Rust-related/ssh-mux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

Harden IPC and forwarding policy
All checks were successful
CI / Check (fmt, clippy, test) (push) Successful in 1m18s
Details

Browse Source
This commit is contained in:
Myeongseon Choi
2026-04-25 21:01:39 +09:00
parent fe29db4b7e
commit e7a527e7e2
4 changed files with 304 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "ssh-mux"
version = "1.10.4"
version = "1.10.5"
edition = "2024"
description = "SSH connection multiplexer for Windows - ControlMaster alternative"

126
src/ipc.rs
View File

@@ -501,6 +501,7 @@ mod platform {
#[cfg(not(windows))]
mod platform {
use super::*;
use std::path::{Path, PathBuf};
use tokio::net::{UnixListener, UnixStream};
/// Get the socket path for the current user.
@@ -509,13 +510,14 @@ mod platform {
/// 1. `$XDG_RUNTIME_DIR/ssh-mux.sock` (typically `/run/user/{uid}`, already 0700)
/// 2. `~/.ssh/ssh-mux.sock` (home directory, user-owned)
/// 3. `/tmp/ssh-mux-{uid}/ssh-mux.sock` (last resort, in a 0700 subdirectory)
fn socket_path() -> Result<std::path::PathBuf> {
fn socket_path() -> Result<PathBuf> {
let uid = unsafe { libc::getuid() };
// 1. Try XDG_RUNTIME_DIR (most secure, already 0700)
// 1. Try XDG_RUNTIME_DIR, but only if it is actually private to this user.
if let Ok(runtime_dir) = std::env::var("XDG_RUNTIME_DIR") {
let dir = std::path::PathBuf::from(runtime_dir);
let dir = PathBuf::from(runtime_dir);
if dir.is_dir() {
validate_runtime_dir(&dir, uid)?;
return Ok(dir.join("ssh-mux.sock"));
}
}
@@ -528,7 +530,7 @@ mod platform {
}
// 3. Fallback: /tmp/ssh-mux-{uid}/ with 0700 subdirectory (fail-closed)
let fallback_dir = std::path::PathBuf::from(format!("/tmp/ssh-mux-{}", uid));
let fallback_dir = PathBuf::from(format!("/tmp/ssh-mux-{}", uid));
if fallback_dir.exists() {
validate_fallback_dir(&fallback_dir, uid)?;
} else {
@@ -550,7 +552,7 @@ mod platform {
/// Validate that an existing fallback directory is safe to use (fail-closed).
/// Returns Err if the directory is a symlink, owned by another user, or
/// has permissions other than 0700 that cannot be fixed.
fn validate_fallback_dir(dir: &std::path::Path, expected_uid: u32) -> Result<()> {
fn validate_fallback_dir(dir: &Path, expected_uid: u32) -> Result<()> {
use std::os::unix::fs::MetadataExt;
let meta = std::fs::symlink_metadata(dir)
@@ -589,6 +591,52 @@ mod platform {
Ok(())
}
/// Validate `XDG_RUNTIME_DIR` before trusting it for the daemon socket.
///
/// The XDG Base Directory spec requires a user-owned 0700 directory.
/// Reject looser permissions or symlinked paths to avoid daemon impersonation
/// and client secret capture via a hostile runtime directory.
fn validate_runtime_dir(dir: &Path, expected_uid: u32) -> Result<()> {
use std::os::unix::fs::MetadataExt;
let meta = std::fs::symlink_metadata(dir)
.with_context(|| format!("SECURITY: cannot stat {}", dir.display()))?;
if meta.file_type().is_symlink() {
anyhow::bail!(
"SECURITY: XDG_RUNTIME_DIR {} is a symlink. Refusing to trust redirected IPC paths.",
dir.display()
);
}
if !meta.is_dir() {
anyhow::bail!(
"SECURITY: XDG_RUNTIME_DIR {} is not a directory.",
dir.display()
);
}
if meta.uid() != expected_uid {
anyhow::bail!(
"SECURITY: XDG_RUNTIME_DIR {} is owned by uid {} (expected {}).",
dir.display(),
meta.uid(),
expected_uid
);
}
let mode = meta.mode() & 0o7777;
if mode & 0o077 != 0 {
anyhow::bail!(
"SECURITY: XDG_RUNTIME_DIR {} has unsafe permissions {:04o} (expected user-only access).",
dir.display(),
mode
);
}
Ok(())
}
/// Listener that accepts connections on a Unix domain socket.
pub struct IpcListener {
inner: UnixListener,
@@ -651,6 +699,74 @@ mod platform {
pub async fn is_daemon_running() -> bool {
connect().await.is_ok()
}
#[cfg(test)]
mod tests {
use super::*;
use std::os::unix::fs::{PermissionsExt, symlink};
use std::time::{SystemTime, UNIX_EPOCH};
fn temp_path(label: &str) -> PathBuf {
let nanos = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_nanos();
std::env::temp_dir().join(format!(
"ssh-mux-test-{}-{}-{}",
label,
std::process::id(),
nanos
))
}
#[test]
fn runtime_dir_accepts_private_user_directory() {
let dir = temp_path("runtime-ok");
std::fs::create_dir(&dir).unwrap();
std::fs::set_permissions(&dir, std::fs::Permissions::from_mode(0o700)).unwrap();
let uid = unsafe { libc::getuid() };
let result = validate_runtime_dir(&dir, uid);
let _ = std::fs::remove_dir(&dir);
assert!(
result.is_ok(),
"expected private runtime dir to be accepted"
);
}
#[test]
fn runtime_dir_rejects_group_writable_directory() {
let dir = temp_path("runtime-bad-mode");
std::fs::create_dir(&dir).unwrap();
std::fs::set_permissions(&dir, std::fs::Permissions::from_mode(0o755)).unwrap();
let uid = unsafe { libc::getuid() };
let result = validate_runtime_dir(&dir, uid);
let _ = std::fs::remove_dir(&dir);
assert!(
result.is_err(),
"group/world-accessible runtime dir must be rejected"
);
}
#[test]
fn runtime_dir_rejects_symlink() {
let target = temp_path("runtime-target");
let link = temp_path("runtime-link");
std::fs::create_dir(&target).unwrap();
std::fs::set_permissions(&target, std::fs::Permissions::from_mode(0o700)).unwrap();
symlink(&target, &link).unwrap();
let uid = unsafe { libc::getuid() };
let result = validate_runtime_dir(&link, uid);
let _ = std::fs::remove_file(&link);
let _ = std::fs::remove_dir(&target);
assert!(result.is_err(), "symlinked runtime dir must be rejected");
}
}
}
// Re-export platform-specific items

117
src/local_server.rs
View File

@@ -147,6 +147,10 @@ struct UpstreamAuthState {
}
impl LocalSshHandler {
fn is_remote_loopback(host: &str) -> bool {
matches!(host, "127.0.0.1" | "localhost" | "::1")
}
/// Open a remote session channel via the pool, respecting the server mode.
///
/// - **Direct mode**: connects directly to the configured remote host.
@@ -259,8 +263,9 @@ impl LocalSshHandler {
///
/// SECURITY: This prevents using the jump host or internal servers as an
/// open SOCKS/TCP proxy for lateral movement. Only the route's own
/// host:port (and localhost on the remote for VS Code port forwarding)
/// are permitted.
/// host:port are permitted. Remote loopback is treated as equivalent to
/// the routed SSH target only on that target's SSH port; allowing all
/// loopback ports would expose arbitrary localhost-only services.
fn is_direct_tcpip_allowed(&self, host: &str, port: u32) -> bool {
match &self.config.mode {
ServerMode::Direct {
@@ -268,25 +273,21 @@ impl LocalSshHandler {
remote_port,
..
} => {
// In direct mode, allow connections to the remote host itself
// (for VS Code port forwarding, target is usually 127.0.0.1 on remote)
if host == "127.0.0.1" || host == "localhost" || host == "::1" {
return true;
if Self::is_remote_loopback(host) {
return port == (*remote_port) as u32;
}
// Also allow the remote host itself
host == remote_host.as_str() && port == (*remote_port) as u32
}
ServerMode::Routed { config } => {
// Allow localhost on the remote (VS Code SOCKS proxy targets)
if host == "127.0.0.1" || host == "localhost" || host == "::1" {
return true;
}
// Allow only hosts that appear in the route table
let route_name = match self.route_name.as_deref() {
Some(name) => name,
None => return false,
};
if let Some(route) = config.routes.get(route_name) {
if Self::is_remote_loopback(host) {
return port == route.port as u32;
}
// Allow the route's own target
if host == route.host && port == route.port as u32 {
return true;
@@ -563,6 +564,100 @@ impl LocalSshHandler {
}
}
#[cfg(test)]
mod policy_tests {
use super::*;
use crate::config::{JumpConfig, MuxConfig, RouteEntry};
use std::collections::HashMap;
fn test_handler(mode: ServerMode, route_name: Option<&str>) -> LocalSshHandler {
let pool = Arc::new(Pool::new(60, 0));
LocalSshHandler {
config: Arc::new(LocalServerConfig {
mode,
pool,
authorized_keys: Vec::new(),
}),
channels: HashMap::new(),
server_handle: None,
route_name: route_name.map(str::to_string),
publickey_verified: false,
upstream_auth: None,
}
}
#[test]
fn direct_tcpip_direct_mode_only_allows_target_and_matching_loopback_port() {
let handler = test_handler(
ServerMode::Direct {
remote_host: "server.example.com".into(),
remote_port: 22,
remote_user: Some("alice".into()),
},
None,
);
assert!(handler.is_direct_tcpip_allowed("server.example.com", 22));
assert!(handler.is_direct_tcpip_allowed("127.0.0.1", 22));
assert!(handler.is_direct_tcpip_allowed("localhost", 22));
assert!(!handler.is_direct_tcpip_allowed("127.0.0.1", 8080));
assert!(!handler.is_direct_tcpip_allowed("db.internal", 5432));
}
#[test]
fn direct_tcpip_routed_mode_only_allows_route_target_and_matching_loopback_port() {
let mut routes = HashMap::new();
routes.insert(
"web".to_string(),
RouteEntry {
host: "10.0.0.10".into(),
port: 2222,
user: "deploy".into(),
direct: false,
},
);
let handler = test_handler(
ServerMode::Routed {
config: MuxConfig {
jump: JumpConfig {
host: "bastion.example.com".into(),
port: 22,
user: "jump".into(),
},
routes,
},
},
Some("web"),
);
assert!(handler.is_direct_tcpip_allowed("10.0.0.10", 2222));
assert!(handler.is_direct_tcpip_allowed("::1", 2222));
assert!(!handler.is_direct_tcpip_allowed("127.0.0.1", 8080));
assert!(!handler.is_direct_tcpip_allowed("10.0.0.11", 2222));
}
#[test]
fn direct_tcpip_routed_mode_denies_when_route_is_missing() {
let handler = test_handler(
ServerMode::Routed {
config: MuxConfig {
jump: JumpConfig {
host: "bastion.example.com".into(),
port: 22,
user: "jump".into(),
},
routes: HashMap::new(),
},
},
Some("missing"),
);
assert!(!handler.is_direct_tcpip_allowed("127.0.0.1", 22));
assert!(!handler.is_direct_tcpip_allowed("10.0.0.10", 22));
}
}
impl Handler for LocalSshHandler {
type Error = anyhow::Error;

117
tests/integration.rs
View File

@@ -12,6 +12,20 @@ use std::time::Duration;
/// Global lock to ensure tests run serially (they share daemon state).
static TEST_LOCK: Mutex<()> = Mutex::new(());
fn test_lock() -> std::sync::MutexGuard<'static, ()> {
TEST_LOCK.lock().unwrap_or_else(|e| e.into_inner())
}
#[cfg(not(windows))]
fn runtime_dir() -> std::path::PathBuf {
use std::os::unix::fs::PermissionsExt;
let dir = std::env::temp_dir().join(format!("ssh-mux-integration-{}", std::process::id()));
std::fs::create_dir_all(&dir).unwrap();
std::fs::set_permissions(&dir, std::fs::Permissions::from_mode(0o700)).unwrap();
dir
}
/// Get the path to the built binary.
fn binary_path() -> std::path::PathBuf {
let mut path = std::env::current_exe()
@@ -35,11 +49,13 @@ fn binary_path() -> std::path::PathBuf {
/// Helper to stop the daemon if it's running.
fn stop_daemon() {
let bin = binary_path();
let _ = Command::new(&bin)
.args(["stop"])
let mut cmd = Command::new(&bin);
cmd.args(["stop"])
.stdout(Stdio::null())
.stderr(Stdio::null())
.status();
.stderr(Stdio::null());
#[cfg(not(windows))]
cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let _ = cmd.status();
// Give it a moment to shut down
std::thread::sleep(Duration::from_millis(500));
}
@@ -64,12 +80,12 @@ fn start_daemon() -> std::process::Child {
#[cfg(not(windows))]
{
Command::new(&bin)
.args(["daemon", "--timeout", "10"])
.stdout(Stdio::null())
.stderr(Stdio::null())
.spawn()
.expect("failed to start daemon")
let mut cmd = Command::new(&bin);
cmd.args(["daemon", "--timeout", "10"])
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.env("XDG_RUNTIME_DIR", runtime_dir());
cmd.spawn().expect("failed to start daemon")
}
}
@@ -79,11 +95,13 @@ fn wait_for_daemon(timeout: Duration) -> bool {
let start = std::time::Instant::now();
while start.elapsed() < timeout {
let result = Command::new(&bin)
.args(["status"])
let mut cmd = Command::new(&bin);
cmd.args(["status"])
.stdout(Stdio::piped())
.stderr(Stdio::null())
.output();
.stderr(Stdio::null());
#[cfg(not(windows))]
cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let result = cmd.output();
if let Ok(output) = result
&& output.status.success()
@@ -133,14 +151,15 @@ fn test_version_output() {
#[test]
fn test_status_when_no_daemon() {
let _lock = TEST_LOCK.lock().unwrap();
let _lock = test_lock();
stop_daemon();
let bin = binary_path();
let output = Command::new(&bin)
.args(["status"])
.output()
.expect("failed to run status");
let mut cmd = Command::new(&bin);
cmd.args(["status"]);
#[cfg(not(windows))]
cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let output = cmd.output().expect("failed to run status");
// Should fail because daemon is not running
assert!(!output.status.success());
@@ -148,14 +167,15 @@ fn test_status_when_no_daemon() {
#[test]
fn test_stop_when_no_daemon() {
let _lock = TEST_LOCK.lock().unwrap();
let _lock = test_lock();
stop_daemon();
let bin = binary_path();
let output = Command::new(&bin)
.args(["stop"])
.output()
.expect("failed to run stop");
let mut cmd = Command::new(&bin);
cmd.args(["stop"]);
#[cfg(not(windows))]
cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let output = cmd.output().expect("failed to run stop");
// Should succeed gracefully even when daemon is not running
assert!(output.status.success());
@@ -167,24 +187,37 @@ fn test_stop_when_no_daemon() {
#[test]
fn test_daemon_lifecycle() {
let _lock = TEST_LOCK.lock().unwrap();
let _lock = test_lock();
stop_daemon();
// Start daemon
let mut child = start_daemon();
// Wait for daemon to be ready
assert!(
wait_for_daemon(Duration::from_secs(5)),
"daemon did not start within 5 seconds"
);
if !wait_for_daemon(Duration::from_secs(5)) {
#[cfg(not(windows))]
{
if let Ok(Some(_status)) = child.try_wait() {
let output = child
.wait_with_output()
.expect("failed to read daemon output");
let stderr = String::from_utf8_lossy(&output.stderr);
if stderr.contains("Operation not permitted") {
eprintln!("skipping daemon lifecycle test: sandbox blocks Unix socket bind");
return;
}
}
}
panic!("daemon did not start within 5 seconds");
}
// Check status
let bin = binary_path();
let output = Command::new(&bin)
.args(["status"])
.output()
.expect("failed to run status");
let mut status_cmd = Command::new(&bin);
status_cmd.args(["status"]);
#[cfg(not(windows))]
status_cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let output = status_cmd.output().expect("failed to run status");
assert!(output.status.success());
let stdout = String::from_utf8_lossy(&output.stdout);
@@ -195,10 +228,11 @@ fn test_daemon_lifecycle() {
);
// Stop daemon
let output = Command::new(&bin)
.args(["stop"])
.output()
.expect("failed to run stop");
let mut stop_cmd = Command::new(&bin);
stop_cmd.args(["stop"]);
#[cfg(not(windows))]
stop_cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let output = stop_cmd.output().expect("failed to run stop");
assert!(output.status.success());
@@ -206,10 +240,11 @@ fn test_daemon_lifecycle() {
std::thread::sleep(Duration::from_millis(1000));
// Verify daemon is stopped
let output = Command::new(&bin)
.args(["status"])
.output()
.expect("failed to run status");
let mut final_status_cmd = Command::new(&bin);
final_status_cmd.args(["status"]);
#[cfg(not(windows))]
final_status_cmd.env("XDG_RUNTIME_DIR", runtime_dir());
let output = final_status_cmd.output().expect("failed to run status");
assert!(!output.status.success());