From 4b2d6c8af69e54dc00a28f7fa5c649385bbabad4 Mon Sep 17 00:00:00 2001 From: Simone Mainardi Date: Tue, 3 Oct 2017 16:47:18 +0200 Subject: [PATCH] Hardening: more restrictive permissions of created files and dirs As top_talkers and alerts_db were created with root privileges, a chown may be required if the process is run with nobody -rw-r--r-- 1 root root 3.0K Oct 3 16:35 top_talkers.db Fixes #1486 --- scripts/callbacks/startup.lua | 63 ++--------------------------------- src/NetworkInterface.cpp | 16 +++++---- src/Ntop.cpp | 4 +-- src/Prefs.cpp | 14 -------- src/Utils.cpp | 4 +-- src/main.cpp | 14 ++++++++ 6 files changed, 29 insertions(+), 86 deletions(-) diff --git a/scripts/callbacks/startup.lua b/scripts/callbacks/startup.lua index d9d9d9c836..e183df0ce0 100644 --- a/scripts/callbacks/startup.lua +++ b/scripts/callbacks/startup.lua @@ -15,9 +15,8 @@ if(ntop.isPro()) then end require "lua_utils" -require "alert_utils" require "blacklist_utils" -require "db_utils" + local host_pools_utils = require "host_pools_utils" local http_bridge_conf_utils = require "http_bridge_conf_utils" @@ -55,41 +54,6 @@ if(ntop.isPro()) then shaper_utils.initShapers() end --- old host alerts were global and did not consider vlans --- this part of the script aims at converting old global alerts to per-interface, vlan aware alerts - --- convert host alert to include interfaces and vlans -for _, timespan in ipairs(alerts_granularity) do - granularity = timespan[1] - -- this is the old hash table that didn't include interfaces or vlans - local hash_name = "ntopng.prefs.alerts_"..granularity - -- grab the old hosts - local hosts = ntop.getHashKeysCache(hash_name) - if hosts ~= nil then - for h in pairs(hosts) do - local hash_val = ntop.getHashCache(hash_name, h) - -- if here, we need to migrate the old hosts. Assumptions are that hosts - -- will be set for _all_ interfaces and for vlan 0 - - -- h can be iface_2 or a subnet such as 192.168.2.0/24 or an host such as 192.168.2.2 - if not string.starts(h, "iface_") then - if not string.match(h, "/") then - -- this is an host so we want to add the vlan - h = h.."@0" - end - end - - for _, ifname in pairs(interface.getIfNames()) do - local ifid = getInterfaceId(ifname) - local new_hash_name = get_alerts_hash_name(granularity, ifname) - ntop.setHashCache(new_hash_name, h, hash_val) - end - end - -- remember to delete the hash with named hash_name - ntop.delCache(hash_name) - end -end - -- Use a specific bridging_policy_target_type default for previous user installations if isEmptyString(ntop.getPref("ntopng.prefs.bridging_policy_target_type")) then for _, ifname in pairs(interface.getIfNames()) do @@ -105,34 +69,11 @@ if isEmptyString(ntop.getPref("ntopng.prefs.bridging_policy_target_type")) then end end --- convert suppressed alerts to include interfaces and vlans -local hash_name = "ntopng.prefs.alerts" --- grab the old hosts -local suppressed_alerts = ntop.getHashKeysCache(hash_name) -if suppressed_alerts ~= nil then - for h in pairs(suppressed_alerts) do - -- h can be iface_2 or a subnet such as 192.168.2.0/24 or an host such as 192.168.2.2 - if not string.starts(h, "iface_") then - if not string.match(h, "/") then - -- this is an host so we want to add the vlan - h = h.."@0" - end - end - for _, ifname in pairs(interface.getIfNames()) do - local ifid = getInterfaceId(ifname) - local new_hash_name = "ntopng.prefs.alerts.ifid_"..tostring(ifid) - ntop.setHashCache(new_hash_name, h, "false") - end - end -end --- remember to delete the hash with named hash_name -ntop.delCache(hash_name) - -- ################################################################## initCustomnDPIProtoCategories() loadHostBlackList() -checkOpenFiles() + -- TODO: migrate custom re-arm settings -- this will retrieve host pools and policers configurtions via HTTP if enabled diff --git a/src/NetworkInterface.cpp b/src/NetworkInterface.cpp index f5a4034332..c042627348 100644 --- a/src/NetworkInterface.cpp +++ b/src/NetworkInterface.cpp @@ -211,15 +211,11 @@ NetworkInterface::NetworkInterface(const char *name, loadDumpPrefs(); loadScalingFactorPrefs(); - if(((statsManager = new StatsManager(id, STATS_MANAGER_STORE_NAME)) == NULL) - || ((alertsManager = new AlertsManager(id, ALERTS_MANAGER_STORE_NAME)) == NULL)) - throw "Not enough memory"; + statsManager = NULL, alertsManager = NULL; if((host_pools = new HostPools(this)) == NULL) throw "Not enough memory"; - alertLevel = alertsManager->getNumAlerts(true); - #ifdef linux /* A bit aggressive but as people usually @@ -5205,6 +5201,8 @@ void NetworkInterface::allocateNetworkStats() { try { networkStats = new NetworkStats[numNetworks]; + statsManager = new StatsManager(id, STATS_MANAGER_STORE_NAME); + alertsManager = new AlertsManager(id, ALERTS_MANAGER_STORE_NAME); } catch(std::bad_alloc& ba) { static bool oom_warning_sent = false; @@ -5212,9 +5210,13 @@ void NetworkInterface::allocateNetworkStats() { ntop->getTrace()->traceEvent(TRACE_WARNING, "Not enough memory"); oom_warning_sent = true; } - - networkStats = NULL; } + + if(alertsManager) + alertLevel = alertsManager->getNumAlerts(true); + else + alertLevel = 0; + } /* **************************************** */ diff --git a/src/Ntop.cpp b/src/Ntop.cpp index f629ca5402..3f2956b28b 100644 --- a/src/Ntop.cpp +++ b/src/Ntop.cpp @@ -94,7 +94,7 @@ Ntop::Ntop(char *appName) { /* Folder will be created lazily, avoid creating it now */ snprintf(working_dir, sizeof(working_dir), "%s/ntopng", CONST_DEFAULT_WRITABLE_DIR); - umask(0); + //umask(0); if(getcwd(startup_dir, sizeof(startup_dir)) == NULL) ntop->getTrace()->traceEvent(TRACE_ERROR, @@ -1384,7 +1384,7 @@ void Ntop::daemonize() { /* * clear any inherited file mode creation mask */ - umask(0); + //umask(0); /* * Use line buffered stdout diff --git a/src/Prefs.cpp b/src/Prefs.cpp index f46c1fa958..c752ba21f9 100755 --- a/src/Prefs.cpp +++ b/src/Prefs.cpp @@ -1162,20 +1162,6 @@ int Prefs::setOption(int optkey, char *optarg) { /* ******************************************* */ int Prefs::checkOptions() { -#ifndef WIN32 - if(daemonize) -#endif - { - char path[MAX_PATH]; - - ntop_mkdir(data_dir, 0777); - ntop_mkdir(ntop->get_working_dir(), 0777); - snprintf(path, sizeof(path), "%s/ntopng.log", ntop->get_working_dir() /* "C:\\Windows\\Temp" */); - ntop->fixPath(path); - ntop->registerLogFile(path); - ntop->rotateLogs(true /* Force rotation to start clean */); - } - if(install_dir) ntop->set_install_dir(install_dir); diff --git a/src/Utils.cpp b/src/Utils.cpp index 6461fe798e..8938316cf1 100755 --- a/src/Utils.cpp +++ b/src/Utils.cpp @@ -310,7 +310,7 @@ bool Utils::mkdir_tree(char *path) { ntop->fixPath(path); if(stat(path, &s) != 0) { - int permission = 0777; + int permission = 0700; /* Start at 1 to skip the root */ for(int i=1; path[i] != '\0'; i++) @@ -448,7 +448,7 @@ int Utils::dropPrivileges() { ntop->getTrace()->traceEvent(TRACE_WARNING, "Unable to locate user %s", username); return -1; } - umask(0); + // umask(0); #endif return 0; } diff --git a/src/main.cpp b/src/main.cpp index 048b753719..04b91d8cb1 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -361,6 +361,20 @@ int main(int argc, char *argv[]) unlink(path); } +#ifndef WIN32 + if(prefs->daemonize_ntopng()) +#endif + { + char path[MAX_PATH]; + + Utils::mkdir_tree(ntop->get_data_dir()); + Utils::mkdir_tree(ntop->get_working_dir()); + snprintf(path, sizeof(path), "%s/ntopng.log", ntop->get_working_dir() /* "C:\\Windows\\Temp" */); + ntop->fixPath(path); + ntop->registerLogFile(path); + ntop->rotateLogs(true /* Force rotation to start clean */); + } + if(prefs->get_httpbl_key() != NULL) ntop->setHTTPBL(new HTTPBL(prefs->get_httpbl_key()));