From now on, the lttng command line sends it's credential at each
command along with the regular communication data.
The tracing output directory is set to those credentials (uid/gid) if
the session daemon is running as a regular user (even if the user is in
the tracing group). So *no* tracing group is ever set if the session
daemon is not running as a non-root user.
If the sessiond is running as root, the tracing group is set (if exist)
and the uid of the calling user is used.
This fixes the triple enable-channel/event needed to trace UST
applications with a non-root session daemon. This was reported by
Yannick Brosseau <yannick.brosseau@polymtl.ca>.
Signed-off-by: David Goulet <david.goulet@polymtl.ca>
- ret = lttcomm_send_unix_sock(sessiond_socket, lsm,
+ ret = lttcomm_send_creds_unix_sock(sessiond_socket, lsm,
sizeof(struct lttcomm_session_msg));
end:
sizeof(struct lttcomm_session_msg));
end:
* Place - Suite 330, Boston, MA 02111-1307, USA.
*/
* Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#include <errno.h>
#include <urcu/list.h>
#include <string.h>
#include <errno.h>
#include <urcu/list.h>
#include <string.h>
struct command_ctx {
int ust_sock;
unsigned int lttng_msg_size;
struct command_ctx {
int ust_sock;
unsigned int lttng_msg_size;
struct ltt_session *session;
struct lttcomm_lttng_msg *llm;
struct lttcomm_session_msg *lsm;
struct ltt_session *session;
struct lttcomm_lttng_msg *llm;
struct lttcomm_session_msg *lsm;
* Create an UST session and add it to the session ust list.
*/
static int create_ust_session(struct ltt_session *session,
* Create an UST session and add it to the session ust list.
*/
static int create_ust_session(struct ltt_session *session,
- struct lttng_domain *domain)
+ struct lttng_domain *domain, struct ucred *creds)
+ unsigned int sess_uid;
+ gid_t gid;
struct ltt_ust_session *lus = NULL;
switch (domain->type) {
struct ltt_ust_session *lus = NULL;
switch (domain->type) {
DBG("Creating UST session");
DBG("Creating UST session");
- uid = session->uid;
- lus = trace_ust_create_session(session->path, uid, domain);
+ sess_uid = session->uid;
+ lus = trace_ust_create_session(session->path, sess_uid, domain);
if (lus == NULL) {
ret = LTTCOMM_UST_SESS_FAIL;
goto error;
}
if (lus == NULL) {
ret = LTTCOMM_UST_SESS_FAIL;
goto error;
}
- ret = mkdir_recursive(lus->pathname, S_IRWXU | S_IRWXG,
- geteuid(), allowed_group());
+ /*
+ * Get the right group ID. To use the tracing group, the daemon must be
+ * running with root credentials or else it's the user GID used.
+ */
+ gid = allowed_group();
+ if (gid < 0 || !is_root) {
+ gid = creds->gid;
+ }
+
+ ret = mkdir_recursive(lus->pathname, S_IRWXU | S_IRWXG, creds->uid, gid);
if (ret < 0) {
if (ret != -EEXIST) {
ERR("Trace directory creation error");
if (ret < 0) {
if (ret != -EEXIST) {
ERR("Trace directory creation error");
/*
* Create a kernel tracer session then create the default channel.
*/
/*
* Create a kernel tracer session then create the default channel.
*/
-static int create_kernel_session(struct ltt_session *session)
+static int create_kernel_session(struct ltt_session *session,
+ struct ucred *creds)
DBG("Creating kernel session");
DBG("Creating kernel session");
session->kernel_session->consumer_fd = kconsumer_data.cmd_sock;
}
session->kernel_session->consumer_fd = kconsumer_data.cmd_sock;
}
+ gid = allowed_group();
+ if (gid < 0) {
+ /*
+ * Use GID 0 has a fallback since kernel session is only allowed under
+ * root or the gid of the calling user
+ */
+ is_root ? (gid = 0) : (gid = creds->gid);
+ }
+
ret = mkdir_recursive(session->kernel_session->trace_path,
ret = mkdir_recursive(session->kernel_session->trace_path,
- S_IRWXU | S_IRWXG, geteuid(), allowed_group());
+ S_IRWXU | S_IRWXG, creds->uid, gid);
if (ret < 0) {
if (ret != -EEXIST) {
ERR("Trace directory creation error");
if (ret < 0) {
if (ret != -EEXIST) {
ERR("Trace directory creation error");
/* Need a session for kernel command */
if (need_tracing_session) {
if (cmd_ctx->session->kernel_session == NULL) {
/* Need a session for kernel command */
if (need_tracing_session) {
if (cmd_ctx->session->kernel_session == NULL) {
- ret = create_kernel_session(cmd_ctx->session);
+ ret = create_kernel_session(cmd_ctx->session, &cmd_ctx->creds);
if (ret < 0) {
ret = LTTCOMM_KERN_SESS_FAIL;
goto error;
if (ret < 0) {
ret = LTTCOMM_KERN_SESS_FAIL;
goto error;
if (need_tracing_session) {
if (cmd_ctx->session->ust_session == NULL) {
ret = create_ust_session(cmd_ctx->session,
if (need_tracing_session) {
if (cmd_ctx->session->ust_session == NULL) {
ret = create_ust_session(cmd_ctx->session,
- &cmd_ctx->lsm->domain);
+ &cmd_ctx->lsm->domain, &cmd_ctx->creds);
if (ret != LTTCOMM_OK) {
goto error;
}
if (ret != LTTCOMM_OK) {
goto error;
}
+ /* Set socket option for credentials retrieval */
+ ret = lttcomm_setsockopt_creds_unix_sock(sock);
+ if (ret < 0) {
+ goto error;
+ }
+
/* Allocate context command to process the client request */
cmd_ctx = zmalloc(sizeof(struct command_ctx));
if (cmd_ctx == NULL) {
/* Allocate context command to process the client request */
cmd_ctx = zmalloc(sizeof(struct command_ctx));
if (cmd_ctx == NULL) {
* the client.
*/
DBG("Receiving data from client ...");
* the client.
*/
DBG("Receiving data from client ...");
- ret = lttcomm_recv_unix_sock(sock, cmd_ctx->lsm,
- sizeof(struct lttcomm_session_msg));
+ ret = lttcomm_recv_creds_unix_sock(sock, cmd_ctx->lsm,
+ sizeof(struct lttcomm_session_msg), &cmd_ctx->creds);
if (ret <= 0) {
DBG("Nothing recv() from client... continuing");
close(sock);
if (ret <= 0) {
DBG("Nothing recv() from client... continuing");
close(sock);
ERR("Failed to send data back to client");
}
ERR("Failed to send data back to client");
}
- clean_command_ctx(&cmd_ctx);
-
/* End of transmission */
close(sock);
/* End of transmission */
close(sock);
+
+ clean_command_ctx(&cmd_ctx);
* Race window between mkdir and chown is OK because we are going from more
* permissive (root.root) to les permissive (root.tracing).
*/
* Race window between mkdir and chown is OK because we are going from more
* permissive (root.root) to les permissive (root.tracing).
*/
-static int set_permissions(void)
+static int set_permissions(char *rundir)
{
int ret;
gid_t gid;
gid = allowed_group();
if (gid < 0) {
{
int ret;
gid_t gid;
gid = allowed_group();
if (gid < 0) {
- if (is_root) {
- WARN("No tracing group detected");
- ret = 0;
- } else {
- ERR("Missing tracing group. Aborting execution.");
- ret = -1;
- }
+ WARN("No tracing group detected");
+ ret = 0;
goto end;
}
/* Set lttng run dir */
goto end;
}
/* Set lttng run dir */
- ret = chown(LTTNG_RUNDIR, 0, gid);
+ ret = chown(rundir, 0, gid);
- ERR("Unable to set group on " LTTNG_RUNDIR);
+ ERR("Unable to set group on %s", rundir);
}
/* Set credentials to socket */
}
/* Set credentials to socket */
- if (is_root && ((ret = set_permissions()) < 0)) {
+ if (is_root && ((ret = set_permissions(rundir)) < 0)) {