From 7dfac00cffc08f62ca827c5fae1f04cb3920d625 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 01:57:09 +0100
Subject: net.server: Set sslctx to false when SSL wrapping fails, to avoid attempting to wrap clients with a broken context

---
 net/server.lua | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/server.lua b/net/server.lua
index e31333e2..b0e0eb78 100644
--- a/net/server.lua
+++ b/net/server.lua
@@ -189,6 +189,7 @@ wrapserver = function( listeners, socket, ip, serverport, pattern, sslctx, maxco
 end
 end
 if not ssl then
+ sslctx = false;
 out_put("server.lua: ", "ssl not enabled on ", serverport);
 end
-- 
cgit v1.2.3

From 49705c8ca43919c3c6474159a5474e18b2649193 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 02:32:00 +0100
Subject: mod_console: Set default_interface to 127.0.0.1

---
 plugins/mod_console.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/mod_console.lua b/plugins/mod_console.lua
index 3248ca8c..3e978900 100644
--- a/plugins/mod_console.lua
+++ b/plugins/mod_console.lua
@@ -14,7 +14,7 @@ local prosody = _G.prosody;
 local hosts = prosody.hosts;
 local connlisteners_register = require "net.connlisteners".register;
-local console_listener = { default_port = 5582; default_mode = "*l"; };
+local console_listener = { default_port = 5582; default_mode = "*l"; default_interface = "127.0.0.1" };
 require "util.iterators";
 local jid_bare = require "util.jid".bare;
-- 
cgit v1.2.3

From 43d40acd96caab4feff63dbb1797efa1158285ac Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 02:33:10 +0100
Subject: prosody: Correctly allow console ports to be changed through the config

---
 prosody | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/prosody b/prosody
index 404dc3ea..b6247f21 100755
--- a/prosody
+++ b/prosody
@@ -188,6 +188,7 @@ end
 -- start listening on sockets
 function net_activate_ports(option, listener, default, conntype)
+ if not cl.get(listener) then return; end
 local ports = config.get("*", "core", option.."_ports") or default;
 if type(ports) == "number" then ports = {ports} end;
@@ -215,10 +216,7 @@ net_activate_ports("c2s", "xmppclient", {5222}, (global_ssl_ctx and "tls") or "t
 net_activate_ports("s2s", "xmppserver", {5269}, "tcp");
 net_activate_ports("component", "xmppcomponent", {}, "tcp");
 net_activate_ports("legacy_ssl", "xmppclient", {}, "ssl");
-
-if cl.get("console") then
- cl.start("console", { interface = config.get("*", "core", "console_interface") or "127.0.0.1" })
-end
+net_activate_ports("console", "console", {5582}, "tcp");
 -- Catch global accesses --
 local locked_globals_mt = { __index = function (t, k) error("Attempt to read a non-existent global '"..k.."'", 2); end, __newindex = function (t, k, v) error("Attempt to set a global: "..tostring(k).." = "..tostring(v), 2); end }
-- 
cgit v1.2.3

From 70f4cd7cb7da874196044c896d338b9dcda60e7b Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 03:06:49 +0100
Subject: net.server: Remove listener from listeners table when calling removeserver

---
 net/server.lua | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/server.lua b/net/server.lua
index b0e0eb78..6ff39926 100644
--- a/net/server.lua
+++ b/net/server.lua
@@ -690,6 +690,7 @@ removeserver = function( port )
 return nil, "no server found on port '" .. tostring( port ) "'"
 end
 handler.close( )
+ _server[ port ] = nil
 return true
 end
-- 
cgit v1.2.3

From 1e86adb61962b913395c373d60982c0061a7b4e7 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 03:40:01 +0100
Subject: pposix: Add setgid() function

---
 util-src/pposix.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/util-src/pposix.c b/util-src/pposix.c
index 70c15281..993e6e87 100644
--- a/util-src/pposix.c
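Review bot: `net_activate_ports("console", "console", {5582}, "tcp");` replaces a `cl.start` call that explicitly defaulted `interface` to `"127.0.0.1"`, so the loopback-only default for the admin console now depends entirely on what net_activate_ports passes as the interface. The visible part of that function (the first hunk on this line) only reads `option.."_ports"`; the rest of its body is outside the hunk, so I cannot confirm it honours `console_interface` or the listener's `default_interface` (the mod_console change earlier in this series adds that field, which suggests it does). If it instead falls back to the server-wide `interface` setting, the console would be reachable on every address rather than loopback only. Once verified, a comment on the new line such as `-- console binds to console_interface, else the listener's default_interface (127.0.0.1)` would record the intent.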
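Review bot: The only error path of removeserver, the context line `return nil, "no server found on port '" .. tostring( port ) "'"`, is missing its second `..`: Lua parses `tostring( port ) "'"` as a call with a string argument on the value returned by tostring, so an unknown port raises "attempt to call a string value" instead of returning nil, err to the caller. The defect predates this commit, but since the hunk is the whole tail of the function it is worth fixing here as `return nil, "no server found on port '" .. tostring( port ) .. "'"`. The added `_server[ port ] = nil` is correct and makes a later `addserver` on the same port possible again. removeserver's first lines (the lookup that sets `handler`) are outside the hunk.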
+++ b/util-src/pposix.c
@@ -25,6 +25,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -291,6 +292,64 @@ int lc_setuid(lua_State* L)
 return 2;
 }
+int lc_setgid(lua_State* L)
+{
+ int gid = -1;
+ if(lua_gettop(L) < 1)
+ return 0;
+ if(!lua_isnumber(L, 1) && lua_tostring(L, 1))
+ {
+ /* Passed GID is actually a string, so look up the GID */
+ struct group *g;
+ g = getgrnam(lua_tostring(L, 1));
+ if(!g)
+ {
+ lua_pushboolean(L, 0);
+ lua_pushstring(L, "no-such-group");
+ return 2;
+ }
+ gid = g->gr_gid;
+ }
+ else
+ {
+ gid = lua_tonumber(L, 1);
+ }
+
+ if(gid>-1)
+ {
+ /* Ok, attempt setgid */
+ errno = 0;
+ if(setgid(gid))
+ {
+ /* Fail */
+ lua_pushboolean(L, 0);
+ switch(errno)
+ {
+ case EINVAL:
+ lua_pushstring(L, "invalid-gid");
+ break;
+ case EPERM:
+ lua_pushstring(L, "permission-denied");
+ break;
+ default:
+ lua_pushstring(L, "unknown-error");
+ }
+ return 2;
+ }
+ else
+ {
+ /* Success! */
+ lua_pushboolean(L, 1);
+ return 1;
+ }
+ }
+
+ /* Seems we couldn't find a valid GID to switch to */
+ lua_pushboolean(L, 0);
+ lua_pushstring(L, "invalid-gid");
+ return 2;
+}
+
 /* Like POSIX's setrlimit()/getrlimit() API functions.
 *
 * Syntax:
@@ -420,9 +479,13 @@ int luaopen_util_pposix(lua_State *L)
 lua_pushcfunction(L, lc_getuid);
 lua_setfield(L, -2, "getuid");
+ lua_pushcfunction(L, lc_getgid);
+ lua_setfield(L, -2, "getgid");
 lua_pushcfunction(L, lc_setuid);
 lua_setfield(L, -2, "setuid");
+ lua_pushcfunction(L, lc_setgid);
+ lua_setfield(L, -2, "setgid");
 lua_pushcfunction(L, lc_setrlimit);
 lua_setfield(L, -2, "setrlimit");
-- 
cgit v1.2.3

From 59c01041069ba69838a735694f7e05e85d9d14a5 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 03:47:06 +0100
Subject: pposix, mod_posix: Bump pposix version number

---
 plugins/mod_posix.lua | 2 +-
 util-src/pposix.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/mod_posix.lua b/plugins/mod_posix.lua
index c00482c5..0f46888d 100644
--- a/plugins/mod_posix.lua
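Review bot: The argument handling at the top of `lc_setgid` lets a non-string, non-number argument through as GID 0: for `nil`, a boolean or a table, `lua_isnumber` is false and `lua_tostring` returns NULL, so control reaches the `else` branch where `lua_tonumber(L, 1)` yields 0 and `setgid(0)` is attempted and reported as success. Checking the number case first and accepting only `LUA_TSTRING` for the name lookup leaves `gid == -1` for anything else, which the existing "invalid-gid" tail already handles. A second gap is that `setgid()` leaves the supplementary group list inherited from root untouched, and since the Lua side calls this immediately before `setuid()`, this is the last point at which `setgroups()` can still succeed; clearing it here (it needs `<grp.h>`, which the include hunk appears to add) closes that, and tolerating EPERM keeps the unprivileged call path working. Sketch below; the getgrnam lookup and the errno switch are unchanged.
```c
int lc_setgid(lua_State* L)
{
	int gid = -1;
	if(lua_gettop(L) < 1)
		return 0;
	if(lua_isnumber(L, 1))
	{
		gid = lua_tonumber(L, 1);
	}
	else if(lua_type(L, 1) == LUA_TSTRING)
	{
		/* … unchanged: getgrnam() lookup, "no-such-group" on failure … */
	}
	/* any other type leaves gid == -1 and reaches the "invalid-gid" return below */

	if(gid>-1)
	{
		/* setgid() does not touch the supplementary groups inherited from
		 * root, and once setuid() has dropped to an unprivileged uid they
		 * can no longer be cleared, so do it here. EPERM means we are not
		 * root, in which case there is nothing to drop. */
		if(setgroups(0, NULL) != 0 && errno != EPERM)
		{
			lua_pushboolean(L, 0);
			lua_pushstring(L, "unknown-error");
			return 2;
		}
		/* … unchanged: errno = 0; setgid(gid) and its errno mapping … */
	}
	/* … unchanged: "invalid-gid" fallthrough … */
}
```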
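Review bot: `lua_pushcfunction(L, lc_getgid);` in luaopen_util_pposix registers a function that this patch does not define; the only new C function in the commit is `lc_setgid`. Unless `lc_getgid` already exists earlier in pposix.c (outside these hunks), the module will not compile or link. If it does exist, its export is still new here and deserves a mention in the commit message alongside setgid, since Lua callers will start relying on `pposix.getgid()`.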
+++ b/plugins/mod_posix.lua
@@ -7,7 +7,7 @@
 --
-local want_pposix_version = "0.3.0";
+local want_pposix_version = "0.3.1";
 local pposix = assert(require "util.pposix");
 if pposix._VERSION ~= want_pposix_version then module:log("warn", "Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version); end
diff --git a/util-src/pposix.c b/util-src/pposix.c
index 993e6e87..d27a84b1 100644
--- a/util-src/pposix.c
+++ b/util-src/pposix.c
@@ -13,7 +13,7 @@
 * POSIX support functions for Lua
 */
-#define MODULE_VERSION "0.3.0"
+#define MODULE_VERSION "0.3.1"
 #include
 #include
-- 
cgit v1.2.3

From 3417c24b8854ccf3cad8249e80ab9c81bb2081a2 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 23 Jul 2009 03:58:14 +0100
Subject: prosodyctl: Also switch group when we switch user

---
 prosodyctl | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/prosodyctl b/prosodyctl
index 81a1bd16..358ec9ea 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -66,19 +66,28 @@ require "util.datamanager".set_data_path(data_path);
 -- Switch away from root and into the prosody user --
 local switched_user, current_uid;
+
+local want_pposix_version = "0.3.1";
 local ok, pposix = pcall(require, "util.pposix");
+
 if ok and pposix then
+ if pposix._VERSION ~= want_pposix_version then print(string.format("Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version)); return; end
 current_uid = pposix.getuid();
 if current_uid == 0 then
 -- We haz root!
 local desired_user = config.get("*", "core", "prosody_user") or "prosody";
- local ok, err = pposix.setuid(desired_user);
+ local desired_group = config.get("*", "core", "prosody_group") or desired_user;
+ local ok, err = pposix.setgid(desired_group);
 if ok then
- -- Yay!
- switched_user = true;
- else
+ ok, err = pposix.setuid(desired_user);
+ if ok then
+ -- Yay!
+ switched_user = true;
+ end
+ end
+ if not switched_user then
 -- Boo!
- print("Warning: Couldn't switch to Prosody user '"..tostring(desired_user).."': "..tostring(err));
+ print("Warning: Couldn't switch to Prosody user/group '"..tostring(desired_user).."'/'"..tostring(desired_group).."': "..tostring(err));
 end
 end
 else
-- 
cgit v1.2.3

From 23a10d0390865c0e359e3a2e8faa53bd332a2941 Mon Sep 17 00:00:00 2001
From: Matthias Diene
Date: Thu, 23 Jul 2009 12:01:00 +0100
Subject: net.server: Fail to open port if legacy SSL requested, but SSL not available

---
 net/server.lua | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/server.lua b/net/server.lua
index 6ff39926..6fe72712 100644
--- a/net/server.lua
+++ b/net/server.lua
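Review bot: The privilege drop `pposix.setgid(desired_group)` followed by `pposix.setuid(desired_user)` still leaves the process with root's supplementary group list, because setgid() only changes the real/effective GID and, once the UID is no longer 0, setgroups() is refused; the only window to clear it is between these two calls, and nothing visible in the pposix binding exposes setgroups/initgroups, so that has to be added there (or done inside setgid) for the drop to be complete. Separately, when setgid succeeds but setuid fails, the script prints the warning and carries on as root with a changed GID; for a tool that creates data files, a hard stop such as `return;` after the print (mirroring the new version-mismatch check above) seems safer, though continuing was also the behaviour before this change. The `if ok and pposix then` block that this hunk modifies closes outside the hunk.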
@@ -190,7 +190,12 @@ wrapserver = function( listeners, socket, ip, serverport, pattern, sslctx, maxco
 end
 if not ssl then
 sslctx = false;
- out_put("server.lua: ", "ssl not enabled on ", serverport);
+ if startssl then
+ out_error( "server.lua: Cannot start ssl on port: ", serverport )
+ return nil, "Cannot start ssl, see log for details"
+ else
+ out_put("server.lua: ", "ssl not enabled on ", serverport);
+ end
 end
 local accept = socket.accept
-- 
cgit v1.2.3
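Review bot: The new early `return nil, "Cannot start ssl, see log for details"` leaves the `socket` argument open: judging by `local accept = socket.accept` on the following context line it is an already-bound listening socket, so on this path nothing closes it and the port stays held (until garbage collection) by a listener that will never accept, which also makes a later retry on the same port fail with address-in-use. Closing it before returning, e.g. `socket:close( )` ahead of the `return nil, ...` line (the exact close call depends on the socket type, which is not visible here), avoids that. This also relies on the caller checking wrapserver's return; addserver is outside this hunk so I cannot confirm it does. wrapserver both starts and ends outside the hunk.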