Posted to commits@trafficserver.apache.org by jp...@apache.org on 2015/02/23 21:14:09 UTC

trafficserver git commit: TS-3358: peer credential checking on the management socket

Repository: trafficserver
Updated Branches:
  refs/heads/master d4263b1f7 -> 5f332c4b9


TS-3358: peer credential checking on the management socket

Add peer credential checking to the management API socket. This
allows non-privileged processes to perform read-only operations,
reducing the need to run traffic_line as root, and reducing the
level of privilege needed by monitoring tools.

Factor out common unix domain socket creation. Add
proxy.config.admin.api.restricted configuration option to retain
the original socket permissions.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5f332c4b
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5f332c4b
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5f332c4b

Branch: refs/heads/master
Commit: 5f332c4b9a9f471af4a043f041e02ab8766f0c50
Parents: d4263b1
Author: James Peach <jp...@apache.org>
Authored: Thu Jan 29 19:06:38 2015 -0800
Committer: James Peach <jp...@apache.org>
Committed: Mon Feb 23 12:13:36 2015 -0800

----------------------------------------------------------------------
 CHANGES                                         |   2 +
 build/common.m4                                 |  22 ++++
 cmd/traffic_line/traffic_line.cc                |   5 +-
 configure.ac                                    |  37 ++----
 .../configuration/records.config.en.rst         |  17 +++
 lib/perl/lib/Apache/TS/AdminClient.pm           |   6 +-
 lib/ts/ink_config.h.in                          |   1 +
 lib/ts/ink_sock.cc                              |  49 ++++++++
 lib/ts/ink_sock.h                               |   1 +
 mgmt/LocalManager.cc                            |  38 +-----
 mgmt/MgmtDefs.h                                 |   2 +-
 mgmt/RecordsConfig.cc                           |   2 +
 mgmt/api/CoreAPIShared.h                        |   3 +
 mgmt/api/EventControlMain.cc                    |  11 ++
 mgmt/api/INKMgmtAPI.cc                          |   3 +
 mgmt/api/NetworkMessage.cc                      |  67 ++++++++++
 mgmt/api/NetworkMessage.h                       |   3 +
 mgmt/api/NetworkUtilsRemote.cc                  |  10 +-
 mgmt/api/NetworkUtilsRemote.h                   |   3 +
 mgmt/api/TSControlMain.cc                       | 122 +++++++++++--------
 mgmt/api/include/mgmtapi.h                      |   1 +
 mgmt/utils/MgmtSocket.cc                        |  56 +++++++++
 mgmt/utils/MgmtSocket.h                         |   6 +
 mgmt/web2/WebIntrMain.cc                        | 108 +++++-----------
 24 files changed, 371 insertions(+), 204 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index ea982c8..da96344 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.3.0
 
+  *) [TS-3358] Add access checking to the management API.
+
   *) [TS-3400] Use common FNV hash code everywhere.
 
   *) [TS-3334] Restore default for proxy.config.proxy_name.

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/build/common.m4
----------------------------------------------------------------------
diff --git a/build/common.m4 b/build/common.m4
index 83796c9..627cb3a 100644
--- a/build/common.m4
+++ b/build/common.m4
@@ -567,3 +567,25 @@ AC_DEFUN([TS_SEARCH_LIBRARY], [
   LIBS="$__saved_LIBS"
   unset __saved_LIBS
 ])
+
+dnl TS_CHECK_SOCKOPT(socket-option, [action-if-found], [action-if-not-found]
+AC_DEFUN([TS_CHECK_SOCKOPT], [
+  AC_MSG_CHECKING([for $1 socket option])
+  AC_COMPILE_IFELSE([
+    AC_LANG_PROGRAM([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+    ], [
+    setsockopt(0, SOL_SOCKET, $1, (void*)0, 0);
+    ])], [
+    AC_MSG_RESULT(yes)
+    $2
+    ], [
+    AC_MSG_RESULT(no)
+    $3
+  ])
+])
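Review bot: The probe in TS_CHECK_SOCKOPT always passes `SOL_SOCKET` as the level, which is only harmless because the test is compile-only; configure.ac also calls it for `IP_TOS`, which is not a socket-level option. A comment such as `dnl Compile-only probe: checks that the option macro is defined, not that the kernel accepts it at this level.` would stop someone from turning it into a link or run test by mistake. The usage line in the `dnl` header is also missing its closing parenthesis.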

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/cmd/traffic_line/traffic_line.cc
----------------------------------------------------------------------
diff --git a/cmd/traffic_line/traffic_line.cc b/cmd/traffic_line/traffic_line.cc
index 0872113..5416471 100644
--- a/cmd/traffic_line/traffic_line.cc
+++ b/cmd/traffic_line/traffic_line.cc
@@ -378,8 +378,11 @@ main(int /* argc ATS_UNUSED */, const char **argv)
   TSTerminate();
 
   if (TS_ERR_OKAY != status) {
+    char * msg = TSGetErrorMessage(status);
     if (ReadVar[0] == '\0' && SetVar[0] == '\0')
-      fprintf(stderr, "error: the requested command failed\n");
+      fprintf(stderr, "error: the requested command failed: %s\n", msg);
+
+    TSfree(msg);
     exit(1);
   }
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 51efd14..11cadf1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1191,7 +1191,7 @@ fi
 
 AC_CHECK_FUNCS([clock_gettime kqueue epoll_ctl posix_memalign posix_fadvise posix_madvise posix_fallocate inotify_init])
 AC_CHECK_FUNCS([lrand48_r srand48_r port_create strlcpy strlcat sysconf getpagesize])
-AC_CHECK_FUNCS([getreuid getresuid getresgid setreuid setresuid])
+AC_CHECK_FUNCS([getreuid getresuid getresgid setreuid setresuid getpeereid getpeerucred])
 AC_CHECK_FUNCS([strsignal psignal psiginfo])
 
 # Check for eventfd() and sys/eventfd.h (both must exist ...)
@@ -1495,7 +1495,8 @@ AC_CHECK_HEADERS([sys/types.h \
                   net/ppp_defs.h \
                   ifaddrs.h\
                   readline/readline.h \
-                  editline/readline.h ])
+                  editline/readline.h \
+                  ucred.h ])
 
 AC_SUBST(sys_epollh)
 AC_SUBST(sys_eventh)
@@ -1783,35 +1784,13 @@ AS_IF([test "x$enable_tproxy" != "xno"], [
 AC_SUBST(use_tproxy)
 AC_SUBST(ip_transparent)
 
-AC_MSG_CHECKING([for SO_MARK])
-AC_TRY_COMPILE([
-#include <sys/socket.h>
-], [
-if( SO_MARK > 0) return 0;
-else return 1;
-], [has_so_mark=1]
-msg=yes, [
-has_so_mark=0
-msg=no ] )
-
-AC_MSG_RESULT([$msg])
-AC_SUBST(has_so_mark)
+TS_CHECK_SOCKOPT(SO_PEERCRED, [has_so_peercred=1], [has_so_peercred=0])
+TS_CHECK_SOCKOPT(SO_MARK, [has_so_mark=1], [has_so_mark=0])
+TS_CHECK_SOCKOPT(IP_TOS, [has_ip_tos=1], [has_ip_tos=0])
 
-AC_MSG_CHECKING([for IP_TOS])
-AC_TRY_COMPILE([
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-],[
-if( IP_TOS > 0) return 0;
-else return 1;
-], [has_ip_tos=1]
-msg=yes, [
-has_ip_tos=0
-msg=no ] )
-
-AC_MSG_RESULT([$msg])
+AC_SUBST(has_so_mark)
 AC_SUBST(has_ip_tos)
+AC_SUBST(has_so_peercred)
 
 TS_CHECK_LOOPBACK_IFACE
 TS_CHECK_GETHOSTBYNAME_R_STYLE

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index 176d60d..4cad8e8 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -424,6 +424,23 @@ bypass that restriction
 * Specify ``-DBIG_SECURITY_HOLE`` in ``CXXFLAGS`` during compilation.
 * Set the ``user_id=#-1`` and start trafficserver as root.
 
+.. ts:cv:: CONFIG proxy.config.admin.api.restricted INT 1
+
+This setting specifies whether the management API should be restricted
+to root processes. If this is set to ``0``, then on platforms that
+support passing process credentials, non-root processes will be
+allowed to make read-only management API calls. Any management API
+calls that modify server state (eg. setting a configuration variable)
+will still be restricted to root processes.
+
+This setting is not reloadable, since it is must be applied when
+program:`traffic_manager` initializes.
+
+.. note::
+
+  In Traffic Server 6.0, the default value of
+  :ts:cv:`proxy.config.admin.api.restricted` will be changed to ``0``.
+
 Process Manager
 ===============
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/lib/perl/lib/Apache/TS/AdminClient.pm
----------------------------------------------------------------------
diff --git a/lib/perl/lib/Apache/TS/AdminClient.pm b/lib/perl/lib/Apache/TS/AdminClient.pm
index dbceabc..05c2981 100644
--- a/lib/perl/lib/Apache/TS/AdminClient.pm
+++ b/lib/perl/lib/Apache/TS/AdminClient.pm
@@ -80,10 +80,10 @@ use constant {
 # Semi-intelligent way of finding the mgmtapi socket.
 sub _find_socket {
     my $path = shift || "";
-    my $name = shift || "mgmtapisocket";
+    my $name = shift || "mgmtapi.sock";
     my @sockets_def = (
         $path,
-        Apache::TS::PREFIX . '/' . Apache::TS::REL_RUNTIMEDIR . '/' . 'mgmtapisocket',
+        Apache::TS::PREFIX . '/' . Apache::TS::REL_RUNTIMEDIR . '/' . 'mgmtapi.sock',
         '/usr/local/var/trafficserver',
         '/usr/local/var/run/trafficserver',
         '/usr/local/var/run',
@@ -279,7 +279,7 @@ For example:
 
 
 This would make the module look for the 'Unix Domain Socket' in the directory '/var/trafficserver'. The path
-can optionally include the name of the Socket file, without it the constructor defaults to 'mgmtapisocket'.
+can optionally include the name of the Socket file, without it the constructor defaults to 'mgmtapi.sock'.
 
 =back
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 68364dd..da2fa17 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -75,6 +75,7 @@
 #define TS_USE_TLS_ECKEY               @use_tls_eckey@
 #define TS_USE_LINUX_NATIVE_AIO        @use_linux_native_aio@
 #define TS_USE_INTERIM_CACHE           @has_interim_cache@
+#define TS_HAS_SO_PEERCRED             @has_so_peercred@
 
 #define TS_USE_REMOTE_UNWINDING	       @use_remote_unwinding@
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/lib/ts/ink_sock.cc
----------------------------------------------------------------------
diff --git a/lib/ts/ink_sock.cc b/lib/ts/ink_sock.cc
index a57efe5..f1e699f 100644
--- a/lib/ts/ink_sock.cc
+++ b/lib/ts/ink_sock.cc
@@ -262,3 +262,52 @@ read_socket(int s, char *buffer, int length)
 {
   return read(s, (void *) buffer, length);
 }
+
+int
+bind_unix_domain_socket(const char * path, mode_t mode)
+{
+  int sockfd;
+  struct sockaddr_un sockaddr;
+  socklen_t socklen;
+
+  (void)unlink(path);
+
+  sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+  if (sockfd < 0) {
+    return sockfd;
+  }
+
+  ink_zero(sockaddr);
+  sockaddr.sun_family = AF_UNIX;
+  ink_strlcpy(sockaddr.sun_path, path, sizeof(sockaddr.sun_path));
+
+#if defined(darwin) || defined(freebsd)
+  socklen = sizeof(struct sockaddr_un);
+#else
+  socklen = strlen(sockaddr.sun_path) + sizeof(sockaddr.sun_family);
+#endif
+
+  safe_setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, SOCKOPT_ON, sizeof(int));
+  fcntl(sockfd, F_SETFD, 1);
+
+  if (bind(sockfd, (struct sockaddr *)&sockaddr, socklen) < 0) {
+    goto fail;
+  }
+
+  if (chmod(path, mode) < 0) {
+    goto fail;
+  }
+
+  if (listen(sockfd, 5) < 0) {
+    goto fail;
+  }
+
+  return sockfd;
+
+fail:
+  int errsav = errno;
+  close(sockfd);
+  errno = errsav;
+  return -1;
+}
+
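Review bot: bind_unix_domain_socket() silently truncates a long `path` in `ink_strlcpy()`, so `bind()` creates the socket at the truncated name while `unlink(path)` and `chmod(path, mode)` act on the full name. In that case the chmod either fails or changes a different file, and the socket that was actually bound keeps whatever mode the caller's umask produced. Rejecting the path before any side effect avoids this: `if (strlen(path) >= sizeof(sockaddr.sun_path)) { errno = ENAMETOOLONG; return -1; }`. The return values of `safe_setsockopt()` and `fcntl()` are also ignored, and `fcntl(sockfd, F_SETFD, 1)` would read better with `FD_CLOEXEC`.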

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/lib/ts/ink_sock.h
----------------------------------------------------------------------
diff --git a/lib/ts/ink_sock.h b/lib/ts/ink_sock.h
index 0f6660d..859d0b8 100644
--- a/lib/ts/ink_sock.h
+++ b/lib/ts/ink_sock.h
@@ -63,5 +63,6 @@ int read_socket(int s, char *buffer, int length);
 
 inkcoreapi uint32_t ink_inet_addr(const char *s);
 
+int bind_unix_domain_socket(const char * path, mode_t mode);
 
 #endif /* _ink_sock_h_ */

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/LocalManager.cc
----------------------------------------------------------------------
diff --git a/mgmt/LocalManager.cc b/mgmt/LocalManager.cc
index 6bd1acf..8d9ba0c 100644
--- a/mgmt/LocalManager.cc
+++ b/mgmt/LocalManager.cc
@@ -372,9 +372,8 @@ void
 LocalManager::initMgmtProcessServer()
 {
   ats_scoped_str rundir(RecConfigReadRuntimeDir());
-  char fpath[MAXPATHLEN];
-  int servlen, one = 1;
-  struct sockaddr_un serv_addr;
+  ats_scoped_str sockpath(Layout::relative_to(rundir, LM_CONNECTION_SERVER));
+  mode_t oldmask = umask(0);
 
 #if TS_HAS_WCCP
   if (wccp_cache.isConfigured()) {
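Review bot: The `umask(0)` added at the top of initMgmtProcessServer() looks unnecessary and widens exposure. `bind_unix_domain_socket()` sets the final mode with `chmod()`, which the umask does not affect, so clearing the mask only means the socket file is created fully open until the chmod to `00700` in the next hunk lands. The umask is process-wide, so any file created by this or another thread between here and the `umask(oldmask)` restore, including whatever the WCCP block does, is created with no mask. I would drop the `umask(0)`/`umask(oldmask)` pair, or tighten it to `umask(077)` around the bind call only. The function body continues past this hunk.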
@@ -382,37 +381,12 @@ LocalManager::initMgmtProcessServer()
   }
 #endif
 
-  ink_filepath_make(fpath, sizeof(fpath), rundir, LM_CONNECTION_SERVER);
-
-  unlink(fpath);
-  if ((process_server_sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
-    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] Unable to open socket exiting\n");
-  }
-
-  if (fcntl(process_server_sockfd, F_SETFD, 1) < 0) {
-    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] Unable to set close-on-exec\n");
-  }
-
-  memset(&serv_addr, 0, sizeof(serv_addr));
-  serv_addr.sun_family = AF_UNIX;
-  ink_strlcpy(serv_addr.sun_path, fpath, sizeof(serv_addr.sun_path));
-#if defined(darwin) || defined(freebsd)
-  servlen = sizeof(struct sockaddr_un);
-#else
-  servlen = strlen(serv_addr.sun_path) + sizeof(serv_addr.sun_family);
-#endif
-  if (setsockopt(process_server_sockfd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(int)) < 0) {
-    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] Unable to set socket options.\n");
-  }
-
-  if ((bind(process_server_sockfd, (struct sockaddr *) &serv_addr, servlen)) < 0) {
-    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] Unable to bind '%s' socket exiting\n", fpath);
-  }
-
-  if ((listen(process_server_sockfd, 5)) < 0) {
-    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] Unable to listen on socket exiting\n");
+  process_server_sockfd = bind_unix_domain_socket(sockpath, 00700);
+  if (process_server_sockfd == -1) {
+    mgmt_fatal(stderr, errno, "[LocalManager::initMgmtProcessServer] failed to bind socket at %s\n", (const char *)sockpath);
   }
 
+  umask(oldmask);
   RecSetRecordInt("proxy.node.restarts.manager.start_time", manager_started_at);
 }
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/MgmtDefs.h
----------------------------------------------------------------------
diff --git a/mgmt/MgmtDefs.h b/mgmt/MgmtDefs.h
index ff8650d..d1eab0a 100644
--- a/mgmt/MgmtDefs.h
+++ b/mgmt/MgmtDefs.h
@@ -64,7 +64,7 @@ typedef void *(*MgmtCallback) (void *opaque_cb_data, char *data_raw, int data_le
 
 #define MGMT_SEMID_DEFAULT            11452
 #define MGMT_DB_FILENAME              "mgmt_db"
-#define LM_CONNECTION_SERVER          "process_server"
+#define LM_CONNECTION_SERVER          "processerver.sock"
 
 /* Structs used in Average Statistics calculations */
 struct StatTwoIntSamples

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 0e6df65..aeebcf1 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -261,6 +261,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.admin.cli_path", RECD_STRING, "cli", RECU_NULL, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.admin.api.restricted", RECD_INT, "1", RECU_RESTART_TM, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+  ,
 
   //##############################################################################
   //#

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/CoreAPIShared.h
----------------------------------------------------------------------
diff --git a/mgmt/api/CoreAPIShared.h b/mgmt/api/CoreAPIShared.h
index 959f221..71d1554 100644
--- a/mgmt/api/CoreAPIShared.h
+++ b/mgmt/api/CoreAPIShared.h
@@ -71,6 +71,9 @@
 #define HTTP_PORT    80
 #define BUFSIZE      1024
 
+// Flags for management API behaviour.
+#define MGMT_API_PRIVILEGED 0x0001u
+
 // used by TSReadFromUrl
 TSMgmtError parseHTTPResponse(char *buffer, char **header, int *hdr_size, char **body, int *bdy_size);
 TSMgmtError readHTTPResponse(int sock, char *buffer, int bufsize, uint64_t timeout);

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/EventControlMain.cc
----------------------------------------------------------------------
diff --git a/mgmt/api/EventControlMain.cc b/mgmt/api/EventControlMain.cc
index 2797c45..be717d6 100644
--- a/mgmt/api/EventControlMain.cc
+++ b/mgmt/api/EventControlMain.cc
@@ -558,6 +558,17 @@ handle_event_message(EventClientT * client, void * req, size_t reqlen)
     goto fail;
   }
 
+  if (mgmt_has_peereid()) {
+    uid_t euid = -1;
+    gid_t egid = -1;
+
+    // For now, all event messages require privilege. This is compatible with earlier
+    // versions of Traffic Server that
+    if (mgmt_get_peereid(client->fd, &euid, &egid) == -1 || euid != 0) {
+      return TS_ERR_PERMISSION_DENIED;
+    }
+  }
+
   return handlers[optype](client, req, reqlen);
 
 fail:
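Review bot: The comment above the new credential check stops mid-sentence (`... versions of Traffic Server that`), so the reason every event message requires root is not recorded. Something like `// ... earlier versions of Traffic Server, where only root could reach the socket.` would finish it, if that is the intended meaning. Unlike the matching check in handle_control_message(), the denial here is not logged; a `Debug()` line naming `client->fd` before `return TS_ERR_PERMISSION_DENIED;` would make rejected callers visible to an operator. handle_event_message() starts and ends outside the hunk, so whether the caller turns this return value into a reply cannot be seen here.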

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/INKMgmtAPI.cc
----------------------------------------------------------------------
diff --git a/mgmt/api/INKMgmtAPI.cc b/mgmt/api/INKMgmtAPI.cc
index 4abeba1..55a2e41 100644
--- a/mgmt/api/INKMgmtAPI.cc
+++ b/mgmt/api/INKMgmtAPI.cc
@@ -1894,6 +1894,9 @@ TSGetErrorMessage(TSMgmtError err_id)
   case TS_ERR_NOT_SUPPORTED:
     snprintf(msg, sizeof(msg), "[%d] Operation not supported on this platform.", err_id);
     break;
+  case TS_ERR_PERMISSION_DENIED:
+    snprintf(msg, sizeof(msg), "[%d] Operation not permitted.", err_id);
+    break;
 
   default:
     snprintf(msg, sizeof(msg), "[%d] Invalid error type.", err_id);

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/NetworkMessage.cc
----------------------------------------------------------------------
diff --git a/mgmt/api/NetworkMessage.cc b/mgmt/api/NetworkMessage.cc
index c0c0b4c..828be32 100644
--- a/mgmt/api/NetworkMessage.cc
+++ b/mgmt/api/NetworkMessage.cc
@@ -175,6 +175,73 @@ send_mgmt_request(int fd, OpType optype, ...)
   return TS_ERR_OKAY;
 }
 
+TSMgmtError
+send_mgmt_error(int fd, OpType optype, TSMgmtError error)
+{
+  MgmtMarshallInt ecode = error;
+  MgmtMarshallInt intval = 0;
+  MgmtMarshallData dataval = { NULL, 0 };
+  MgmtMarshallString strval = NULL;
+
+  // Switch on operations, grouped by response format.
+  switch (optype) {
+  case FILE_WRITE:
+  case PROXY_STATE_SET:
+  case RECONFIGURE:
+  case RESTART:
+  case BOUNCE:
+  case EVENT_RESOLVE:
+  case SNAPSHOT_TAKE:
+  case SNAPSHOT_RESTORE:
+  case SNAPSHOT_REMOVE:
+  case STATS_RESET_NODE:
+  case STATS_RESET_CLUSTER:
+  case STORAGE_DEVICE_CMD_OFFLINE:
+    ink_release_assert(responses[optype].nfields == 1);
+    return send_mgmt_response(fd, optype, &ecode);
+
+  case RECORD_SET:
+  case PROXY_STATE_GET:
+  case EVENT_ACTIVE:
+    ink_release_assert(responses[optype].nfields == 2);
+    return send_mgmt_response(fd, optype, &ecode, &intval);
+
+  case EVENT_GET_MLT:
+  case SNAPSHOT_GET_MLT:
+  case SERVER_BACKTRACE:
+    ink_release_assert(responses[optype].nfields == 2);
+    return send_mgmt_response(fd, optype, &ecode, &strval);
+
+  case FILE_READ:
+    ink_release_assert(responses[optype].nfields == 3);
+    return send_mgmt_response(fd, optype, &ecode, &intval, &dataval);
+
+  case RECORD_GET:
+  case RECORD_MATCH_GET:
+    ink_release_assert(responses[optype].nfields == 4);
+    return send_mgmt_response(fd, optype, &ecode, &intval, &strval, &dataval);
+
+  case EVENT_REG_CALLBACK:
+  case EVENT_UNREG_CALLBACK:
+  case EVENT_NOTIFY:
+  case DIAGS:
+  case API_PING:
+    /* no response for these */
+    ink_release_assert(responses[optype].nfields == 0);
+    return TS_ERR_OKAY;
+
+  case UNDEFINED_OP:
+    return TS_ERR_OKAY;
+  }
+
+  // We should never get here unless OpTypes are added without
+  // updating the switch statement above. Don't do that; this
+  // code must be able to handle every OpType.
+
+  ink_fatal("missing generic error support for type %d management message", optype);
+  return TS_ERR_FAIL;
+}
+
 // Send a management message response. We don't need to worry about retransmitting the message if we get
 // disconnected, so this is much simpler. We can directly marshall the response as a data object.
 TSMgmtError

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/NetworkMessage.h
----------------------------------------------------------------------
diff --git a/mgmt/api/NetworkMessage.h b/mgmt/api/NetworkMessage.h
index e8dd58c..feb34cd 100644
--- a/mgmt/api/NetworkMessage.h
+++ b/mgmt/api/NetworkMessage.h
@@ -73,6 +73,9 @@ struct mgmt_message_sender
 TSMgmtError send_mgmt_request(const mgmt_message_sender& snd, OpType optype, ...);
 TSMgmtError send_mgmt_request(int fd, OpType optype, ...);
 
+// Marshall and send an error respose for this operation type.
+TSMgmtError send_mgmt_error(int fd, OpType op, TSMgmtError error);
+
 // Parse a request message from a buffer.
 TSMgmtError recv_mgmt_request(void * buf, size_t buflen, OpType optype, ...);
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/NetworkUtilsRemote.cc
----------------------------------------------------------------------
diff --git a/mgmt/api/NetworkUtilsRemote.cc b/mgmt/api/NetworkUtilsRemote.cc
index 8c0f544..8ae37d3 100644
--- a/mgmt/api/NetworkUtilsRemote.cc
+++ b/mgmt/api/NetworkUtilsRemote.cc
@@ -39,8 +39,8 @@ int main_socket_fd = -1;
 int event_socket_fd = -1;
 
 // need to store for reconnecting scenario
-char *main_socket_path = NULL;  // "<path>/mgmtapisocket"
-char *event_socket_path = NULL; // "<path>/eventapisocket"
+char *main_socket_path = NULL;  // "<path>/mgmtapi.sock"
+char *event_socket_path = NULL; // "<path>/eventapi.sock"
 
 static void * event_callback_thread(void * arg);
 
@@ -55,10 +55,10 @@ set_socket_paths(const char *path)
   ats_free(event_socket_path);
 
   // construct paths based on user input
-  // form by replacing "mgmtapisocket" with "eventapisocket"
+  // form by replacing "mgmtapi.sock" with "eventapi.sock"
   if (path) {
-    main_socket_path = Layout::relative_to(path, "mgmtapisocket");
-    event_socket_path = Layout::relative_to(path, "eventapisocket");
+    main_socket_path = Layout::relative_to(path, MGMTAPI_MGMT_SOCKET_NAME);
+    event_socket_path = Layout::relative_to(path, MGMTAPI_EVENT_SOCKET_NAME);
   } else {
     main_socket_path = NULL;
     event_socket_path = NULL;

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/NetworkUtilsRemote.h
----------------------------------------------------------------------
diff --git a/mgmt/api/NetworkUtilsRemote.h b/mgmt/api/NetworkUtilsRemote.h
index dfa3e74..13d3a1c 100644
--- a/mgmt/api/NetworkUtilsRemote.h
+++ b/mgmt/api/NetworkUtilsRemote.h
@@ -74,6 +74,9 @@ struct mgmtapi_sender : public mgmt_message_sender
 
 #define MGMTAPI_SEND_MESSAGE(fd, optype, ...) send_mgmt_request(mgmtapi_sender(fd), (optype), __VA_ARGS__)
 
+#define MGMTAPI_MGMT_SOCKET_NAME "mgmtapi.sock"
+#define MGMTAPI_EVENT_SOCKET_NAME "eventapi.sock"
+
 /*****************************************************************************
  * Marshalling (create requests)
  *****************************************************************************/

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/TSControlMain.cc
----------------------------------------------------------------------
diff --git a/mgmt/api/TSControlMain.cc b/mgmt/api/TSControlMain.cc
index 2b694cc..495287d 100644
--- a/mgmt/api/TSControlMain.cc
+++ b/mgmt/api/TSControlMain.cc
@@ -214,6 +214,9 @@ ts_ctrl_main(void *arg)
 
             if (ret != TS_ERR_OKAY) {
               Debug("ts_main", "[ts_ctrl_main] ERROR: sending response for message (%d)", ret);
+
+              // XXX this doesn't actually send a error response ...
+
               remove_client(client_entry, accepted_con);
               con_entry = ink_hash_table_iterator_next(accepted_con, &con_state);
               continue;
@@ -260,17 +263,6 @@ ts_ctrl_main(void *arg)
  */
 
 static TSMgmtError
-send_record_get_error(int fd, TSMgmtError ecode)
-{
-  MgmtMarshallInt err = ecode;
-  MgmtMarshallInt type = TS_REC_UNDEFINED;
-  MgmtMarshallString name = NULL;
-  MgmtMarshallData value = { NULL, 0 };
-
-  return send_mgmt_response(fd, RECORD_GET, &err, &type, &name, &value);
-}
-
-static TSMgmtError
 send_record_get_response(int fd, TSRecordT rec_type, const char * rec_name, const void * rec_data, size_t data_len)
 {
   MgmtMarshallInt err = TS_ERR_OKAY;
@@ -278,7 +270,6 @@ send_record_get_response(int fd, TSRecordT rec_type, const char * rec_name, cons
   MgmtMarshallString name = const_cast<MgmtMarshallString>(rec_name);
   MgmtMarshallData value = { const_cast<void *>(rec_data), data_len };
 
-
   return send_mgmt_response(fd, RECORD_GET, &err, &type, &name, &value);
 }
 
@@ -302,12 +293,12 @@ handle_record_get(int fd, void * req, size_t reqlen)
 
   ret = recv_mgmt_request(req, reqlen, RECORD_GET, &optype, &name);
   if (ret != TS_ERR_OKAY) {
-    return send_record_get_error(fd, ret);
+    return ret;
   }
 
   if (strlen(name) == 0) {
     ats_free(name);
-    return send_record_get_error(fd, TS_ERR_FAIL);
+    return ret;
   }
 
   // call CoreAPI call on Traffic Manager side
@@ -316,8 +307,7 @@ handle_record_get(int fd, void * req, size_t reqlen)
   ats_free(name);
 
   if (ret != TS_ERR_OKAY) {
-    TSRecordEleDestroy(ele);
-    return send_record_get_error(fd, ret);
+    goto done;
   }
 
   // create and send reply back to client
@@ -340,10 +330,10 @@ handle_record_get(int fd, void * req, size_t reqlen)
     }
     break;
   default:                     // invalid record type
-    TSRecordEleDestroy(ele);
-    return send_record_get_error(fd, TS_ERR_FAIL);
+    ret = TS_ERR_FAIL;
   }
 
+done:
   TSRecordEleDestroy(ele);
   return ret;
 }
@@ -399,17 +389,17 @@ handle_record_match(int fd, void * req, size_t reqlen)
 
   ret = recv_mgmt_request(req, reqlen, RECORD_MATCH_GET, &optype, &name);
   if (ret != TS_ERR_OKAY) {
-    return send_record_get_error(fd, ret);
+    return ret;
   }
 
   if (strlen(name) == 0) {
     ats_free(name);
-    return send_record_get_error(fd, TS_ERR_FAIL);
+    return TS_ERR_FAIL;
   }
 
   if (match.regex.compile(name, RE_CASE_INSENSITIVE | RE_UNANCHORED) != 0) {
     ats_free(name);
-    return send_record_get_error(fd, TS_ERR_FAIL);
+    return TS_ERR_FAIL;
   }
 
   ats_free(name);
@@ -488,7 +478,7 @@ handle_file_read(int fd, void * req, size_t reqlen)
 
   err = recv_mgmt_request(req, reqlen, FILE_READ, &optype, &fid);
   if (err != TS_ERR_OKAY) {
-    return send_mgmt_response(fd, FILE_READ, &err, &version, &data);
+    return (TSMgmtError)err;
   }
 
   // make CoreAPI call on Traffic Manager side
@@ -540,7 +530,6 @@ done:
   return send_mgmt_response(fd, FILE_WRITE, &err);
 }
 
-
 /**************************************************************************
  * handle_proxy_state_get
  *
@@ -768,7 +757,6 @@ done:
   return send_mgmt_response(fd, EVENT_ACTIVE, &err, &bval);
 }
 
-
 /**************************************************************************
  * handle_snapshot
  *
@@ -864,7 +852,6 @@ done:
   return send_mgmt_response(fd, SNAPSHOT_GET_MLT, &err, &list);
 }
 
-
 /**************************************************************************
  * handle_diags
  *
@@ -984,52 +971,79 @@ handle_server_backtrace(int fd, void * req, size_t reqlen)
   return (TSMgmtError)err;
 }
 
-typedef TSMgmtError (*control_message_handler)(int, void *, size_t);
+struct control_message_handler
+{
+  unsigned flags;
+  TSMgmtError (*handler)(int, void *, size_t);
+};
 
 static const control_message_handler handlers[] = {
-  handle_file_read,                   // FILE_READ
-  handle_file_write,                  // FILE_WRITE
-  handle_record_set,                  // RECORD_SET
-  handle_record_get,                  // RECORD_GET
-  handle_proxy_state_get,             // PROXY_STATE_GET
-  handle_proxy_state_set,             // PROXY_STATE_SET
-  handle_reconfigure,                 // RECONFIGURE
-  handle_restart,                     // RESTART
-  handle_restart,                     // BOUNCE
-  handle_event_resolve,               // EVENT_RESOLVE
-  handle_event_get_mlt,               // EVENT_GET_MLT
-  handle_event_active,                // EVENT_ACTIVE
-  NULL,                               // EVENT_REG_CALLBACK
-  NULL,                               // EVENT_UNREG_CALLBACK
-  NULL,                               // EVENT_NOTIFY
-  handle_snapshot,                    // SNAPSHOT_TAKE
-  handle_snapshot,                    // SNAPSHOT_RESTORE
-  handle_snapshot,                    // SNAPSHOT_REMOVE
-  handle_snapshot_get_mlt,            // SNAPSHOT_GET_MLT
-  handle_diags,                       // DIAGS
-  handle_stats_reset,                 // STATS_RESET_NODE
-  handle_stats_reset,                 // STATS_RESET_CLUSTER
-  handle_storage_device_cmd_offline,  // STORAGE_DEVICE_CMD_OFFLINE
-  handle_record_match,                // RECORD_MATCH_GET
-  handle_api_ping,                    // API_PING
-  handle_server_backtrace             // SERVER_BACKTRACE
+  /* FILE_READ                  */ { MGMT_API_PRIVILEGED, handle_file_read },
+  /* FILE_WRITE                 */ { MGMT_API_PRIVILEGED, handle_file_write },
+  /* RECORD_SET                 */ { MGMT_API_PRIVILEGED, handle_record_set },
+  /* RECORD_GET                 */ { MGMT_API_PRIVILEGED, handle_record_get },
+  /* PROXY_STATE_GET            */ { 0, handle_proxy_state_get },
+  /* PROXY_STATE_SET            */ { MGMT_API_PRIVILEGED, handle_proxy_state_set },
+  /* RECONFIGURE                */ { MGMT_API_PRIVILEGED, handle_reconfigure },
+  /* RESTART                    */ { MGMT_API_PRIVILEGED, handle_restart },
+  /* BOUNCE                     */ { MGMT_API_PRIVILEGED, handle_restart },
+  /* EVENT_RESOLVE              */ { MGMT_API_PRIVILEGED, handle_event_resolve },
+  /* EVENT_GET_MLT              */ { 0, handle_event_get_mlt },
+  /* EVENT_ACTIVE               */ { 0, handle_event_active },
+  /* EVENT_REG_CALLBACK         */ { 0, NULL },
+  /* EVENT_UNREG_CALLBACK       */ { 0, NULL },
+  /* EVENT_NOTIFY               */ { 0, NULL },
+  /* SNAPSHOT_TAKE              */ { MGMT_API_PRIVILEGED, handle_snapshot },
+  /* SNAPSHOT_RESTORE           */ { MGMT_API_PRIVILEGED, handle_snapshot },
+  /* SNAPSHOT_REMOVE            */ { MGMT_API_PRIVILEGED, handle_snapshot },
+  /* SNAPSHOT_GET_MLT           */ { 0, handle_snapshot_get_mlt },
+  /* DIAGS                      */ { MGMT_API_PRIVILEGED, handle_diags },
+  /* STATS_RESET_NODE           */ { MGMT_API_PRIVILEGED, handle_stats_reset },
+  /* STATS_RESET_CLUSTER        */ { MGMT_API_PRIVILEGED, handle_stats_reset },
+  /* STORAGE_DEVICE_CMD_OFFLINE */ { MGMT_API_PRIVILEGED, handle_storage_device_cmd_offline },
+  /* RECORD_MATCH_GET           */ { 0, handle_record_match },
+  /* API_PING                   */ { 0, handle_api_ping },
+  /* SERVER_BACKTRACE           */ { MGMT_API_PRIVILEGED, handle_server_backtrace }
 };
 
 static TSMgmtError
 handle_control_message(int fd, void * req, size_t reqlen)
 {
   OpType optype = extract_mgmt_request_optype(req, reqlen);
+  TSMgmtError error;
 
   if (optype < 0 || static_cast<unsigned>(optype) >= countof(handlers)) {
     goto fail;
   }
 
-  if (handlers[optype] == NULL) {
+  if (handlers[optype].handler == NULL) {
     goto fail;
   }
 
+  if (mgmt_has_peereid()) {
+    uid_t euid = -1;
+    gid_t egid = -1;
+
+    // For privileged calls, ensure we have caller credentials and that the caller is root.
+    if (handlers[optype].flags & MGMT_API_PRIVILEGED) {
+      if (mgmt_get_peereid(fd, &euid, &egid) == -1 || euid != 0) {
+        Debug("ts_main", "denied privileged API access on fd=%d for uid=%d gid=%d", fd, euid, egid);
+        return send_mgmt_error(fd, optype, TS_ERR_PERMISSION_DENIED);
+      }
+    }
+  }
+
   Debug("ts_main", "handling message type=%d ptr=%p len=%zu on fd=%d", optype, req, reqlen, fd);
-  return handlers[optype](fd, req, reqlen);
+
+  error = handlers[optype].handler(fd, req, reqlen);
+  if (error != TS_ERR_OKAY) {
+    // NOTE: if the error was produced by the handler sending a response, this could attempt to
+    // send a response again. However, this would only happen if sending the response failed, so
+    // it is safe to fail to send it again here ...
+    return send_mgmt_error(fd, optype, error);
+  }
+
+  return TS_ERR_OKAY;
 
 fail:
   mgmt_elog(0, "%s: missing handler for type %d control message\n", __func__, (int)optype);
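Review bot: The handler table marks `RECORD_GET` as `MGMT_API_PRIVILEGED` but leaves `RECORD_MATCH_GET` at `0`, so the two record-read paths disagree about who may read records. If records are meant to be readable by non-root callers, as the commit message says for read-only operations, the entry should be `{ 0, handle_record_get }`; if some records are sensitive, the regex path needs the same restriction, otherwise the flag on the exact-name path protects nothing. Separately, when `mgmt_has_peereid()` is false the privilege check is skipped entirely and access control rests on the socket file mode alone, which deserves a comment such as `// No peer credentials on this platform: rely on the socket permissions.`. handle_control_message() continues past the end of the hunk.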

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/api/include/mgmtapi.h
----------------------------------------------------------------------
diff --git a/mgmt/api/include/mgmtapi.h b/mgmt/api/include/mgmtapi.h
index b71a166..2b78693 100644
--- a/mgmt/api/include/mgmtapi.h
+++ b/mgmt/api/include/mgmtapi.h
@@ -72,6 +72,7 @@ extern "C"
     TS_ERR_PARAMS,             /* Invalid parameters for a fn */
 
     TS_ERR_NOT_SUPPORTED,      /* Operation not supported */
+    TS_ERR_PERMISSION_DENIED,  /* Operation not permitted */
 
     TS_ERR_FAIL
   } TSMgmtError;
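Review bot: Placing `TS_ERR_PERMISSION_DENIED` ahead of `TS_ERR_FAIL` shifts the numeric value of `TS_ERR_FAIL`, assuming the enumerators carry no explicit values (none are visible in this hunk). If these codes travel over the management socket or are compiled into out-of-tree users of this public header, a client built against the old header would read the new denial code as `TS_ERR_FAIL` and would not recognise the new `TS_ERR_FAIL` value at all. Either document that clients and the manager must be upgraded together, or pin the values explicitly so later additions cannot renumber existing codes. The enum begins outside this hunk, so this needs checking against the full definition.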

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/utils/MgmtSocket.cc
----------------------------------------------------------------------
diff --git a/mgmt/utils/MgmtSocket.cc b/mgmt/utils/MgmtSocket.cc
index fa73aaa..e1c2d8f 100644
--- a/mgmt/utils/MgmtSocket.cc
+++ b/mgmt/utils/MgmtSocket.cc
@@ -24,6 +24,10 @@
 #include "ink_platform.h"
 #include "MgmtSocket.h"
 
+#if HAVE_UCRED_H
+#include <ucred.h>
+#endif
+
 //-------------------------------------------------------------------------
 // defines
 //-------------------------------------------------------------------------
@@ -262,3 +266,55 @@ mgmt_read_timeout(int fd, int sec, int usec)
 
   return mgmt_select(fd + 1, &readSet, NULL, NULL, &timeout);
 }
+
+bool
+mgmt_has_peereid(void)
+{
+#if HAVE_GETPEEREID
+  return true;
+#elif HAVE_GETPEERUCRED
+  return true;
+#elif TS_HAS_SO_PEERCRED
+  return true;
+#else
+  return false;
+#endif
+}
+
+int
+mgmt_get_peereid(int fd, uid_t * euid, gid_t * egid)
+{
+  *euid = -1;
+  *egid = -1;
+
+#if HAVE_GETPEEREID
+  int err = getpeereid(fd, euid, egid);
+  fprintf(stderr, "getpeereid -> %d (%d, %s)", err, errno, strerror(errno));
+  return err;
+#elif HAVE_GETPEERUCRED
+  ucred_t * ucred;
+
+  if (getpeerucred(fd, &ucred) == -1) {
+    return -1;
+  }
+
+  *euid = ucred_geteuid(ucred);
+  *guid = ucred_getegid(ucred);
+  ucred_free(ucred);
+  return 0;
+#elif TS_HAS_SO_PEERCRED
+  struct ucred cred;
+  socklen_t credsz = sizeof(cred);
+  if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &credsz) == -1) {
+    return -1;
+  }
+
+  *euid = cred.uid;
+  *egid = cred.gid;
+  return 0;
+#else
+  (void)fd;
+  errno = ENOTSUP;
+  return -1;
+#endif
+}
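Review bot: The `HAVE_GETPEERUCRED` branch of `mgmt_get_peereid` assigns to `*guid`, which is not a declared name, so that branch will not compile; it should read `*egid = ucred_getegid(ucred);`. In the same branch `ucred` is handed to `getpeerucred()` uninitialized, but that call allocates a credential only when the pointer is null, so declare it as `ucred_t * ucred = NULL;`. The `HAVE_GETPEEREID` branch still carries what looks like a leftover debugging line, `fprintf(stderr, "getpeereid -> %d (%d, %s)", ...)`, which writes to stderr on every privileged request and prints a stale `errno` on success. It should be removed or limited to the failure path. Since this function is the sole input to the root check for privileged operations, each branch deserves a build and a test on its platform.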

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/utils/MgmtSocket.h
----------------------------------------------------------------------
diff --git a/mgmt/utils/MgmtSocket.h b/mgmt/utils/MgmtSocket.h
index 09ceced..f67fd66 100644
--- a/mgmt/utils/MgmtSocket.h
+++ b/mgmt/utils/MgmtSocket.h
@@ -94,4 +94,10 @@ int mgmt_write_timeout(int fd, int sec, int usec);
 //-------------------------------------------------------------------------
 int mgmt_read_timeout(int fd, int sec, int usec);
 
+// Do we support passing Unix domain credentials on this platform?
+bool mgmt_has_peereid(void);
+
+// Get the Unix domain peer credentials.
+int mgmt_get_peereid(int fd, uid_t * euid, gid_t * egid);
+
 #endif // _MGMT_SOCKET_H_
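Review bot: The comment on `mgmt_get_peereid` does not state the return contract that the privilege check relies on. I would write it as `// Get the effective uid/gid of the Unix domain peer on fd. Returns 0 on success, -1 on failure;` followed by `// *euid and *egid are initialised to -1 before the lookup. Callers must deny access on -1.` This matches the implementation in MgmtSocket.cc, which sets both outputs to -1 before querying the platform, and it makes clear that an unsupported platform is a failure and not an anonymous success.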

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5f332c4b/mgmt/web2/WebIntrMain.cc
----------------------------------------------------------------------
diff --git a/mgmt/web2/WebIntrMain.cc b/mgmt/web2/WebIntrMain.cc
index d356854..113e9fc 100644
--- a/mgmt/web2/WebIntrMain.cc
+++ b/mgmt/web2/WebIntrMain.cc
@@ -40,6 +40,7 @@
 #include "WebIntrMain.h"
 #include "Diags.h"
 #include "MgmtSocket.h"
+#include "NetworkUtilsRemote.h"
 
 //INKqa09866
 #include "TSControlMain.h"
@@ -132,71 +133,6 @@ checkWebContext(WebContext * wctx, const char *desc)
   return 0;
 }
 
-
-//  fd newUNIXsocket(char* fpath)
-//
-//  returns a file descriptor associated with a new socket
-//    with the specified file path
-//
-//  returns -1 if socket could not be created
-//
-//  Thread Safe: NO!  Call only from main Web interface thread
-//
-static fd
-newUNIXsocket(char *fpath)
-{
-  // coverity[var_decl]
-  struct sockaddr_un serv_addr;
-  int servlen;
-  fd socketFD;
-  int one = 1;
-
-  unlink(fpath);
-  socketFD = socket(AF_UNIX, SOCK_STREAM, 0);
-
-  if (socketFD < 0) {
-    mgmt_log(stderr, "[newUNIXsocket] Unable to create socket: %s", strerror(errno));
-    return socketFD;
-  }
-
-  ink_zero(serv_addr);
-  serv_addr.sun_family = AF_UNIX;
-  ink_strlcpy(serv_addr.sun_path, fpath, sizeof(serv_addr.sun_path));
-#if defined(darwin) || defined(freebsd)
-  servlen = sizeof(struct sockaddr_un);
-#else
-  servlen = strlen(serv_addr.sun_path) + sizeof(serv_addr.sun_family);
-#endif
-  if (setsockopt(socketFD, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(int)) < 0) {
-    mgmt_log(stderr, "[newUNIXsocket] Unable to set socket options: %s\n", strerror(errno));
-  }
-
-  if ((bind(socketFD, (struct sockaddr *) &serv_addr, servlen)) < 0) {
-    mgmt_log(stderr, "[newUNIXsocket] Unable to bind socket: %s\n", strerror(errno));
-    close_socket(socketFD);
-    return -1;
-  }
-
-  if (chmod(fpath, 00755) < 0) {
-    mgmt_log(stderr, "[newUNIXsocket] Unable to chmod unix-domain socket: %s\n", strerror(errno));
-    close_socket(socketFD);
-    return -1;
-  }
-
-  if ((listen(socketFD, 5)) < 0) {
-    mgmt_log(stderr, "[newUNIXsocket] Unable to listen on socket: %s", strerror(errno));
-    close_socket(socketFD);
-    return -1;
-  }
-  // Set the close on exec flag so our children do not
-  //  have this socket open
-  if (fcntl(socketFD, F_SETFD, 1) < 0) {
-    mgmt_elog(stderr, errno, "[newUNIXSocket] Unable to set close on exec flag\n");
-  }
-
-  return socketFD;
-}
-
 //  fd newTcpSocket(int port)
 //
 //  returns a file descriptor associated with a new socket
@@ -308,6 +244,22 @@ serviceThrReaper(void * /* arg ATS_UNUSED */)
   return NULL;
 }                               // END serviceThrReaper()
 
+static bool
+api_socket_is_restricted()
+{
+  RecInt intval;
+
+  // If the socket is not administratively restricted, check whether we have platform
+  // support. Otherwise, default to making it restricted.
+  if (RecGetRecordInt("proxy.config.admin.api.restricted", &intval) == REC_ERR_OKAY) {
+    if (intval == 0) {
+      return !mgmt_has_peereid();
+    }
+  }
+
+  return true;
+}
+
 void *
 webIntr_main(void *)
 {
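Review bot: When `proxy.config.admin.api.restricted` is 0 but `mgmt_has_peereid()` is false, `api_socket_is_restricted()` returns true without telling the operator that the setting was overridden. Failing closed is the right choice here, and the same holds when `RecGetRecordInt` fails. A log line on the override path would explain why non-root tools still cannot connect, for example `mgmt_log(stderr, "[WebIntrMain] no peer credential support; keeping API socket restricted\n");`. The comment above the check could also say outright that the function never returns false unless peer credentials are available.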
@@ -408,28 +360,26 @@ webIntr_main(void *)
   // INKqa09866
   // fire up interface for ts configuration through API; use absolute path from root to
   // set up socket paths;
-  char api_sock_path[1024];
-  char event_sock_path[1024];
   ats_scoped_str rundir(RecConfigReadRuntimeDir());
+  ats_scoped_str apisock(Layout::relative_to(rundir, MGMTAPI_MGMT_SOCKET_NAME));
+  ats_scoped_str eventsock(Layout::relative_to(rundir, MGMTAPI_EVENT_SOCKET_NAME));
 
-  bzero(api_sock_path, 1024);
-  bzero(event_sock_path, 1024);
-  snprintf(api_sock_path, sizeof(api_sock_path), "%s/mgmtapisocket", (const char *)rundir);
-  snprintf(event_sock_path, sizeof(event_sock_path), "%s/eventapisocket", (const char *)rundir);
+  mode_t oldmask = umask(0);
+  mode_t newmode = api_socket_is_restricted() ? 00700 : 00777;
 
-  // INKqa12562: MgmtAPI sockets should be created with 775 permission
-  mode_t oldmask = umask(S_IWOTH);
-  if ((mgmtapiFD = newUNIXsocket(api_sock_path)) < 0) {
+  mgmtapiFD = bind_unix_domain_socket(apisock, newmode);
+  if (mgmtapiFD == -1) {
     mgmt_log(stderr, "[WebIntrMain] Unable to set up socket for handling management API calls. API socket path = %s\n",
-             api_sock_path);
+             (const char *)apisock);
     lmgmt->alarm_keeper->signalAlarm(MGMT_ALARM_WEB_ERROR, mgmtapiFailMsg);
   }
 
-  if ((eventapiFD = newUNIXsocket(event_sock_path)) < 0) {
-    mgmt_log(stderr,
-             "[WebIntrMain] Unable to set up so for handling management API event calls. Event Socket path: %s\n",
-             event_sock_path);
+  eventapiFD = bind_unix_domain_socket(eventsock, newmode);
+  if (eventapiFD == -1) {
+    mgmt_log(stderr, "[WebIntrMain] Unable to set up so for handling management API event calls. Event Socket path: %s\n",
+             (const char *)eventsock);
   }
+
   umask(oldmask);
 
   // launch threads
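Review bot: `eventsock` is bound with the same `newmode` as `apisock`, so with restriction off both sockets become 00777, yet the only peer-credential check visible in this commit is in `handle_control_message` on the management API path. If the event API accepts any request that should be root-only, it needs an equivalent check, or the event socket should stay at owner-only with `eventapiFD = bind_unix_domain_socket(eventsock, 00700);`; this cannot be confirmed from this hunk. Separately, `umask(0)` is process-wide and stays in effect until `umask(oldmask)`, so any file another thread creates in that window gets unmasked permissions. Passing the mode to `bind_unix_domain_socket` and letting it set permissions explicitly would make the umask change unnecessary, assuming that helper applies the mode itself. `webIntr_main` continues outside this hunk.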