putty-source

nhyatt/putty-source

Fork 0

mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00

Commit Graph

Author	SHA1	Message	Date
Simon Tatham	be8d3974ff	Generalise strbuf_catf() into put_fmt(). marshal.h now provides a macro put_fmt() which allows you to write arbitrary printf-formatted data to an arbitrary BinarySink. We already had this facility for strbufs in particular, in the form of strbuf_catf(). That was able to take advantage of knowing the inner structure of a strbuf to minimise memory allocation (it would snprintf directly into the strbuf's existing buffer if possible). For a general black-box BinarySink we can't do that, so instead we dupvprintf into a temporary buffer. For consistency, I've removed strbuf_catf, and converted all uses of it into the new put_fmt - and I've also added an extra vtable method in the BinarySink API, so that put_fmt can still use strbuf_catf's more efficient memory management when talking to a strbuf, and fall back to the simpler strategy when that's not available.	2021-11-19 11:32:47 +00:00
Simon Tatham	3b51644f2b	Add a /proc/net magic authenticator. This is a Linux-specific trick that I'm quite fond of: I've used it before in 'agedu' and a lot of my unpublished personal scriptery. Suppose you want to run a listening network server in such a way that it can only accept connections from processes under your own control. Often it's not convenient to do this by adding an authentication step to the protocol itself (either because the password management gets hairy or because the protocol is already well defined). The 'right' answer is to switch from TCP to Unix-domain sockets, because then you can use the file permissions on the path leading to the socket inode to ensure that no other user id can connect to it - but that's often inconvenient as well, because if any _client_ of the server is not already prepared to speak AF_UNIX your control then you can only trick it into connecting to an AF_UNIX socket instead of TCP by applying a downstream patch or resorting to LD_PRELOAD shenanigans. But on Linux, there's an alternative shenanigan available, in the form of /proc/net/tcp (or tcp6), which lists every currently active TCP endpoint known to the kernel, and for each one, lists an owning uid. Listen on localhost only. Then, when a connection comes in, look up the far end of it in that file and see if the owning uid is the right one! I've always vaguely wondered if there would be uses for this trick in PuTTY. One potentially useful one might be to protect the listening sockets created by local-to-remote port forwarding. But for the moment, I'm only planning to use it for a less security-critical purpose, which will appear in the next commit.	2019-03-31 10:35:10 +01:00

Author

SHA1

Message

Date

Simon Tatham

be8d3974ff

Generalise strbuf_catf() into put_fmt().

marshal.h now provides a macro put_fmt() which allows you to write
arbitrary printf-formatted data to an arbitrary BinarySink.

We already had this facility for strbufs in particular, in the form of
strbuf_catf(). That was able to take advantage of knowing the inner
structure of a strbuf to minimise memory allocation (it would snprintf
directly into the strbuf's existing buffer if possible). For a general
black-box BinarySink we can't do that, so instead we dupvprintf into a
temporary buffer.

For consistency, I've removed strbuf_catf, and converted all uses of
it into the new put_fmt - and I've also added an extra vtable method
in the BinarySink API, so that put_fmt can still use strbuf_catf's
more efficient memory management when talking to a strbuf, and fall
back to the simpler strategy when that's not available.

2021-11-19 11:32:47 +00:00

Simon Tatham

3b51644f2b

Add a /proc/net magic authenticator.

This is a Linux-specific trick that I'm quite fond of: I've used it
before in 'agedu' and a lot of my unpublished personal scriptery.

Suppose you want to run a listening network server in such a way that
it can only accept connections from processes under your own control.
Often it's not convenient to do this by adding an authentication step
to the protocol itself (either because the password management gets
hairy or because the protocol is already well defined). The 'right'
answer is to switch from TCP to Unix-domain sockets, because then you
can use the file permissions on the path leading to the socket inode
to ensure that no other user id can connect to it - but that's often
inconvenient as well, because if any _client_ of the server is not
already prepared to speak AF_UNIX your control then you can only trick
it into connecting to an AF_UNIX socket instead of TCP by applying a
downstream patch or resorting to LD_PRELOAD shenanigans.

But on Linux, there's an alternative shenanigan available, in the form
of /proc/net/tcp (or tcp6), which lists every currently active TCP
endpoint known to the kernel, and for each one, lists an owning uid.
Listen on localhost only. Then, when a connection comes in, look up
the far end of it in that file and see if the owning uid is the right
one!

I've always vaguely wondered if there would be uses for this trick in
PuTTY. One potentially useful one might be to protect the listening
sockets created by local-to-remote port forwarding. But for the
moment, I'm only planning to use it for a less security-critical
purpose, which will appear in the next commit.

2019-03-31 10:35:10 +01:00

2 Commits