authorDave Brolley <brolley@redhat.com>2010-02-17 16:18:10 -0500
committerDave Brolley <brolley@redhat.com>2010-02-17 17:13:05 -0500
commit2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7 (patch)
tree42a9893d963b5d2ed7196410f51ce621b0fddf4d
parentd9f58253e30ea80e57d8f54e41e9cd114cc13973 (diff)
Improved server certificate management. ulimit for stap-server only.
- Server now generates a new certificate when old one expires. - Certificates now valid for 1 year. - ulimit for stap-server-connect now only set for stap-server user and only when override variable is not set.
-rwxr-xr-xstap-authorize-cert2
-rwxr-xr-xstap-env1
-rw-r--r--stap-server-connect.c35
-rwxr-xr-xstap-serverd90
-rwxr-xr-xstap-start-server4
5 files changed, 85 insertions, 47 deletions
diff --git a/stap-authorize-cert b/stap-authorize-cert
index 21af2ce0..6aad48a0 100755
--- a/stap-authorize-cert
+++ b/stap-authorize-cert
@@ -46,4 +46,6 @@ if ! chmod +r $certdb/*.db; then
echo "Warning: unable to make the client certificate database $certdb readable by others" >&2
fi
+echo "Certificate $certfile added to database $certdb"
+
exit 0
diff --git a/stap-env b/stap-env
index 40aca53e..b02e96b6 100755
--- a/stap-env
+++ b/stap-env
@@ -41,7 +41,6 @@ fi
stap_signing_db=$stap_sysconfdir/systemtap/staprun
stap_certfile=stap.cert
-stap_old_certfile=stap-server.cert
function stap_get_arch {
# PR4186: Copy logic from coreutils uname (uname -i) to squash
diff --git a/stap-server-connect.c b/stap-server-connect.c
index bbf5ade7..0f07d987 100644
--- a/stap-server-connect.c
+++ b/stap-server-connect.c
@@ -79,7 +79,9 @@ exitErr(char *function)
/* Exit gracefully. */
/* ignoring return value of NSS_Shutdown as code exits with 1*/
(void) NSS_Shutdown();
+#if 0 /* PR_Cleanup is known to hang on some systems */
PR_Cleanup();
+#endif
exit(1);
}
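Review bot: The `#if 0` around `PR_Cleanup();` here, and the identical one in main (the hunk ending with `return 0;`), disables the call without recording which systems hang or where that problem is tracked, so a later maintainer cannot tell when it is safe to re-enable. Carry that context in the comment, e.g. `#if 0 /* PR_Cleanup() hangs on some systems (see <bug-id placeholder>); NSS_Shutdown() has already run, so skipping it only leaks NSPR state at exit */`. Only the tail of exitErr is visible in this hunk.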
@@ -248,7 +250,7 @@ setupSSLSocket(PRFileDesc *tcpSocket)
secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
if (secStatus != SECSuccess)
{
- errWarn("SSL_HandshakeCallback");
+ errWarn("SSL_SetPKCS11PinArg");
goto loser;
}
@@ -837,9 +839,10 @@ accept_connection(PRFileDesc *listenSocket)
PRNetAddr addr;
PRStatus prStatus;
PRFileDesc *tcpSocket;
-#if 0
- SECStatus result;
-#endif
+ SECStatus secStatus;
+ CERTCertDBHandle *dbHandle;
+
+ dbHandle = CERT_GetDefaultCertDB();
while (PR_TRUE)
{
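Review bot: `dbHandle = CERT_GetDefaultCertDB();` is stored without a NULL check, and the handle is later handed to CERT_VerifyCertNow inside the accept loop. The default DB is only available once NSS has been initialised, so if that initialisation fails or is ever reordered the first verification dereferences a NULL handle. Guard it the way the rest of this file treats NSS failures: `if (dbHandle == NULL) exitErr("CERT_GetDefaultCertDB");`. accept_connection's body continues past the end of this hunk.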
@@ -868,7 +871,7 @@ accept_connection(PRFileDesc *listenSocket)
/* XXX: fork() or somesuch to handle concurrent requests. */
/* Accepted the connection, now handle it. */
- /*result =*/ handle_connection (tcpSocket);
+ handle_connection (tcpSocket);
printf ("Request from %d.%d.%d.%d:%d complete\n",
(addr.inet.ip ) & 0xff,
@@ -877,15 +880,31 @@ accept_connection(PRFileDesc *listenSocket)
(addr.inet.ip >> 24) & 0xff,
addr.inet.port);
fflush (stdout);
+
+ /* If our certificate is no longer valid (e.g. has expired),
+ then exit. The daemon, (stap-serverd) will generate a new
+ certificate and restart the connection. */
+ secStatus = CERT_VerifyCertNow(dbHandle, cert, PR_TRUE/*checkSig*/,
+ certUsageSSLServer, NULL/*wincx*/);
+ if (secStatus != SECSuccess)
+ {
+ errWarn ("CERT_VerifyCertNow");
+ break;
+ }
}
#if DEBUG
fprintf(stderr, "Closing listen socket.\n");
+ fflush (stderr);
#endif
prStatus = PR_Close(listenSocket);
if (prStatus != PR_SUCCESS)
exitErr("PR_Close");
+#if DEBUG
+ fprintf(stderr, "Closed listen socket.\n");
+ fflush (stderr);
+#endif
return SECSuccess;
}
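Review bot: The CERT_VerifyCertNow check runs only after `handle_connection (tcpSocket);` has completed, so the first request that arrives after the certificate expires is still served with the expired certificate, and an idle server keeps it until a client connects. Verifying after PR_Accept but before handle_connection closes that window: the connection is dropped, stap-serverd regenerates the certificate and restarts the server, and the client retries. `cert` is not declared in this hunk; presumably it became file-scope when server_main lost its `cert` parameter in the hunk below, worth confirming. Note also that after the `break` the function still returns `SECSuccess`, so server_main cannot distinguish "certificate invalid" from a normal shutdown; if the caller acts on the return value, consider returning `SECFailure` on that path.
```c
    while (PR_TRUE)
    {
        /* … unchanged: PR_Accept into tcpSocket and its error handling … */

        /* Refuse to serve with a certificate that is no longer valid
           (e.g. expired); stap-serverd generates a new one and restarts us. */
        secStatus = CERT_VerifyCertNow(dbHandle, cert, PR_TRUE/*checkSig*/,
                                       certUsageSSLServer, NULL/*wincx*/);
        if (secStatus != SECSuccess)
        {
            errWarn ("CERT_VerifyCertNow");
            PR_Close (tcpSocket);
            break;
        }

        handle_connection (tcpSocket);
        /* … unchanged: "Request from ... complete" printf and fflush … */
    }
```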
@@ -896,7 +915,7 @@ accept_connection(PRFileDesc *listenSocket)
*
*/
static void
-server_main(unsigned short port, SECKEYPrivateKey *privKey, CERTCertificate *cert)
+server_main(unsigned short port, SECKEYPrivateKey *privKey)
{
SECStatus secStatus;
PRStatus prStatus;
@@ -1090,11 +1109,13 @@ main(int argc, char **argv)
SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
/* Launch server. */
- server_main(port, privKey, cert);
+ server_main(port, privKey);
/* Shutdown NSS and exit NSPR gracefully. */
NSS_Shutdown();
+#if 0 /* PR_Cleanup is known to hang on some systems */
PR_Cleanup();
+#endif
return 0;
}
diff --git a/stap-serverd b/stap-serverd
index 5820286f..b93f5e41 100755
--- a/stap-serverd
+++ b/stap-serverd
@@ -20,13 +20,15 @@ trap 'terminate' SIGTERM SIGINT
. ${PKGLIBEXECDIR}stap-env
# PR11197: security prophylactics
+set_ulimits=0
if [ -z "$STAP_PR11197_OVERRIDE" ]; then
# 1) reject use as root, except via a special environment variable
if [ `id -u` -eq 0 ]; then
echo "For security reasons, invocation of stap-server as root is not supported." 1>&2
exit 1
fi
- # 2) ... etc ...
+ # 2) resource limits should be set if the user is the 'stap-server' daemon
+ test `id -un` = "stap-server" && set_ulimits=1
fi
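Review bot: With `test `id -un` = "stap-server" && set_ulimits=1`, an invocation by any other non-root user, and every invocation with STAP_PR11197_OVERRIDE set, now launches stap-server-connect with no resource limits at all, and nothing records that the CVE-2009-4273 limits were dropped. That is a silent downgrade of a security control; at minimum make it visible, e.g. `test $set_ulimits = 1 || echo "Warning: resource limits will not be applied to stap-server-connect (not running as stap-server)" >&2`, and consider the same warning in the override branch. Whether the override path intentionally skips the limits is not stated in the commit description.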
@@ -63,38 +65,6 @@ function initialization {
# Where is the ssl certificate/key database?
if test "X$ssl_db" = "X"; then
ssl_db=$stap_ssl_db/server
- # Update the certificate file if it is old.
- if test -f $ssl_db/$stap_old_certfile; then
- if ! test -e $ssl_db/$stap_certfile; then
- mv $ssl_db/$stap_old_certfile $ssl_db/$stap_certfile
- else
- rm -fr $ssl_db/$stap_old_certfile
- fi
- fi
- # If no certificate/key database has been specified, then find/create
- # a local one.
- if ! test -f $ssl_db/$stap_certfile; then
- ${stap_pkglibexecdir}stap-gen-cert $ssl_db >> $logfile 2>&1 || exit 1
- # Now add the server's certificate to the client's database,
- # making it a trusted peer. Do this only if the client has been installed.
- if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \
- -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
- ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
- fi
- else
- echo "Certificate found in database $ssl_db" >> $logfile
- certutil -L -d "$ssl_db" -n stap-server | \
- awk '/Validity|Not After|Not Before/ { print $0 }' | \
- sed 's/^ */ /' >> $logfile
- if ! test -f $stap_ssl_db/client/cert8.db; then
- # If the client's database does not exist, then initialize it with our certificate.
- # Do this only if the client has been installed.
- if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \
- -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
- ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
- fi
- fi
- fi
fi
nss_pw=$ssl_db/pw
@@ -327,6 +297,46 @@ function process_r {
fi
}
+# function: check_cert
+#
+# Ensure that our certificate exists and is valid.
+# Generate a new one if not.
+function check_cert {
+ # If our certificate exists, log some information about it.
+ if test -f $ssl_db/cert8.db; then
+ echo "Certificate found in database $ssl_db" >> $logfile
+ certutil -L -d "$ssl_db" -n $nss_cert | \
+ awk '/Validity|Not After|Not Before/ { print $0 }' | \
+ sed 's/^ */ /' >> $logfile
+ fi
+
+ # If the certificate does not exist or the certificate
+ # is not valid, then generate a new one.
+ if test ! -d $ssl_db -o ! -f $ssl_db/$stap_certfile -o ! -f $ssl_db/cert8.db || \
+ ! certutil -V -n $nss_cert -u V -d $ssl_db -e -f $nss_pw \
+ -b `date +%g%m%d%H%M%S`+0005 >> $logfile 2>&1; then
+ # Our certificate does not exist or is not valid.
+ # Generate a new certificate database.
+ ${stap_pkglibexecdir}stap-gen-cert $ssl_db >> $logfile 2>&1 || exit 1
+
+ # Now add the new certificate to the client's database,
+ # making it a trusted peer for this user.
+ # Do this only if the client has been installed.
+ if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \
+ -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
+ ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
+ fi
+ elif ! test -f $stap_ssl_db/client/cert8.db; then
+ # Our certificate exists and is valid.
+ # If the client's database does not exist, then initialize it with our certificate.
+ # Do this only if the client has been installed.
+ if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \
+ -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
+ ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
+ fi
+ fi
+}
+
# function: advertise_presence
#
# Advertise the availability of the server on the network.
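Review bot: The validity time given to `certutil -V -b` in check_cert is built with `date +%g%m%d%H%M%S`, but `%g` is the ISO-8601 week-based year, which differs from the calendar year (`%y`) for a few days around every New Year (1 January can print the previous year), so the certificate would be checked against a date a year off exactly at that boundary. As far as I recall certutil's documented `-b` format (YYMMDDHHMMSS followed by Z or ±HHMM), the trailing `+0005` is parsed as a UTC offset of +00:05 rather than a five-minute margin, and `date` prints local time, so the check is also shifted by the local timezone; worth confirming against the certutil man page. `-b `date -u +%y%m%d%H%M%SZ`` checks against the current UTC time unambiguously. Separately, when a new certificate is generated and authorised for the client, nothing visible here removes the previous server certificate from the client database; if stap-gen-cert does not handle that, the old trust entry lingers.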
@@ -334,7 +344,7 @@ function advertise_presence {
# Build up a strings representing our server's properties.
# The service name must differ for each server, so put the port number
# in it.
- local service_name="Systemtap Compile Server on port $port"
+ service_name="Systemtap Compile Server on port $port"
local sysinfo="sysinfo=$uname_r $arch"
local optinfo="optinfo="
@@ -350,8 +360,6 @@ function advertise_presence {
# Call avahi-publish-service to advertise our presence.
avahi-publish-service "$service_name" \
$stap_avahi_service_tag $port "$sysinfo" "$optinfo" >> $logfile 2>&1 &
-
- echo "$service_name listening on port $port" >> $logfile
}
# function: listen
@@ -362,14 +370,20 @@ function listen {
# accepting requests.
# CVE-2009-4273 ... or at least, until resource limits fire
while true; do # NB: loop to avoid DoS by deliberate rlimit-induced halt
+ # Ensure that our certificate is valid. Generate a new one if
+ # not.
+ check_cert
+
# NB: impose resource limits in case of mischevious data inducing
# too much / long computation
- (ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000;
+ (test $set_ulimits = 1 && ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000;
exec ${stap_pkglibexecdir}stap-server-connect \
-p $port -n $nss_cert -d $ssl_db -w $nss_pw \
-s "$stap_options") &
stap_server_connect_pid=$!
- wait
+ echo "$service_name ready"
+ wait $stap_server_connect_pid
+
# NB: avoid superfast spinning in case of a ulimit or other failure
sleep 1
done >> $logfile 2>&1
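Review bot: In `(test $set_ulimits = 1 && ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000; exec ...)` a failure of ulimit itself (for example a hard limit already below one of the requested values) is ignored and exec still launches stap-server-connect unconstrained, which is exactly what the CVE-2009-4273 comment above guards against. Make the limits mandatory when they are meant to apply: `(if test $set_ulimits = 1; then ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000 || exit 1; fi;`. Also `echo "$service_name ready"` relies on the variable that advertise_presence now sets globally; if that function has not run before listen (the call order is outside this hunk) the log line reads just ` ready`.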
diff --git a/stap-start-server b/stap-start-server
index 1225902d..b3926b9c 100755
--- a/stap-start-server
+++ b/stap-start-server
@@ -18,7 +18,7 @@
startup_timeout=20
# start the server
-${stap_pkglibexecdir}stap-serverd "$@" </dev/null >/dev/null 2>&1 &
+${stap_pkglibexecdir}stap-serverd "$@" </dev/null &
server_pid=$!
# Make sure the server is started
@@ -30,6 +30,8 @@ do
# Has the server started?
if ! (ps -e | grep stap-serverd | grep $server_pid) >/dev/null 2>&1; then
+ # The stap-serverd script should start right away
+ test $server_started = 0 -a $attempt -gt 1 && break
sleep 1
continue
fi