fix(ping): eliminate seteuid race by pre-opening ICMP socket at init

seteuid(0) is process-wide; the previous approach of acquiring
LOCK_SETEUID per-thread serialized the seteuid calls but left a window
where other threads inherited euid=0 while the mutex was held.

Open the ICMP raw socket once during single-threaded initialization in
spine.c main(), before any worker threads start. Store it as a global
(icmp_socket). ping_icmp() now dup()s that fd per call so each thread
has an independent fd for select()/setsockopt()/close() without
interfering with other threads.

All seteuid()/LOCK_SETEUID blocks are removed from ping_icmp(). If the
socket could not be opened at startup, icmp_avail is set to FALSE and
the poller falls back to UDP ping as before.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

ping.c

@@ -257,7 +257,7 @@ int ping_snmp(host_t *host, ping_t *ping) {
  *
  */
 int ping_icmp(host_t *host, ping_t *ping) {
-	int    icmp_socket;
+	int    icmp_fd;
 
 	double begin_time, end_time, total_time;
 	double host_timeout;
@@ -286,49 +286,21 @@ int ping_icmp(host_t *host, ping_t *ping) {
 		SPINE_LOG_DEBUG(("DEBUG: Device[%i] Entering ICMP Ping", host->id));
 	}
 
-	/* get ICMP socket */
-	retry_count = 0;
-	while (TRUE) {
-		#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-		if (hasCaps() != TRUE) {
-			thread_mutex_lock(LOCK_SETEUID);
-			if (seteuid(0) == -1) {
-				SPINE_LOG_DEBUG(("WARNING: Spine unable to obtain root privileges."));
-			}
-		}
-		#endif
-
-		if ((icmp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
-			usleep(500000);
-			retry_count++;
-
-			if (retry_count > 4) {
-				snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: Ping unable to create ICMP Socket");
-				snprintf(ping->ping_status, 50, "down");
-				#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-				if (hasCaps() != TRUE) {
-					if (seteuid(getuid()) == -1) {
-						SPINE_LOG_DEBUG(("WARNING: Spine unable to drop from root to local user."));
-					}
-					thread_mutex_unlock(LOCK_SETEUID);
-				}
-				#endif
-
-				return HOST_DOWN;
-			}
-		} else {
-			break;
-		}
+	/* Use the pre-opened global ICMP socket (opened single-threaded in main
+	 * before any worker threads start, eliminating the seteuid race).
+	 * dup() gives each thread its own fd so select()/close() don't interfere. */
+	if (icmp_socket < 0) {
+		snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: raw socket not available");
+		snprintf(ping->ping_status, 50, "down");
+		return HOST_DOWN;
 	}
 
-	#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-	if (hasCaps() != TRUE) {
-		if (seteuid(getuid()) == -1) {
-			SPINE_LOG_DEBUG(("WARNING: Spine unable to drop from root to local user."));
-		}
-		thread_mutex_unlock(LOCK_SETEUID);
+	icmp_fd = dup(icmp_socket);
+	if (icmp_fd < 0) {
+		snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: socket dup failed: %s", strerror(errno));
+		snprintf(ping->ping_status, 50, "down");
+		return HOST_DOWN;
 	}
-	#endif
 
 	/* convert the host timeout to a double precision number in seconds */
 	host_timeout = host->ping_timeout;
@@ -359,7 +331,7 @@ int ping_icmp(host_t *host, ping_t *ping) {
 	icmp->icmp_cksum = get_checksum(packet, packet_len);
 
 	/* hostname must be nonblank */
-	if ((strlen(host->hostname) != 0) && (icmp_socket != -1)) {
+	if (strlen(host->hostname) != 0) {
 		/* initialize variables */
 		snprintf(ping->ping_status, 50, "down");
 		snprintf(ping->ping_response, SMALL_BUFSIZE, "default");
@@ -375,7 +347,7 @@ int ping_icmp(host_t *host, ping_t *ping) {
 					snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: Ping timed out");
 					snprintf(ping->ping_status, 50, "down");
 					free(packet);
-					close(icmp_socket);
+					close(icmp_fd);
 					return HOST_DOWN;
 				}
 
@@ -390,27 +362,27 @@ int ping_icmp(host_t *host, ping_t *ping) {
 				timeout.tv_usec = ((int) (host_timeout - total_time) % 1000) * 1000;
 
 				/* set the socket send and receive timeout */
-				setsockopt(icmp_socket, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout, sizeof(timeout));
-				setsockopt(icmp_socket, SOL_SOCKET, SO_SNDTIMEO, (char*)&timeout, sizeof(timeout));
+				setsockopt(icmp_fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout, sizeof(timeout));
+				setsockopt(icmp_fd, SOL_SOCKET, SO_SNDTIMEO, (char*)&timeout, sizeof(timeout));
 
 				/* send packet to destination */
-				return_code = sendto(icmp_socket, packet, packet_len, 0, (struct sockaddr *) &fromname, sizeof(fromname));
+				return_code = sendto(icmp_fd, packet, packet_len, 0, (struct sockaddr *) &fromname, sizeof(fromname));
 
 				fromlen = sizeof(fromname);
 
 				/* wait for a response on the socket */
 				/* reinitialize fd_set -- select(2) clears bits in place on return */
 				keep_listening:
 				FD_ZERO(&socket_fds);
-				if (icmp_socket >= FD_SETSIZE) {
-					SPINE_LOG(("ERROR: Device[%i] ICMP socket %d exceeds FD_SETSIZE %d", host->id, icmp_socket, FD_SETSIZE));
+				if (icmp_fd >= FD_SETSIZE) {
+					SPINE_LOG(("ERROR: Device[%i] ICMP socket %d exceeds FD_SETSIZE %d", host->id, icmp_fd, FD_SETSIZE));
 					snprintf(ping->ping_status, 50, "down");
 					snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: fd exceeds FD_SETSIZE");
-					close(icmp_socket);
+					close(icmp_fd);
 					return HOST_DOWN;
 				}
-				FD_SET(icmp_socket,&socket_fds);
-				return_code = select(icmp_socket + 1, &socket_fds, NULL, NULL, &timeout);
+				FD_SET(icmp_fd,&socket_fds);
+				return_code = select(icmp_fd + 1, &socket_fds, NULL, NULL, &timeout);
 
 				/* record end time */
 				end_time = get_time_as_double();
@@ -420,9 +392,9 @@ int ping_icmp(host_t *host, ping_t *ping) {
 
 				if (total_time < host_timeout) {
 					#if !(defined(__CYGWIN__))
-					return_code = recvfrom(icmp_socket, socket_reply, BUFSIZE, MSG_WAITALL, (struct sockaddr *) &recvname, &fromlen);
+					return_code = recvfrom(icmp_fd, socket_reply, BUFSIZE, MSG_WAITALL, (struct sockaddr *) &recvname, &fromlen);
 					#else
-					return_code = recvfrom(icmp_socket, socket_reply, BUFSIZE, MSG_PEEK, (struct sockaddr *) &recvname, &fromlen);
+					return_code = recvfrom(icmp_fd, socket_reply, BUFSIZE, MSG_PEEK, (struct sockaddr *) &recvname, &fromlen);
 					#endif
 
 					if (return_code < 0) {
@@ -451,24 +423,7 @@ int ping_icmp(host_t *host, ping_t *ping) {
 								snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: Device is Alive");
 								snprintf(ping->ping_status, 50, "%.5f", total_time);
 								free(packet);
-								#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-								if (hasCaps() != TRUE) {
-									thread_mutex_lock(LOCK_SETEUID);
-									if (seteuid(0) == -1) {
-										SPINE_LOG_DEBUG(("WARNING: Spine unable to obtain root privileges."));
-									}
-								}
-								#endif
-								close(icmp_socket);
-								#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-								if (hasCaps() != TRUE) {
-									if (seteuid(getuid()) == -1) {
-										SPINE_LOG_DEBUG(("WARNING: Spine unable to drop from root to local user."));
-									}
-									thread_mutex_unlock(LOCK_SETEUID);
-								}
-								#endif
-
+								close(icmp_fd);
 								return HOST_UP;
 							} else {
 								/* received a response other than an echo reply */
@@ -502,48 +457,14 @@ int ping_icmp(host_t *host, ping_t *ping) {
 			snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: Destination hostname invalid");
 			snprintf(ping->ping_status, 50, "down");
 			free(packet);
-			#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-			if (hasCaps() != TRUE) {
-				thread_mutex_lock(LOCK_SETEUID);
-				if (seteuid(0) == -1) {
-					SPINE_LOG_DEBUG(("WARNING: Spine unable to obtain root privileges."));
-				}
-			}
-			#endif
-			close(icmp_socket);
-			#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-			if (hasCaps() != TRUE) {
-				if (seteuid(getuid()) == -1) {
-					SPINE_LOG_DEBUG(("WARNING: Spine unable to drop from root to local user."));
-				}
-				thread_mutex_unlock(LOCK_SETEUID);
-			}
-			#endif
+			close(icmp_fd);
 			return HOST_DOWN;
 		}
 	} else {
 		snprintf(ping->ping_response, SMALL_BUFSIZE, "ICMP: Destination address not specified");
 		snprintf(ping->ping_status, 50, "down");
 		free(packet);
-		if (icmp_socket != -1) {
-			#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-			if (hasCaps() != TRUE) {
-				thread_mutex_lock(LOCK_SETEUID);
-				if (seteuid(0) == -1) {
-					SPINE_LOG_DEBUG(("WARNING: Spine unable to obtain root privileges."));
-				}
-			}
-			#endif
-			close(icmp_socket);
-			#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
-			if (hasCaps() != TRUE) {
-				if (seteuid(getuid()) == -1) {
-					SPINE_LOG_DEBUG(("WARNING: Spine unable to drop from root to local user."));
-				}
-				thread_mutex_unlock(LOCK_SETEUID);
-			}
-			#endif
-		}
+		close(icmp_fd);
 		return HOST_DOWN;
 	}
 }

spine.c

@@ -113,6 +113,7 @@ int     *debug_devices;
 
 pool_t  *db_pool_local;
 pool_t  *db_pool_remote;
+int     icmp_socket = -1;
 
 poller_thread_t** details = NULL;
 
@@ -722,6 +723,29 @@ int main(int argc, char *argv[]) {
 	/* initialize thread initialization semaphore */
 	sem_init(&thread_init_sem, 0, 1);
 
+	/* Open the ICMP raw socket while still single-threaded and privileged.
+	 * seteuid(0) is process-wide; doing it here avoids the race where
+	 * multiple threads could inherit euid=0 while one holds LOCK_SETEUID. */
+	#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
+	if (hasCaps() != TRUE) {
+		if (seteuid(0) == -1) {
+			SPINE_LOG(("WARNING: Unable to obtain root privileges for ICMP socket."));
+		}
+	}
+	#endif
+	icmp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+	#if !(defined(__CYGWIN__) && !defined(SOLAR_PRIV))
+	if (hasCaps() != TRUE) {
+		if (seteuid(getuid()) == -1) {
+			SPINE_LOG(("WARNING: Unable to drop root privileges after ICMP socket open."));
+		}
+	}
+	#endif
+	if (icmp_socket < 0) {
+		SPINE_LOG(("WARNING: Unable to open ICMP raw socket: %s. ICMP ping disabled.", strerror(errno)));
+		set.icmp_avail = FALSE;
+	}
+
 	/* specify the point of timeout for timedwait semaphores */
 	//until_spec.tv_sec = (time_t)(set.poller_interval + begin_time - 0.2);
 	//until_spec.tv_nsec = 0;

spine.h

@@ -634,5 +634,6 @@ extern sem_t  available_threads;
 extern sem_t  available_scripts;
 extern pool_t *db_pool_remote;
 extern pool_t *db_pool_local;
+extern int    icmp_socket;
 
 #endif /* not _SPINE_H_ */