Got Mirror

Blob

Date:: Mon May 6 17:41:34 2024 UTC
Message:: don't leak the existence of gotd repositories to unrelated user accounts In particular, this prevents anonymous user accounts from discovering the existence of other private repositories served by gotd by correctly guessing the name of a private repository. They still wouldn't have read or write access but in some cases even knowledge about the existence of a particular repository could be cause for concern. ok op@
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
3  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/queue.h>
21 #include <sys/uio.h>
22 
23 #include <errno.h>
24 #include <event.h>
25 #include <limits.h>
26 #include <pwd.h>
27 #include <grp.h>
28 #include <sha1.h>
29 #include <sha2.h>
30 #include <signal.h>
31 #include <stdint.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <imsg.h>
36 #include <unistd.h>
37 
38 #include "got_error.h"
39 #include "got_path.h"
40 
41 #include "gotd.h"
42 #include "log.h"
43 #include "auth.h"
44 
45 static struct gotd_auth {
46 	pid_t pid;
47 	const char *title;
48 	struct gotd_repo *repo;
49 } gotd_auth;
50 
51 static void auth_shutdown(void);
52 
53 static void
54 auth_sighdlr(int sig, short event, void *arg)
55 {
56 	/*
57 	 * Normal signal handler rules don't apply because libevent
58 	 * decouples for us.
59 	 */
60 
61 	switch (sig) {
62 	case SIGHUP:
63 		break;
64 	case SIGUSR1:
65 		break;
66 	case SIGTERM:
67 	case SIGINT:
68 		auth_shutdown();
69 		/* NOTREACHED */
70 		break;
71 	default:
72 		fatalx("unexpected signal");
73 	}
74 }
75 
76 static int
77 uidcheck(const char *s, uid_t desired)
78 {
79 	uid_t uid;
80 
81 	if (gotd_parseuid(s, &uid) != 0)
82 		return -1;
83 	if (uid != desired)
84 		return -1;
85 	return 0;
86 }
87 
88 static int
89 parsegid(const char *s, gid_t *gid)
90 {
91 	struct group *gr;
92 	const char *errstr;
93 
94 	if ((gr = getgrnam(s)) != NULL) {
95 		*gid = gr->gr_gid;
96 		if (*gid == GID_MAX)
97 			return -1;
98 		return 0;
99 	}
100 	*gid = strtonum(s, 0, GID_MAX - 1, &errstr);
101 	if (errstr)
102 		return -1;
103 	return 0;
104 }
105 
106 static int
107 match_identifier(const char *identifier, gid_t *groups, int ngroups,
108     uid_t euid, gid_t egid)
109 {
110 	int i;
111 
112 	if (identifier[0] == ':') {
113 		gid_t rgid;
114 		if (parsegid(identifier + 1, &rgid) == -1)
115 			return 0;
116 		if (rgid == egid)
117 			return 1;
118 		for (i = 0; i < ngroups; i++) {
119 			if (rgid == groups[i])
120 				break;
121 		}
122 		if (i == ngroups)
123 			return 0;
124 	} else if (uidcheck(identifier, euid) != 0)
125 		return 0;
126 
127 	return 1;
128 }
129 
130 static const struct got_error *
131 auth_check(char **username, struct gotd_access_rule_list *rules,
132     const char *repo_name, uid_t euid, gid_t egid, int required_auth)
133 {
134 	struct gotd_access_rule *rule;
135 	enum gotd_access access = GOTD_ACCESS_DENIED;
136 	struct passwd *pw;
137 	gid_t groups[NGROUPS_MAX];
138 	int ngroups = NGROUPS_MAX;
139 	int matched_user = 0;
140 
141 	*username = NULL;
142 
143 	pw = getpwuid(euid);
144 	if (pw == NULL) {
145 		if (errno)
146 			return got_error_from_errno("getpwuid");
147 		else
148 			return got_error_set_errno(EACCES, repo_name);
149 	}
150 
151 	*username = strdup(pw->pw_name);
152 	if (*username == NULL)
153 		return got_error_from_errno("strdup");
154 
155 	if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
156 		log_warnx("group membership list truncated");
157 
158 	STAILQ_FOREACH(rule, rules, entry) {
159 		if (!match_identifier(rule->identifier, groups, ngroups,
160 		    euid, egid))
161 			continue;
162 
163 		matched_user = 1;
164 		access = rule->access;
165 		if (rule->access == GOTD_ACCESS_PERMITTED &&
166 		    (rule->authorization & required_auth) != required_auth)
167 			access = GOTD_ACCESS_DENIED;
168 	}
169 
170 	if (access == GOTD_ACCESS_DENIED) {
171 		/*
172 		 * If a user has no explicit read or write access then
173 		 * do not leak the existence of a repository to them.
174 		 */
175 		if (!matched_user)
176 			return got_error(GOT_ERR_NOT_GIT_REPO);
177 		else
178 			return got_error_set_errno(EACCES, repo_name);
179 	}
180 
181 	if (access == GOTD_ACCESS_PERMITTED)
182 		return NULL;
183 
184 	/* should not happen, this would be a bug */
185 	return got_error_msg(GOT_ERR_NOT_IMPL, "bad access rule");
186 }
187 
188 static const struct got_error *
189 recv_authreq(struct imsg *imsg, struct gotd_imsgev *iev)
190 {
191 	const struct got_error *err;
192 	struct imsgbuf *ibuf = &iev->ibuf;
193 	struct gotd_imsg_auth iauth;
194 	size_t datalen;
195 	uid_t euid;
196 	gid_t egid;
197 	char *username = NULL;
198 	size_t len;
199 	const size_t maxlen = MAX_IMSGSIZE - IMSG_HEADER_SIZE;
200 	int fd = -1;
201 
202 	log_debug("authentication request received");
203 
204 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
205 	if (datalen != sizeof(iauth))
206 		return got_error(GOT_ERR_PRIVSEP_LEN);
207 
208 	memcpy(&iauth, imsg->data, datalen);
209 
210 	fd = imsg_get_fd(imsg);
211 	if (fd == -1)
212 		return got_error(GOT_ERR_PRIVSEP_NO_FD);
213 
214 	if (getpeereid(fd, &euid, &egid) == -1)
215 		return got_error_from_errno("getpeerid");
216 
217 	if (iauth.euid != euid)
218 		return got_error(GOT_ERR_UID);
219 	if (iauth.egid != egid)
220 		return got_error(GOT_ERR_GID);
221 
222 	log_debug("authenticating uid %d gid %d", euid, egid);
223 
224 	err = auth_check(&username, &gotd_auth.repo->rules,
225 	    gotd_auth.repo->name, iauth.euid, iauth.egid, iauth.required_auth);
226 	if (err) {
227 		gotd_imsg_send_error(ibuf, PROC_AUTH, iauth.client_id, err);
228 		goto done;
229 	}
230 
231 	len = strlen(username);
232 	if (len > maxlen)
233 		len = maxlen;
234 
235 	if (gotd_imsg_compose_event(iev, GOTD_IMSG_ACCESS_GRANTED,
236 	    PROC_AUTH, -1, username, len) == -1)
237 		err = got_error_from_errno("imsg compose ACCESS_GRANTED");
238 done:
239 	free(username);
240 	return err;
241 }
242 
243 static void
244 auth_dispatch(int fd, short event, void *arg)
245 {
246 	const struct got_error *err = NULL;
247 	struct gotd_imsgev *iev = arg;
248 	struct imsgbuf *ibuf = &iev->ibuf;
249 	struct imsg imsg;
250 	ssize_t n;
251 	int shut = 0;
252 
253 	if (event & EV_READ) {
254 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
255 			fatal("imsg_read error");
256 		if (n == 0)	/* Connection closed. */
257 			shut = 1;
258 	}
259 
260 	if (event & EV_WRITE) {
261 		n = msgbuf_write(&ibuf->w);
262 		if (n == -1 && errno != EAGAIN)
263 			fatal("msgbuf_write");
264 		if (n == 0)	/* Connection closed. */
265 			shut = 1;
266 	}
267 
268 	for (;;) {
269 		if ((n = imsg_get(ibuf, &imsg)) == -1)
270 			fatal("%s: imsg_get", __func__);
271 		if (n == 0)	/* No more messages. */
272 			break;
273 
274 		switch (imsg.hdr.type) {
275 		case GOTD_IMSG_AUTHENTICATE:
276 			err = recv_authreq(&imsg, iev);
277 			if (err)
278 				log_warnx("%s", err->msg);
279 			break;
280 		default:
281 			log_debug("unexpected imsg %d", imsg.hdr.type);
282 			break;
283 		}
284 
285 		imsg_free(&imsg);
286 	}
287 
288 	if (!shut) {
289 		gotd_imsg_event_add(iev);
290 	} else {
291 		/* This pipe is dead. Remove its event handler */
292 		event_del(&iev->ev);
293 		event_loopexit(NULL);
294 	}
295 }
296 
297 void
298 auth_main(const char *title, struct gotd_repolist *repos,
299     const char *repo_path)
300 {
301 	struct gotd_repo *repo = NULL;
302 	struct gotd_imsgev iev;
303 	struct event evsigint, evsigterm, evsighup, evsigusr1;
304 
305 	gotd_auth.title = title;
306 	gotd_auth.pid = getpid();
307 	TAILQ_FOREACH(repo, repos, entry) {
308 		if (got_path_cmp(repo->path, repo_path,
309 		    strlen(repo->path), strlen(repo_path)) == 0)
310 			break;
311 	}
312 	if (repo == NULL)
313 		fatalx("repository %s not found in config", repo_path);
314 	gotd_auth.repo = repo;
315 
316 	signal_set(&evsigint, SIGINT, auth_sighdlr, NULL);
317 	signal_set(&evsigterm, SIGTERM, auth_sighdlr, NULL);
318 	signal_set(&evsighup, SIGHUP, auth_sighdlr, NULL);
319 	signal_set(&evsigusr1, SIGUSR1, auth_sighdlr, NULL);
320 	signal(SIGPIPE, SIG_IGN);
321 
322 	signal_add(&evsigint, NULL);
323 	signal_add(&evsigterm, NULL);
324 	signal_add(&evsighup, NULL);
325 	signal_add(&evsigusr1, NULL);
326 
327 	imsg_init(&iev.ibuf, GOTD_FILENO_MSG_PIPE);
328 	iev.handler = auth_dispatch;
329 	iev.events = EV_READ;
330 	iev.handler_arg = NULL;
331 	event_set(&iev.ev, iev.ibuf.fd, EV_READ, auth_dispatch, &iev);
332 	if (event_add(&iev.ev, NULL) == -1)
333 		fatalx("event add");
334 
335 	event_dispatch();
336 
337 	auth_shutdown();
338 }
339 
340 static void
341 auth_shutdown(void)
342 {
343 	log_debug("%s: shutting down", gotd_auth.title);
344 	exit(0);
345 }