/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ #include "config.h" #include "conf.h" #include "conf-args.h" #include "conf-file.h" #include "connection.h" #include "log.h" #include "proc-map.h" #ifdef ENABLE_SSL #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define GUACD_DEV_NULL "/dev/null" #define GUACD_ROOT "/" /** * Redirects the given file descriptor to /dev/null. The given flags must match * the read/write flags of the file descriptor given (if the given file * descriptor was opened write-only, flags here must be O_WRONLY, etc.). * * @param fd * The file descriptor to redirect to /dev/null. * * @param flags * The flags to use when opening /dev/null as the target for redirection. * These flags must match the flags of the file descriptor given. * * @return * Zero on success, non-zero if redirecting the file descriptor fails. */ static int redirect_fd(int fd, int flags) { /* Attempt to open bit bucket */ int new_fd = open(GUACD_DEV_NULL, flags); if (new_fd < 0) return 1; /* If descriptor is different, redirect old to new and close new */ if (new_fd != fd) { dup2(new_fd, fd); close(new_fd); } return 0; } /** * Turns the current process into a daemon through a series of fork() calls. * The standard I/O file desriptors for STDIN, STDOUT, and STDERR will be * redirected to /dev/null, and the working directory is changed to root. * Execution within the caller of this function will terminate before this * function returns, while execution within the daemonized child process will * continue. * * @return * Zero if the daemonization process succeeded and we are now in the * daemonized child process, or non-zero if daemonization failed and we are * still the original caller. This function does not return for the original * caller if daemonization succeeds. */ static int daemonize() { pid_t pid; /* Fork once to ensure we aren't the process group leader */ pid = fork(); if (pid < 0) { guacd_log(GUAC_LOG_ERROR, "Could not fork() parent: %s", strerror(errno)); return 1; } /* Exit if we are the parent */ if (pid > 0) { guacd_log(GUAC_LOG_DEBUG, "Exiting and passing control to PID %i", pid); _exit(0); } /* Start a new session (if not already group leader) */ setsid(); /* Fork again so the session group leader exits */ pid = fork(); if (pid < 0) { guacd_log(GUAC_LOG_ERROR, "Could not fork() group leader: %s", strerror(errno)); return 1; } /* Exit if we are the parent */ if (pid > 0) { guacd_log(GUAC_LOG_DEBUG, "Exiting and passing control to PID %i", pid); _exit(0); } /* Change to root directory */ if (chdir(GUACD_ROOT) < 0) { guacd_log(GUAC_LOG_ERROR, "Unable to change working directory to " GUACD_ROOT); return 1; } /* Reopen the 3 stdxxx to /dev/null */ if (redirect_fd(STDIN_FILENO, O_RDONLY) || redirect_fd(STDOUT_FILENO, O_WRONLY) || redirect_fd(STDERR_FILENO, O_WRONLY)) { guacd_log(GUAC_LOG_ERROR, "Unable to redirect standard file descriptors to " GUACD_DEV_NULL); return 1; } /* Success */ return 0; } #ifdef ENABLE_SSL #ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS /** * Array of mutexes, used by OpenSSL. */ static pthread_mutex_t* guacd_openssl_locks = NULL; /** * Called by OpenSSL when locking or unlocking the Nth mutex. * * @param mode * A bitmask denoting the action to be taken on the Nth lock, such as * CRYPTO_LOCK or CRYPTO_UNLOCK. * * @param n * The index of the lock to lock or unlock. * * @param file * The filename of the function setting the lock, for debugging purposes. * * @param line * The line number of the function setting the lock, for debugging * purposes. */ static void guacd_openssl_locking_callback(int mode, int n, const char* file, int line){ /* Lock given mutex upon request */ if (mode & CRYPTO_LOCK) pthread_mutex_lock(&(guacd_openssl_locks[n])); /* Unlock given mutex upon request */ else if (mode & CRYPTO_UNLOCK) pthread_mutex_unlock(&(guacd_openssl_locks[n])); } /** * Called by OpenSSL when determining the current thread ID. * * @return * An ID which uniquely identifies the current thread. */ static unsigned long guacd_openssl_id_callback() { return (unsigned long) pthread_self(); } /** * Creates the given number of mutexes, such that OpenSSL will have at least * this number of mutexes at its disposal. * * @param count * The number of mutexes (locks) to create. */ static void guacd_openssl_init_locks(int count) { int i; /* Allocate required number of locks */ guacd_openssl_locks = malloc(sizeof(pthread_mutex_t) * count); /* Initialize each lock */ for (i=0; i < count; i++) pthread_mutex_init(&(guacd_openssl_locks[i]), NULL); } /** * Frees the given number of mutexes. * * @param count * The number of mutexes (locks) to free. */ static void guacd_openssl_free_locks(int count) { int i; /* SSL lock array was not initialized */ if (guacd_openssl_locks == NULL) return; /* Free all locks */ for (i=0; i < count; i++) pthread_mutex_destroy(&(guacd_openssl_locks[i])); /* Free lock array */ free(guacd_openssl_locks); } #endif #endif int main(int argc, char* argv[]) { /* Server */ int socket_fd; struct addrinfo* addresses; struct addrinfo* current_address; char bound_address[1024]; char bound_port[64]; int opt_on = 1; struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM, .ai_protocol = IPPROTO_TCP }; /* Client */ struct sockaddr_in client_addr; socklen_t client_addr_len; int connected_socket_fd; #ifdef ENABLE_SSL SSL_CTX* ssl_context = NULL; #endif guacd_proc_map* map = guacd_proc_map_alloc(); /* General */ int retval; /* Load configuration */ guacd_config* config = guacd_conf_load(); if (config == NULL || guacd_conf_parse_args(config, argc, argv)) exit(EXIT_FAILURE); /* If requested, simply print version and exit, without initializing the * logging system, etc. */ if (config->print_version) { printf("Guacamole proxy daemon (guacd) version " VERSION "\n"); exit(EXIT_SUCCESS); } /* Init logging as early as possible */ guacd_log_level = config->max_log_level; openlog(GUACD_LOG_NAME, LOG_PID, LOG_DAEMON); /* Log start */ guacd_log(GUAC_LOG_INFO, "Guacamole proxy daemon (guacd) version " VERSION " started"); /* Get addresses for binding */ if ((retval = getaddrinfo(config->bind_host, config->bind_port, &hints, &addresses))) { guacd_log(GUAC_LOG_ERROR, "Error parsing given address or port: %s", gai_strerror(retval)); exit(EXIT_FAILURE); } /* Get socket */ socket_fd = socket(AF_INET, SOCK_STREAM, 0); if (socket_fd < 0) { guacd_log(GUAC_LOG_ERROR, "Error opening socket: %s", strerror(errno)); exit(EXIT_FAILURE); } /* Allow socket reuse */ if (setsockopt(socket_fd, SOL_SOCKET, SO_REUSEADDR, (void*) &opt_on, sizeof(opt_on))) { guacd_log(GUAC_LOG_WARNING, "Unable to set socket options for reuse: %s", strerror(errno)); } /* Attempt binding of each address until success */ current_address = addresses; while (current_address != NULL) { int retval; /* Resolve hostname */ if ((retval = getnameinfo(current_address->ai_addr, current_address->ai_addrlen, bound_address, sizeof(bound_address), bound_port, sizeof(bound_port), NI_NUMERICHOST | NI_NUMERICSERV))) guacd_log(GUAC_LOG_ERROR, "Unable to resolve host: %s", gai_strerror(retval)); /* Attempt to bind socket to address */ if (bind(socket_fd, current_address->ai_addr, current_address->ai_addrlen) == 0) { guacd_log(GUAC_LOG_DEBUG, "Successfully bound socket to " "host %s, port %s", bound_address, bound_port); /* Done if successful bind */ break; } /* Otherwise log information regarding bind failure */ else guacd_log(GUAC_LOG_DEBUG, "Unable to bind socket to " "host %s, port %s: %s", bound_address, bound_port, strerror(errno)); current_address = current_address->ai_next; } /* If unable to bind to anything, fail */ if (current_address == NULL) { guacd_log(GUAC_LOG_ERROR, "Unable to bind socket to any addresses."); exit(EXIT_FAILURE); } #ifdef ENABLE_SSL /* Init SSL if enabled */ if (config->key_file != NULL || config->cert_file != NULL) { guacd_log(GUAC_LOG_INFO, "Communication will require SSL/TLS."); #ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS /* Init threadsafety in OpenSSL */ guacd_openssl_init_locks(CRYPTO_num_locks()); CRYPTO_set_id_callback(guacd_openssl_id_callback); CRYPTO_set_locking_callback(guacd_openssl_locking_callback); #endif /* Init SSL */ SSL_library_init(); SSL_load_error_strings(); ssl_context = SSL_CTX_new(SSLv23_server_method()); /* Load key */ if (config->key_file != NULL) { guacd_log(GUAC_LOG_INFO, "Using PEM keyfile %s", config->key_file); if (!SSL_CTX_use_PrivateKey_file(ssl_context, config->key_file, SSL_FILETYPE_PEM)) { guacd_log(GUAC_LOG_ERROR, "Unable to load keyfile."); exit(EXIT_FAILURE); } } else guacd_log(GUAC_LOG_WARNING, "No PEM keyfile given - SSL/TLS may not work."); /* Load cert file if specified */ if (config->cert_file != NULL) { guacd_log(GUAC_LOG_INFO, "Using certificate file %s", config->cert_file); if (!SSL_CTX_use_certificate_chain_file(ssl_context, config->cert_file)) { guacd_log(GUAC_LOG_ERROR, "Unable to load certificate."); exit(EXIT_FAILURE); } } else guacd_log(GUAC_LOG_WARNING, "No certificate file given - SSL/TLS may not work."); } #endif /* Daemonize if requested */ if (!config->foreground) { /* Attempt to daemonize process */ if (daemonize()) { guacd_log(GUAC_LOG_ERROR, "Could not become a daemon."); exit(EXIT_FAILURE); } } /* Write PID file if requested */ if (config->pidfile != NULL) { /* Attempt to open pidfile and write PID */ FILE* pidf = fopen(config->pidfile, "w"); if (pidf) { fprintf(pidf, "%d\n", getpid()); fclose(pidf); } /* Fail if could not write PID file*/ else { guacd_log(GUAC_LOG_ERROR, "Could not write PID file: %s", strerror(errno)); exit(EXIT_FAILURE); } } /* Ignore SIGPIPE */ if (signal(SIGPIPE, SIG_IGN) == SIG_ERR) { guacd_log(GUAC_LOG_INFO, "Could not set handler for SIGPIPE to ignore. " "SIGPIPE may cause termination of the daemon."); } /* Ignore SIGCHLD (force automatic removal of children) */ if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) { guacd_log(GUAC_LOG_INFO, "Could not set handler for SIGCHLD to ignore. " "Child processes may pile up in the process table."); } /* Log listening status */ guacd_log(GUAC_LOG_INFO, "Listening on host %s, port %s", bound_address, bound_port); /* Free addresses */ freeaddrinfo(addresses); /* Listen for connections */ if (listen(socket_fd, 5) < 0) { guacd_log(GUAC_LOG_ERROR, "Could not listen on socket: %s", strerror(errno)); return 3; } /* Daemon loop */ for (;;) { pthread_t child_thread; /* Accept connection */ client_addr_len = sizeof(client_addr); connected_socket_fd = accept(socket_fd, (struct sockaddr*) &client_addr, &client_addr_len); if (connected_socket_fd < 0) { guacd_log(GUAC_LOG_ERROR, "Could not accept client connection: %s", strerror(errno)); continue; } /* Create parameters for connection thread */ guacd_connection_thread_params* params = malloc(sizeof(guacd_connection_thread_params)); if (params == NULL) { guacd_log(GUAC_LOG_ERROR, "Could not create connection thread: %s", strerror(errno)); continue; } params->map = map; params->connected_socket_fd = connected_socket_fd; #ifdef ENABLE_SSL params->ssl_context = ssl_context; #endif /* Spawn thread to handle connection */ pthread_create(&child_thread, NULL, guacd_connection_thread, params); pthread_detach(child_thread); } /* Close socket */ if (close(socket_fd) < 0) { guacd_log(GUAC_LOG_ERROR, "Could not close socket: %s", strerror(errno)); return 3; } #ifdef ENABLE_SSL if (ssl_context != NULL) { #ifdef OPENSSL_REQUIRES_THREADING_CALLBACKS guacd_openssl_free_locks(CRYPTO_num_locks()); #endif SSL_CTX_free(ssl_context); } #endif return 0; }