Thread: change route

  1. #1
    Registered User
    Join Date
    Jan 2009
    Posts
    77

    change route

    hello every1,
    I need suggestion related change routing information from my program with user privileges. How I can change routing tables in my host linux or bsd based from user?
    i.e. I launch my program with root, forked it and become use it with user privileges.
    i.e2. I want make it more secure, therefore use user, but little bit stumbled about workable this situation.

  2. #2
    {Jaxom,Imriel,Liam}'s Dad Kennedy's Avatar
    Join Date
    Aug 2006
    Location
    Alabama
    Posts
    1,065
    The way other programs do this is to configure the port exactly as it needs to be, then demote yourself at run-time. This is assuming that you never need to change the configuration again. If this is the case, this is doable. Otherwise, perhaps you could fork() yourself and allow the parent to be the one that does the configuration, while the child (and its threads) answer all the calls to the outside world. The child would never have to have the higher privileges but would need to signal the parent when changes needed to be made (adding in an additional layer of security by adding in an additional layer).

  3. #3
    Registered User
    Join Date
    Jan 2009
    Posts
    77
    In another words do full-trip pipe(or something else?) from parent to child(callback) and child to parent and as well as giving information to parent if that really needs? If that exact, then we could narrow bottleneck, but still use root privileges. I'm not use fork too much, usually pthread with shared-memory, because it more simple I think, then fork with signaling. anyway, how I can communicate parent and child instead of pipes or internal sockets?

  4. #4
    {Jaxom,Imriel,Liam}'s Dad Kennedy's Avatar
    Join Date
    Aug 2006
    Location
    Alabama
    Posts
    1,065
    I think you can still get shared memory via a couple of different functions, the easiest being:
    Code:
           #include <sys/ipc.h>
           #include <sys/shm.h>
    
           int shmget(key_t key, size_t size, int shmflg);
    I don't think you'll need a callback, just have a location in where you have an semaphore and a configuration struct that will allow you to change on the fly. Basically, you'll make your parent process sleep for most of the time. In fact, if you created a signal handler, your child could wake your parent whenever a change needed to be made (no need for a semaphore in this case).

    I do not envy your task ahead.

  5. #5
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    I don't see why splitting the process is necessary. Just give yourself CAP_NET_ADMIN capability, then you can alter routing tables without needing to be root. Having a communication channel between an unprivileged and a privileged process seems scary to me. It's not an additional "layer of security," just another layer of complexity and potential bug-hiding place. An attack on your channel protocol could lead to unfettered root access. If you're so worried about coding errors that you're going to drop root access, what makes you think you won't make a coding error in your protocol?

    Just drop all root privileges while retaining CAP_NET_ADMIN.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  6. #6
    Registered User
    Join Date
    Jan 2009
    Posts
    77
    ok, I made this two ways. I've not too much data on follow, then I use just variables, instead of shared memory. Could you suggest to me something related architect this code.
    Code:
    =first=============
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <pwd.h>
    uid_t   pw_uid
    void 
    loop() 
    {
    int s;
            if (!capable(CAP_NET_ADMIN))
                    return 0;
    
    s = socket(PF_INET, SOCK_DGRAM, 17);
    // do everything from user
    }
    
    
    int
    getusr()
    {
         struct passwd    *ptr;
         if ((ptr = getpwnam("user")) == NULL)
             printf("getpwnam error\n");
    
         return(ptr->pw_uid);
    }
    
    int 
    main(void)
    {
    	getusr();
    	printf("before fork\n");
    	if ((pid = fork()) < 0){
    		printf("fork error\n");
    		return 0;
    	}else if (pid == 0) {      /* child */
    
    		loop();
    
    	} else {
    	               /* parent */
    	}
    	
    
    exit(0);
    }
    =second=============
    
    --head.h
    struct settings {
    uint32_t ip;
    };
    --src1.c
    int
    getusr()
    {
         struct passwd    *ptr;
         if ((ptr = getpwnam("user")) == NULL)
             printf("getpwnam error\n");
    
         return(ptr->pw_uid);
    }
    int 
    main(void) 
    { 
        int     fd, i, counter; 
        pid_t   pid; 
        void    *area; 
    	
       int s;
       struct settings *sx = 0;
       struct sockaddr_in *sa;
    //    if ((fd = open("/dev/zero", O_RDWR)) < 0) 
    //        err_sys("open error"); 
    //    if ((area = mmap(0, sizeof(long), PROT_READ | PROT_WRITE, MAP_SHARED,fd, 0)) == MAP_FAILED) 
    //        err_sys("mmap error"); 
    //    close(fd);
        TELL_WAIT();
        getusr();
        if ((pid = fork()) < 0) { 
            err_sys("fork error"); 
        } else if (pid > 0) {           /* parent */ 
    	if(sx){
    	addr = sx->ip;
    	close(s);	
    	}else{
    	s = socket(PF_INET, SOCK_DGRAM, 17); 
    	addr = sa->sin_addr.s_addr;
    	}
    	if (bind_socket(s, addr) == -1) {
    		printf("bind_socket errot\n");
    		close(s);
    		return -1;
    	}
                TELL_CHILD(pid); 
                WAIT_CHILD(); 
    	}
        } else {                         /* child */ 
                WAIT_PARENT(); 
    
    	loop();
    	
        } 
        exit(0); 
    } 
    --src2.c
    extern struct settings *sx;
    struct sockaddr_in *sa;
    void loop(){
    //todo smth.
    	if(sa->sin_addr.s_addr != &sx->ip)
                TELL_PARENT(getppid()); // if I've got another ip-addres in settings struct and call parent.
    }

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. type casting?
    By greatonesv in forum C Programming
    Replies: 12
    Last Post: 10-22-2008, 08:21 PM
  2. c++builder6 change form names problem
    By Leite33 in forum C++ Programming
    Replies: 2
    Last Post: 06-09-2008, 08:20 AM
  3. Change Value in an array
    By beginner999 in forum C Programming
    Replies: 3
    Last Post: 01-18-2003, 07:16 AM
  4. Replies: 2
    Last Post: 11-08-2002, 03:22 AM
  5. Replies: 2
    Last Post: 09-04-2001, 02:12 PM