Updated Branches: refs/heads/master 99999bdd2 -> 1e55ec8fb
TS-2353: add ability to load ssl certs that are owned by root and only read only by the user Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/1e55ec8f Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/1e55ec8f Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/1e55ec8f Branch: refs/heads/master Commit: 1e55ec8fb16aac4a2c99e6ac3fc2ea0e8571c0b3 Parents: 99999bd Author: Ron Barber <[email protected]> Authored: Mon Feb 3 12:26:24 2014 -0800 Committer: Bryan Call <[email protected]> Committed: Mon Feb 3 12:26:24 2014 -0800 ---------------------------------------------------------------------- CHANGES | 3 +++ doc/reference/configuration/records.config.en.rst | 7 +++++++ iocore/net/SSLUtils.cc | 6 ++++++ lib/ts/ink_cap.cc | 5 +++++ lib/ts/ink_cap.h | 9 ++++++++- mgmt/RecordsConfig.cc | 2 ++ 6 files changed, 31 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index b733352..4753b52 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 4.2.0 + *) [TS-2353] Add ability to load ssl certs that are owned by root and only + read only by the user + *) [TS-2551] Eliminate the tr1 dependency from CPP APIs. *) [TS-2541] Add WebSocket support http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index 501d65b..be67e33 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst 
@@ -2067,6 +2067,13 @@ SSL Termination
 renegotiation of the SSL connection. The default of ``0``, means the client can't initiate renegotiation.
+.. ts:cv:: CONFIG proxy.config.ssl.cert.load_elevated INT 0
+
+ Enables (``1``) or disables (``0``) elevation of traffic_server
+ privileges during loading of SSL certificates. By enabling this, SSL
+ certificate files' access rights can be restricted to help reduce the
+ vulnerability of certificates.
+
 Client-Related Configuration
 ----------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index eeb1fbc..44db439 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -23,6 +23,7 @@
 #include "libts.h"
 #include "I_Layout.h"
 #include "P_Net.h"
+#include "ink_cap.h"
 #include <openssl/err.h>
 #include <openssl/bio.h>
@@ -840,6 +841,11 @@ SSLParseCertificateConfiguration(
 return false;
 }
+ // elevate/allow file access to root read only files/certs
+ uint32_t elevate_setting = 0;
+ REC_ReadConfigInteger(elevate_setting, "proxy.config.ssl.cert.load_elevated");
+ ElevateAccess elevate_access(elevate_setting != 0); // destructor will demote for us
+
 line = tokLine(file_buf, &tok_state);
 while (line != NULL) {
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/lib/ts/ink_cap.cc
----------------------------------------------------------------------
diff --git a/lib/ts/ink_cap.cc b/lib/ts/ink_cap.cc
index e51b730..7091144 100644
--- a/lib/ts/ink_cap.cc
+++ b/lib/ts/ink_cap.cc
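Review bot: The `ElevateAccess elevate_access(...)` object created here lives until SSLParseCertificateConfiguration returns, so with load_elevated set the whole remaining parse loop — not only the certificate and key file opens — runs with elevated file access (and, on builds without POSIX capabilities, with the process's effective uid switched to root, per the ink_cap.h change in this commit). That window is wider than the feature needs; either construct ElevateAccess only around the code that opens the certificate files, or record the decision so it is not accidentally widened further: `// NOTE: file access stays elevated for the rest of this function; scope it down if the loader is ever split out.` The function's body continues outside the hunk, so I cannot see what else the loop touches while elevated. Reading the record into a `uint32_t` and comparing against 0 works, but a `bool` would state the intent of a [0-1] switch more directly.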
@@ -24,12 +24,17 @@
 # include "ink_config.h"
 # include "Diags.h"
 # include "ink_cap.h"
+# include "ink_thread.h"
 # if TS_USE_POSIX_CAP
 # include <sys/capability.h>
 # include <sys/prctl.h>
 # endif
+# if !TS_USE_POSIX_CAP
+ink_mutex ElevateAccess::lock = INK_MUTEX_INIT;
+#endif
+
 void DebugCapabilities(char const* tag) {
 if (is_debug_tag_set(tag)) {
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/lib/ts/ink_cap.h
----------------------------------------------------------------------
diff --git a/lib/ts/ink_cap.h b/lib/ts/ink_cap.h
index e29acea..49c1219 100644
--- a/lib/ts/ink_cap.h
+++ b/lib/ts/ink_cap.h
@@ -21,9 +21,9 @@
 limitations under the License.
 */
-
 #if !defined (_ink_cap_h_)
 #define _ink_cap_h_
+#include "ink_mutex.h"
 /// Generate a debug message with the current capabilities for the process.
 extern void DebugCapabilities(
@@ -66,7 +66,10 @@ public:
 #if TS_USE_POSIX_CAP
 elevateFileAccess(true);
 #else
+ // Since we are setting a process-wide credential, we have to block any other thread
+ // attempting to elevate until this one demotes.
 restoreRootPriv(&saved_uid);
+ ink_mutex_acquire(&lock);
 #endif
 elevated = true;
 }
@@ -76,6 +79,7 @@ public:
 elevateFileAccess(false);
 #else
 removeRootPriv(saved_uid);
+ ink_mutex_release(&lock);
 #endif
 elevated = false;
 }
@@ -89,6 +93,9 @@ public:
 private:
 bool elevated;
 uid_t saved_uid;
+#if !TS_USE_POSIX_CAP
+ static ink_mutex lock; // only one thread at a time can elevate
+#endif
 };
 #endif
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e55ec8f/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 659abe9..41b876c 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
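Review bot: The new `ink_mutex ElevateAccess::lock` definition carries no comment, and the rationale for it lives only in the header's seteuid branch, so a reader of this file cannot tell what it protects; I would add `// Process-wide: serialises seteuid-based elevation across threads (see ElevateAccess::elevate); unused when POSIX capabilities are available.` above it. The added `# include "ink_thread.h"` is presumably there for `INK_MUTEX_INIT`/`ink_mutex`; if those come from ink_mutex.h, which the header now includes, the extra include may be redundant — worth confirming against lib/ts.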
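Review bot: On the seteuid path the credential switch happens before the lock is taken — `restoreRootPriv(&saved_uid);` runs first and only then `ink_mutex_acquire(&lock);` — so the mutex does not actually serialise the privilege change it was added to protect. If restoreRootPriv records the current effective uid into saved_uid (which the pointer argument suggests), a second thread that elevates while the first is already root will save uid 0 and later "demote" back to root, leaving the process permanently elevated; the seteuid calls themselves also race. Take the lock first, mirroring demote() where the release already correctly follows removeRootPriv: `ink_mutex_acquire(&lock);` then `restoreRootPriv(&saved_uid);`. The elevate() method begins outside the hunk, so I cannot see whether an `if (elevated)` guard exists; without one a second elevate() on the same object would self-deadlock on a non-recursive mutex.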
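Review bot: Because `lock` is static and taken for the lifetime of the elevation, ElevateAccess objects on the seteuid path are no longer nestable — a thread that constructs a second ElevateAccess while one is still elevated will block on its own lock, assuming ink_mutex is not recursive. The member comment `// only one thread at a time can elevate` should spell that out for callers: `// Serialises seteuid-based elevation across threads; do not create a second ElevateAccess while one is already elevated on this thread.` Documenting this on the class header (outside the hunk) would also help, since the restriction exists only in the non-capability build and is invisible to callers of the public API.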
@@ -1308,6 +1308,8 @@ RecordElement RecordsConfig[] = {
 ,
 {RECT_CONFIG, "proxy.config.icp.default_reply_port", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
 ,
+ {RECT_CONFIG, "proxy.config.ssl.cert.load_elevated", RECD_INT, "0", RECU_NULL, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+ ,
 //############################################################################
 //#
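Review bot: The new record is registered with `RECU_NULL` while the neighbouring entry uses `RECU_DYNAMIC`; if RECU_NULL means a changed value is not picked up on a configuration reload, the records.config documentation added in this commit should say a restart is required, and otherwise RECU_DYNAMIC seems the natural class since SSLParseCertificateConfiguration re-reads the record on every call. I cannot confirm the semantics of the update classes from this hunk. The `"[0-1]"` range check is a good guard against out-of-range values for a switch that enables privilege elevation.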
