From 92d375f6a37cff3aa522f02b2e51f54bfeab4be2 Mon Sep 17 00:00:00 2001
From: Mikhail Zakharov
Date: Tue, 23 Jul 2024 18:38:28 +0200
Subject: [PATCH] ts-warp-1.5.4
---
 CHANGELOG.md | 4 ++++
 ts-warp.c | 25 +++++++++++--------------
 ts-warp.h | 6 +++++-
 version.h | 2 +-
 4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c302505..fc0987a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
+* **2024.07.23 ts-warp-1.5.4, gui-warp-1.0.25 (gui-warp-v1.0.30-mac), ns-warp-1.0.7**
+ * `ts-warp.c`: `ACT`-file created as `RUNAS_USER` user owner
+ * `ts-warp.c`: On `macOS` delayed `setuid()`/`setgid()` disabled as almost useless
+
 * **2024.07.23 ts-warp-1.5.3, gui-warp-1.0.25 (gui-warp-v1.0.30-mac), ns-warp-1.0.7**
 * `ts-warp.c`: Enable on `macOS` delayed `setuid()`/`setgid()` to run as non-privileged user
 * `ts-warp.c`: SSH2 proxy connection fixed, thanks Stefan Hildebrandt for the bug-hunting
diff --git a/ts-warp.c b/ts-warp.c
index 4491df3..a82d25f 100644
--- a/ts-warp.c
+++ b/ts-warp.c
@@ -228,6 +228,9 @@ All parameters are optional:
 case 'u':
 runas_user = optarg;
+ #if defined(__APPLE__)
+ fprintf(stderr, "Note, -u option has no effect on macOS\n");
+ #endif
 break;
 case 'h': /* Help */
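Review bot: The new stderr message in the `case 'u':` branch says `-u` has no effect on macOS, but `runas_user` is still assigned here and the @@ -260 hunk passes it to `getpwnam()` and `chown()` outside any `__APPLE__` guard, so on macOS the option still decides who owns the ACT pipe. Either reword the message, for example `fprintf(stderr, "Note, on macOS -u only sets the owner of the ACT file\n");`, or skip the assignment under `__APPLE__`. The same wording is repeated in the usage text changed in the @@ -1440 hunk. The `switch` this case belongs to starts and ends outside the hunk.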
@@ -260,20 +263,22 @@ All parameters are optional:
 printl(LOG_INFO, "ts-warp Internal Socks address: [%s:%s]", saddr, sport);
 printl(LOG_INFO, "ts-warp Internal HTTP address: [%s:%s]", haddr, hport);
+ struct passwd *pwd = getpwnam(runas_user);
+
 if (mkfifo(tfile_name, S_IFIFO|S_IRWXU|S_IRGRP|S_IROTH) == -1 && errno != EEXIST)
 printl(LOG_WARN, "Unable to create active connections and traffic log pipe: [%s]", tfile_name);
- else
+ else {
+ chown(tfile_name, pwd ? pwd->pw_uid : 0, pwd ? pwd->pw_gid : 0);
 if ((tfd = open(tfile_name, O_RDWR) ) == -1)
 printl(LOG_WARN, "Unable to open active connections and traffic log pipe: [%s]", tfile_name);
 else
 printl(LOG_INFO, "Active connections and traffic log pipe available: [%s]", tfile_name);
+ }
 #if !defined(linux)
 pfd = pf_open(); /* Open PF device-file on *BSD */
 #endif
- struct passwd *pwd = getpwnam(runas_user);
-
 #if (WITH_LIBSSH2) /* Init LIBSSH2 */
 if ((ret = libssh2_init(0))) {
 fprintf (stderr, "libssh2 initialization failed (%d)\n", ret);
@@ -315,7 +320,7 @@ All parameters are optional:
 mpid = pid;
 #if !defined(__APPLE__)
- /* MacOS won't allow reading /dev/pf under non-root user. So, let's try user switching later */
+ /* unfortunately, macOS won't allow reading /dev/pf under non-root user */
 if (setuid(pwd->pw_uid) && setgid(pwd->pw_gid)) {
 printl(LOG_CRIT, "Failed to set privilege level to UID:GID [%d:%d]", pwd->pw_uid, pwd->pw_gid);
 exit(1);
@@ -635,14 +640,6 @@ All parameters are optional:
 if (cpid == 0) {
 /* -- Client processing (child) ------------------------------------------------------------------------- */
- #if defined(__APPLE__)
- /* Switch to a non-privileged user on macOS */
- if (setuid(pwd->pw_uid) && setgid(pwd->pw_gid)) {
- printl(LOG_CRIT, "Failed to set privilege level to UID:GID [%d:%d]", pwd->pw_uid, pwd->pw_gid);
- exit(1);
- }
- #endif
-
 ssock.t = CHS_SOCKET; /* Type socket */
 #if (WITH_LIBSSH2)
 ssock.c = NULL;
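Review bot: The added `chown(tfile_name, …)` in the @@ -260 hunk runs as root on a path that may already have existed, because the preceding `mkfifo()` check accepts `EEXIST`; `chown()` follows symbolic links and its return value is discarded, so if the spool directory is ever writable by another account the call can hand ownership of an unintended file to the run-as user, and a failure goes unlogged. I would open the path first with `O_NOFOLLOW`, confirm with `fstat()` that it really is a FIFO, and change ownership through the descriptor with `fchown()`, logging any error. The `pwd ? … : 0` fallback also quietly leaves the pipe owned by root when `getpwnam()` finds no such user, which deserves a warning of its own. The enclosing function starts and ends outside this hunk, and the log texts in the sketch are suggestions.

```c
else {
    /* open first and refuse symlinks, then work on the descriptor instead of the path */
    if ((tfd = open(tfile_name, O_RDWR | O_NOFOLLOW)) == -1)
        printl(LOG_WARN, "Unable to open active connections and traffic log pipe: [%s]", tfile_name);
    else {
        struct stat st;

        if (fstat(tfd, &st) == -1 || !S_ISFIFO(st.st_mode)) {
            printl(LOG_WARN, "Not a FIFO, refusing to use: [%s]", tfile_name);
            close(tfd);
            tfd = -1;                   /* same value a failed open() leaves behind */
        } else {
            if (fchown(tfd, pwd ? pwd->pw_uid : 0, pwd ? pwd->pw_gid : 0) == -1)
                printl(LOG_WARN, "Unable to change owner of: [%s]", tfile_name);
            printl(LOG_INFO, "Active connections and traffic log pipe available: [%s]", tfile_name);
        }
    }
}
```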
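Review bot: The privilege drop under the reworded comment in the @@ -315 hunk, `if (setuid(pwd->pw_uid) && setgid(pwd->pw_gid))`, never changes the group: when `setuid()` succeeds it returns 0, `&&` short-circuits and `setgid()` is not called, and an error is reported only if both calls fail. The group has to be dropped before the user and either failure must abort, e.g. `if (setgid(pwd->pw_gid) || setuid(pwd->pw_uid)) {`; supplementary groups also stay in place unless `setgroups()` or `initgroups()` is called first. `pwd` comes from `getpwnam(runas_user)` in the @@ -260 hunk and is dereferenced here without a NULL check, so an unknown `-u` name would crash instead of failing cleanly. The enclosing function continues outside the hunk.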
@@ -1174,7 +1171,7 @@ All parameters are optional:
 tmessage.mtype = 1;
 memset(&tmessage.mtext, 0, sizeof(struct traffic_data));
 tmessage.mtext.pid = pid;
- tmessage.mtext.timestamp = 0;
+ tmessage.mtext.timestamp = time(NULL);
 tmessage.mtext.caddr = caddr;
 tmessage.mtext.cbytes = 0;
 tmessage.mtext.daddr = daddr.ip_addr;
@@ -1440,7 +1437,7 @@ All parameters are optional:\n\
 -p file.pid\t PID filename, default: %s\n\
 -f\t\t Force start\n\
 \n\
- -u user\t A user to run ts-warp, default: %s\n\
+ -u user\t A user to run ts-warp, default: %s. Note, this option has no effect on macOS\n\
 \n\
 -h\t\t This message\n\n", PROG_NAME, PROG_VERSION, INI_FILE_NAME, LOG_FILE_NAME, LOG_LEVEL_DEFAULT, PID_FILE_NAME, RUNAS_USER);
diff --git a/ts-warp.h b/ts-warp.h
index 46d0709..3fc588c 100644
--- a/ts-warp.h
+++ b/ts-warp.h
@@ -37,7 +37,11 @@
 #define ACT_FILE_NAME PREFIX"/var/spool/ts-warp/ts-warp.act"
 #define PID_FILE_NAME PREFIX"/var/run/ts-warp.pid"
-#define RUNAS_USER "nobody"
+#if !defined(__APPLE__)
+ #define RUNAS_USER "nobody"
+#else
+ #define RUNAS_USER "root"
+#endif
 /* -- Function prototypes ------------------------------------------------------------------------------------------- */
 void trap_signal(int sig);
diff --git a/version.h b/version.h
index 11ca1ee..0fc7f79 100644
--- a/version.h
+++ b/version.h
@@ -29,7 +29,7 @@
 #define PROG_NAME_SHORT "TSW"
 #define PROG_VERSION_MAJOR "1"
 #define PROG_VERSION_MINOR "5"
-#define PROG_VERSION_BUILD "3"
+#define PROG_VERSION_BUILD "4"
 #define PROG_VERSION PROG_VERSION_MAJOR "." PROG_VERSION_MINOR "." PROG_VERSION_BUILD
 #define PROG_NAME_FULL PROG_NAME " " PROG_VERSION
 #define PROG_NAME_CODE PROG_NAME_SHORT PROG_VERSION
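Review bot: With `RUNAS_USER` defaulting to `"root"` on macOS in ts-warp.h, and the per-child `setuid()`/`setgid()` block deleted in the @@ -635 hunk of ts-warp.c, every client-handling process on macOS keeps full root privileges for its whole lifetime, and nothing at the definition says why. A comment above the `#else` branch would make the trade-off visible to packagers, for example `/* macOS: /dev/pf is readable by root only, so ts-warp does not drop privileges there */`. It would also help to state in the user documentation that macOS deployments run the proxy as root and should be confined by other means, since any parsing bug in the connection-handling code would then be exposed at root level.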