authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-25 00:58:40 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-25 00:58:40 +0000
commit3a2d72ec7c281837b8775f07b69d851aa707c38b (patch)
treef8b67d385d7c1f72bd1c81677222ff664c48b53a /sbin
parent79981a6702f0f02cb3422972b06742e038d3a438 (diff)
Narrow down privsep interface. Move ui_init into the monitor. So we can get rid of
monitor_mkfifo. Work in progress. ok ho@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/init.c5
-rw-r--r--sbin/isakmpd/log.c6
-rw-r--r--sbin/isakmpd/monitor.c184
-rw-r--r--sbin/isakmpd/monitor.h25
-rw-r--r--sbin/isakmpd/ui.c17
5 files changed, 111 insertions, 126 deletions
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index 7e320e14393..5bbe8f0ac4e 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.31 2004/06/20 17:17:35 ho Exp $ */
+/* $OpenBSD: init.c,v 1.32 2004/06/25 00:58:39 hshoexer Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
@@ -47,6 +47,7 @@
#include "libcrypto.h"
#include "log.h"
#include "math_group.h"
+#include "monitor.h"
#include "sa.h"
#include "timer.h"
#include "transport.h"
@@ -102,7 +103,7 @@ init(void)
nat_t_init();
udp_encap_init();
#endif
- ui_init();
+ monitor_ui_init();
}
/* Reinitialize, either after a SIGHUP reception or by FIFO UI cmd. */
diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c
index 469f238c319..000530cd9c6 100644
--- a/sbin/isakmpd/log.c
+++ b/sbin/isakmpd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.47 2004/06/21 16:37:30 ho Exp $ */
+/* $OpenBSD: log.c,v 1.48 2004/06/25 00:58:39 hshoexer Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
@@ -382,7 +382,11 @@ log_fatal(const char *fmt, ...)
va_start(ap, fmt);
_log_print(1, LOG_CRIT, fmt, ap, LOG_PRINT, 0);
va_end(ap);
+#ifdef USE_PRIVSEP
+ monitor_exit(1);
+#else
exit(1);
+#endif
}
#ifdef USE_DEBUG
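Review bot: The `#ifdef USE_PRIVSEP` around `monitor_exit(1)` appears redundant if log.c includes monitor.h, since this same commit maps `monitor_exit` to `exit` in the `!USE_PRIVSEP` branch of monitor.h; an unconditional `monitor_exit(1);` would keep both build configurations on one code path. Note also that monitor_exit (monitor.c hunk) tears the child down with SIGKILL, so a fatal error in the privileged parent gives the unprivileged process no opportunity to clean up; if that is intended, a short comment at the call site such as `/* privsep: also terminates the unprivileged child */` would make it explicit. log_fatal's signature is above the hunk.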
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index 913025aba47..25eb1f2a059 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.25 2004/06/24 17:02:48 hshoexer Exp $ */
+/* $OpenBSD: monitor.c,v 1.26 2004/06/25 00:58:39 hshoexer Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -50,6 +50,7 @@
#include "log.h"
#include "monitor.h"
#include "policy.h"
+#include "ui.h"
#include "util.h"
struct monitor_state {
@@ -62,8 +63,6 @@ volatile sig_atomic_t sigchlded = 0;
extern volatile sig_atomic_t sigtermed;
static volatile sig_atomic_t cur_state = STATE_INIT;
-extern char *ui_fifo;
-
/* Private functions. */
int m_write_int32(int, int32_t);
int m_write_raw(int, char *, size_t);
@@ -75,13 +74,14 @@ static void m_priv_getfd(int);
static void m_priv_getsocket(int);
static void m_priv_setsockopt(int);
static void m_priv_bind(int);
-static void m_priv_mkfifo(int);
static int m_priv_local_sanitize_path(char *, size_t, int);
static int m_priv_check_sockopt(int, int);
static int m_priv_check_bind(const struct sockaddr *, socklen_t);
static void m_priv_increase_state(int);
static void m_priv_test_state(int);
+static void m_priv_ui_init(int);
+
/*
* Public functions, unprivileged.
*/
@@ -143,6 +143,44 @@ monitor_init(int debug)
return m_state.pid;
}
+void
+monitor_exit(int code)
+{
+ if (m_state.pid != 0)
+ kill(m_state.pid, SIGKILL);
+
+ exit(code);
+}
+
+void
+monitor_ui_init(void)
+{
+ int32_t err;
+
+ if (m_write_int32(m_state.s, MONITOR_UI_INIT))
+ goto errout;
+
+ if (m_read_int32(m_state.s, &err))
+ goto errout;
+
+ if (err != 0) {
+ log_fatal("monitor_ui_init: parent could not create FIFO "
+ "\"%s\"", ui_fifo);
+ exit(1);
+ }
+
+ ui_socket = mm_receive_fd(m_state.s);
+ if (ui_socket < 0)
+ log_fatal("monitor_ui_init: parent could not create FIFO "
+ "\"%s\"", ui_fifo);
+
+ return;
+
+errout:
+ log_error("monitor_ui_init: problem talking to privileged process");
+ return;
+}
+
int
monitor_open(const char *path, int flags, mode_t mode)
{
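Review bot: In monitor_ui_init the `exit(1)` after the first `log_fatal` is unreachable, because log_fatal exits (see the log.c hunk in this commit), and it is inconsistent with the second `log_fatal` a few lines down which has no exit; drop the `exit(1);`. The second message, "parent could not create FIFO", misattributes a failed `mm_receive_fd`, which is a descriptor-passing failure rather than a FIFO-creation failure; something like `log_fatal("monitor_ui_init: could not receive UI descriptor from parent");` would be accurate. On the `errout` path the child logs and continues with ui_socket untouched after a half-completed exchange with the monitor; since this runs during STATE_INIT, it is worth confirming that log_error rather than log_fatal is the intended severity. `ui_fifo` is still referenced here although its extern declaration was removed earlier in this file, so it is presumably now declared by the newly included ui.h.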
@@ -361,48 +399,6 @@ errout:
return -1;
}
-int
-monitor_mkfifo(const char *path, mode_t mode)
-{
- int32_t ret, err;
- char realpath[MAXPATHLEN];
-
- /* Only the child process is supposed to run this. */
- if (m_state.pid)
- log_fatal("[priv] bad call to monitor_mkfifo");
-
- if (path[0] == '/')
- strlcpy(realpath, path, sizeof realpath);
- else
- snprintf(realpath, sizeof realpath, "%s/%s", m_state.root,
- path);
-
- if (m_write_int32(m_state.s, MONITOR_MKFIFO))
- goto errout;
-
- if (m_write_raw(m_state.s, realpath, strlen(realpath) + 1))
- goto errout;
-
- ret = (int32_t)mode;
- if (m_write_int32(m_state.s, ret))
- goto errout;
-
- if (m_read_int32(m_state.s, &err))
- goto errout;
-
- if (err != 0)
- errno = (int)err;
-
- if (m_read_int32(m_state.s, &ret))
- goto errout;
-
- return (int)ret;
-
-errout:
- log_print("monitor_mkfifo: read/write error");
- return -1;
-}
-
struct monitor_dirents *
monitor_opendir(const char *path)
{
@@ -600,6 +596,14 @@ monitor_loop(int debug)
m_priv_getfd(m_state.s);
break;
+ case MONITOR_UI_INIT:
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_UI_INIT",
+ __func__));
+ m_priv_test_state(STATE_INIT);
+ m_priv_ui_init(m_state.s);
+ break;
+
case MONITOR_GET_SOCKET:
LOG_DBG((LOG_MISC, 80,
"%s: MONITOR_GET_SOCKET",
@@ -624,14 +628,6 @@ monitor_loop(int debug)
m_priv_bind(m_state.s);
break;
- case MONITOR_MKFIFO:
- LOG_DBG((LOG_MISC, 80,
- "%s: MONITOR_MKFIFO",
- __func__));
- m_priv_test_state(STATE_INIT);
- m_priv_mkfifo(m_state.s);
- break;
-
case MONITOR_INIT_DONE:
LOG_DBG((LOG_MISC, 80,
"%s: MONITOR_INIT_DONE",
@@ -661,6 +657,38 @@ monitor_loop(int debug)
exit(0);
}
+
+/* Privileged: called by monitor_loop. */
+static void
+m_priv_ui_init(int s)
+{
+ int32_t err;
+
+ ui_init();
+
+ if (ui_socket >= 0)
+ err = 0;
+ else
+ err = -1;
+
+ if (m_write_int32(s, err))
+ goto errout;
+
+ if (ui_socket >= 0 && mm_send_fd(s, ui_socket)) {
+ close(ui_socket);
+ goto errout;
+ }
+
+ /* In case of stdin, we do not close the socket. */
+ if (ui_socket > 0)
+ close(ui_socket);
+ return;
+
+errout:
+ log_error("m_priv_ui_init: read/write operation failed");
+ return;
+}
+
/* Privileged: called by monitor_loop. */
static void
m_priv_getfd(int s)
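Review bot: In m_priv_ui_init the failure path `if (ui_socket >= 0 && mm_send_fd(s, ui_socket)) { close(ui_socket); ... }` also runs when ui_socket is 0 and so closes the privileged process's stdin, while the success path deliberately keeps fd 0 open (`if (ui_socket > 0) close(ui_socket);` with the comment "In case of stdin, we do not close the socket"). The two paths should agree; guard the close in the error branch with `if (ui_socket > 0)` as well. After the close the global ui_socket still holds the now-invalid descriptor number in the parent; setting `ui_socket = -1;` after closing would prevent accidental reuse, assuming the parent has no further use for it. The `err = -1` branch looks largely defensive, since ui_init (ui.c hunk) calls log_fatal on its own failures rather than returning with ui_socket < 0.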
@@ -871,54 +899,6 @@ errout:
return;
}
-/* Privileged: called by monitor_loop. */
-static void
-m_priv_mkfifo(int s)
-{
- char path[MAXPATHLEN];
- mode_t mode;
- int32_t v, err;
-
- if (m_read_raw(s, path, MAXPATHLEN))
- goto errout;
-
- if (m_read_int32(s, &v))
- goto errout;
- mode = (mode_t) v;
-
- /*
- * ui_fifo is set before creation of the unpriv'ed child. So path
- * should exactly match ui_fifo. It's also restricted to /var/run.
- */
- if (m_priv_local_sanitize_path(path, sizeof path, O_RDWR) != 0
- || strncmp(ui_fifo, path, strlen(ui_fifo))) {
- err = EACCES;
- v = -1;
- } else {
- unlink(path); /* XXX See ui.c:ui_init() */
-
- err = 0;
- v = (int32_t)mkfifo(path, mode);
- if (v) {
- log_error("m_priv_mkfifo: mkfifo(\"%s\", %o) failed",
- path, mode);
- err = (int32_t)errno;
- }
- }
-
- if (m_write_int32(s, err))
- goto errout;
-
- if (m_write_int32(s, v))
- goto errout;
-
- return;
-
-errout:
- log_print("m_priv_mkfifo: read/write error");
- return;
-}
-
/*
* Help functions, used by both privileged and unprivileged code
*/
diff --git a/sbin/isakmpd/monitor.h b/sbin/isakmpd/monitor.h
index 39f20b39c47..fb7332f9420 100644
--- a/sbin/isakmpd/monitor.h
+++ b/sbin/isakmpd/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.9 2004/06/20 15:03:35 ho Exp $ */
+/* $OpenBSD: monitor.h,v 1.10 2004/06/25 00:58:39 hshoexer Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -39,6 +39,7 @@
#define ISAKMP_PORT_DEFAULT 500
enum monitor_reqtypes {
+ MONITOR_UI_INIT,
MONITOR_GET_FD,
MONITOR_GET_SOCKET,
MONITOR_SETSOCKOPT,
@@ -77,18 +78,24 @@ struct dirent *monitor_readdir(struct monitor_dirents *);
int monitor_closedir(struct monitor_dirents *);
void monitor_init_done(void);
+void monitor_ui_init(void);
+void monitor_exit(int);
+
#else /* !USE_PRIVSEP */
-#define monitor_fopen fopen
-#define monitor_open open
-#define monitor_stat stat
-#define monitor_socket socket
+#define monitor_fopen fopen
+#define monitor_open open
+#define monitor_stat stat
+#define monitor_socket socket
#define monitor_setsockopt setsockopt
-#define monitor_bind bind
-#define monitor_mkfifo mkfifo
-#define monitor_opendir opendir
-#define monitor_readdir readdir
+#define monitor_bind bind
+#define monitor_mkfifo mkfifo
+#define monitor_opendir opendir
+#define monitor_readdir readdir
#define monitor_closedir closedir
+#define monitor_ui_init ui_init
+#define monitor_exit exit
+
#endif /* USE_PRIVSEP */
#endif /* _MONITOR_H_ */
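Review bot: `#define monitor_mkfifo mkfifo` survives in the `!USE_PRIVSEP` branch even though this commit deletes monitor_mkfifo from monitor.c and its only visible caller in ui.c, so the name now resolves only in non-privsep builds. Dropping that line would make any future use fail in both configurations rather than compile silently in one and fail to link under USE_PRIVSEP. The new `monitor_ui_init`/`monitor_exit` entries are correctly mirrored on both sides of the `#else`.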
diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c
index 6a091c224ac..bc4a1f17d1e 100644
--- a/sbin/isakmpd/ui.c
+++ b/sbin/isakmpd/ui.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.c,v 1.40 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: ui.c,v 1.41 2004/06/25 00:58:39 hshoexer Exp $ */
/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */
/*
@@ -79,16 +79,9 @@ ui_init(void)
ui_socket = 0;
return;
}
- /*
- * Don't overwrite a file, i.e '-f
- * /etc/isakmpd/isakmpd.conf'.
- */
-#if defined (USE_PRIVSEP)
- /* XXX This is a fstat! */
- if (monitor_stat(ui_fifo, &st) == 0) {
-#else
+
+ /* Don't overwrite a file, i.e '-f /etc/isakmpd/isakmpd.conf'. */
if (lstat(ui_fifo, &st) == 0) {
-#endif
if ((st.st_mode & S_IFMT) == S_IFREG) {
errno = EEXIST;
log_fatal("ui_init: could not create FIFO \"%s\"",
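Review bot: With this change ui_init runs inside the privileged monitor (it is called from m_priv_ui_init in monitor.c), so the `lstat`/`unlink`/`mkfifo`/`open` sequence on `ui_fifo` now executes with full privileges, and the path restriction that the deleted m_priv_mkfifo enforced (its comment stated the path was limited to /var/run and had to match ui_fifo) is gone with it. That is acceptable if ui_fifo is only ever set from the command line before the fork, but it deserves a comment here, e.g. `/* Privileged under USE_PRIVSEP: ui_fifo is trusted configuration, not input from the unprivileged child. */`. The lstat check refuses only regular files; since the check and the later open are separate steps, verifying the descriptor after open with fstat and `S_ISFIFO`, or opening with `O_NOFOLLOW` in the following hunk, would let the privileged process confirm it holds the FIFO it just created. ui_init begins above this hunk and continues below it.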
@@ -98,10 +91,10 @@ ui_init(void)
/* No need to know about errors. */
unlink(ui_fifo);
- if (monitor_mkfifo(ui_fifo, 0600) == -1)
+ if (mkfifo(ui_fifo, 0600) == -1)
log_fatal("ui_init: mkfifo (\"%s\", 0600) failed", ui_fifo);
- ui_socket = monitor_open(ui_fifo, O_RDWR | O_NONBLOCK, 0);
+ ui_socket = open(ui_fifo, O_RDWR | O_NONBLOCK, 0);
if (ui_socket == -1)
log_fatal("ui_init: open (\"%s\", O_RDWR | O_NONBLOCK, 0) "
"failed", ui_fifo);