1 // Simple RPC-like protocol: establish new connection and upload helper
3 // Copyright (C) 2021 Simon Ruderich
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
10 // This program is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
15 // You should have received a copy of the GNU General Public License
16 // along with this program. If not, see <http://www.gnu.org/licenses/>.
31 "ruderich.org/simon/safcm"
32 "ruderich.org/simon/safcm/remote"
35 func (c *Conn) DialSSH(user, host string) error {
37 return fmt.Errorf("cannot reuse Conn")
42 remote = user + "@" + host
44 c.debugf("DialSSH: connecting to %q", remote)
48 // Help debugging by showing executed shell commands
51 c.cmd = exec.Command("ssh", remote, "/bin/sh", opts)
54 stdin, err := c.cmd.StdinPipe()
58 stdout, err := c.cmd.StdoutPipe()
62 err = c.handleStderrAsEvents(c.cmd)
72 err = c.dialSSH(stdin, stdout)
77 c.conn = safcm.NewGobConn(stdout, stdin)
82 func (c *Conn) dialSSH(stdin io.Writer, stdout_ io.Reader) error {
83 stdout := bufio.NewReader(stdout_)
85 goos, err := connGetGoos(stdin, stdout)
89 goarch, err := connGetGoarch(stdin, stdout)
93 uid, err := connGetUID(stdin, stdout)
98 path := fmt.Sprintf("/tmp/safcm-remote-%d", uid)
100 c.debugf("DialSSH: probing remote at %q", path)
102 // Compatibility for different operating systems
107 dir_stat='drwxrwxrwt 0 0'
108 file_stat="-rwx------ $(id -u) $(id -g)"
110 stat -c '%A %u %g' "$1"
119 file_stat="100700 $(id -u) $(id -g)"
121 stat -f '%p %u %g' "$1"
128 return fmt.Errorf("internal error: no support for %q", goos)
131 // Use a function so the shell cannot execute the input line-wise.
132 // This is important because we're also using stdin to send data to
133 // the script. If the shell executes the input line-wise then our
134 // script is interpreted as input for `read`.
136 // The target directory must no permit other users to delete our files
137 // or symlink attacks and arbitrary code execution is possible. For
138 // /tmp this is guaranteed by the sticky bit. Make sure it has the
139 // proper permissions.
141 // We cannot use `test -f && test -O` because this is open to TOCTOU
142 // attacks. `stat` gives use the full file state. If the file is owned
143 // by us and not a symlink then it's safe to use (assuming sticky or
144 // directory not writable by others).
146 // `test -e` is only used to prevent error messages if the file
147 // doesn't exist. It does not guard against any races.
148 _, err = fmt.Fprintf(stdin, `
153 dir="$(dirname "$x")"
154 if ! test "$(compat_stat "$dir")" = "$dir_stat"; then
155 echo "unsafe permissions on $dir, aborting" >&2
159 if test -e "$x" && test "$(compat_stat "$x")" = "$file_stat"; then
161 compat_sha512sum "$x"
163 # Empty checksum to request upload
167 # Wait for signal to continue
170 if test -n "$upload"; then
171 tmp="$(mktemp "$x.XXXXXX")"
172 # Report filename for upload
175 # Wait for upload to complete
178 # Safely create new file (ln does not follow symlinks)
182 # Make file executable
193 remoteSum, err := stdout.ReadString('\n')
198 // Get embedded helper binary
199 helper, err := remote.Helpers.ReadFile(
200 fmt.Sprintf("helpers/%s-%s", goos, goarch))
202 return fmt.Errorf("remote not built for GOOS/GOARCH %s/%s",
207 if remoteSum == "\n" {
209 c.debugf("DialSSH: remote not present or invalid permissions")
212 x := strings.Fields(remoteSum)
214 return fmt.Errorf("got unexpected checksum line %q",
217 sha := sha512.Sum512(helper)
218 hex := hex.EncodeToString(sha[:])
220 c.debugf("DialSSH: remote checksum matches")
223 c.debugf("DialSSH: remote checksum does not match")
228 // Notify user that an upload is going to take place.
229 c.events <- ConnEvent{
230 Type: ConnEventUpload,
233 // Tell script we want to upload a new file.
234 _, err = fmt.Fprintln(stdin, "upload")
238 // Get path to temporary file for upload.
240 // Write to the temporary file instead of the final path so
241 // that a concurrent run of this function won't use a
242 // partially written file. The rm in the script could still
243 // cause a missing file but at least no file with unknown
244 // content is executed.
245 path, err := stdout.ReadString('\n')
249 path = strings.TrimSuffix(path, "\n")
251 c.debugf("DialSSH: uploading new remote to %q at %q",
254 cmd := exec.Command("ssh", c.remote,
255 fmt.Sprintf("cat > %q", path))
256 cmd.Stdin = bytes.NewReader(helper)
257 err = c.handleStderrAsEvents(cmd)
267 // Tell script to continue and execute the remote helper
268 _, err = fmt.Fprintln(stdin, "")
276 func connGetGoos(stdin io.Writer, stdout *bufio.Reader) (string, error) {
277 _, err := fmt.Fprintln(stdin, "uname -o")
281 x, err := stdout.ReadString('\n')
285 x = strings.TrimSpace(x)
287 // NOTE: Adapt helper uploading in dialSSH() when adding new systems
295 return "", fmt.Errorf("unsupported OS %q (`uname -o`)", x)
300 func connGetGoarch(stdin io.Writer, stdout *bufio.Reader) (string, error) {
301 _, err := fmt.Fprintln(stdin, "uname -m")
305 x, err := stdout.ReadString('\n')
309 x = strings.TrimSpace(x)
311 // NOTE: Adapt cmd/safcm-remote/build.sh when adding new architectures
314 case "x86_64", "amd64":
319 return "", fmt.Errorf("unsupported arch %q (`uname -m`)", x)
324 func connGetUID(stdin io.Writer, stdout *bufio.Reader) (int, error) {
325 _, err := fmt.Fprintln(stdin, "id -u")
329 x, err := stdout.ReadString('\n')
333 x = strings.TrimSpace(x)
335 uid, err := strconv.Atoi(x)
337 return -1, fmt.Errorf("invalid UID %q (`id -u`)", x)