aniani/irssi
1
0
Fork 0
mirror of https://github.com/irssi/irssi.git synced 2024-11-03 04:27:19 -05:00
Code

Restrict port range available in capability mode.

Browse Source 
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
This commit is contained in:
Edward Tomasz Napierala 2017-07-29 11:41:56 +01:00
parent e777ae986d
commit c00d4753ae
1 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/core/capsicum.c
View File

@ -40,6 +40,8 @@ static char *irclogs_path;
static size_t irclogs_path_len; static size_t irclogs_path_len;
static int irclogs_fd; static int irclogs_fd;
static int symbiontfds[2]; static int symbiontfds[2];
static int port_min;
static int port_max;
gboolean capsicum_enabled(void) gboolean capsicum_enabled(void)
{ {
@ -90,6 +92,13 @@ int capsicum_net_connect_ip(IPADDR *ip, int port, IPADDR *my_ip)
} }
saved_errno = nvlist_get_number(nvl, "errno"); saved_errno = nvlist_get_number(nvl, "errno");
nvlist_destroy(nvl); nvlist_destroy(nvl);
if (sock == -1 && (port < port_min || port > port_max)) {
g_warning("Access restricted to ports between %d and %d "
"due to capability mode",
port_min, port_max);
}
errno = saved_errno; errno = saved_errno;
return sock; return sock;
@ -205,9 +214,19 @@ nvlist_t *symbiont_connect(const nvlist_t *request)
else else
my_ip = NULL; my_ip = NULL;
/* Connect. */ /*
sock = net_connect_ip_handle(ip, port, my_ip); * Check if the port is in allowed range. This is to minimize
saved_errno = errno; * the chance of the attacker rooting another system in case of
* compromise.
*/
if (port < port_min || port > port_max) {
sock = -1;
saved_errno = EPERM;
} else {
/* Connect. */
sock = net_connect_ip_handle(ip, port, my_ip);
saved_errno = errno;
}
/* Send back the socket fd. */ /* Send back the socket fd. */
response = nvlist_create(0); response = nvlist_create(0);
@ -326,6 +345,9 @@ static void cmd_capsicum_enter(void)
return; return;
} }
port_min = settings_get_int("capsicum_port_min");
port_max = settings_get_int("capsicum_port_max");
irclogs_path = convert_home(settings_get_str("capsicum_irclogs_path")); irclogs_path = convert_home(settings_get_str("capsicum_irclogs_path"));
g_mkdir_with_parents(irclogs_path, log_dir_create_mode); g_mkdir_with_parents(irclogs_path, log_dir_create_mode);
irclogs_path_len = strlen(irclogs_path); irclogs_path_len = strlen(irclogs_path);
@ -375,6 +397,8 @@ void capsicum_init(void)
{ {
settings_add_bool("misc", "capsicum", FALSE); settings_add_bool("misc", "capsicum", FALSE);
settings_add_str("misc", "capsicum_irclogs_path", "~/irclogs"); settings_add_str("misc", "capsicum_irclogs_path", "~/irclogs");
settings_add_int("misc", "capsicum_port_min", 6667);
settings_add_int("misc", "capsicum_port_max", 6697);
signal_add("irssi init finished", (SIGNAL_FUNC) sig_init_finished); signal_add("irssi init finished", (SIGNAL_FUNC) sig_init_finished);