Loading docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -508,6 +508,7 @@ v71.1 nfqws,tpws: much faster ipset implementation. move from hash to avl tree nfqws,tpws: check list files accessibility with dropped privs in --dry-run mode nfqws,tpws: --debug=android for NDK builds nfqws,tpws: use initgroups instead of setgroups if --user specified nfqws: --filter-ssid (linux-only) install_easy: stop if running embedded release on traditional linux system (some files missing) install_bin: add "read elf" arch detection method nfq/nfqws.c +14 −46 Original line number Diff line number Diff line Loading @@ -297,7 +297,7 @@ static int nfq_main(void) return 1; } if (params.droproot && !droproot(params.uid, params.gid, params.gid_count) || !dropcaps()) if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count) || !dropcaps()) goto err; print_id(); if (params.droproot && !test_list_files()) Loading Loading @@ -439,7 +439,7 @@ static int dvt_main(void) goto exiterr; if (params.droproot && !droproot(params.uid, params.gid, params.gid_count)) if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) Loading Loading @@ -661,34 +661,9 @@ static int win_main(const char *windivert_filter) #if !defined( __OpenBSD__) && !defined(__ANDROID__) static void cleanup_args() { wordfree(¶ms.wexp); } #endif static void cleanup_params(void) { #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(); #endif ConntrackPoolDestroy(¶ms.conntrack); dp_list_destroy(¶ms.desync_profiles); hostlist_files_destroy(¶ms.hostlists); ipset_files_destroy(¶ms.ipsets); ipcacheDestroy(¶ms.ipcache); #ifdef __CYGWIN__ strlist_destroy(¶ms.ssid_filter); strlist_destroy(¶ms.nlm_filter); #endif } static void exit_clean(int code) { cleanup_params(); cleanup_params(¶ms); exit(code); } Loading Loading 
@@ -1667,7 +1642,7 @@ static void exithelp(void) } static void exithelp_clean(void) { cleanup_params(); cleanup_params(¶ms); exithelp(); } Loading Loading @@ -2163,6 +2138,7 @@ int main(int argc, char **argv) #ifndef __CYGWIN__ case IDX_USER: { free(params.user); params.user=NULL; struct passwd *pwd = getpwnam(optarg); if (!pwd) { Loading @@ -2170,27 +2146,18 @@ int main(int argc, char **argv) exit_clean(1); } params.uid = pwd->pw_uid; params.gid_count=MAX_GIDS; #ifdef __APPLE__ // silence warning if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,¶ms.gid_count)<0) #else if (getgrouplist(optarg,pwd->pw_gid,params.gid,¶ms.gid_count)<0) #endif { DLOG_ERR("getgrouplist failed. too much groups ?\n"); exit_clean(1); } if (!params.gid_count) { params.gid[0]=pwd->pw_gid; params.gid_count=1; if (!(params.user=strdup(optarg))) { DLOG_ERR("strdup: out of memory\n"); exit_clean(1); } params.droproot = true; break; } case IDX_UID: params.droproot = true; free(params.user); params.user=NULL; if (!parse_uid(optarg,¶ms.uid,params.gid,¶ms.gid_count,MAX_GIDS)) { DLOG_ERR("--uid should be : uid[:gid,gid,...]\n"); Loading @@ -2201,6 +2168,7 @@ int main(int argc, char **argv) params.gid[0] = 0x7FFFFFFF; params.gid_count = 1; } params.droproot = true; break; #endif case IDX_WSIZE: Loading Loading @@ -2999,7 +2967,7 @@ int main(int argc, char **argv) // do not need args from file anymore #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(); cleanup_args(¶ms); #endif argv=NULL; argc=0; Loading Loading @@ -3142,7 +3110,7 @@ int main(int argc, char **argv) #ifndef __CYGWIN__ if (params.droproot) { if (!droproot(params.uid,params.gid,params.gid_count)) if (!droproot(params.uid,params.user,params.gid,params.gid_count)) exit_clean(1); #ifdef __linux__ if (!dropcaps()) Loading Loading 
@@ -3177,7 +3145,7 @@ int main(int argc, char **argv) #endif ex: rawsend_cleanup(); cleanup_params(); cleanup_params(¶ms); #ifdef __CYGWIN__ if (hMutexArg) { Loading nfq/params.c +29 −0 Original line number Diff line number Diff line Loading @@ -345,3 +345,32 @@ bool dp_list_need_all_out(struct desync_profile_list_head *head) return true; return false; } #if !defined( __OpenBSD__) && !defined(__ANDROID__) void cleanup_args(struct params_s *params) { wordfree(¶ms->wexp); } #endif void cleanup_params(struct params_s *params) { #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(params); #endif ConntrackPoolDestroy(¶ms->conntrack); dp_list_destroy(¶ms->desync_profiles); hostlist_files_destroy(¶ms->hostlists); ipset_files_destroy(¶ms->ipsets); ipcacheDestroy(¶ms->ipcache); #ifdef __CYGWIN__ strlist_destroy(¶ms->ssid_filter); strlist_destroy(¶ms->nlm_filter); #else free(params->user); params->user=NULL; #endif } nfq/params.h +5 −0 Original line number Diff line number Diff line Loading @@ -200,6 +200,7 @@ struct params_s struct str_list_head ssid_filter,nlm_filter; #else bool droproot; char *user; uid_t uid; gid_t gid[MAX_GIDS]; int gid_count; Loading Loading @@ -229,6 +230,10 @@ struct params_s extern struct params_s params; extern const char *progname; #if !defined( __OpenBSD__) && !defined(__ANDROID__) void cleanup_args(struct params_s *params); #endif void cleanup_params(struct params_s *params); int DLOG(const char *format, ...); int DLOG_ERR(const char *format, ...); Loading nfq/sec.c +17 −5 Original line number Diff line number Diff line Loading @@ -295,7 +295,7 @@ bool can_drop_root(void) #endif } bool droproot(uid_t uid, gid_t *gid, int gid_count) bool droproot(uid_t uid, const char *user, const gid_t *gid, int gid_count) { if (gid_count<1) { Loading 
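Review bot: The rewritten `case IDX_USER` (hunk @@ -2170) silently depends on `params.gid[0]` holding the account's primary gid, because `droproot()` now hands `gid[0]` to `initgroups()` whenever `params.user` is set; the rendering suggests `params.gid[0]=pwd->pw_gid; params.gid_count=1;` survives as context, but that dependency is invisible at the call site, so add `// gid[0] must stay the primary gid: droproot() passes it to initgroups() when params.user is set` beside those assignments. With `--user` the supplementary set is now resolved by the OS at drop time rather than parsed here, so `gid_count` is only meaningful on the `--uid` path and the help text for the two options should say so. Separately, the touched condition in `nfq_main` (hunk @@ -297) still reads `params.droproot && !droproot(...) || !dropcaps()` without parentheses; since the line is being rewritten anyway, `if ((params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count)) || !dropcaps())` makes the intended precedence explicit (dvt_main never calls dropcaps, so I can't tell from here whether the unconditional `dropcaps()` is deliberate). main() and nfq_main() both extend outside the hunks.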
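Review bot: `cleanup_params()` frees `params->user` only in the `#else` branch of `#ifdef __CYGWIN__`, which matches the struct layout in params.h where `char *user` exists only outside Cygwin; that cross-file coupling deserves a comment on the `#else`, e.g. `// user exists only in the non-Cygwin layout of struct params_s`. `cleanup_args()` is now called twice on the config-file path (once in main() after parsing, again from `cleanup_params()` at the `ex:` label), so the second `wordfree(&params->wexp)` relies on the libc resetting `we_wordv` to NULL; that appears to be pre-existing behaviour rather than new, but now that the function is exported it is worth a line such as `// safe to call repeatedly: wordfree() resets we_wordv on the libcs we build against`. The `#if !defined( __OpenBSD__) && !defined(__ANDROID__)` guard is now repeated in params.h, params.c and at the nfqws.c call site; a single named feature macro would keep the three in step.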
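Review bot: The new `char *user;` member of `struct params_s` carries an ownership contract that nothing on the declaration states: it is `strdup`'d by the `--user` handler, reset to NULL by `--uid`, read by `droproot()` and released by `cleanup_params()`. Document it in place, `char *user; // strdup'd account name from --user, NULL when --uid was given; owned here, freed by cleanup_params()`, so any future option touching uid/gid keeps the invariant. The newly exported `cleanup_args`/`cleanup_params` prototypes would also benefit from a one-line comment each naming which params fields they release, since callers in nfqws.c can no longer see the bodies.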
@@ -309,12 +309,24 @@ bool droproot(uid_t uid, gid_t *gid, int gid_count) return false; } #endif // drop all SGIDs if (user) { // macos has strange supp gid handling. they cache only 16 groups and fail setgroups if more than 16 gids specified. // better to leave it to the os if (initgroups(user,gid[0])) { DLOG_PERROR("initgroups"); return false; } } else { if (setgroups(gid_count,gid)) { DLOG_PERROR("setgroups"); return false; } } if (setgid(gid[0])) { DLOG_PERROR("setgid"); Loading Loading
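Review bot: The new `if (user)` branch in `droproot()` ignores `gid_count` and `gid[1..]` entirely and lets `initgroups()` derive the supplementary set from the group database with `gid[0]` as the base group, while the `else` branch applies the caller's explicit list; that asymmetry is the point of the change but is not stated at the signature. Add above the function: `// user != NULL: supplementary groups come from initgroups(user, gid[0]) and gid_count is ignored; user == NULL: setgroups() applies the explicit gid list.` The macOS comment would be clearer if it named the fallback, e.g. `// macOS caches only 16 supplementary groups and setgroups() fails above that, so let initgroups() resolve the list`. Both branches fail closed and run before `setgid`/`setuid` while privilege is still held, which is the correct order; the rest of droproot, including the setuid call and any check that privilege cannot be regained, is outside the hunk so I can't confirm it here.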
docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -508,6 +508,7 @@ v71.1 nfqws,tpws: much faster ipset implementation. move from hash to avl tree nfqws,tpws: check list files accessibility with dropped privs in --dry-run mode nfqws,tpws: --debug=android for NDK builds nfqws,tpws: use initgroups instead of setgroups if --user specified nfqws: --filter-ssid (linux-only) install_easy: stop if running embedded release on traditional linux system (some files missing) install_bin: add "read elf" arch detection method
nfq/nfqws.c +14 −46 Original line number Diff line number Diff line Loading @@ -297,7 +297,7 @@ static int nfq_main(void) return 1; } if (params.droproot && !droproot(params.uid, params.gid, params.gid_count) || !dropcaps()) if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count) || !dropcaps()) goto err; print_id(); if (params.droproot && !test_list_files()) Loading Loading @@ -439,7 +439,7 @@ static int dvt_main(void) goto exiterr; if (params.droproot && !droproot(params.uid, params.gid, params.gid_count)) if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) Loading Loading @@ -661,34 +661,9 @@ static int win_main(const char *windivert_filter) #if !defined( __OpenBSD__) && !defined(__ANDROID__) static void cleanup_args() { wordfree(¶ms.wexp); } #endif static void cleanup_params(void) { #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(); #endif ConntrackPoolDestroy(¶ms.conntrack); dp_list_destroy(¶ms.desync_profiles); hostlist_files_destroy(¶ms.hostlists); ipset_files_destroy(¶ms.ipsets); ipcacheDestroy(¶ms.ipcache); #ifdef __CYGWIN__ strlist_destroy(¶ms.ssid_filter); strlist_destroy(¶ms.nlm_filter); #endif } static void exit_clean(int code) { cleanup_params(); cleanup_params(¶ms); exit(code); } Loading Loading @@ -1667,7 +1642,7 @@ static void exithelp(void) } static void exithelp_clean(void) { cleanup_params(); cleanup_params(¶ms); exithelp(); } Loading Loading @@ -2163,6 +2138,7 @@ int main(int argc, char **argv) #ifndef __CYGWIN__ case IDX_USER: { free(params.user); params.user=NULL; struct passwd *pwd = getpwnam(optarg); if (!pwd) { Loading 
@@ -2170,27 +2146,18 @@ int main(int argc, char **argv) exit_clean(1); } params.uid = pwd->pw_uid; params.gid_count=MAX_GIDS; #ifdef __APPLE__ // silence warning if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,¶ms.gid_count)<0) #else if (getgrouplist(optarg,pwd->pw_gid,params.gid,¶ms.gid_count)<0) #endif { DLOG_ERR("getgrouplist failed. too much groups ?\n"); exit_clean(1); } if (!params.gid_count) { params.gid[0]=pwd->pw_gid; params.gid_count=1; if (!(params.user=strdup(optarg))) { DLOG_ERR("strdup: out of memory\n"); exit_clean(1); } params.droproot = true; break; } case IDX_UID: params.droproot = true; free(params.user); params.user=NULL; if (!parse_uid(optarg,¶ms.uid,params.gid,¶ms.gid_count,MAX_GIDS)) { DLOG_ERR("--uid should be : uid[:gid,gid,...]\n"); Loading @@ -2201,6 +2168,7 @@ int main(int argc, char **argv) params.gid[0] = 0x7FFFFFFF; params.gid_count = 1; } params.droproot = true; break; #endif case IDX_WSIZE: Loading Loading @@ -2999,7 +2967,7 @@ int main(int argc, char **argv) // do not need args from file anymore #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(); cleanup_args(¶ms); #endif argv=NULL; argc=0; Loading Loading @@ -3142,7 +3110,7 @@ int main(int argc, char **argv) #ifndef __CYGWIN__ if (params.droproot) { if (!droproot(params.uid,params.gid,params.gid_count)) if (!droproot(params.uid,params.user,params.gid,params.gid_count)) exit_clean(1); #ifdef __linux__ if (!dropcaps()) Loading Loading @@ -3177,7 +3145,7 @@ int main(int argc, char **argv) #endif ex: rawsend_cleanup(); cleanup_params(); cleanup_params(¶ms); #ifdef __CYGWIN__ if (hMutexArg) { Loading
nfq/params.c +29 −0 Original line number Diff line number Diff line Loading @@ -345,3 +345,32 @@ bool dp_list_need_all_out(struct desync_profile_list_head *head) return true; return false; } #if !defined( __OpenBSD__) && !defined(__ANDROID__) void cleanup_args(struct params_s *params) { wordfree(¶ms->wexp); } #endif void cleanup_params(struct params_s *params) { #if !defined( __OpenBSD__) && !defined(__ANDROID__) cleanup_args(params); #endif ConntrackPoolDestroy(¶ms->conntrack); dp_list_destroy(¶ms->desync_profiles); hostlist_files_destroy(¶ms->hostlists); ipset_files_destroy(¶ms->ipsets); ipcacheDestroy(¶ms->ipcache); #ifdef __CYGWIN__ strlist_destroy(¶ms->ssid_filter); strlist_destroy(¶ms->nlm_filter); #else free(params->user); params->user=NULL; #endif }
nfq/params.h +5 −0 Original line number Diff line number Diff line Loading @@ -200,6 +200,7 @@ struct params_s struct str_list_head ssid_filter,nlm_filter; #else bool droproot; char *user; uid_t uid; gid_t gid[MAX_GIDS]; int gid_count; Loading Loading @@ -229,6 +230,10 @@ struct params_s extern struct params_s params; extern const char *progname; #if !defined( __OpenBSD__) && !defined(__ANDROID__) void cleanup_args(struct params_s *params); #endif void cleanup_params(struct params_s *params); int DLOG(const char *format, ...); int DLOG_ERR(const char *format, ...); Loading
nfq/sec.c +17 −5 Original line number Diff line number Diff line Loading @@ -295,7 +295,7 @@ bool can_drop_root(void) #endif } bool droproot(uid_t uid, gid_t *gid, int gid_count) bool droproot(uid_t uid, const char *user, const gid_t *gid, int gid_count) { if (gid_count<1) { Loading @@ -309,12 +309,24 @@ bool droproot(uid_t uid, gid_t *gid, int gid_count) return false; } #endif // drop all SGIDs if (user) { // macos has strange supp gid handling. they cache only 16 groups and fail setgroups if more than 16 gids specified. // better to leave it to the os if (initgroups(user,gid[0])) { DLOG_PERROR("initgroups"); return false; } } else { if (setgroups(gid_count,gid)) { DLOG_PERROR("setgroups"); return false; } } if (setgid(gid[0])) { DLOG_PERROR("setgid"); Loading