author | Dave Brolley <brolley@redhat.com> | 2010-02-17 16:18:10 -0500 |
committer | Dave Brolley <brolley@redhat.com> | 2010-02-17 17:13:05 -0500 |
commit | 2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7 (patch) | |
tree | 42a9893d963b5d2ed7196410f51ce621b0fddf4d | |
parent | d9f58253e30ea80e57d8f54e41e9cd114cc13973 (diff) | |
download | systemtap-steved-2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7.tar.gz systemtap-steved-2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7.tar.xz systemtap-steved-2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7.zip |
Improved server certificate management. ulimit for stap-server only.
- Server now generates a new certificate when old one expires.
- Certificates now valid for 1 year.
- ulimit for stap-server-connect now only set for stap-server
user and only when override variable is not set.
-rwxr-xr-x | stap-authorize-cert | 2 | ||||
-rwxr-xr-x | stap-env | 1 | ||||
-rw-r--r-- | stap-server-connect.c | 35 | ||||
-rwxr-xr-x | stap-serverd | 90 | ||||
-rwxr-xr-x | stap-start-server | 4 |
5 files changed, 85 insertions, 47 deletions
diff --git a/stap-authorize-cert b/stap-authorize-cert index 21af2ce0..6aad48a0 100755 --- a/stap-authorize-cert +++ b/stap-authorize-cert @@ -46,4 +46,6 @@ if ! chmod +r $certdb/*.db; then echo "Warning: unable to make the client certificate database $certdb readable by others" >&2 fi +echo "Certificate $certfile added to database $certdb" + exit 0 @@ -41,7 +41,6 @@ fi stap_signing_db=$stap_sysconfdir/systemtap/staprun stap_certfile=stap.cert -stap_old_certfile=stap-server.cert function stap_get_arch { # PR4186: Copy logic from coreutils uname (uname -i) to squash diff --git a/stap-server-connect.c b/stap-server-connect.c index bbf5ade7..0f07d987 100644 --- a/stap-server-connect.c +++ b/stap-server-connect.c @@ -79,7 +79,9 @@ exitErr(char *function) /* Exit gracefully. */ /* ignoring return value of NSS_Shutdown as code exits with 1*/ (void) NSS_Shutdown(); +#if 0 /* PR_Cleanup is known to hang on some systems */ PR_Cleanup(); +#endif exit(1); } @@ -248,7 +250,7 @@ setupSSLSocket(PRFileDesc *tcpSocket) secStatus = SSL_SetPKCS11PinArg(sslSocket, password); if (secStatus != SECSuccess) { - errWarn("SSL_HandshakeCallback"); + errWarn("SSL_SetPKCS11PinArg"); goto loser; } @@ -837,9 +839,10 @@ accept_connection(PRFileDesc *listenSocket) PRNetAddr addr; PRStatus prStatus; PRFileDesc *tcpSocket; -#if 0 - SECStatus result; -#endif + SECStatus secStatus; + CERTCertDBHandle *dbHandle; + + dbHandle = CERT_GetDefaultCertDB(); while (PR_TRUE) { @@ -868,7 +871,7 @@ accept_connection(PRFileDesc *listenSocket) /* XXX: fork() or somesuch to handle concurrent requests. */ /* Accepted the connection, now handle it. */ - /*result =*/ handle_connection (tcpSocket); + handle_connection (tcpSocket); printf ("Request from %d.%d.%d.%d:%d complete\n", (addr.inet.ip ) & 0xff, 
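Review bot: The `#if 0 /* PR_Cleanup is known to hang on some systems */` block added in exitErr is repeated verbatim in the main hunk on the next line, and both leave a dead call in the source that will silently rot as the file changes around it. Since both sites terminate the process immediately afterwards, deleting the call and keeping the explanatory comment, or folding both shutdown sequences into one `static void nss_shutdown(void)` helper, would keep the reasoning in a single place. The rest of exitErr and main lie outside these hunks.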
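Review bot: `dbHandle = CERT_GetDefaultCertDB();` in the accept_connection hunk (@@ -837,9 +839,10 @@) is stored without a check and later handed to CERT_VerifyCertNow, while the file's other setup calls treat failure as fatal through exitErr; as far as I recall that call can return NULL when NSS is not initialised. One guard in the file's existing style keeps the contract explicit: `if (dbHandle == NULL) exitErr("CERT_GetDefaultCertDB");`. accept_connection continues outside this hunk.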
@@ -877,15 +880,31 @@ accept_connection(PRFileDesc *listenSocket) (addr.inet.ip >> 24) & 0xff, addr.inet.port); fflush (stdout); + + /* If our certificate is no longer valid (e.g. has expired), + then exit. The daemon, (stap-serverd) will generate a new + certificate and restart the connection. */ + secStatus = CERT_VerifyCertNow(dbHandle, cert, PR_TRUE/*checkSig*/, + certUsageSSLServer, NULL/*wincx*/); + if (secStatus != SECSuccess) + { + errWarn ("CERT_VerifyCertNow"); + break; + } } #if DEBUG fprintf(stderr, "Closing listen socket.\n"); + fflush (stderr); #endif prStatus = PR_Close(listenSocket); if (prStatus != PR_SUCCESS) exitErr("PR_Close"); +#if DEBUG + fprintf(stderr, "Closed listen socket.\n"); + fflush (stderr); +#endif return SECSuccess; } @@ -896,7 +915,7 @@ accept_connection(PRFileDesc *listenSocket) * */ static void -server_main(unsigned short port, SECKEYPrivateKey *privKey, CERTCertificate *cert) +server_main(unsigned short port, SECKEYPrivateKey *privKey) { SECStatus secStatus; PRStatus prStatus; @@ -1090,11 +1109,13 @@ main(int argc, char **argv) SSL_ConfigMPServerSIDCache(256, 0, 0, NULL); /* Launch server. */ - server_main(port, privKey, cert); + server_main(port, privKey); /* Shutdown NSS and exit NSPR gracefully. */ NSS_Shutdown(); +#if 0 /* PR_Cleanup is known to hang on some systems */ PR_Cleanup(); +#endif return 0; } diff --git a/stap-serverd b/stap-serverd index 5820286f..b93f5e41 100755 --- a/stap-serverd +++ b/stap-serverd @@ -20,13 +20,15 @@ trap 'terminate' SIGTERM SIGINT . ${PKGLIBEXECDIR}stap-env # PR11197: security prophylactics +set_ulimits=0 if [ -z "$STAP_PR11197_OVERRIDE" ]; then # 1) reject use as root, except via a special environment variable if [ `id -u` -eq 0 ]; then echo "For security reasons, invocation of stap-server as root is not supported." 1>&2 exit 1 fi - # 2) ... etc ... + # 2) resource limits should be set if the user is the 'stap-server' daemon + test `id -un` = "stap-server" && set_ulimits=1 fi 
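Review bot: The new CERT_VerifyCertNow check in accept_connection (@@ -877,15 +880,31 @@) leaves the loop with `break` and then falls through to `return SECSuccess;`, so the caller cannot tell a "certificate no longer valid, restart me" exit from an ordinary shutdown; returning SECFailure on that path (or keeping the status in a variable returned at the end) would let server_main and main propagate a non-zero exit status if they check it, which I cannot see from here. Because the check runs only after handle_connection has finished, a request that arrives after expiry is still served with the stale certificate before the process notices; running the same check before handle_connection, or at accept time as well, would close that window. `cert` is not a parameter of accept_connection and server_main's cert parameter is dropped in this commit, so it is presumably file-scope state now; a one-line comment at its definition saying the accept loop reads it would help the next reader. Parts of accept_connection lie outside this hunk.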
@@ -63,38 +65,6 @@ function initialization { # Where is the ssl certificate/key database? if test "X$ssl_db" = "X"; then ssl_db=$stap_ssl_db/server - # Update the certificate file if it is old. - if test -f $ssl_db/$stap_old_certfile; then - if ! test -e $ssl_db/$stap_certfile; then - mv $ssl_db/$stap_old_certfile $ssl_db/$stap_certfile - else - rm -fr $ssl_db/$stap_old_certfile - fi - fi - # If no certificate/key database has been specified, then find/create - # a local one. - if ! test -f $ssl_db/$stap_certfile; then - ${stap_pkglibexecdir}stap-gen-cert $ssl_db >> $logfile 2>&1 || exit 1 - # Now add the server's certificate to the client's database, - # making it a trusted peer. Do this only if the client has been installed. - if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \ - -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then - ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 - fi - else - echo "Certificate found in database $ssl_db" >> $logfile - certutil -L -d "$ssl_db" -n stap-server | \ - awk '/Validity|Not After|Not Before/ { print $0 }' | \ - sed 's/^ */ /' >> $logfile - if ! test -f $stap_ssl_db/client/cert8.db; then - # If the client's database does not exist, then initialize it with our certificate. - # Do this only if the client has been installed. - if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \ - -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then - ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 - fi - fi - fi fi nss_pw=$ssl_db/pw 
@@ -327,6 +297,46 @@ function process_r { fi } +# function: check_cert +# +# Ensure that our certificate exists and is valid. +# Generate a new one if not. +function check_cert { + # If our certificate exists, log some information about it. + if test -f $ssl_db/cert8.db; then + echo "Certificate found in database $ssl_db" >> $logfile + certutil -L -d "$ssl_db" -n $nss_cert | \ + awk '/Validity|Not After|Not Before/ { print $0 }' | \ + sed 's/^ */ /' >> $logfile + fi + + # If the certificate does not exist or the certificate + # is not valid, then generate a new one. + if test ! -d $ssl_db -o ! -f $ssl_db/$stap_certfile -o ! -f $ssl_db/cert8.db || \ + ! certutil -V -n $nss_cert -u V -d $ssl_db -e -f $nss_pw \ + -b `date +%g%m%d%H%M%S`+0005 >> $logfile 2>&1; then + # Our certificate does not exist or is not valid. + # Generate a new certificate database. + ${stap_pkglibexecdir}stap-gen-cert $ssl_db >> $logfile 2>&1 || exit 1 + + # Now add the new certificate to the client's database, + # making it a trusted peer for this user. + # Do this only if the client has been installed. + if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \ + -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 + fi + elif ! test -f $stap_ssl_db/client/cert8.db; then + # Our certificate exists and is valid. + # If the client's database does not exist, then initialize it with our certificate. + # Do this only if the client has been installed. + if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \ + -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 + fi + fi +} + # function: advertise_presence # # Advertise the availability of the server on the network. 
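Review bot: The validity probe in check_cert builds its reference time with `date +%g%m%d%H%M%S`, but `%g` is the ISO week-based year, which differs from the calendar year around 1 January (1 Jan 2010 prints `09`), so for a few days each year the server tests validity against the wrong year and may regenerate, or fail to regenerate, its certificate; `%y` is the two-digit calendar year. If I read certutil's manual right, the `-b` argument is `YYMMDDHHMMSS[+HHMM|-HHMM|Z]` where the suffix is a UTC offset rather than a look-ahead margin, so `+0005` does not give the five-minute grace the code appears to want and the local time from date(1) is read as if it were in the UTC+00:05 zone; if the intent is "still valid five minutes from now", something like `date -u -d '+5 minutes' +%y%m%d%H%M%SZ` (GNU date) states it unambiguously — please verify against the manual before changing it. Also `-d $ssl_db` and `-f $nss_pw` are unquoted while the `certutil -L` line just above quotes `"$ssl_db"`; quoting both keeps the function consistent.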
@@ -334,7 +344,7 @@ function advertise_presence { # Build up a strings representing our server's properties. # The service name must differ for each server, so put the port number # in it. - local service_name="Systemtap Compile Server on port $port" + service_name="Systemtap Compile Server on port $port" local sysinfo="sysinfo=$uname_r $arch" local optinfo="optinfo=" @@ -350,8 +360,6 @@ function advertise_presence { # Call avahi-publish-service to advertise our presence. avahi-publish-service "$service_name" \ $stap_avahi_service_tag $port "$sysinfo" "$optinfo" >> $logfile 2>&1 & - - echo "$service_name listening on port $port" >> $logfile } # function: listen @@ -362,14 +370,20 @@ function listen { # accepting requests. # CVE-2009-4273 ... or at least, until resource limits fire while true; do # NB: loop to avoid DoS by deliberate rlimit-induced halt + # Ensure that our certificate is valid. Generate a new one if + # not. + check_cert + # NB: impose resource limits in case of mischevious data inducing # too much / long computation - (ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000; + (test $set_ulimits = 1 && ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000; exec ${stap_pkglibexecdir}stap-server-connect \ -p $port -n $nss_cert -d $ssl_db -w $nss_pw \ -s "$stap_options") & stap_server_connect_pid=$! - wait + echo "$service_name ready" + wait $stap_server_connect_pid + # NB: avoid superfast spinning in case of a ulimit or other failure sleep 1 done >> $logfile 2>&1 diff --git a/stap-start-server b/stap-start-server index 1225902d..b3926b9c 100755 --- a/stap-start-server +++ b/stap-start-server @@ -18,7 +18,7 @@ startup_timeout=20 # start the server -${stap_pkglibexecdir}stap-serverd "$@" </dev/null >/dev/null 2>&1 & +${stap_pkglibexecdir}stap-serverd "$@" </dev/null & server_pid=$! # Make sure the server is started 
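Review bot: In the listen hunk (@@ -362,14 +370,20 @@) the limits are now applied as `test $set_ulimits = 1 && ulimit ...; exec ...`, so if `ulimit` itself fails (for instance a value above the current hard limit) the `;` still reaches the `exec` and stap-server-connect runs with no limits at all, silently undoing the CVE-2009-4273 mitigation the loop comment still describes. Making the limit step fatal for the subshell keeps the behaviour fail-closed: `if test $set_ulimits = 1; then ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000 || exit 1; fi` before the `exec` (the existing `sleep 1` then throttles the retry). `echo "$service_name ready"` relies on `service_name` having been set as a side effect of advertise_presence, whose `local` was dropped in the hunk at @@ -334,7 +344,7 @@; if listen can run without advertise_presence the message is empty, so a short comment next to that assignment noting it is shared with listen would help. The listen function starts before this hunk.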
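Review bot: Dropping `>/dev/null 2>&1` from the stap-serverd launch in stap-start-server (@@ -18,7 +18,7 @@) means the daemon inherits the caller's stdout and stderr for as long as it lives; stap-serverd's listen loop redirects into its log file, but anything printed outside that loop now lands on whoever started the server, and a closed pipe or terminal can turn those writes into SIGPIPE for a long-running daemon. If the goal is to surface start-up errors, redirecting to the log file here (`>> $logfile 2>&1`, if that variable is in scope in this script) or a comment documenting the deliberate reliance on the caller's descriptors would make the intent explicit; I cannot see from the hunk whether a log file variable is available to stap-start-server.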
@@ -30,6 +30,8 @@ do # Has the server started? if ! (ps -e | grep stap-serverd | grep $server_pid) >/dev/null 2>&1; then + # The stap-serverd script should start right away + test $server_started = 0 -a $attempt -gt 1 && break sleep 1 continue fi |