From 5ef8b13a4a3859a822f05c497d8d818a9fe640f2 Mon Sep 17 00:00:00 2001
From: Philipp Schafft
Date: Thu, 22 Sep 2022 10:00:29 +0000
Subject: [PATCH 1/4] Update: Inform about chroot()/chuid on dashboard

---
 src/admin.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/admin.c b/src/admin.c
index f106c0e3..b2d7eb61 100644
--- a/src/admin.c
+++ b/src/admin.c
@@ -1783,6 +1783,22 @@ static void command_dashboard (client_t *client, source_t *source, adm
 if (config->config_problems & CONFIG_PROBLEM_VALIDATION)
 __reportxml_add_maintenance(reportnode, config->reportxml_db, "8fc33086-274d-4ccb-b32f-599b3fa0f41a", "error", "The configuration did not validate. See the error.log for details and update your configuration accordingly.", NULL);
 
+ if (config->chroot) {
+#if HAVE_CHROOT
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "1c69ae7a-af2c-4a41-81c4-163e63f7ef62", "info", "chroot configured.", NULL);
+#else
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "1a3fea5c-3352-4cb5-85cc-51ab9bd6ea83", "error", "chroot configured but not supported by operating system.", NULL);
+#endif
+ }
+
+ if(config->chuid) {
+#if HAVE_SETUID
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "95f59593-be32-4f17-9a8c-0a51e41acfbf", "info", "Change of UID/GID configured.", NULL);
+#else
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "afcaa756-b91c-4496-a9e2-44400a18789c", "error", "Change of UID/GID configured but not supported by operating system.", NULL);
+#endif
+ }
+
 if (!has_sources)
 __reportxml_add_maintenance(reportnode, config->reportxml_db, "f68dd8a3-22b1-4118-aba6-b039f2c5b51e", "info", "Currently no sources are connected to this server.", NULL);
 

From 7c5d01a1a27d97c3072c27d2259f3b99fb6a92f7 Mon Sep 17 00:00:00 2001
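Review bot: The two new guards in this hunk are written in different styles, `if (config->chroot) {` with a space and `if(config->chuid) {` without, while the surrounding context lines (`if (config->config_problems ...`, `if (!has_sources)`) use `if (`; the chuid line should read `if (config->chuid) {`. The `#else` branches report a configured-but-unsupported chroot or UID change as "error", which is the right severity here: the operator believes a privilege boundary is in place that this build cannot provide. command_dashboard begins and ends outside the hunk.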
From: Philipp Schafft
Date: Sat, 24 Sep 2022 10:22:51 +0000
Subject: [PATCH 2/4] Update: Record result from chroot/chuid

---
 src/global.h | 5 +++++
 src/main.c | 39 +++++++++++++++++++++++----------------
 2 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/src/global.h b/src/global.h
index 6217d9f7..4d141b20 100644
--- a/src/global.h
+++ b/src/global.h
@@ -46,6 +46,11 @@ typedef struct ice_global_tag
 relay_t *master_relays;
 module_container_t *modulecontainer;
+
+
+ /* state */
+ bool chroot_succeeded;
+ bool chuid_succeeded;
 } ice_global_t;
 
 extern ice_global_t global;
 
diff --git a/src/main.c b/src/main.c
index e6734e97..90c8dbbf 100644
--- a/src/main.c
+++ b/src/main.c
@@ -479,34 +479,36 @@ static void _ch_root_uid_setup(void)
 }
 #endif
 
+ /* ensure a valid initial state */
+ global.chroot_succeeded = false;
+ global.chuid_succeeded = false;
+
 #if HAVE_CHROOT
- if (conf->chroot)
- {
- if(getuid()) /* root check */
- {
+ if (conf->chroot) {
+ if (getuid()) { /* root check */
 fprintf(stderr, "WARNING: Cannot change server root unless running as root.\n");
 }
- if(chroot(conf->base_dir) == -1 || chdir("/") == -1)
- {
+
+ if(chroot(conf->base_dir) == -1 || chdir("/") == -1) {
 fprintf(stderr,"WARNING: Couldn't change server root: %s\n", strerror(errno));
 return;
- }
- else
+ } else {
 fprintf(stdout, "Changed root successfully to \"%s\".\n", conf->base_dir);
-
+ global.chroot_succeeded = true;
+ }
 }
 #endif
 
 #if HAVE_SETUID
- if(conf->chuid)
- {
- if(getuid()) /* root check */
- {
+ if(conf->chuid) {
+ if (getuid()) { /* root check */
 fprintf(stderr, "WARNING: Can't change user id unless you are root.\n");
 return;
 }
 
- if(uid != (uid_t)-1 && gid != (gid_t)-1) {
+ if (uid != (uid_t)-1 && gid != (gid_t)-1) {
+ global.chuid_succeeded = true;
+
 #ifdef HAVE_SETRESGID
 if(!setresgid(gid, gid, gid)) {
 #else
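Review bot: The new `chroot_succeeded` and `chuid_succeeded` fields carry only a `/* state */` label, so a reader of global.h cannot tell who writes them or what true means; the main.c hunk in this same patch is the only writer. Suggest replacing the label with `/* Outcome of the startup privilege setup in main.c: true only if chroot()+chdir("/") resp. every setgid/initgroups/setuid step returned success. Written once at startup, read by the admin dashboard. */`. The three blank lines inserted before the comment are more than the rest of the visible struct uses between members. Whether `bool` is already available in global.h (stdbool.h or a compatibility typedef) is not visible in the hunk and is worth confirming.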
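Review bot: `global.chuid_succeeded = true;` is set before setresgid()/initgroups()/setresuid() have been attempted and relies on every failure branch that follows clearing it again, so its meaning depends on none of those steps returning early; that contract is worth stating where the flag is set, e.g. `/* optimistic: every failing step below clears this; there is no early return between the three calls */`. By contrast `chroot_succeeded` is only set after both chroot() and chdir("/") succeeded, which is the safer shape. The added lines also mix `if(chroot(` and `if(conf->chuid) {` with `if (getuid()) {` and `if (uid != ...) {` in the same hunk; one form should be used. The chuid failure branches that clear the flag are in the next hunks, and _ch_root_uid_setup() starts before this hunk.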
@@ -515,11 +517,15 @@ static void _ch_root_uid_setup(void)
 fprintf(stdout, "Changed groupid to %i.\n", (int)gid);
 } else {
 fprintf(stdout, "Error changing groupid: %s.\n", strerror(errno));
+ global.chuid_succeeded = false;
 }
- if(!initgroups(conf->user, gid))
+ if(!initgroups(conf->user, gid)) {
 fprintf(stdout, "Changed supplementary groups based on user: %s.\n", conf->user);
- else
+ } else {
 fprintf(stdout, "Error changing supplementary groups: %s.\n", strerror(errno));
+ global.chuid_succeeded = false;
+ }
+
 #ifdef HAVE_SETRESUID
 if(!setresuid(uid, uid, uid)) {
 #else
@@ -528,6 +534,7 @@ static void _ch_root_uid_setup(void)
 fprintf(stdout, "Changed userid to %i.\n", (int)uid);
 } else {
 fprintf(stdout, "Error changing userid: %s.\n", strerror(errno));
+ global.chuid_succeeded = false;
 }
 }
 }

From 236acc122330763d780d97a3cc683d9fc9ffe4d4 Mon Sep 17 00:00:00 2001
From: Philipp Schafft
Date: Sat, 24 Sep 2022 10:29:35 +0000
Subject: [PATCH 3/4] Feature: Report the actual status of chroot/chuid on the dashboard

---
 src/admin.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/admin.c b/src/admin.c
index b2d7eb61..3bcfaa32 100644
--- a/src/admin.c
+++ b/src/admin.c
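Review bot: Each failure branch in this hunk, and the one in the @@ -528 hunk, now records `global.chuid_succeeded = false;` but still falls through to the next step, so after a failed setresgid() the code goes on to initgroups() and setresuid() and, as far as the visible lines show, _ch_root_uid_setup() then returns normally with the process possibly still holding its original gid or uid. Nothing in this patch consumes the flag at startup; the only consumer added by the series is the dashboard, so a partial privilege drop stays silent in the process itself. If the intent is to fail closed, the caller of _ch_root_uid_setup() (outside these hunks) is the place to check `if (!global.chuid_succeeded)` after the call and stop startup; whether that is wanted is a policy decision for the maintainers, but it deserves a comment either way, e.g. `/* NOTE: a failed step is recorded, not fatal; see the dashboard report */`.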
@@ -1785,7 +1785,11 @@ static void command_dashboard (client_t *client, source_t *source, adm
 
 if (config->chroot) {
 #if HAVE_CHROOT
- __reportxml_add_maintenance(reportnode, config->reportxml_db, "1c69ae7a-af2c-4a41-81c4-163e63f7ef62", "info", "chroot configured.", NULL);
+ if (global.chroot_succeeded) {
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "6830cbf7-cd68-4c0c-ab5a-81499c70fd34", "info", "chroot configured and active.", NULL);
+ } else {
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "2d584a76-e67c-4268-b7e8-139b0b9b1131", "error", "chroot configured but failed.", NULL);
+ }
 #else
 __reportxml_add_maintenance(reportnode, config->reportxml_db, "1a3fea5c-3352-4cb5-85cc-51ab9bd6ea83", "error", "chroot configured but not supported by operating system.", NULL);
 #endif
@@ -1793,7 +1797,11 @@ static void command_dashboard (client_t *client, source_t *source, adm
 
 if(config->chuid) {
 #if HAVE_SETUID
- __reportxml_add_maintenance(reportnode, config->reportxml_db, "95f59593-be32-4f17-9a8c-0a51e41acfbf", "info", "Change of UID/GID configured.", NULL);
+ if (global.chuid_succeeded) {
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "bab05e81-fd03-4773-9fc5-c4609883a5e3", "info", "Change of UID/GID configured and active.", NULL);
+ } else {
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "4f856dd4-7aac-44b4-95b5-b6798f547603", "error", "Change of UID/GID configured but failed.", NULL);
+ }
 #else
 __reportxml_add_maintenance(reportnode, config->reportxml_db, "afcaa756-b91c-4496-a9e2-44400a18789c", "error", "Change of UID/GID configured but not supported by operating system.", NULL);
 #endif

From a571256c790feb8a8bed2248af2e00c90c266c18 Mon Sep 17 00:00:00 2001
From: Philipp Schafft
Date: Thu, 22 Sep 2022 10:12:57 +0000
Subject: [PATCH 4/4] Update: Report an noisy environment if there is one

---
 src/admin.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
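Review bot: `config->chroot` and `global.chroot_succeeded` are read from two different points in time: the flag records the outcome of the attempt made at startup, while `config` is whatever configuration this dashboard request sees. If the configuration can be reloaded at runtime with chroot enabled after startup (the same applies to chuid in the @@ -1793 hunk), the `else` branch would report "chroot configured but failed." for something that was never attempted; I cannot see from the hunk how `config` is obtained in command_dashboard, so this needs confirming against that code. If it is reloadable, either record whether the step was attempted alongside the result (e.g. an additional `chroot_attempted` flag in global, a constructed name) or word the message to cover both cases, e.g. `"chroot configured but not active."`. The reads of `global.chroot_succeeded`/`global.chuid_succeeded` happen on the request path while the writes happen in startup code; if the setup runs before any worker thread exists the unsynchronised read is fine, and a one-line comment stating that assumption would help the next reader.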
diff --git a/src/admin.c b/src/admin.c
index 3bcfaa32..92d6e2f6 100644
--- a/src/admin.c
+++ b/src/admin.c
@@ -1826,6 +1826,19 @@ static void command_dashboard (client_t *client, source_t *source, adm
 }
 #endif
 
+ if (true) {
+ /* A list of environment variables that will normally not be seen in a daemon environment. */
+ static const char * const keys[] = {"DISPLAY", "LS_COLORS", "TERM", "XDG_RUNTIME_DIR"};
+ size_t i;
+
+ for (i = 0; i < (sizeof(keys)/sizeof(*keys)); i++) {
+ if (getenv(keys[i])) {
+ __reportxml_add_maintenance(reportnode, config->reportxml_db, "dc91ce96-f473-41d1-bfff-379666306911", "info", "Environment is noisy.", NULL);
+ break;
+ }
+ }
+ }
+
 reportxml_helper_add_value_health(resource, "status", health);
 reportxml_node_add_child(incident, resource);
 
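Review bot: `if (true) {` on the first added line is a constant condition that exists only to open a scope for `keys` and `i`; a bare block `{` does the same, and moving the loop into a small static helper that returns whether any of the keys is set would keep command_dashboard to one statement per finding. The comment says what the list is but not why it matters; suggest extending it to `/* Environment variables that normally come from an interactive shell, not from an init system. Seeing one usually means the daemon was started by hand and inherited a login environment. */`. "Environment is noisy." does not tell the operator which variable triggered it; if `__reportxml_add_maintenance` (or its trailing argument, whose meaning is not visible here) can carry detail, naming the key would make the finding actionable. getenv() from a request thread is only safe if nothing in the daemon calls setenv()/putenv() after startup, which I cannot confirm from this hunk.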