[ipfire-2.x.git] / src / misc-progs / sshctrl.c

/* SmoothWall helper program - sshctrl
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence.  See the file COPYING for details.
 *
 * (c) Mark Wormgoor, 2001
 * Simple program intended to be installed setuid(0) that can be used for
 * restarting SSHd. 
 * 
 * $Id: sshctrl.c,v 1.3 2003/12/11 10:57:34 riddles Exp $
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include "libsmooth.h"
#include "setuid.h"

#define BUFFER_SIZE 1024

char command[BUFFER_SIZE]; 

int main(int argc, char *argv[])
{
	if (argc < 2) {
				int fd, config_fd, rc, pid;
				char buffer[STRING_SIZE], command[STRING_SIZE] = "/bin/sed -e '";
				struct keyvalue *kv = NULL;

				if (!(initsetuid()))
						exit(1);

				kv = initkeyvalues();
				if (!readkeyvalues(kv, CONFIG_ROOT "/remote/settings")){
						fprintf(stderr, "Cannot read remote access settings\n");
						exit(1);
				}

				/* By using O_CREAT with O_EXCL open() will fail if the file already exists,
				* this prevents 2 copies of sshctrl both trying to edit the config file
				* at once. It also prevents race conditions, but these shouldn't be
				* possible as /etc/ssh/ should only be writable by root anyhow
				*/

				if ((config_fd = open( "/etc/ssh/sshd_config.new", O_WRONLY|O_CREAT|O_EXCL, 0644 )) == -1 ){
						perror("Unable to open new config file");
						freekeyvalues(kv);
						exit(1);
				}

				strlcat(command, "s/^Protocol .*$/Protocol 2/;", STRING_SIZE - 1 );

				if(findkey(kv, "ENABLE_SSH_KEYS", buffer) && !strcmp(buffer,"off"))
						strlcat(command, "s/^RSAAuthentication .*$/RSAAuthentication no/;"		"s/^PubkeyAuthentication .*$/PubkeyAuthentication no/;", STRING_SIZE - 1 );
				else
						strlcat(command, "s/^RSAAuthentication .*$/RSAAuthentication yes/;"		"s/^PubkeyAuthentication .*$/PubkeyAuthentication yes/;", STRING_SIZE - 1 );

				if(findkey(kv, "ENABLE_SSH_PASSWORDS", buffer) && !strcmp(buffer,"off"))
						strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication no/;", STRING_SIZE - 1 );
				else
						strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication yes/;", STRING_SIZE - 1 );

				if(findkey(kv, "ENABLE_SSH_PORTFW", buffer) && !strcmp(buffer,"on"))
						strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding yes/;", STRING_SIZE - 1 );
				else
						strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding no/;", STRING_SIZE - 1 );
						
				if(findkey(kv, "SSH_PORT", buffer) && !strcmp(buffer,"on"))
						strlcat(command, "s/^Port .*$/Port 22/;", STRING_SIZE - 1 );
				else
						strlcat(command, "s/^Port .*$/Port 222/;", STRING_SIZE - 1 );

				if(findkey(kv, "SSH_AGENT_FORWARDING", buffer) && !strcmp(buffer,"on"))
						strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;", STRING_SIZE - 1 );
				else
						strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;", STRING_SIZE - 1 );

				freekeyvalues(kv);

				snprintf(buffer, STRING_SIZE - 1, "' /etc/ssh/sshd_config >&%d", config_fd );
				strlcat(command, buffer, STRING_SIZE - 1);

				if((rc = unpriv_system(command,99,99)) != 0){
						fprintf(stderr, "sed returned bad exit code: %d\n", rc);
						close(config_fd);
						unlink("/etc/ssh/sshd_config.new");
						exit(1);
				}

				close(config_fd);
				if (rename("/etc/ssh/sshd_config.new","/etc/ssh/sshd_config") != 0){
						perror("Unable to replace old config file");
						unlink("/etc/ssh/sshd_config.new");
						exit(1);
				}

				memset(buffer, 0, STRING_SIZE);

				if ((fd = open("/var/run/sshd.pid", O_RDONLY)) != -1){
						if (read(fd, buffer, STRING_SIZE - 1) == -1)
								fprintf(stderr, "Couldn't read from pid file\n");
						else{
								pid = atoi(buffer);
								if (pid <= 1)
										fprintf(stderr, "Bad pid value\n");
								else{
										if (kill(pid, SIGTERM) == -1)
												fprintf(stderr, "Unable to send SIGTERM\n");
										else
												unlink("/var/run/sshd.pid");
										}
								}
						close(fd);
				}
				else{
						if (errno != ENOENT){
								perror("Unable to open pid file");
								exit(1);
						}
				}

				if ((fd = open(CONFIG_ROOT "/remote/enablessh", O_RDONLY)) != -1){
						close(fd);
						safe_system("/usr/sbin/sshd");
				}

				return 0;
	}
	else if (strcmp(argv[1], "tempstart") == 0) {
				safe_system("/usr/local/bin/sshctrl");
				sleep(5);
				unlink("/var/ipfire/remote/enablessh");
				safe_system("cat /var/ipfire/remote/settings | sed 's/ENABLE_SSH=on/ENABLE_SSH=off/' > /var/ipfire/remote/settings2 && mv /var/ipfire/remote/settings2 /var/ipfire/remote/settings");
        safe_system("chown nobody.nobody /var/ipfire/remote/settings");
				snprintf(command, BUFFER_SIZE-1, "sleep %s && /usr/local/bin/sshctrl &", argv[2]);
				safe_system(command);
	}
}
Commit	Line	Data
900832fa	1	/* SmoothWall helper program - sshctrl
70db8683 CS	2	*
	3	* This program is distributed under the terms of the GNU General Public
	4	* Licence. See the file COPYING for details.
	5	*
	6	* (c) Mark Wormgoor, 2001
	7	* Simple program intended to be installed setuid(0) that can be used for
	8	* restarting SSHd.
	9	*
900832fa	10	* $Id: sshctrl.c,v 1.3 2003/12/11 10:57:34 riddles Exp $
70db8683 CS	11	*
	12	*/
	13
	14	#include <stdio.h>
	15	#include <stdlib.h>
	16	#include <unistd.h>
	17	#include <string.h>
	18	#include <sys/types.h>
	19	#include <fcntl.h>
	20	#include <signal.h>
	21	#include <errno.h>
	22	#include "libsmooth.h"
	23	#include "setuid.h"
	24
ca4c317c CS	25	#define BUFFER_SIZE 1024
	26
	27	char command[BUFFER_SIZE];
	28
70db8683 CS	29	int main(int argc, char *argv[])
70db8683 CS	30	{
ca4c317c CS	31	if (argc < 2) {
	32	int fd, config_fd, rc, pid;
	33	char buffer[STRING_SIZE], command[STRING_SIZE] = "/bin/sed -e '";
	34	struct keyvalue *kv = NULL;
	35
	36	if (!(initsetuid()))
	37	exit(1);
	38
	39	kv = initkeyvalues();
	40	if (!readkeyvalues(kv, CONFIG_ROOT "/remote/settings")){
	41	fprintf(stderr, "Cannot read remote access settings\n");
	42	exit(1);
	43	}
	44
	45	/* By using O_CREAT with O_EXCL open() will fail if the file already exists,
	46	* this prevents 2 copies of sshctrl both trying to edit the config file
	47	* at once. It also prevents race conditions, but these shouldn't be
	48	* possible as /etc/ssh/ should only be writable by root anyhow
	49	*/
	50
	51	if ((config_fd = open( "/etc/ssh/sshd_config.new", O_WRONLY\|O_CREAT\|O_EXCL, 0644 )) == -1 ){
	52	perror("Unable to open new config file");
	53	freekeyvalues(kv);
	54	exit(1);
	55	}
	56
701b39d8	57	strlcat(command, "s/^Protocol .*$/Protocol 2/;", STRING_SIZE - 1 );
70db8683	58
ca4c317c CS	59	if(findkey(kv, "ENABLE_SSH_KEYS", buffer) && !strcmp(buffer,"off"))
	60	strlcat(command, "s/^RSAAuthentication .$/RSAAuthentication no/;" "s/^PubkeyAuthentication .$/PubkeyAuthentication no/;", STRING_SIZE - 1 );
	61	else
	62	strlcat(command, "s/^RSAAuthentication .$/RSAAuthentication yes/;" "s/^PubkeyAuthentication .$/PubkeyAuthentication yes/;", STRING_SIZE - 1 );
70db8683	63
ca4c317c CS	64	if(findkey(kv, "ENABLE_SSH_PASSWORDS", buffer) && !strcmp(buffer,"off"))
	65	strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication no/;", STRING_SIZE - 1 );
	66	else
	67	strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication yes/;", STRING_SIZE - 1 );
70db8683	68
ca4c317c	69	if(findkey(kv, "ENABLE_SSH_PORTFW", buffer) && !strcmp(buffer,"on"))
51d1705b	70	strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding yes/;", STRING_SIZE - 1 );
70db8683	71	else
51d1705b JPT	72	strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding no/;", STRING_SIZE - 1 );
	73
	74	if(findkey(kv, "SSH_PORT", buffer) && !strcmp(buffer,"on"))
5e39f3c0	75	strlcat(command, "s/^Port .*$/Port 22/;", STRING_SIZE - 1 );
51d1705b	76	else
5e39f3c0	77	strlcat(command, "s/^Port .*$/Port 222/;", STRING_SIZE - 1 );
ca4c317c	78
f9de28e6 PM	79	if(findkey(kv, "SSH_AGENT_FORWARDING", buffer) && !strcmp(buffer,"on"))
	80	strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;", STRING_SIZE - 1 );
	81	else
	82	strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;", STRING_SIZE - 1 );
	83
ca4c317c CS	84	freekeyvalues(kv);
	85
	86	snprintf(buffer, STRING_SIZE - 1, "' /etc/ssh/sshd_config >&%d", config_fd );
	87	strlcat(command, buffer, STRING_SIZE - 1);
	88
	89	if((rc = unpriv_system(command,99,99)) != 0){
	90	fprintf(stderr, "sed returned bad exit code: %d\n", rc);
	91	close(config_fd);
	92	unlink("/etc/ssh/sshd_config.new");
	93	exit(1);
	94	}
	95
	96	close(config_fd);
	97	if (rename("/etc/ssh/sshd_config.new","/etc/ssh/sshd_config") != 0){
	98	perror("Unable to replace old config file");
	99	unlink("/etc/ssh/sshd_config.new");
	100	exit(1);
	101	}
	102
	103	memset(buffer, 0, STRING_SIZE);
	104
	105	if ((fd = open("/var/run/sshd.pid", O_RDONLY)) != -1){
	106	if (read(fd, buffer, STRING_SIZE - 1) == -1)
	107	fprintf(stderr, "Couldn't read from pid file\n");
	108	else{
	109	pid = atoi(buffer);
	110	if (pid <= 1)
	111	fprintf(stderr, "Bad pid value\n");
	112	else{
	113	if (kill(pid, SIGTERM) == -1)
	114	fprintf(stderr, "Unable to send SIGTERM\n");
	115	else
	116	unlink("/var/run/sshd.pid");
	117	}
	118	}
	119	close(fd);
	120	}
	121	else{
	122	if (errno != ENOENT){
	123	perror("Unable to open pid file");
	124	exit(1);
	125	}
	126	}
	127
	128	if ((fd = open(CONFIG_ROOT "/remote/enablessh", O_RDONLY)) != -1){
	129	close(fd);
	130	safe_system("/usr/sbin/sshd");
	131	}
	132
	133	return 0;
70db8683	134	}
ca4c317c CS	135	else if (strcmp(argv[1], "tempstart") == 0) {
	136	safe_system("/usr/local/bin/sshctrl");
	137	sleep(5);
	138	unlink("/var/ipfire/remote/enablessh");
	139	safe_system("cat /var/ipfire/remote/settings \| sed 's/ENABLE_SSH=on/ENABLE_SSH=off/' > /var/ipfire/remote/settings2 && mv /var/ipfire/remote/settings2 /var/ipfire/remote/settings");
113cd628	140	safe_system("chown nobody.nobody /var/ipfire/remote/settings");
ca4c317c CS	141	snprintf(command, BUFFER_SIZE-1, "sleep %s && /usr/local/bin/sshctrl &", argv[2]);
ca4c317c CS	142	safe_system(command);
70db8683	143	}
70db8683	144	}