Commit Graph

484 Commits

Author SHA1 Message Date
Daniel Roethlisberger
e6dc9db6a4 Fix markdown links 2014-11-28 12:15:45 +01:00
Daniel Roethlisberger
f2ff2ec9f5 Link to Github author pages 2014-11-28 12:12:48 +01:00
Daniel Roethlisberger
b8ecbcd773 Split out AUTHORS.md and HACKING.md from README.md 2014-11-28 12:09:40 +01:00
Daniel Roethlisberger
b8213e756d Merge branch 'feature/privsep' into develop
Conflicts:
	NEWS.md
	main.c
	sslsplit.1
2014-11-28 11:08:05 +01:00
Daniel Roethlisberger
61cd0fb541 SSLsplit 0.4.10 release 2014-11-28 10:28:58 +01:00
Daniel Roethlisberger
5ac565f5df Note that -j impacts -S and -F 2014-11-28 10:28:58 +01:00
Daniel Roethlisberger
008821cfca Update NEWS.md 2014-11-28 10:15:09 +01:00
Daniel Roethlisberger
ab466aafb7 Allow -u root with pf proxyspecs on OS X 2014-11-28 10:03:29 +01:00
Daniel Roethlisberger
f076336e0b Don't allow -u on Mac OS X with pf proxyspecs
Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf).  This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0.  It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms?  Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.

Issue:		#65
Reported by:	Vladimir Marteev
2014-11-28 00:13:42 +01:00
Daniel Roethlisberger
c4b22efa5a Fix segmentation fault for aborted connections 2014-11-27 23:19:54 +01:00
Daniel Roethlisberger
9341f25e6d Explicitly support Yosemite 10.10.1 with XNU 2782.1.97 2014-11-27 22:11:12 +01:00
Daniel Roethlisberger
47abb0030d Update clean target for newer clang build artefacts 2014-11-27 22:09:03 +01:00
Daniel Roethlisberger
43c0f57eec Update NEWS.md for feature/privsep 2014-11-25 23:55:15 +01:00
Daniel Roethlisberger
e69b13f2eb SIGUSR1 re-opens -l/-L log files; add defaults.h
Issue:		#52
2014-11-25 23:45:40 +01:00
Daniel Roethlisberger
16a1beb655 Fix version output on local procinfo availability 2014-11-25 23:38:37 +01:00
Daniel Roethlisberger
a9bd438756 Minor updates to manual page 2014-11-25 23:38:05 +01:00
Daniel Roethlisberger
12ff6e6ddf Merge https://github.com/fix-macosx/sslsplit
Conflicts:
	GNUmakefile
	main.c
2014-11-25 00:24:58 +01:00
Daniel Roethlisberger
25e3145d1f Add missing headers to fix build on FreeBSD 8.4 2014-11-25 00:10:51 +01:00
Daniel Roethlisberger
476967ccdc Add SIGUSR1 to the signals forwarded by the parent 2014-11-24 23:32:37 +01:00
Daniel Roethlisberger
0e0a465f5d Fix build on OpenBSD by adding missing includes 2014-11-24 22:49:02 +01:00
Daniel Roethlisberger
c01ace1261 Introduce privilege separation architecture
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets.  Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations.  This is also a
preparation for -l/-L logfile reopening through SIGUSR1.

This means that -S and -F are no longer relative to chroot() if used
with -j.  This is a deliberate POLA violation.
2014-11-24 22:14:09 +01:00
Daniel Roethlisberger
b3f4d25619 Make log_fini() more robust 2014-11-24 21:34:08 +01:00
Daniel Roethlisberger
a027f87c1c Check if -u and -m user and group exist immediately 2014-11-23 22:52:09 +01:00
Daniel Roethlisberger
db80d3460c Remove spurious UNUSED attribute 2014-11-23 17:27:57 +01:00
Daniel Roethlisberger
a09f42a507 Handle EINTR in sys_sendmsgfd() and sys_recvmsgfd() 2014-11-23 15:49:03 +01:00
Daniel Roethlisberger
2d97659a6b Check if args to -j and -S are directories 2014-11-23 15:46:37 +01:00
Daniel Roethlisberger
86397dac89 Break at 80 cols 2014-11-23 15:45:55 +01:00
Daniel Roethlisberger
762bd0cba1 Rename shortcut flag for clarity 2014-11-23 15:44:20 +01:00
Daniel Roethlisberger
53096b2e61 Add util_max() 2014-11-22 02:09:32 +01:00
Daniel Roethlisberger
71743feaa1 Add functions to send/recv UNIX dgram socket msgs and fds 2014-11-22 02:09:07 +01:00
Daniel Roethlisberger
65f56f634d Improve error handling on logging calls 2014-11-21 17:42:10 +01:00
Daniel Roethlisberger
98520c8091 Remove old struct definition 2014-11-21 16:45:45 +01:00
Daniel Roethlisberger
c24d32e9e5 Remove obsolete preinit code 2014-11-21 16:41:57 +01:00
Daniel Roethlisberger
25edad1b6a Merge branch 'rewrite/logthr' 2014-11-21 16:21:02 +01:00
Daniel Roethlisberger
d1d6d295df Fixing error-case memory leaks in uid/gid lookups 2014-11-21 16:19:36 +01:00
Daniel Roethlisberger
b5e3856a97 Move open() and mkdir() to logger thread 2014-11-21 16:10:37 +01:00
Daniel Roethlisberger
5fd1d7de9c Rename flags for clarity 2014-11-21 12:03:08 +01:00
Daniel Roethlisberger
77942a7abb Fix compiler warning on type conversion 2014-11-19 22:54:11 +01:00
Daniel Roethlisberger
007823b16e Fix connect logging for corner cases 2014-11-19 22:39:51 +01:00
Daniel Roethlisberger
80af8f7d52 Fix SSL_METHOD* const mismatch on OpenSSL < 1.0.0 2014-11-19 22:38:21 +01:00
Daniel Roethlisberger
125163a003 Add local process lookup on FreeBSD using sysctl() API 2014-11-19 22:30:01 +01:00
Daniel Roethlisberger
7b8ba7310d Fix uid/gid lookup where sysconf(_SC_GETPW_R_SIZE_MAX) fails
On some platforms, sysconf(_SC_GETPW_R_SIZE_MAX) compiles but never
succeeds (e.g. FreeBSD 8.4).  Fix this by dynamically enlarging an
initially small buffer until it is large enough, and reuse the
determined buffer size on subsequent calls to the same function.
2014-11-20 09:38:14 +01:00
Daniel Roethlisberger
c35e40a597 Update NEWS.md for OpenSSL 0.9.8y bug workaround 2014-11-20 09:38:13 +01:00
Daniel Roethlisberger
341d6b77d1 Use SSL_get_certificate() hack for OpenSSL 0.9.8y
OpenSSL 0.9.8y also crashes in OpenSSL's SSL_get_certificate() on a
NULL pointer dereference.  Fix by also using the direct access hack
developed for OpenSSL 1.0.0k and 1.0.1e with OpenSSL 0.9.8y.
2014-11-19 20:01:42 +01:00
Daniel Roethlisberger
e1156a3482 Make awk regexp more robust 2014-11-17 23:50:16 +01:00
Daniel Roethlisberger
352b199166 Remove spurious space in netfilter output 2014-11-17 23:41:21 +01:00
Daniel Roethlisberger
c5b8fd127f Add version and ciphersuite to connect and debug log 2014-11-17 19:14:29 +01:00
Daniel Roethlisberger
077fb8c348 Handle other address families and abort when found 2014-11-17 19:13:03 +01:00
Daniel Roethlisberger
fcd008df4b Unify asprintf error handling 2014-11-17 19:11:27 +01:00
Daniel Roethlisberger
ec9cc5fb23 Fix usr/grp test with Linux id 2014-11-16 22:47:42 +01:00