) /* Unveil the repository directory and terminate unveiling. */ - if (unveil(BASE_DIR, "c") == -1) - err(1, "%s: unveil", BASE_DIR); + if (unveil(".", "c") == -1) + err(1, "unveil"); if (unveil(NULL, NULL) == -1) err(1, "unveil"); } @@ -717,13 +708,10 @@ proc_rsync(char *prog, char *bind_addr, int fd, int noop) * will not build the destination for us. */ - if (asprintf(&dst, "%s/%s", BASE_DIR, host) == -1) - err(1, NULL); - if (mkdir(dst, 0700) == -1 && EEXIST != errno) - err(1, "%s", dst); - free(dst); + if (mkdir(host, 0700) == -1 && EEXIST != errno) + err(1, "%s", host); - if (asprintf(&dst, "%s/%s/%s", BASE_DIR, host, mod) == -1) + if (asprintf(&dst, "%s/%s", host, mod) == -1) err(1, NULL); if (mkdir(dst, 0700) == -1 && EEXIST != errno) err(1, "%s", dst); @@ -1362,22 +1350,22 @@ entity_process(int proc, int rsync, struct stats *st, static size_t tal_load_default(const char *tals[], size_t max) { - static const char *basedir = "/etc/rpki"; + static const char *confdir = "/etc/rpki"; size_t s = 0; char *path; DIR *dirp; struct dirent *dp; - dirp = opendir(basedir); + dirp = opendir(confdir); if (dirp == NULL) - err(1, "open %s", basedir); + err(1, "open %s", confdir); while ((dp = readdir(dirp)) != NULL) { if (fnmatch("*.tal", dp->d_name, FNM_PERIOD) == FNM_NOMATCH) continue; if (s >= max) err(1, "too many tal files found in %s", - basedir); - if (asprintf(&path, "%s/%s", basedir, dp->d_name) == -1) + confdir); + if (asprintf(&path, "%s/%s", confdir, dp->d_name) == -1) err(1, "asprintf"); tals[s++] = path; } @@ -1402,6 +1390,7 @@ main(int argc, char *argv[]) struct roa **out = NULL; char *rsync_prog = "openrsync"; char *bind_addr = NULL; + const char *cachedir = NULL; const char *tals[TALSZ_MAX]; struct vrp_tree v = RB_INITIALIZER(&v); @@ -1416,12 +1405,15 @@ main(int argc, char *argv[]) setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 || setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) err(1, "unable to revoke privs"); + + cachedir = RPKI_PATH_BASE_DIR; + outputdir = RPKI_PATH_OUT_DIR; } if (pledge("stdio rpath wpath cpath fattr proc exec unveil", NULL) == -1) err(1, "pledge"); - while ((c = getopt(argc, argv, "b:Bce:fjnot:T:v")) != -1) + while ((c = getopt(argc, argv, "b:Bcd:e:fjnot:T:v")) != -1) switch (c) { case 'b': bind_addr = optarg; @@ -1432,6 +1424,9 @@ main(int argc, char *argv[]) case 'c': outformats |= FORMAT_CSV; break; + case 'd': + cachedir = optarg; + break; case 'e': rsync_prog = optarg; break; @@ -1470,6 +1465,15 @@ main(int argc, char *argv[]) else if (argc > 1) goto usage; + if (cachedir == NULL) { + warnx("cache directory required"); + goto usage; + } + if (outputdir == NULL) { + warnx("output directory required"); + goto usage; + } + if (outformats == 0) outformats = FORMAT_OPENBGPD; @@ -1495,9 +1499,14 @@ main(int argc, char *argv[]) if (procpid == 0) { close(fd[1]); - /* Only allow access to BASE_DIR. */ - if (unveil(BASE_DIR, "r") == -1) - err(1, "%s: unveil", BASE_DIR); + + /* change working directory to the cache directory */ + if (chdir(cachedir) == -1) + err(1, "%s: chdir", cachedir); + + /* Only allow access to the cache directory. */ + if (unveil(cachedir, "r") == -1) + err(1, "%s: unveil", cachedir); if (pledge("stdio rpath", NULL) == -1) err(1, "pledge"); proc_parser(fd[0], force); @@ -1522,6 +1531,11 @@ main(int argc, char *argv[]) if (rsyncpid == 0) { close(proc); close(fd[1]); + + /* change working directory to the cache directory */ + if (chdir(cachedir) == -1) + err(1, "%s: chdir", cachedir); + if (pledge("stdio rpath cpath proc exec unveil", NULL) == -1) err(1, "pledge"); @@ -1597,8 +1611,8 @@ main(int argc, char *argv[]) assert(i < rt.reposz); assert(!rt.repos[i].loaded); rt.repos[i].loaded = 1; - logx("%s/%s/%s: loaded", BASE_DIR, - rt.repos[i].host, rt.repos[i].module); + logx("%s/%s: loaded", rt.repos[i].host, + rt.repos[i].module); stats.repos++; entityq_flush(proc, &q, &rt.repos[i]); } @@ -1619,7 +1633,7 @@ main(int argc, char *argv[]) } assert(TAILQ_EMPTY(&q)); - logx("all files parsed: exiting"); + logx("all files parsed: generating output"); rc = 0; /* diff --git a/usr.sbin/rpki-client/output.c b/usr.sbin/rpki-client/output.c index 0dfcc1f0fa9..c62b3b0a1ae 100644 --- a/usr.sbin/rpki-client/output.c +++ b/usr.sbin/rpki-client/output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output.c,v 1.3 2019/12/04 23:03:05 benno Exp $ */ +/* $OpenBSD: output.c,v 1.4 2019/12/06 09:27:12 claudio Exp $ */ /* * Copyright (c) 2019 Theo de Raadt <deraadt@openbsd.org> * @@ -28,8 +28,7 @@ #include "extern.h" -char *outputdir = _PATH_ROA_DIR; -FILE *output = NULL; +char *outputdir; char output_tmpname[PATH_MAX]; char output_name[PATH_MAX]; diff --git a/usr.sbin/rpki-client/rpki-client.8 b/usr.sbin/rpki-client/rpki-client.8 index 3e41a233e22..cea3bdec720 100644 --- a/usr.sbin/rpki-client/rpki-client.8 +++ b/usr.sbin/rpki-client/rpki-client.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpki-client.8,v 1.15 2019/12/04 16:42:34 job Exp $ +.\" $OpenBSD: rpki-client.8,v 1.16 2019/12/06 09:27:12 claudio Exp $ .\" .\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 4 2019 $ +.Dd $Mdocdate: December 6 2019 $ .Dt RPKI-CLIENT 8 .Os .Sh NAME @@ -24,6 +24,7 @@ .Nm .Op Fl Bcfjnov .Op Fl b Ar bind_addr +.Op Fl d Ar cachedir .Op Fl e Ar rsync_prog .Op Fl T Ar table .Op Fl t Ar tal @@ -61,6 +62,12 @@ Create output in the file in the output directory as comma-separated values of the prefix in slash notation, the maximum prefix length, the autonomous system number, and an abbreviation for the trust anchor the entry is derived from. +.It Fl d Ar cachedir +The directory where +.Nm +will store the cached repository data. +Defaults to +.Pa /var/db/rpki-client/ . .It Fl e Ar rsync_prog Use .Ar rsync_prog |