tonarino/innernet
1
1
Fork 0
mirror of https://github.com/tonarino/innernet.git synced 2024-09-20 14:56:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

client: support running as non-root (#94)

Browse source 
shared(wg): use netlink instead of execve calls to "ip"
hostsfile: write to hostsfile in-place
This commit is contained in:
Jake McGinty 2021-06-10 22:57:47 +09:00 committed by GitHub
parent 6a60643d7d
commit 449b4b8278
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 417 additions and 200 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
Cargo.lock generated
View file

@ -153,13 +153,13 @@ dependencies = [
name = "client"
version = "1.3.1"
dependencies = [
"anyhow",
"colored",
"dialoguer",
"hostsfile",
"indoc",
"ipnetwork",
"lazy_static",
"libc",
"log",
"regex",
"serde",
@ -382,10 +382,7 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hostsfile"
version = "1.0.1"
dependencies = [
"tempfile",
]
version = "1.1.0"
[[package]]
name = "http"
@ -576,6 +573,54 @@ dependencies = [
"winapi",
]
[[package]]
name = "netlink-packet-core"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac48279d5062bdf175bdbcb6b58ff1d6b0ecd54b951f7a0ff4bc0550fe903ccb"
dependencies = [
"anyhow",
"byteorder",
"libc",
"netlink-packet-utils",
]
[[package]]
name = "netlink-packet-route"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da1bf86b4324996fb58f8e17752b2a06176f4c5efc013928060ac94a3a329b71"
dependencies = [
"anyhow",
"bitflags",
"byteorder",
"libc",
"netlink-packet-core",
"netlink-packet-utils",
]
[[package]]
name = "netlink-packet-utils"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c2afb159d0e3ac700e85f0df25b8438b99d43ed0c0b685242fcdf1b5673e54d"
dependencies = [
"anyhow",
"byteorder",
"paste",
"thiserror",
]
[[package]]
name = "netlink-sys"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d61c5374735aa0cd07cb7fd820b656062b187b5588d79517f72956b57c6de9ef"
dependencies = [
"libc",
"log",
]
[[package]]
name = "nom"
version = "5.1.2"
@ -636,6 +681,12 @@ dependencies = [
"winapi",
]
[[package]]
name = "paste"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acbf547ad0c65e31259204bd90935776d1c693cec2f4ff7abb7a1bbbd40dfe58"
[[package]]
name = "peeking_take_while"
version = "0.1.2"
@ -930,12 +981,17 @@ dependencies = [
name = "shared"
version = "1.3.1"
dependencies = [
"anyhow",
"colored",
"dialoguer",
"indoc",
"ipnetwork",
"lazy_static",
"libc",
"log",
"netlink-packet-core",
"netlink-packet-route",
"netlink-sys",
"publicip",
"regex",
"serde",
@ -943,6 +999,7 @@ dependencies = [
"toml",
"url",
"wgctrl",
"wgctrl-sys",
]
[[package]]

2
client/Cargo.toml
View file

@ -14,13 +14,13 @@ name = "innernet"
path = "src/main.rs"
[dependencies]
anyhow = "1"
colored = "2"
dialoguer = "0.8"
hostsfile = { path = "../hostsfile" }
indoc = "1"
ipnetwork = { git = "https://github.com/mcginty/ipnetwork" } # pending https://github.com/achanda/ipnetwork/pull/129
lazy_static = "1"
libc = "0.2"
log = "0.4"
regex = { version = "1", default-features = false, features = ["std"] }
serde = { version = "1.0", features = ["derive"] }

14
client/src/data_store.rs
View file

@ -1,5 +1,5 @@
use crate::Error;
use colored::*;
use anyhow::bail;
use serde::{Deserialize, Serialize};
use shared::{ensure_dirs_exist, Cidr, IoErrorContext, Peer, WrappedIoError, CLIENT_DATA_DIR};
use std::{
@ -35,13 +35,7 @@ impl DataStore {
.open(path)
.with_path(path)?;
if shared::chmod(&file, 0o600).with_path(path)? {
println!(
"{} updated permissions for {} to 0600.",
"[!]".yellow(),
path.display()
);
}
shared::warn_on_dangerous_mode(path).with_path(path)?;
let mut json = String::new();
file.read_to_string(&mut json).with_path(path)?;
@ -94,9 +88,7 @@ impl DataStore {
for new_peer in current_peers.iter() {
if let Some(existing_peer) = peers.iter_mut().find(|p| p.ip == new_peer.ip) {
if existing_peer.public_key != new_peer.public_key {
return Err(
"PINNING ERROR: New peer has same IP but different public key.".into(),
);
bail!("PINNING ERROR: New peer has same IP but different public key.");
} else {
*existing_peer = new_peer.clone();
}

53
client/src/main.rs
View file

@ -1,3 +1,4 @@
use anyhow::{anyhow, bail};
use colored::*;
use dialoguer::{Confirm, Input};
use hostsfile::HostsBuilder;
@ -6,10 +7,10 @@ use shared::{
interface_config::InterfaceConfig, prompts, AddAssociationOpts, AddCidrOpts, AddPeerOpts,
Association, AssociationContents, Cidr, CidrTree, DeleteCidrOpts, EndpointContents,
InstallOpts, Interface, IoErrorContext, NetworkOpt, Peer, RedeemContents, RenamePeerOpts,
State, CLIENT_CONFIG_DIR, REDEEM_TRANSITION_WAIT,
State, WrappedIoError, CLIENT_CONFIG_DIR, REDEEM_TRANSITION_WAIT,
};
use std::{
fmt,
fmt, io,
path::{Path, PathBuf},
thread,
time::{Duration, SystemTime},
@ -245,7 +246,9 @@ fn update_hosts_file(
&format!("{}.{}.wg", peer.contents.name, interface),
);
}
hosts_builder.write_to(hosts_path)?;
if let Err(e) = hosts_builder.write_to(&hosts_path).with_path(hosts_path) {
log::warn!("failed to update hosts ({})", e);
}
Ok(())
}
@ -272,7 +275,7 @@ fn install(
let target_conf = CLIENT_CONFIG_DIR.join(&iface).with_extension("conf");
if target_conf.exists() {
return Err("An interface with this name already exists in innernet.".into());
bail!("An interface with this name already exists in innernet.");
}
let iface = iface.parse()?;
@ -423,11 +426,10 @@ fn fetch(
if !interface_up {
if !bring_up_interface {
return Err(format!(
bail!(
"Interface is not up. Use 'innernet up {}' instead",
interface
)
.into());
);
}
log::info!("bringing up the interface.");
@ -647,7 +649,7 @@ fn rename_peer(interface: &InterfaceName, opts: RenamePeerOpts) -> Result<(), Er
.filter(|p| p.name == old_name)
.map(|p| p.id)
.next()
.ok_or("Peer not found.")?;
.ok_or(anyhow!("Peer not found."))?;
let _ = api.http_form("PUT", &format!("/admin/peers/{}", id), peer_request)?;
log::info!("Peer renamed.");
@ -687,11 +689,11 @@ fn add_association(interface: &InterfaceName, opts: AddAssociationOpts) -> Resul
let cidr1 = cidrs
.iter()
.find(|c| &c.name == cidr1)
.ok_or(format!("can't find cidr '{}'", cidr1))?;
.ok_or(anyhow!("can't find cidr '{}'", cidr1))?;
let cidr2 = cidrs
.iter()
.find(|c| &c.name == cidr2)
.ok_or(format!("can't find cidr '{}'", cidr2))?;
.ok_or(anyhow!("can't find cidr '{}'", cidr2))?;
(cidr1, cidr2)
} else if let Some((cidr1, cidr2)) = prompts::add_association(&cidrs[..])? {
(cidr1, cidr2)
@ -824,16 +826,18 @@ fn show(
let devices = interfaces
.into_iter()
.filter_map(|name| {
DataStore::open(&name)
.and_then(|store| {
Ok((
Device::get(&name, network.backend).with_str(name.as_str_lossy())?,
store,
))
})
.ok()
match DataStore::open(&name) {
Ok(store) => {
let device = Device::get(&name, network.backend).with_str(name.as_str_lossy());
Some(device.map(|device| (device, store)))
},
// Skip WireGuard interfaces that aren't managed by innernet.
Err(e) if e.kind() == io::ErrorKind::NotFound => None,
// Error on interfaces that *are* managed by innernet but are not readable.
Err(e) => Some(Err(e)),
}
})
.collect::<Vec<_>>();
.collect::<Result<Vec<_>, _>>()?;
if devices.is_empty() {
log::info!("No innernet networks currently running.");
@ -846,7 +850,7 @@ fn show(
let me = peers
.iter()
.find(|p| p.public_key == device_info.public_key.as_ref().unwrap().to_base64())
.ok_or("missing peer info")?;
.ok_or(anyhow!("missing peer info"))?;
let mut peer_states = device_info
.peers
@ -858,7 +862,7 @@ fn show(
peer,
info: Some(info),
}),
None => Err(format!("peer {} isn't an innernet peer.", public_key)),
None => Err(anyhow!("peer {} isn't an innernet peer.", public_key)),
}
})
.collect::<Result<Vec<PeerState>, _>>()?;
@ -987,6 +991,9 @@ fn main() {
if let Err(e) = run(opt) {
println!();
log::error!("{}\n", e);
if let Some(e) = e.downcast_ref::<WrappedIoError>() {
util::permissions_helptext(e);
}
std::process::exit(1);
}
}
@ -998,10 +1005,6 @@ fn run(opt: Opts) -> Result<(), Error> {
interface: None,
});
if unsafe { libc::getuid() } != 0 && !matches!(command, Command::Completions { .. }) {
return Err("innernet must run as root.".into());
}
match command {
Command::Install {
invite,

55
client/src/util.rs
View file

@ -1,19 +1,27 @@
use crate::{ClientError, Error};
use colored::*;
use indoc::eprintdoc;
use log::{Level, LevelFilter};
use serde::{de::DeserializeOwned, Serialize};
use shared::{interface_config::ServerInfo, INNERNET_PUBKEY_HEADER};
use std::time::Duration;
use shared::{interface_config::ServerInfo, WrappedIoError, INNERNET_PUBKEY_HEADER};
use std::{io, time::Duration};
use ureq::{Agent, AgentBuilder};
static LOGGER: Logger = Logger;
struct Logger;
const BASE_MODULES: &[&str] = &["innernet", "shared"];
fn target_is_base(target: &str) -> bool {
BASE_MODULES
.iter()
.any(|module| module == &target || target.starts_with(&format!("{}::", module)))
}
impl log::Log for Logger {
fn enabled(&self, metadata: &log::Metadata) -> bool {
metadata.level() <= log::max_level()
&& (log::max_level() == LevelFilter::Trace
|| metadata.target().starts_with("shared::")
|| metadata.target() == "innernet")
&& (log::max_level() == LevelFilter::Trace || target_is_base(metadata.target()))
}
fn log(&self, record: &log::Record) {
@ -25,7 +33,7 @@ impl log::Log for Logger {
Level::Debug => "[D]".blue(),
Level::Trace => "[T]".purple(),
};
if record.level() <= LevelFilter::Debug && record.target() != "innernet" {
if record.level() <= LevelFilter::Debug && !target_is_base(record.target()) {
println!(
"{} {} {}",
level_str,
@ -94,6 +102,41 @@ pub fn human_size(bytes: u64) -> String {
}
}
pub fn permissions_helptext(e: &WrappedIoError) {
if e.raw_os_error() == Some(1) {
let current_exe = std::env::current_exe()
.ok()
.map(|s| s.to_string_lossy().to_string())
.unwrap_or_else(|| "<innernet path>".into());
eprintdoc!(
"{}: innernet can't access the device info.
You either need to run innernet as root, or give innernet CAP_NET_ADMIN capabilities:
sudo setcap cap_net_admin+eip {}
",
"ERROR".bold().red(),
current_exe
);
} else if e.kind() == io::ErrorKind::PermissionDenied {
eprintdoc!(
"{}: innernet can't access its config/data folders.
You either need to run innernet as root, or give the user/group running innernet permissions
to access {config} and {data}.
For non-root permissions, it's recommended to create an \"innernet\" group, and run for example:
sudo chgrp -R innernet {config} {data}
sudo chmod -R g+rwX {config} {data}
",
"ERROR".bold().red(),
config = shared::CLIENT_CONFIG_DIR.to_string_lossy(),
data = shared::CLIENT_DATA_DIR.to_string_lossy(),
);
}
}
pub struct Api<'a> {
agent: Agent,
server: &'a ServerInfo,

3
hostsfile/Cargo.toml
View file

@ -5,7 +5,6 @@ edition = "2018"
license = "UNLICENSED"
name = "hostsfile"
publish = false
version = "1.0.1"
version = "1.1.0"
[dependencies]
tempfile = "3"

77
hostsfile/src/lib.rs
View file

@ -1,12 +1,4 @@
use std::{
collections::HashMap,
fmt,
fs::{self, File, OpenOptions},
io::{BufRead, BufReader, Write},
net::IpAddr,
path::{Path, PathBuf},
result,
};
use std::{collections::HashMap, fmt, fs::OpenOptions, io::{self, BufRead, BufReader, ErrorKind, Write}, net::IpAddr, path::{Path, PathBuf}, result};
pub type Result<T> = result::Result<T, Box<dyn std::error::Error>>;
@ -115,7 +107,12 @@ impl HostsBuilder {
/// Inserts a new section to the system's default hosts file. If there is a section with the
/// same tag name already, it will be replaced with the new list instead.
pub fn write(&self) -> Result<()> {
pub fn write(&self) -> io::Result<()> {
self.write_to(&Self::default_path()?)
}
/// Returns the default hosts path based on the current OS.
pub fn default_path() -> io::Result<PathBuf> {
let hosts_file = if cfg!(unix) {
PathBuf::from("/etc/hosts")
} else if cfg!(windows) {
@ -124,21 +121,24 @@ impl HostsBuilder {
// the location depends on the environment variable %WinDir%.
format!(
"{}\\System32\\Drivers\\Etc\\hosts",
std::env::var("WinDir")?
std::env::var("WinDir").map_err(|_| io::Error::new(
ErrorKind::Other,
"WinDir environment variable missing".to_owned()
))?
),
)
} else {
return Err(Box::new(Error("unsupported operating system.".to_owned())));
return Err(io::Error::new(
ErrorKind::Other,
"unsupported operating system.".to_owned(),
));
};
if !hosts_file.exists() {
return Err(Box::new(Error(format!(
"hosts file {:?} missing",
&hosts_file
))));
return Err(ErrorKind::NotFound.into());
}
self.write_to(&hosts_file)
Ok(hosts_file)
}
/// Inserts a new section to the specified hosts file. If there is a section with the same tag
@ -146,7 +146,7 @@ impl HostsBuilder {
///
/// On Windows, the format of one hostname per line will be used, all other systems will use
/// the same format as Unix and Unix-like systems (i.e. allow multiple hostnames per line).
pub fn write_to<P: AsRef<Path>>(&self, hosts_path: P) -> Result<()> {
pub fn write_to<P: AsRef<Path>>(&self, hosts_path: P) -> io::Result<()> {
let hosts_path = hosts_path.as_ref();
let begin_marker = format!("# DO NOT EDIT {} BEGIN", &self.tag);
let end_marker = format!("# DO NOT EDIT {} END", &self.tag);
@ -179,49 +179,44 @@ impl HostsBuilder {
lines.len()
},
_ => {
return Err(Box::new(Error(format!(
"start or end marker missing in {:?}",
&hosts_path
))));
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!("start or end marker missing in {:?}", &hosts_path),
));
},
};
// The tempfile should be in the same filesystem as the hosts file.
let hosts_dir = hosts_path
.parent()
.expect("hosts file must be an absolute file path");
let temp_dir = tempfile::Builder::new().tempdir_in(hosts_dir)?;
let temp_path = temp_dir.path().join("hosts");
// Copy the existing hosts file to preserve permissions.
fs::copy(&hosts_path, &temp_path)?;
let mut file = File::create(&temp_path)?;
let mut s = vec![];
for line in &lines[..insert] {
writeln!(&mut file, "{}", line)?;
writeln!(&mut s, "{}", line)?;
}
if !self.hostname_map.is_empty() {
writeln!(&mut file, "{}", begin_marker)?;
writeln!(&mut s, "{}", begin_marker)?;
for (ip, hostnames) in &self.hostname_map {
if cfg!(windows) {
// windows only allows one hostname per line
for hostname in hostnames {
writeln!(&mut file, "{} {}", ip, hostname)?;
writeln!(&mut s, "{} {}", ip, hostname)?;
}
} else {
// assume the same format as Unix
writeln!(&mut file, "{} {}", ip, hostnames.join(" "))?;
writeln!(&mut s, "{} {}", ip, hostnames.join(" "))?;
}
}
writeln!(&mut file, "{}", end_marker)?;
writeln!(&mut s, "{}", end_marker)?;
}
for line in &lines[insert..] {
writeln!(&mut file, "{}", line)?;
writeln!(&mut s, "{}", line)?;
}
// Move the file atomically to avoid a partial state.
fs::rename(&temp_path, &hosts_path)?;
OpenOptions::new()
.create(true)
.read(true)
.write(true)
.truncate(true)
.open(hosts_path)?
.write_all(&s)?;
Ok(())
}

1
server/Cargo.toml
View file

@ -13,6 +13,7 @@ name = "innernet-server"
path = "src/main.rs"
[dependencies]
anyhow = "1"
bytes = "1"
colored = "2"
dialoguer = "0.8"

2
server/src/api/admin/peer.rs
View file

@ -229,7 +229,7 @@ mod tests {
let old_peer = DatabasePeer::get(&server.db.lock(), test::DEVELOPER1_PEER_ID)?;
let change = PeerContents {
name: "new-peer-name".parse()?,
name: "new-peer-name".parse().unwrap(),
..old_peer.contents.clone()
};

17
server/src/initialize.rs
View file

@ -1,4 +1,5 @@
use crate::*;
use anyhow::anyhow;
use db::DatabaseCidr;
use dialoguer::{theme::ColorfulTheme, Input};
use indoc::printdoc;
@ -63,7 +64,7 @@ fn populate_database(conn: &Connection, db_init_data: DbInitData) -> Result<(),
parent: None,
},
)
.map_err(|_| "failed to create root CIDR".to_string())?;
.map_err(|_| anyhow!("failed to create root CIDR"))?;
let server_cidr = DatabaseCidr::create(
&conn,
@ -73,12 +74,12 @@ fn populate_database(conn: &Connection, db_init_data: DbInitData) -> Result<(),
parent: Some(root_cidr.id),
},
)
.map_err(|_| "failed to create innernet-server CIDR".to_string())?;
.map_err(|_| anyhow!("failed to create innernet-server CIDR"))?;
let _me = DatabasePeer::create(
&conn,
PeerContents {
name: SERVER_NAME.parse()?,
name: SERVER_NAME.parse().map_err(|e: &str| anyhow!(e))?,
ip: db_init_data.our_ip,
cidr_id: server_cidr.id,
public_key: db_init_data.public_key_base64,
@ -90,7 +91,7 @@ fn populate_database(conn: &Connection, db_init_data: DbInitData) -> Result<(),
invite_expires: None,
},
)
.map_err(|_| "failed to create innernet peer.".to_string())?;
.map_err(|_| anyhow!("failed to create innernet peer."))?;
Ok(())
}
@ -99,7 +100,7 @@ pub fn init_wizard(conf: &ServerConfig, opts: InitializeOpts) -> Result<(), Erro
let theme = ColorfulTheme::default();
shared::ensure_dirs_exist(&[conf.config_dir(), conf.database_dir()]).map_err(|_| {
format!(
anyhow!(
"Failed to create config and database directories {}",
"(are you not running as root?)".bold()
)
@ -139,7 +140,7 @@ pub fn init_wizard(conf: &ServerConfig, opts: InitializeOpts) -> Result<(), Erro
let endpoint: Endpoint = if let Some(endpoint) = opts.external_endpoint {
endpoint
} else if opts.auto_external_endpoint {
let ip = publicip::get_any(Preference::Ipv4).ok_or("couldn't get external IP")?;
let ip = publicip::get_any(Preference::Ipv4).ok_or(anyhow!("couldn't get external IP"))?;
SocketAddr::new(ip, 51820).into()
} else {
prompts::ask_endpoint()?
@ -152,7 +153,7 @@ pub fn init_wizard(conf: &ServerConfig, opts: InitializeOpts) -> Result<(), Erro
.with_prompt("Listen port")
.default(51820)
.interact()
.map_err(|_| "failed to get listen port.")?
.map_err(|_| anyhow!("failed to get listen port."))?
};
let our_ip = root_cidr
@ -185,7 +186,7 @@ pub fn init_wizard(conf: &ServerConfig, opts: InitializeOpts) -> Result<(), Erro
let database_path = conf.database_path(&name);
let conn = create_database(&database_path).map_err(|_| {
format!(
anyhow!(
"failed to create database {}",
"(are you not running as root?)".bold()
)

10
server/src/main.rs
View file

@ -1,3 +1,4 @@
use anyhow::{anyhow, bail};
use colored::*;
use dialoguer::Confirm;
use hyper::{http, server::conn::AddrStream, Body, Request, Response};
@ -261,14 +262,13 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
fn open_database_connection(
interface: &InterfaceName,
conf: &ServerConfig,
) -> Result<rusqlite::Connection, Box<dyn std::error::Error>> {
) -> Result<rusqlite::Connection, Error> {
let database_path = conf.database_path(&interface);
if !Path::new(&database_path).exists() {
return Err(format!(
bail!(
"no database file found at {}",
database_path.to_string_lossy()
)
.into());
);
}
let conn = Connection::open(&database_path)?;
@ -337,7 +337,7 @@ fn rename_peer(
let mut db_peer = DatabasePeer::list(&conn)?
.into_iter()
.find(|p| p.name == old_name)
.ok_or( "Peer not found.")?;
.ok_or(anyhow!("Peer not found."))?;
let _peer = db_peer.update(&conn, peer_request)?;
} else {
println!("exited without creating peer.");

2
server/src/test.rs
View file

@ -221,7 +221,7 @@ pub fn peer_contents(
let public_key = KeyPair::generate().public;
Ok(PeerContents {
name: name.parse()?,
name: name.parse().map_err(|e: &str| anyhow!(e))?,
ip: ip_str.parse()?,
cidr_id,
public_key: public_key.to_base64(),

8
shared/Cargo.toml
View file

@ -7,11 +7,13 @@ publish = false
version = "1.3.1"
[dependencies]
anyhow = "1"
colored = "2.0"
dialoguer = "0.8"
indoc = "1"
ipnetwork = { git = "https://github.com/mcginty/ipnetwork" } # pending https://github.com/achanda/ipnetwork/pull/129
lazy_static = "1"
libc = "0.2"
log = "0.4"
publicip = { path = "../publicip" }
regex = "1"
@ -20,3 +22,9 @@ structopt = "0.3"
toml = "0.5"
url = "2"
wgctrl = { path = "../wgctrl-rs" }
[target.'cfg(target_os = "linux")'.dependencies]
netlink-sys = "0.6"
netlink-packet-core = "0.2"
netlink-packet-route = "0.7"
wgctrl-sys = { path = "../wgctrl-sys" }

9
shared/src/interface_config.rs
View file

@ -116,14 +116,7 @@ impl InterfaceConfig {
pub fn from_interface(interface: &InterfaceName) -> Result<Self, Error> {
let path = Self::build_config_file_path(interface)?;
let file = File::open(&path).with_path(&path)?;
if crate::chmod(&file, 0o600)? {
println!(
"{} updated permissions for {} to 0600.",
"[!]".yellow(),
path.display()
);
}
crate::warn_on_dangerous_mode(&path).with_path(&path)?;
Self::from_file(path)
}

31
shared/src/lib.rs
View file

@ -1,4 +1,4 @@
use colored::*;
pub use anyhow::Error;
use lazy_static::lazy_static;
use std::{
fs::{self, File},
@ -9,6 +9,8 @@ use std::{
};
pub mod interface_config;
#[cfg(target_os = "linux")]
mod netlink;
pub mod prompts;
pub mod types;
pub mod wg;
@ -26,8 +28,6 @@ lazy_static! {
pub const PERSISTENT_KEEPALIVE_INTERVAL_SECS: u16 = 25;
pub const INNERNET_PUBKEY_HEADER: &str = "X-Innernet-Server-Key";
pub type Error = Box<dyn std::error::Error>;
pub fn ensure_dirs_exist(dirs: &[&Path]) -> Result<(), WrappedIoError> {
for dir in dirs {
match fs::create_dir(dir).with_path(dir) {
@ -35,20 +35,29 @@ pub fn ensure_dirs_exist(dirs: &[&Path]) -> Result<(), WrappedIoError> {
return Err(e);
},
_ => {
let target_file = File::open(dir).with_path(dir)?;
if chmod(&target_file, 0o700).with_path(dir)? {
println!(
"{} updated permissions for {} to 0700.",
"[!]".yellow(),
dir.display()
);
}
warn_on_dangerous_mode(dir).with_path(dir)?;
},
}
}
Ok(())
}
pub fn warn_on_dangerous_mode(path: &Path) -> Result<(), io::Error> {
let file = File::open(path)?;
let metadata = file.metadata()?;
let permissions = metadata.permissions();
let mode = permissions.mode() & 0o777;
if mode & 0o007 != 0 {
log::warn!(
"{} is world-accessible (mode is {:#05o}). This is probably not what you want.",
path.to_string_lossy(),
mode
);
}
Ok(())
}
/// Updates the permissions of a file or directory. Returns `Ok(true)` if
/// permissions had to be changed, `Ok(false)` if permissions were already
/// correct.

128
shared/src/netlink.rs Normal file
View file

@ -0,0 +1,128 @@
use crate::Error;
use anyhow::anyhow;
use ipnetwork::IpNetwork;
use netlink_packet_core::{
NetlinkMessage, NetlinkPayload, NLM_F_ACK, NLM_F_CREATE, NLM_F_EXCL, NLM_F_REQUEST,
};
use netlink_packet_route::{
address, constants::*, link, route, AddressHeader, AddressMessage, LinkHeader, LinkMessage,
RouteHeader, RouteMessage, RtnlMessage, RTN_UNICAST, RT_SCOPE_LINK, RT_TABLE_MAIN,
};
use netlink_sys::{protocols::NETLINK_ROUTE, Socket, SocketAddr};
use std::io;
use wgctrl::InterfaceName;
fn if_nametoindex(interface: &InterfaceName) -> Result<u32, Error> {
match unsafe { libc::if_nametoindex(interface.as_ptr()) } {
0 => Err(anyhow!("couldn't find interface '{}'.", interface)),
index => Ok(index),
}
}
fn netlink_call(
message: RtnlMessage,
flags: Option<u16>,
) -> Result<NetlinkMessage<RtnlMessage>, io::Error> {
let mut req = NetlinkMessage::from(message);
req.header.flags = flags.unwrap_or(NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE);
req.finalize();
let mut buf = [0; 4096];
req.serialize(&mut buf);
let len = req.buffer_len();
log::debug!("netlink request: {:?}", req);
let socket = Socket::new(NETLINK_ROUTE).unwrap();
let kernel_addr = SocketAddr::new(0, 0);
socket.connect(&kernel_addr)?;
let n_sent = socket.send(&buf[..len], 0).unwrap();
if n_sent != len {
return Err(io::Error::new(
io::ErrorKind::UnexpectedEof,
"failed to send netlink request",
));
}
let n_received = socket.recv(&mut buf[..], 0).unwrap();
let response = NetlinkMessage::<RtnlMessage>::deserialize(&buf[..n_received])
.map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
log::trace!("netlink response: {:?}", response);
if let NetlinkPayload::Error(e) = response.payload {
return Err(e.to_io());
}
Ok(response)
}
pub fn set_up(interface: &InterfaceName, mtu: u32) -> Result<(), Error> {
let index = if_nametoindex(interface)?;
let message = LinkMessage {
header: LinkHeader {
index,
flags: IFF_UP,
..Default::default()
},
nlas: vec![link::nlas::Nla::Mtu(mtu)],
};
netlink_call(RtnlMessage::SetLink(message), None)?;
Ok(())
}
pub fn set_addr(interface: &InterfaceName, addr: IpNetwork) -> Result<(), Error> {
let index = if_nametoindex(interface)?;
let (family, nlas) = match addr {
IpNetwork::V4(network) => {
let addr_bytes = network.ip().octets().to_vec();
(
AF_INET as u8,
vec![
address::Nla::Local(addr_bytes.clone()),
address::Nla::Address(addr_bytes),
],
)
},
IpNetwork::V6(network) => (
AF_INET6 as u8,
vec![address::Nla::Address(network.ip().octets().to_vec())],
),
};
let message = AddressMessage {
header: AddressHeader {
index,
family,
prefix_len: addr.prefix(),
scope: RT_SCOPE_UNIVERSE,
..Default::default()
},
nlas,
};
netlink_call(
RtnlMessage::NewAddress(message),
Some(NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE | NLM_F_CREATE),
)?;
Ok(())
}
pub fn add_route(interface: &InterfaceName, cidr: IpNetwork) -> Result<bool, Error> {
let if_index = if_nametoindex(interface)?;
let (address_family, dst) = match cidr {
IpNetwork::V4(network) => (AF_INET as u8, network.network().octets().to_vec()),
IpNetwork::V6(network) => (AF_INET6 as u8, network.network().octets().to_vec()),
};
let message = RouteMessage {
header: RouteHeader {
table: RT_TABLE_MAIN,
protocol: RTPROT_BOOT,
scope: RT_SCOPE_LINK,
kind: RTN_UNICAST,
destination_prefix_length: cidr.prefix(),
address_family,
..Default::default()
},
nlas: vec![route::Nla::Destination(dst), route::Nla::Oif(if_index)],
};
match netlink_call(RtnlMessage::NewRoute(message), None) {
Ok(_) => Ok(true),
Err(e) if e.kind() == io::ErrorKind::AlreadyExists => Ok(false),
Err(e) => Err(e.into()),
}
}

13
shared/src/prompts.rs
View file

@ -3,6 +3,7 @@ use crate::{
AddCidrOpts, AddPeerOpts, Association, Cidr, CidrContents, CidrTree, DeleteCidrOpts, Endpoint,
Error, Hostname, Peer, PeerContents, RenamePeerOpts, PERSISTENT_KEEPALIVE_INTERVAL_SECS,
};
use anyhow::anyhow;
use colored::*;
use dialoguer::{theme::ColorfulTheme, Confirm, Input, Select};
use ipnetwork::IpNetwork;
@ -21,7 +22,7 @@ pub fn add_cidr(cidrs: &[Cidr], request: &AddCidrOpts) -> Result<Option<CidrCont
cidrs
.iter()
.find(|cidr| &cidr.name == parent_name)
.ok_or("No parent CIDR with that name exists.")?
.ok_or(anyhow!("No parent CIDR with that name exists."))?
} else {
choose_cidr(cidrs, "Parent CIDR")?
};
@ -74,7 +75,7 @@ pub fn delete_cidr(cidrs: &[Cidr], peers: &[Peer], request: &DeleteCidrOpts) ->
cidrs
.iter()
.find(|cidr| &cidr.name == name)
.ok_or_else(|| format!("CIDR {} doesn't exist or isn't eligible for deletion", name))?
.ok_or_else(|| anyhow!("CIDR {} doesn't exist or isn't eligible for deletion", name))?
} else {
let cidr_index = Select::with_theme(&*THEME)
.with_prompt("Delete CIDR")
@ -92,7 +93,7 @@ pub fn delete_cidr(cidrs: &[Cidr], peers: &[Peer], request: &DeleteCidrOpts) ->
{
Ok(cidr.id)
} else {
Err("Canceled".into())
Err(anyhow!("Canceled"))
}
}
@ -193,7 +194,7 @@ pub fn add_peer(
leaves
.iter()
.find(|cidr| &cidr.name == parent_name)
.ok_or("No eligible CIDR with that name exists.")?
.ok_or(anyhow!("No eligible CIDR with that name exists."))?
} else {
choose_cidr(&leaves[..], "Eligible CIDRs for peer")?
};
@ -241,7 +242,7 @@ pub fn add_peer(
} else {
Input::with_theme(&*THEME)
.with_prompt("Invite expires after")
.default("14d".parse()?)
.default("14d".parse().map_err(|s: &str| anyhow!(s))?)
.interact()?
};
@ -287,7 +288,7 @@ pub fn rename_peer(
eligible_peers
.into_iter()
.find(|p| &p.name == name)
.ok_or_else(|| format!("Peer '{}' does not exist", name))?
.ok_or_else(|| anyhow!("Peer '{}' does not exist", name))?
.clone()
} else {
let peer_index = Select::with_theme(&*THEME)

17
shared/src/types.rs
View file

@ -4,6 +4,7 @@ use regex::Regex;
use serde::{Deserialize, Serialize};
use std::{
fmt::{self, Display, Formatter},
io,
net::{IpAddr, SocketAddr, ToSocketAddrs},
ops::Deref,
path::Path,
@ -121,14 +122,14 @@ impl fmt::Display for Endpoint {
}
impl Endpoint {
pub fn resolve(&self) -> Result<SocketAddr, String> {
let mut addrs = self
.to_string()
.to_socket_addrs()
.map_err(|e| e.to_string())?;
addrs
.next()
.ok_or_else(|| "failed to resolve address".to_string())
pub fn resolve(&self) -> Result<SocketAddr, io::Error> {
let mut addrs = self.to_string().to_socket_addrs()?;
addrs.next().ok_or_else(|| {
io::Error::new(
io::ErrorKind::AddrNotAvailable,
"failed to resolve address".to_string(),
)
})
}
}

106
shared/src/wg.rs
View file

@ -1,13 +1,11 @@
use crate::{Error, IoErrorContext, NetworkOpt};
use ipnetwork::IpNetwork;
use std::{
net::{IpAddr, SocketAddr},
process::{self, Command},
};
use std::net::{IpAddr, SocketAddr};
use wgctrl::{Backend, Device, DeviceUpdate, InterfaceName, PeerConfigBuilder};
fn cmd(bin: &str, args: &[&str]) -> Result<process::Output, Error> {
let output = Command::new(bin).args(args).output()?;
#[cfg(target_os = "macos")]
fn cmd(bin: &str, args: &[&str]) -> Result<std::process::Output, Error> {
let output = std::process::Command::new(bin).args(args).output()?;
log::debug!("cmd: {} {}", bin, args.join(" "));
log::debug!("status: {:?}", output.status.code());
log::trace!("stdout: {}", String::from_utf8_lossy(&output.stdout));
@ -15,13 +13,12 @@ fn cmd(bin: &str, args: &[&str]) -> Result<process::Output, Error> {
if output.status.success() {
Ok(output)
} else {
Err(format!(
Err(anyhow::anyhow!(
"failed to run {} {} command: {}",
bin,
args.join(" "),
String::from_utf8_lossy(&output.stderr)
)
.into())
))
}
}
@ -40,30 +37,30 @@ pub fn set_addr(interface: &InterfaceName, addr: IpNetwork) -> Result<(), Error>
&addr.ip().to_string(),
"alias",
],
)?;
)
.map(|_output| ())
} else {
cmd(
"ifconfig",
&[&real_interface, "inet6", &addr.to_string(), "alias"],
)?;
)
.map(|_output| ())
}
cmd("ifconfig", &[&real_interface, "mtu", "1420"])?;
}
#[cfg(target_os = "macos")]
pub fn set_up(interface: &InterfaceName, mtu: u32) -> Result<(), Error> {
let real_interface =
wgctrl::backends::userspace::resolve_tun(interface).with_str(interface.to_string())?;
cmd("ifconfig", &[&real_interface, "mtu", &mtu.to_string()])?;
Ok(())
}
#[cfg(target_os = "linux")]
pub fn set_addr(interface: &InterfaceName, addr: IpNetwork) -> Result<(), Error> {
let interface = interface.to_string();
cmd(
"ip",
&["address", "replace", &addr.to_string(), "dev", &interface],
)?;
cmd(
"ip",
&["link", "set", "mtu", "1420", "up", "dev", &interface],
)?;
Ok(())
}
pub use super::netlink::set_addr;
#[cfg(target_os = "linux")]
pub use super::netlink::set_up;
pub fn up(
interface: &InterfaceName,
@ -88,6 +85,7 @@ pub fn up(
.set_private_key(wgctrl::Key::from_base64(&private_key).unwrap())
.apply(interface, network.backend)?;
set_addr(interface, address)?;
set_up(interface, 1420)?;
if !network.no_routing {
add_route(interface, address)?;
}
@ -120,43 +118,31 @@ pub fn down(interface: &InterfaceName, backend: Backend) -> Result<(), Error> {
/// Add a route in the OS's routing table to get traffic flowing through this interface.
/// Returns an error if the process doesn't exit successfully, otherwise returns
/// true if the route was changed, false if the route already exists.
#[cfg(target_os = "macos")]
pub fn add_route(interface: &InterfaceName, cidr: IpNetwork) -> Result<bool, Error> {
if cfg!(target_os = "macos") {
let real_interface =
wgctrl::backends::userspace::resolve_tun(interface).with_str(interface.to_string())?;
let output = cmd(
"route",
&[
"-n",
"add",
if cidr.is_ipv4() { "-inet" } else { "-inet6" },
&cidr.to_string(),
"-interface",
&real_interface,
],
)?;
let stderr = String::from_utf8_lossy(&output.stderr);
if !output.status.success() {
Err(format!(
"failed to add route for device {} ({}): {}",
&interface, real_interface, stderr
)
.into())
} else {
Ok(!stderr.contains("File exists"))
}
let real_interface =
wgctrl::backends::userspace::resolve_tun(interface).with_str(interface.to_string())?;
let output = cmd(
"route",
&[
"-n",
"add",
if cidr.is_ipv4() { "-inet" } else { "-inet6" },
&cidr.to_string(),
"-interface",
&real_interface,
],
)?;
let stderr = String::from_utf8_lossy(&output.stderr);
if !output.status.success() {
Err(anyhow::anyhow!(
"failed to add route for device {} ({}): {}",
&interface, real_interface, stderr
))
} else {
// TODO(mcginty): use the netlink interface on linux to modify routing table.
let _ = cmd(
"ip",
&[
"route",
"add",
&IpNetwork::new(cidr.network(), cidr.prefix())?.to_string(),
"dev",
&interface.to_string(),
],
);
Ok(false)
Ok(!stderr.contains("File exists"))
}
}
#[cfg(target_os = "linux")]
pub use super::netlink::add_route;

2
wgctrl-rs/src/device.rs
View file

@ -165,7 +165,7 @@ impl InterfaceName {
#[cfg(target_os = "linux")]
/// Returns a pointer to the inner byte buffer for FFI calls.
pub(crate) fn as_ptr(&self) -> *const c_char {
pub fn as_ptr(&self) -> *const c_char {
self.0.as_ptr()
}