Print this page
4736 spamming zlogin with SIGINT will halt the target zone
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/zlogin/zlogin.c
+++ new/usr/src/cmd/zlogin/zlogin.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2013 DEY Storage Systems, Inc.
24 24 * Copyright (c) 2014 Gary Mills
25 25 */
26 26
27 27 /*
28 28 * zlogin provides three types of login which allow users in the global
29 29 * zone to access non-global zones.
30 30 *
31 31 * - "interactive login" is similar to rlogin(1); for example, the user could
32 32 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
33 33 * granted a new pty (which is then shoved into the zone), and an I/O
34 34 * loop between parent and child processes takes care of the interactive
35 35 * session. In this mode, login(1) (and its -c option, which means
36 36 * "already authenticated") is employed to take care of the initialization
37 37 * of the user's session.
38 38 *
39 39 * - "non-interactive login" is similar to su(1M); the user could issue
40 40 * 'zlogin my-zone ls -l' and the command would be run as specified.
41 41 * In this mode, zlogin sets up pipes as the communication channel, and
42 42 * 'su' is used to do the login setup work.
43 43 *
44 44 * - "console login" is the equivalent to accessing the tip line for a
45 45 * zone. For example, the user can issue 'zlogin -C my-zone'.
46 46 * In this mode, zlogin contacts the zoneadmd process via unix domain
47 47 * socket. If zoneadmd is not running, it starts it. This allows the
48 48 * console to be available anytime the zone is installed, regardless of
49 49 * whether it is running.
50 50 */
51 51
52 52 #include <sys/socket.h>
53 53 #include <sys/termios.h>
54 54 #include <sys/utsname.h>
55 55 #include <sys/stat.h>
56 56 #include <sys/types.h>
57 57 #include <sys/contract/process.h>
58 58 #include <sys/ctfs.h>
59 59 #include <sys/brand.h>
60 60 #include <sys/wait.h>
61 61 #include <alloca.h>
62 62 #include <assert.h>
63 63 #include <ctype.h>
64 64 #include <paths.h>
65 65 #include <door.h>
66 66 #include <errno.h>
67 67 #include <nss_dbdefs.h>
68 68 #include <poll.h>
69 69 #include <priv.h>
70 70 #include <pwd.h>
71 71 #include <unistd.h>
72 72 #include <utmpx.h>
73 73 #include <sac.h>
74 74 #include <signal.h>
75 75 #include <stdarg.h>
76 76 #include <stdio.h>
77 77 #include <stdlib.h>
78 78 #include <string.h>
79 79 #include <strings.h>
80 80 #include <stropts.h>
81 81 #include <wait.h>
82 82 #include <zone.h>
83 83 #include <fcntl.h>
84 84 #include <libdevinfo.h>
85 85 #include <libintl.h>
86 86 #include <locale.h>
87 87 #include <libzonecfg.h>
88 88 #include <libcontract.h>
89 89 #include <libbrand.h>
90 90 #include <auth_list.h>
91 91 #include <auth_attr.h>
92 92 #include <secdb.h>
93 93
94 94 static int masterfd;
95 95 static struct termios save_termios;
96 96 static struct termios effective_termios;
97 97 static int save_fd;
98 98 static struct winsize winsize;
99 99 static volatile int dead;
100 100 static volatile pid_t child_pid = -1;
101 101 static int interactive = 0;
102 102 static priv_set_t *dropprivs;
103 103
104 104 static int nocmdchar = 0;
105 105 static int failsafe = 0;
106 106 static char cmdchar = '~';
107 107 static int quiet = 0;
108 108
109 109 static int pollerr = 0;
110 110
111 111 static const char *pname;
112 112 static char *username;
113 113
114 114 /*
115 115 * When forced_login is true, the user is not prompted
116 116 * for an authentication password in the target zone.
117 117 */
118 118 static boolean_t forced_login = B_FALSE;
119 119
120 120 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
121 121 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
122 122 #endif
123 123
124 124 #define SUPATH "/usr/bin/su"
125 125 #define FAILSAFESHELL "/sbin/sh"
126 126 #define DEFAULTSHELL "/sbin/sh"
127 127 #define DEF_PATH "/usr/sbin:/usr/bin"
128 128
129 129 #define CLUSTER_BRAND_NAME "cluster"
130 130
131 131 /*
132 132 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
133 133 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
134 134 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
135 135 * also chosen in conjunction with the HI_WATER setting to make sure we
136 136 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
137 137 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
138 138 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
139 139 * is less than HI_WATER data already in the pipe.
140 140 */
141 141 #define ZLOGIN_BUFSIZ 8192
142 142 #define ZLOGIN_RDBUFSIZ 1024
143 143 #define HI_WATER 8192
144 144
145 145 /*
146 146 * See canonify() below. CANONIFY_LEN is the maximum length that a
147 147 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
148 148 */
149 149 #define CANONIFY_LEN 5
150 150
151 151 static void
152 152 usage(void)
153 153 {
154 154 (void) fprintf(stderr, gettext("usage: %s [ -nQCES ] [ -e cmdchar ] "
155 155 "[-l user] zonename [command [args ...] ]\n"), pname);
156 156 exit(2);
157 157 }
158 158
159 159 static const char *
160 160 getpname(const char *arg0)
161 161 {
162 162 const char *p = strrchr(arg0, '/');
163 163
164 164 if (p == NULL)
165 165 p = arg0;
166 166 else
167 167 p++;
168 168
169 169 pname = p;
170 170 return (p);
171 171 }
172 172
173 173 static void
174 174 zerror(const char *fmt, ...)
175 175 {
176 176 va_list alist;
177 177
178 178 (void) fprintf(stderr, "%s: ", pname);
179 179 va_start(alist, fmt);
180 180 (void) vfprintf(stderr, fmt, alist);
181 181 va_end(alist);
182 182 (void) fprintf(stderr, "\n");
183 183 }
184 184
185 185 static void
186 186 zperror(const char *str)
187 187 {
188 188 const char *estr;
189 189
190 190 if ((estr = strerror(errno)) != NULL)
191 191 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
192 192 else
193 193 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
194 194 }
195 195
196 196 /*
197 197 * The first part of our privilege dropping scheme needs to be called before
198 198 * fork(), since we must have it for security; we don't want to be surprised
199 199 * later that we couldn't allocate the privset.
200 200 */
201 201 static int
202 202 prefork_dropprivs()
203 203 {
204 204 if ((dropprivs = priv_allocset()) == NULL)
205 205 return (1);
206 206
207 207 priv_basicset(dropprivs);
208 208 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
209 209 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
210 210 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
211 211 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
212 212
213 213 /*
214 214 * We need to keep the basic privilege PROC_SESSION and all unknown
215 215 * basic privileges as well as the privileges PROC_ZONE and
216 216 * PROC_OWNER in order to query session information and
217 217 * send signals.
218 218 */
219 219 if (interactive == 0) {
220 220 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
221 221 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
222 222 } else {
223 223 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
224 224 }
225 225
226 226 return (0);
227 227 }
228 228
229 229 /*
230 230 * The second part of the privilege drop. We are paranoid about being attacked
231 231 * by the zone, so we drop all privileges. This should prevent a compromise
232 232 * which gets us to fork(), exec(), symlink(), etc.
233 233 */
234 234 static void
235 235 postfork_dropprivs()
236 236 {
237 237 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
238 238 zperror(gettext("Warning: could not set permitted privileges"));
239 239 }
240 240 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
241 241 zperror(gettext("Warning: could not set limit privileges"));
242 242 }
243 243 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
244 244 zperror(gettext("Warning: could not set inheritable "
245 245 "privileges"));
246 246 }
247 247 }
248 248
249 249 /*
250 250 * Create the unix domain socket and call the zoneadmd server; handshake
251 251 * with it to determine whether it will allow us to connect.
252 252 */
253 253 static int
254 254 get_console_master(const char *zname)
255 255 {
256 256 int sockfd = -1;
257 257 struct sockaddr_un servaddr;
258 258 char clientid[MAXPATHLEN];
259 259 char handshake[MAXPATHLEN], c;
260 260 int msglen;
261 261 int i = 0, err = 0;
262 262
263 263 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
264 264 zperror(gettext("could not create socket"));
265 265 return (-1);
266 266 }
267 267
268 268 bzero(&servaddr, sizeof (servaddr));
269 269 servaddr.sun_family = AF_UNIX;
270 270 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
271 271 "%s/%s.console_sock", ZONES_TMPDIR, zname);
272 272
273 273 if (connect(sockfd, (struct sockaddr *)&servaddr,
274 274 sizeof (servaddr)) == -1) {
275 275 zperror(gettext("Could not connect to zone console"));
276 276 goto bad;
277 277 }
278 278 masterfd = sockfd;
279 279
280 280 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
281 281 getpid(), setlocale(LC_MESSAGES, NULL));
282 282
283 283 if (msglen >= sizeof (clientid) || msglen < 0) {
284 284 zerror("protocol error");
285 285 goto bad;
286 286 }
287 287
288 288 if (write(masterfd, clientid, msglen) != msglen) {
289 289 zerror("protocol error");
290 290 goto bad;
291 291 }
292 292
293 293 bzero(handshake, sizeof (handshake));
294 294
295 295 /*
296 296 * Take care not to accumulate more than our fill, and leave room for
297 297 * the NUL at the end.
298 298 */
299 299 while ((err = read(masterfd, &c, 1)) == 1) {
300 300 if (i >= (sizeof (handshake) - 1))
301 301 break;
302 302 if (c == '\n')
303 303 break;
304 304 handshake[i] = c;
305 305 i++;
306 306 }
307 307
308 308 /*
309 309 * If something went wrong during the handshake we bail; perhaps
310 310 * the server died off.
311 311 */
312 312 if (err == -1) {
313 313 zperror(gettext("Could not connect to zone console"));
314 314 goto bad;
315 315 }
316 316
317 317 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
318 318 return (0);
319 319
320 320 zerror(gettext("Console is already in use by process ID %s."),
321 321 handshake);
322 322 bad:
323 323 (void) close(sockfd);
324 324 masterfd = -1;
325 325 return (-1);
326 326 }
327 327
328 328
329 329 /*
330 330 * Routines to handle pty creation upon zone entry and to shuttle I/O back
331 331 * and forth between the two terminals. We also compute and store the
332 332 * name of the slave terminal associated with the master side.
333 333 */
334 334 static int
335 335 get_master_pty()
336 336 {
337 337 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
338 338 zperror(gettext("failed to obtain a pseudo-tty"));
339 339 return (-1);
340 340 }
341 341 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
342 342 zperror(gettext("failed to get terminal settings from stdin"));
343 343 return (-1);
344 344 }
345 345 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
346 346
347 347 return (0);
348 348 }
349 349
350 350 /*
351 351 * This is a bit tricky; normally a pts device will belong to the zone it
352 352 * is granted to. But in the case of "entering" a zone, we need to establish
353 353 * the pty before entering the zone so that we can vector I/O to and from it
354 354 * from the global zone.
355 355 *
356 356 * We use the zonept() call to let the ptm driver know what we are up to;
357 357 * the only other hairy bit is the setting of zoneslavename (which happens
358 358 * above, in get_master_pty()).
359 359 */
360 360 static int
361 361 init_slave_pty(zoneid_t zoneid, char *devroot)
362 362 {
363 363 int slavefd = -1;
364 364 char *slavename, zoneslavename[MAXPATHLEN];
365 365
366 366 /*
367 367 * Set slave permissions, zone the pts, then unlock it.
368 368 */
369 369 if (grantpt(masterfd) != 0) {
370 370 zperror(gettext("grantpt failed"));
371 371 return (-1);
372 372 }
373 373
374 374 if (unlockpt(masterfd) != 0) {
375 375 zperror(gettext("unlockpt failed"));
376 376 return (-1);
377 377 }
378 378
379 379 /*
380 380 * We must open the slave side before zoning this pty; otherwise
381 381 * the kernel would refuse us the open-- zoning a pty makes it
382 382 * inaccessible to the global zone. Note we are trying to open
383 383 * the device node via the $ZONEROOT/dev path for this pty.
384 384 *
385 385 * Later we'll close the slave out when once we've opened it again
386 386 * from within the target zone. Blarg.
387 387 */
388 388 if ((slavename = ptsname(masterfd)) == NULL) {
389 389 zperror(gettext("failed to get name for pseudo-tty"));
390 390 return (-1);
391 391 }
392 392
393 393 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
394 394 devroot, slavename);
395 395
396 396 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
397 397 zerror(gettext("failed to open %s: %s"), zoneslavename,
398 398 strerror(errno));
399 399 return (-1);
400 400 }
401 401
402 402 /*
403 403 * Push hardware emulation (ptem), line discipline (ldterm),
404 404 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
405 405 */
406 406 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
407 407 zperror(gettext("failed to push ptem module"));
408 408 if (!failsafe)
409 409 goto bad;
410 410 }
411 411
412 412 /*
413 413 * Anchor the stream to prevent malicious I_POPs; we prefer to do
414 414 * this prior to entering the zone so that we can detect any errors
415 415 * early, and so that we can set the anchor from the global zone.
416 416 */
417 417 if (ioctl(slavefd, I_ANCHOR) == -1) {
418 418 zperror(gettext("failed to set stream anchor"));
419 419 if (!failsafe)
420 420 goto bad;
421 421 }
422 422
423 423 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
424 424 zperror(gettext("failed to push ldterm module"));
425 425 if (!failsafe)
426 426 goto bad;
427 427 }
428 428 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
429 429 zperror(gettext("failed to push ttcompat module"));
430 430 if (!failsafe)
431 431 goto bad;
432 432 }
433 433
434 434 /*
435 435 * Propagate terminal settings from the external term to the new one.
436 436 */
437 437 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
438 438 zperror(gettext("failed to set terminal settings"));
439 439 if (!failsafe)
440 440 goto bad;
441 441 }
442 442 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
443 443
444 444 if (zonept(masterfd, zoneid) != 0) {
445 445 zperror(gettext("could not set zoneid of pty"));
446 446 goto bad;
447 447 }
448 448
449 449 return (slavefd);
450 450
451 451 bad:
452 452 (void) close(slavefd);
453 453 return (-1);
454 454 }
455 455
456 456 /*
457 457 * Place terminal into raw mode.
458 458 */
459 459 static int
460 460 set_tty_rawmode(int fd)
461 461 {
462 462 struct termios term;
463 463 if (tcgetattr(fd, &term) < 0) {
464 464 zperror(gettext("failed to get user terminal settings"));
465 465 return (-1);
466 466 }
467 467
468 468 /* Stash for later, so we can revert back to previous mode */
469 469 save_termios = term;
470 470 save_fd = fd;
471 471
472 472 /* disable 8->7 bit strip, start/stop, enable any char to restart */
473 473 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
474 474 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
475 475 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
476 476 /* disable output post-processing */
477 477 term.c_oflag &= ~OPOST;
478 478 /* disable canonical mode, signal chars, echo & extended functions */
479 479 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
480 480
481 481 term.c_cc[VMIN] = 1; /* byte-at-a-time */
482 482 term.c_cc[VTIME] = 0;
483 483
484 484 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
485 485 zperror(gettext("failed to set user terminal to raw mode"));
486 486 return (-1);
487 487 }
488 488
489 489 /*
490 490 * We need to know the value of VEOF so that we can properly process for
491 491 * client-side ~<EOF>. But we have obliterated VEOF in term,
492 492 * because VMIN overloads the same array slot in non-canonical mode.
493 493 * Stupid @&^%!
494 494 *
495 495 * So here we construct the "effective" termios from the current
496 496 * terminal settings, and the corrected VEOF and VEOL settings.
497 497 */
498 498 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
499 499 zperror(gettext("failed to get user terminal settings"));
500 500 return (-1);
501 501 }
502 502 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
503 503 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
504 504
505 505 return (0);
506 506 }
507 507
508 508 /*
509 509 * Copy terminal window size from our terminal to the pts.
510 510 */
511 511 /*ARGSUSED*/
512 512 static void
513 513 sigwinch(int s)
514 514 {
515 515 struct winsize ws;
516 516
517 517 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
518 518 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
519 519 }
520 520
521 521 static volatile int close_on_sig = -1;
522 522
523 523 static void
524 524 /*ARGSUSED*/
525 525 sigcld(int s)
526 526 {
527 527 int status;
528 528 pid_t pid;
529 529
530 530 /*
531 531 * Peek at the exit status. If this isn't the process we cared
532 532 * about, then just reap it.
533 533 */
534 534 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
535 535 if (pid == child_pid &&
536 536 (WIFEXITED(status) || WIFSIGNALED(status))) {
537 537 dead = 1;
538 538 if (close_on_sig != -1) {
539 539 (void) write(close_on_sig, "a", 1);
540 540 (void) close(close_on_sig);
541 541 close_on_sig = -1;
542 542 }
543 543 } else {
544 544 (void) waitpid(pid, &status, WNOHANG);
545 545 }
546 546 }
|
↓ open down ↓ |
546 lines elided |
↑ open up ↑ |
547 547 }
548 548
549 549 /*
550 550 * Some signals (currently, SIGINT) must be forwarded on to the process
551 551 * group of the child process.
552 552 */
553 553 static void
554 554 sig_forward(int s)
555 555 {
556 556 if (child_pid != -1) {
557 - pid_t pgid = getpgid(child_pid);
558 - if (pgid != -1)
559 - (void) sigsend(P_PGID, pgid, s);
557 + (void) sigsend(P_PGID, child_pid, s);
560 558 }
561 559 }
562 560
563 561 /*
564 562 * reset terminal settings for global environment
565 563 */
566 564 static void
567 565 reset_tty()
568 566 {
569 567 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
570 568 }
571 569
572 570 /*
573 571 * Convert character to printable representation, for display with locally
574 572 * echoed command characters (like when we need to display ~^D)
575 573 */
576 574 static void
577 575 canonify(char c, char *cc)
578 576 {
579 577 if (isprint(c)) {
580 578 cc[0] = c;
581 579 cc[1] = '\0';
582 580 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
583 581 cc[0] = '^';
584 582 cc[1] = c + '@';
585 583 cc[2] = '\0';
586 584 } else {
587 585 cc[0] = '\\';
588 586 cc[1] = ((c >> 6) & 7) + '0';
589 587 cc[2] = ((c >> 3) & 7) + '0';
590 588 cc[3] = (c & 7) + '0';
591 589 cc[4] = '\0';
592 590 }
593 591 }
594 592
595 593 /*
596 594 * process_user_input watches the input stream for the escape sequence for
597 595 * 'quit' (by default, tilde-period). Because we might be fed just one
598 596 * keystroke at a time, state associated with the user input (are we at the
599 597 * beginning of the line? are we locally echoing the next character?) is
600 598 * maintained by beginning_of_line and local_echo across calls to the routine.
601 599 * If the write to outfd fails, we'll try to read from infd in an attempt
602 600 * to prevent deadlock between the two processes.
603 601 *
604 602 * This routine returns -1 when the 'quit' escape sequence has been issued,
605 603 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
606 604 */
607 605 static int
608 606 process_user_input(int outfd, int infd)
609 607 {
610 608 static boolean_t beginning_of_line = B_TRUE;
611 609 static boolean_t local_echo = B_FALSE;
612 610 char ibuf[ZLOGIN_BUFSIZ];
613 611 int nbytes;
614 612 char *buf = ibuf;
615 613 char c = *buf;
616 614
617 615 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
618 616 if (nbytes == -1 && (errno != EINTR || dead))
619 617 return (-1);
620 618
621 619 if (nbytes == -1) /* The read was interrupted. */
622 620 return (0);
623 621
624 622 /* 0 read means EOF, close the pipe to the child */
625 623 if (nbytes == 0)
626 624 return (1);
627 625
628 626 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
629 627 buf++;
630 628 if (beginning_of_line && !nocmdchar) {
631 629 beginning_of_line = B_FALSE;
632 630 if (c == cmdchar) {
633 631 local_echo = B_TRUE;
634 632 continue;
635 633 }
636 634 } else if (local_echo) {
637 635 local_echo = B_FALSE;
638 636 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
639 637 char cc[CANONIFY_LEN];
640 638
641 639 canonify(c, cc);
642 640 (void) write(STDOUT_FILENO, &cmdchar, 1);
643 641 (void) write(STDOUT_FILENO, cc, strlen(cc));
644 642 return (-1);
645 643 }
646 644 }
647 645 retry:
648 646 if (write(outfd, &c, 1) <= 0) {
649 647 /*
650 648 * Since the fd we are writing to is opened with
651 649 * O_NONBLOCK it is possible to get EAGAIN if the
652 650 * pipe is full. One way this could happen is if we
653 651 * are writing a lot of data into the pipe in this loop
654 652 * and the application on the other end is echoing that
655 653 * data back out to its stdout. The output pipe can
656 654 * fill up since we are stuck here in this loop and not
657 655 * draining the other pipe. We can try to read some of
658 656 * the data to see if we can drain the pipe so that the
659 657 * application can continue to make progress. The read
660 658 * is non-blocking so we won't hang here. We also wait
661 659 * a bit before retrying since there could be other
662 660 * reasons why the pipe is full and we don't want to
663 661 * continuously retry.
664 662 */
665 663 if (errno == EAGAIN) {
666 664 struct timespec rqtp;
667 665 int ln;
668 666 char obuf[ZLOGIN_BUFSIZ];
669 667
670 668 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
671 669 (void) write(STDOUT_FILENO, obuf, ln);
672 670
673 671 /* sleep for 10 milliseconds */
674 672 rqtp.tv_sec = 0;
675 673 rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
676 674 (void) nanosleep(&rqtp, NULL);
677 675 if (!dead)
678 676 goto retry;
679 677 }
680 678
681 679 return (-1);
682 680 }
683 681 beginning_of_line = (c == '\r' || c == '\n' ||
684 682 c == effective_termios.c_cc[VKILL] ||
685 683 c == effective_termios.c_cc[VEOL] ||
686 684 c == effective_termios.c_cc[VSUSP] ||
687 685 c == effective_termios.c_cc[VINTR]);
688 686 }
689 687 return (0);
690 688 }
691 689
692 690 /*
693 691 * This function prevents deadlock between zlogin and the application in the
694 692 * zone that it is talking to. This can happen when we read from zlogin's
695 693 * stdin and write the data down the pipe to the application. If the pipe
696 694 * is full, we'll block in the write. Because zlogin could be blocked in
697 695 * the write, it would never read the application's stdout/stderr so the
698 696 * application can then block on those writes (when the pipe fills up). If the
699 697 * the application gets blocked this way, it can never get around to reading
700 698 * its stdin so that zlogin can unblock from its write. Once in this state,
701 699 * the two processes are deadlocked.
702 700 *
703 701 * To prevent this, we want to verify that we can write into the pipe before we
704 702 * read from our stdin. If the pipe already is pretty full, we bypass the read
705 703 * for now. We'll circle back here again after the poll() so that we can
706 704 * try again. When this function is called, we already know there is data
707 705 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
708 706 * stdin is EOF, and 0 if everything is ok (even though we might not have
709 707 * read/written any data into the pipe on this iteration).
710 708 */
711 709 static int
712 710 process_raw_input(int stdin_fd, int appin_fd)
713 711 {
714 712 int cc;
715 713 struct stat64 sb;
716 714 char ibuf[ZLOGIN_RDBUFSIZ];
717 715
718 716 /* Check how much data is already in the pipe */
719 717 if (fstat64(appin_fd, &sb) == -1) {
720 718 perror("stat failed");
721 719 return (-1);
722 720 }
723 721
724 722 if (dead)
725 723 return (-1);
726 724
727 725 /*
728 726 * The pipe already has a lot of data in it, don't write any more
729 727 * right now.
730 728 */
731 729 if (sb.st_size >= HI_WATER)
732 730 return (0);
733 731
734 732 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
735 733 if (cc == -1 && (errno != EINTR || dead))
736 734 return (-1);
737 735
738 736 if (cc == -1) /* The read was interrupted. */
739 737 return (0);
740 738
741 739 /* 0 read means EOF, close the pipe to the child */
742 740 if (cc == 0)
743 741 return (1);
744 742
745 743 /*
746 744 * stdin_fd is stdin of the target; so, the thing we'll write the user
747 745 * data *to*.
748 746 */
749 747 if (write(stdin_fd, ibuf, cc) == -1)
750 748 return (-1);
751 749
752 750 return (0);
753 751 }
754 752
755 753 /*
756 754 * Write the output from the application running in the zone. We can get
757 755 * a signal during the write (usually it would be SIGCHLD when the application
758 756 * has exited) so we loop to make sure we have written all of the data we read.
759 757 */
760 758 static int
761 759 process_output(int in_fd, int out_fd)
762 760 {
763 761 int wrote = 0;
764 762 int cc;
765 763 char ibuf[ZLOGIN_BUFSIZ];
766 764
767 765 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
768 766 if (cc == -1 && (errno != EINTR || dead))
769 767 return (-1);
770 768 if (cc == 0) /* EOF */
771 769 return (-1);
772 770 if (cc == -1) /* The read was interrupted. */
773 771 return (0);
774 772
775 773 do {
776 774 int len;
777 775
778 776 len = write(out_fd, ibuf + wrote, cc - wrote);
779 777 if (len == -1 && errno != EINTR)
780 778 return (-1);
781 779 if (len != -1)
782 780 wrote += len;
783 781 } while (wrote < cc);
784 782
785 783 return (0);
786 784 }
787 785
788 786 /*
789 787 * This is the main I/O loop, and is shared across all zlogin modes.
790 788 * Parameters:
791 789 * stdin_fd: The fd representing 'stdin' for the slave side; input to
792 790 * the zone will be written here.
793 791 *
794 792 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
795 793 * we're running non-interactive); used in process_raw_input
796 794 * to ensure we don't fill up the application's stdin pipe.
797 795 *
798 796 * stdout_fd: The fd representing 'stdout' for the slave side; output
799 797 * from the zone will arrive here.
800 798 *
801 799 * stderr_fd: The fd representing 'stderr' for the slave side; output
802 800 * from the zone will arrive here.
803 801 *
804 802 * raw_mode: If TRUE, then no processing (for example, for '~.') will
805 803 * be performed on the input coming from STDIN.
806 804 *
807 805 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
808 806 * mode supplies a stderr).
809 807 *
810 808 */
811 809 static void
812 810 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
813 811 boolean_t raw_mode)
814 812 {
815 813 struct pollfd pollfds[4];
816 814 char ibuf[ZLOGIN_BUFSIZ];
817 815 int cc, ret;
818 816
819 817 /* read from stdout of zone and write to stdout of global zone */
820 818 pollfds[0].fd = stdout_fd;
821 819 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
822 820
823 821 /* read from stderr of zone and write to stderr of global zone */
824 822 pollfds[1].fd = stderr_fd;
825 823 pollfds[1].events = pollfds[0].events;
826 824
827 825 /* read from stdin of global zone and write to stdin of zone */
828 826 pollfds[2].fd = STDIN_FILENO;
829 827 pollfds[2].events = pollfds[0].events;
830 828
831 829 /* read from signalling pipe so we know when child dies */
832 830 pollfds[3].fd = sig_fd;
833 831 pollfds[3].events = pollfds[0].events;
834 832
835 833 for (;;) {
836 834 pollfds[0].revents = pollfds[1].revents =
837 835 pollfds[2].revents = pollfds[3].revents = 0;
838 836
839 837 if (dead)
840 838 break;
841 839
842 840 /*
843 841 * There is a race condition here where we can receive the
844 842 * child death signal, set the dead flag, but since we have
845 843 * passed the test above, we would go into poll and hang.
846 844 * To avoid this we use the sig_fd as an additional poll fd.
847 845 * The signal handler writes into the other end of this pipe
848 846 * when the child dies so that the poll will always see that
849 847 * input and proceed. We just loop around at that point and
850 848 * then notice the dead flag.
851 849 */
852 850
853 851 ret = poll(pollfds,
854 852 sizeof (pollfds) / sizeof (struct pollfd), -1);
855 853
856 854 if (ret == -1 && errno != EINTR) {
857 855 perror("poll failed");
858 856 break;
859 857 }
860 858
861 859 if (errno == EINTR && dead) {
862 860 break;
863 861 }
864 862
865 863 /* event from master side stdout */
866 864 if (pollfds[0].revents) {
867 865 if (pollfds[0].revents &
868 866 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
869 867 if (process_output(stdout_fd, STDOUT_FILENO)
870 868 != 0)
871 869 break;
872 870 } else {
873 871 pollerr = pollfds[0].revents;
874 872 break;
875 873 }
876 874 }
877 875
878 876 /* event from master side stderr */
879 877 if (pollfds[1].revents) {
880 878 if (pollfds[1].revents &
881 879 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
882 880 if (process_output(stderr_fd, STDERR_FILENO)
883 881 != 0)
884 882 break;
885 883 } else {
886 884 pollerr = pollfds[1].revents;
887 885 break;
888 886 }
889 887 }
890 888
891 889 /* event from user STDIN side */
892 890 if (pollfds[2].revents) {
893 891 if (pollfds[2].revents &
894 892 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
895 893 /*
896 894 * stdin fd is stdin of the target; so,
897 895 * the thing we'll write the user data *to*.
898 896 *
899 897 * Also, unlike on the output side, we
900 898 * close the pipe on a zero-length message.
901 899 */
902 900 int res;
903 901
904 902 if (raw_mode)
905 903 res = process_raw_input(stdin_fd,
906 904 appin_fd);
907 905 else
908 906 res = process_user_input(stdin_fd,
909 907 stdout_fd);
910 908
911 909 if (res < 0)
912 910 break;
913 911 if (res > 0) {
914 912 /* EOF (close) child's stdin_fd */
915 913 pollfds[2].fd = -1;
916 914 while ((res = close(stdin_fd)) != 0 &&
917 915 errno == EINTR)
918 916 ;
919 917 if (res != 0)
920 918 break;
921 919 }
922 920
923 921 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
924 922 /*
925 923 * It's OK to get a POLLHUP on STDIN-- it
926 924 * always happens if you do:
927 925 *
928 926 * echo foo | zlogin <zone> <command>
929 927 *
930 928 * We reset fd to -1 in this case to clear
931 929 * the condition and close the pipe (EOF) to
932 930 * the other side in order to wrap things up.
933 931 */
934 932 int res;
935 933
936 934 pollfds[2].fd = -1;
937 935 while ((res = close(stdin_fd)) != 0 &&
938 936 errno == EINTR)
939 937 ;
940 938 if (res != 0)
941 939 break;
942 940 } else {
943 941 pollerr = pollfds[2].revents;
944 942 break;
945 943 }
946 944 }
947 945 }
948 946
949 947 /*
950 948 * We are in the midst of dying, but try to poll with a short
951 949 * timeout to see if we can catch the last bit of I/O from the
952 950 * children.
953 951 */
954 952 retry:
955 953 pollfds[0].revents = pollfds[1].revents = 0;
956 954 (void) poll(pollfds, 2, 100);
957 955 if (pollfds[0].revents &
958 956 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
959 957 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
960 958 (void) write(STDOUT_FILENO, ibuf, cc);
961 959 goto retry;
962 960 }
963 961 }
964 962 if (pollfds[1].revents &
965 963 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
966 964 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
967 965 (void) write(STDERR_FILENO, ibuf, cc);
968 966 goto retry;
969 967 }
970 968 }
971 969 }
972 970
973 971 /*
974 972 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
975 973 */
976 974 static const char *
977 975 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
978 976 size_t len)
979 977 {
980 978 bzero(user_cmd, sizeof (user_cmd));
981 979 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
982 980 return (NULL);
983 981
984 982 return (user_cmd);
985 983 }
986 984
987 985 /* From libc */
988 986 extern int str2passwd(const char *, int, void *, char *, int);
989 987
990 988 /*
991 989 * exec() the user_cmd brand hook, and convert the output string to a
992 990 * struct passwd. This is to be called after zone_enter().
993 991 *
994 992 */
995 993 static struct passwd *
996 994 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
997 995 int pwbuflen)
998 996 {
999 997 char pwline[NSS_BUFLEN_PASSWD];
1000 998 char *cin = NULL;
1001 999 FILE *fin;
1002 1000 int status;
1003 1001
1004 1002 assert(getzoneid() != GLOBAL_ZONEID);
1005 1003
1006 1004 if ((fin = popen(user_cmd, "r")) == NULL)
1007 1005 return (NULL);
1008 1006
1009 1007 while (cin == NULL && !feof(fin))
1010 1008 cin = fgets(pwline, sizeof (pwline), fin);
1011 1009
1012 1010 if (cin == NULL) {
1013 1011 (void) pclose(fin);
1014 1012 return (NULL);
1015 1013 }
1016 1014
1017 1015 status = pclose(fin);
1018 1016 if (!WIFEXITED(status))
1019 1017 return (NULL);
1020 1018 if (WEXITSTATUS(status) != 0)
1021 1019 return (NULL);
1022 1020
1023 1021 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1024 1022 return (pwent);
1025 1023 else
1026 1024 return (NULL);
1027 1025 }
1028 1026
1029 1027 static char **
1030 1028 zone_login_cmd(brand_handle_t bh, const char *login)
1031 1029 {
1032 1030 static char result_buf[ARG_MAX];
1033 1031 char **new_argv, *ptr, *lasts;
1034 1032 int n, a;
1035 1033
1036 1034 /* Get the login command for the target zone. */
1037 1035 bzero(result_buf, sizeof (result_buf));
1038 1036
1039 1037 if (forced_login) {
1040 1038 if (brand_get_forcedlogin_cmd(bh, login,
1041 1039 result_buf, sizeof (result_buf)) != 0)
1042 1040 return (NULL);
1043 1041 } else {
1044 1042 if (brand_get_login_cmd(bh, login,
1045 1043 result_buf, sizeof (result_buf)) != 0)
1046 1044 return (NULL);
1047 1045 }
1048 1046
1049 1047 /*
1050 1048 * We got back a string that we'd like to execute. But since
1051 1049 * we're not doing the execution via a shell we'll need to convert
1052 1050 * the exec string to an array of strings. We'll do that here
1053 1051 * but we're going to be very simplistic about it and break stuff
1054 1052 * up based on spaces. We're not even going to support any kind
1055 1053 * of quoting or escape characters. It's truly amazing that
1056 1054 * there is no library function in OpenSolaris to do this for us.
1057 1055 */
1058 1056
1059 1057 /*
1060 1058 * Be paranoid. Since we're deliniating based on spaces make
1061 1059 * sure there are no adjacent spaces.
1062 1060 */
1063 1061 if (strstr(result_buf, " ") != NULL)
1064 1062 return (NULL);
1065 1063
1066 1064 /* Remove any trailing whitespace. */
1067 1065 n = strlen(result_buf);
1068 1066 if (result_buf[n - 1] == ' ')
1069 1067 result_buf[n - 1] = '\0';
1070 1068
1071 1069 /* Count how many elements there are in the exec string. */
1072 1070 ptr = result_buf;
1073 1071 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1074 1072 ;
1075 1073
1076 1074 /* Allocate the argv array that we're going to return. */
1077 1075 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1078 1076 return (NULL);
1079 1077
1080 1078 /* Tokenize the exec string and return. */
1081 1079 a = 0;
1082 1080 new_argv[a++] = result_buf;
1083 1081 if (n > 2) {
1084 1082 (void) strtok_r(result_buf, " ", &lasts);
1085 1083 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1086 1084 ;
1087 1085 } else {
1088 1086 new_argv[a++] = NULL;
1089 1087 }
1090 1088 assert(n == a);
1091 1089 return (new_argv);
1092 1090 }
1093 1091
1094 1092 /*
1095 1093 * Prepare argv array for exec'd process; if we're passing commands to the
1096 1094 * new process, then use su(1M) to do the invocation. Otherwise, use
1097 1095 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1098 1096 * login that we're coming from another zone, and to disregard its CONSOLE
1099 1097 * checks).
1100 1098 */
1101 1099 static char **
1102 1100 prep_args(brand_handle_t bh, const char *login, char **argv)
1103 1101 {
1104 1102 int argc = 0, a = 0, i, n = -1;
1105 1103 char **new_argv;
1106 1104
1107 1105 if (argv != NULL) {
1108 1106 size_t subshell_len = 1;
1109 1107 char *subshell;
1110 1108
1111 1109 while (argv[argc] != NULL)
1112 1110 argc++;
1113 1111
1114 1112 for (i = 0; i < argc; i++) {
1115 1113 subshell_len += strlen(argv[i]) + 1;
1116 1114 }
1117 1115 if ((subshell = calloc(1, subshell_len)) == NULL)
1118 1116 return (NULL);
1119 1117
1120 1118 for (i = 0; i < argc; i++) {
1121 1119 (void) strcat(subshell, argv[i]);
1122 1120 (void) strcat(subshell, " ");
1123 1121 }
1124 1122
1125 1123 if (failsafe) {
1126 1124 n = 4;
1127 1125 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1128 1126 return (NULL);
1129 1127
1130 1128 new_argv[a++] = FAILSAFESHELL;
1131 1129 } else {
1132 1130 n = 5;
1133 1131 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1134 1132 return (NULL);
1135 1133
1136 1134 new_argv[a++] = SUPATH;
1137 1135 if (strcmp(login, "root") != 0) {
1138 1136 new_argv[a++] = "-";
1139 1137 n++;
1140 1138 }
1141 1139 new_argv[a++] = (char *)login;
1142 1140 }
1143 1141 new_argv[a++] = "-c";
1144 1142 new_argv[a++] = subshell;
1145 1143 new_argv[a++] = NULL;
1146 1144 assert(a == n);
1147 1145 } else {
1148 1146 if (failsafe) {
1149 1147 n = 2;
1150 1148 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1151 1149 return (NULL);
1152 1150 new_argv[a++] = FAILSAFESHELL;
1153 1151 new_argv[a++] = NULL;
1154 1152 assert(n == a);
1155 1153 } else {
1156 1154 new_argv = zone_login_cmd(bh, login);
1157 1155 }
1158 1156 }
1159 1157
1160 1158 return (new_argv);
1161 1159 }
1162 1160
1163 1161 /*
1164 1162 * Helper routine for prep_env below.
1165 1163 */
1166 1164 static char *
1167 1165 add_env(char *name, char *value)
1168 1166 {
1169 1167 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1170 1168 char *str;
1171 1169
1172 1170 if ((str = malloc(sz)) == NULL)
1173 1171 return (NULL);
1174 1172
1175 1173 (void) snprintf(str, sz, "%s=%s", name, value);
1176 1174 return (str);
1177 1175 }
1178 1176
1179 1177 /*
1180 1178 * Prepare envp array for exec'd process.
1181 1179 */
1182 1180 static char **
1183 1181 prep_env()
1184 1182 {
1185 1183 int e = 0, size = 1;
1186 1184 char **new_env, *estr;
1187 1185 char *term = getenv("TERM");
1188 1186
1189 1187 size++; /* for $PATH */
1190 1188 if (term != NULL)
1191 1189 size++;
1192 1190
1193 1191 /*
1194 1192 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1195 1193 * We also set $SHELL, since neither login nor su will be around to do
1196 1194 * it.
1197 1195 */
1198 1196 if (failsafe)
1199 1197 size += 2;
1200 1198
1201 1199 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1202 1200 return (NULL);
1203 1201
1204 1202 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1205 1203 return (NULL);
1206 1204 new_env[e++] = estr;
1207 1205
1208 1206 if (term != NULL) {
1209 1207 if ((estr = add_env("TERM", term)) == NULL)
1210 1208 return (NULL);
1211 1209 new_env[e++] = estr;
1212 1210 }
1213 1211
1214 1212 if (failsafe) {
1215 1213 if ((estr = add_env("HOME", "/")) == NULL)
1216 1214 return (NULL);
1217 1215 new_env[e++] = estr;
1218 1216
1219 1217 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1220 1218 return (NULL);
1221 1219 new_env[e++] = estr;
1222 1220 }
1223 1221
1224 1222 new_env[e++] = NULL;
1225 1223
1226 1224 assert(e == size);
1227 1225
1228 1226 return (new_env);
1229 1227 }
1230 1228
1231 1229 /*
1232 1230 * Finish the preparation of the envp array for exec'd non-interactive
1233 1231 * zlogins. This is called in the child process *after* we zone_enter(), since
1234 1232 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1235 1233 * etc. We need only do this in the non-interactive, mode, since otherwise
1236 1234 * login(1) will do it. We don't do this in failsafe mode, since it presents
1237 1235 * additional ways in which the command could fail, and we'd prefer to avoid
1238 1236 * that.
1239 1237 */
1240 1238 static char **
1241 1239 prep_env_noninteractive(const char *user_cmd, char **env)
1242 1240 {
1243 1241 size_t size;
1244 1242 char **new_env;
1245 1243 int e, i;
1246 1244 char *estr;
1247 1245 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1248 1246 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1249 1247 struct passwd pwent;
1250 1248 struct passwd *pw = NULL;
1251 1249
1252 1250 assert(env != NULL);
1253 1251 assert(failsafe == 0);
1254 1252
1255 1253 /*
1256 1254 * Exec the "user_cmd" brand hook to get a pwent for the
1257 1255 * login user. If this fails, HOME will be set to "/", SHELL
1258 1256 * will be set to $DEFAULTSHELL, and we will continue to exec
1259 1257 * SUPATH <login> -c <cmd>.
1260 1258 */
1261 1259 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1262 1260
1263 1261 /*
1264 1262 * Get existing envp size.
1265 1263 */
1266 1264 for (size = 0; env[size] != NULL; size++)
1267 1265 ;
1268 1266
1269 1267 e = size;
1270 1268
1271 1269 /*
1272 1270 * Finish filling out the environment; we duplicate the environment
1273 1271 * setup described in login(1), for lack of a better precedent.
1274 1272 */
1275 1273 if (pw != NULL)
1276 1274 size += 3; /* LOGNAME, HOME, MAIL */
1277 1275 else
1278 1276 size += 1; /* HOME */
1279 1277
1280 1278 size++; /* always fill in SHELL */
1281 1279 size++; /* terminating NULL */
1282 1280
1283 1281 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1284 1282 goto malloc_fail;
1285 1283
1286 1284 /*
1287 1285 * Copy existing elements of env into new_env.
1288 1286 */
1289 1287 for (i = 0; env[i] != NULL; i++) {
1290 1288 if ((new_env[i] = strdup(env[i])) == NULL)
1291 1289 goto malloc_fail;
1292 1290 }
1293 1291 assert(e == i);
1294 1292
1295 1293 if (pw != NULL) {
1296 1294 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1297 1295 goto malloc_fail;
1298 1296 new_env[e++] = estr;
1299 1297
1300 1298 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1301 1299 goto malloc_fail;
1302 1300 new_env[e++] = estr;
1303 1301
1304 1302 if (chdir(pw->pw_dir) != 0)
1305 1303 zerror(gettext("Could not chdir to home directory "
1306 1304 "%s: %s"), pw->pw_dir, strerror(errno));
1307 1305
1308 1306 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1309 1307 pw->pw_name);
1310 1308 if ((estr = add_env("MAIL", varmail)) == NULL)
1311 1309 goto malloc_fail;
1312 1310 new_env[e++] = estr;
1313 1311 } else {
1314 1312 if ((estr = add_env("HOME", "/")) == NULL)
1315 1313 goto malloc_fail;
1316 1314 new_env[e++] = estr;
1317 1315 }
1318 1316
1319 1317 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1320 1318 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1321 1319 goto malloc_fail;
1322 1320 new_env[e++] = estr;
1323 1321 } else {
1324 1322 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1325 1323 goto malloc_fail;
1326 1324 new_env[e++] = estr;
1327 1325 }
1328 1326
1329 1327 new_env[e++] = NULL; /* add terminating NULL */
1330 1328
1331 1329 assert(e == size);
1332 1330 return (new_env);
1333 1331
1334 1332 malloc_fail:
1335 1333 zperror(gettext("failed to allocate memory for process environment"));
1336 1334 return (NULL);
1337 1335 }
1338 1336
1339 1337 static int
1340 1338 close_func(void *slavefd, int fd)
1341 1339 {
1342 1340 if (fd != *(int *)slavefd)
1343 1341 (void) close(fd);
1344 1342 return (0);
1345 1343 }
1346 1344
1347 1345 static void
1348 1346 set_cmdchar(char *cmdcharstr)
1349 1347 {
1350 1348 char c;
1351 1349 long lc;
1352 1350
1353 1351 if ((c = *cmdcharstr) != '\\') {
1354 1352 cmdchar = c;
1355 1353 return;
1356 1354 }
1357 1355
1358 1356 c = cmdcharstr[1];
1359 1357 if (c == '\0' || c == '\\') {
1360 1358 cmdchar = '\\';
1361 1359 return;
1362 1360 }
1363 1361
1364 1362 if (c < '0' || c > '7') {
1365 1363 zerror(gettext("Unrecognized escape character option %s"),
1366 1364 cmdcharstr);
1367 1365 usage();
1368 1366 }
1369 1367
1370 1368 lc = strtol(cmdcharstr + 1, NULL, 8);
1371 1369 if (lc < 0 || lc > 255) {
1372 1370 zerror(gettext("Octal escape character '%s' too large"),
1373 1371 cmdcharstr);
1374 1372 usage();
1375 1373 }
1376 1374 cmdchar = (char)lc;
1377 1375 }
1378 1376
1379 1377 static int
1380 1378 setup_utmpx(char *slavename)
1381 1379 {
1382 1380 struct utmpx ut;
1383 1381
1384 1382 bzero(&ut, sizeof (ut));
1385 1383 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1386 1384 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1387 1385 ut.ut_pid = getpid();
1388 1386 ut.ut_id[0] = 'z';
1389 1387 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1390 1388 ut.ut_type = LOGIN_PROCESS;
1391 1389 (void) time(&ut.ut_tv.tv_sec);
1392 1390
1393 1391 if (makeutx(&ut) == NULL) {
1394 1392 zerror(gettext("makeutx failed"));
1395 1393 return (-1);
1396 1394 }
1397 1395 return (0);
1398 1396 }
1399 1397
1400 1398 static void
1401 1399 release_lock_file(int lockfd)
1402 1400 {
1403 1401 (void) close(lockfd);
1404 1402 }
1405 1403
1406 1404 static int
1407 1405 grab_lock_file(const char *zone_name, int *lockfd)
1408 1406 {
1409 1407 char pathbuf[PATH_MAX];
1410 1408 struct flock flock;
1411 1409
1412 1410 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1413 1411 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1414 1412 strerror(errno));
1415 1413 return (-1);
1416 1414 }
1417 1415 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1418 1416 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1419 1417 ZONES_TMPDIR, zone_name);
1420 1418
1421 1419 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1422 1420 zerror(gettext("could not open %s: %s"), pathbuf,
1423 1421 strerror(errno));
1424 1422 return (-1);
1425 1423 }
1426 1424 /*
1427 1425 * Lock the file to synchronize with other zoneadmds
1428 1426 */
1429 1427 flock.l_type = F_WRLCK;
1430 1428 flock.l_whence = SEEK_SET;
1431 1429 flock.l_start = (off_t)0;
1432 1430 flock.l_len = (off_t)0;
1433 1431 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1434 1432 zerror(gettext("unable to lock %s: %s"), pathbuf,
1435 1433 strerror(errno));
1436 1434 release_lock_file(*lockfd);
1437 1435 return (-1);
1438 1436 }
1439 1437 return (Z_OK);
1440 1438 }
1441 1439
1442 1440 static int
1443 1441 start_zoneadmd(const char *zone_name)
1444 1442 {
1445 1443 pid_t retval;
1446 1444 int pstatus = 0, error = -1, lockfd, doorfd;
1447 1445 struct door_info info;
1448 1446 char doorpath[MAXPATHLEN];
1449 1447
1450 1448 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1451 1449
1452 1450 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1453 1451 return (-1);
1454 1452 /*
1455 1453 * We must do the door check with the lock held. Otherwise, we
1456 1454 * might race against another zoneadm/zlogin process and wind
1457 1455 * up with two processes trying to start zoneadmd at the same
1458 1456 * time. zoneadmd will detect this, and fail, but we prefer this
1459 1457 * to be as seamless as is practical, from a user perspective.
1460 1458 */
1461 1459 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1462 1460 if (errno != ENOENT) {
1463 1461 zerror("failed to open %s: %s", doorpath,
1464 1462 strerror(errno));
1465 1463 goto out;
1466 1464 }
1467 1465 } else {
1468 1466 /*
1469 1467 * Seems to be working ok.
1470 1468 */
1471 1469 if (door_info(doorfd, &info) == 0 &&
1472 1470 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1473 1471 error = 0;
1474 1472 goto out;
1475 1473 }
1476 1474 }
1477 1475
1478 1476 if ((child_pid = fork()) == -1) {
1479 1477 zperror(gettext("could not fork"));
1480 1478 goto out;
1481 1479 } else if (child_pid == 0) {
1482 1480 /* child process */
1483 1481 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1484 1482 zone_name, NULL);
1485 1483 zperror(gettext("could not exec zoneadmd"));
1486 1484 _exit(1);
1487 1485 }
1488 1486
1489 1487 /* parent process */
1490 1488 do {
1491 1489 retval = waitpid(child_pid, &pstatus, 0);
1492 1490 } while (retval != child_pid);
1493 1491 if (WIFSIGNALED(pstatus) ||
1494 1492 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1495 1493 zerror(gettext("could not start %s"), "zoneadmd");
1496 1494 goto out;
1497 1495 }
1498 1496 error = 0;
1499 1497 out:
1500 1498 release_lock_file(lockfd);
1501 1499 (void) close(doorfd);
1502 1500 return (error);
1503 1501 }
1504 1502
1505 1503 static int
1506 1504 init_template(void)
1507 1505 {
1508 1506 int fd;
1509 1507 int err = 0;
1510 1508
1511 1509 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1512 1510 if (fd == -1)
1513 1511 return (-1);
1514 1512
1515 1513 /*
1516 1514 * zlogin doesn't do anything with the contract.
1517 1515 * Deliver no events, don't inherit, and allow it to be orphaned.
1518 1516 */
1519 1517 err |= ct_tmpl_set_critical(fd, 0);
1520 1518 err |= ct_tmpl_set_informative(fd, 0);
1521 1519 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1522 1520 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1523 1521 if (err || ct_tmpl_activate(fd)) {
1524 1522 (void) close(fd);
1525 1523 return (-1);
1526 1524 }
1527 1525
1528 1526 return (fd);
1529 1527 }
1530 1528
1531 1529 static int
1532 1530 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1533 1531 char **new_args, char **new_env)
1534 1532 {
1535 1533 pid_t retval;
1536 1534 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1537 1535 int child_status;
1538 1536 int tmpl_fd;
1539 1537 sigset_t block_cld;
1540 1538
1541 1539 if ((tmpl_fd = init_template()) == -1) {
1542 1540 reset_tty();
1543 1541 zperror(gettext("could not create contract"));
1544 1542 return (1);
1545 1543 }
1546 1544
1547 1545 if (pipe(stdin_pipe) != 0) {
1548 1546 zperror(gettext("could not create STDIN pipe"));
1549 1547 return (1);
1550 1548 }
1551 1549 /*
1552 1550 * When the user types ^D, we get a zero length message on STDIN.
1553 1551 * We need to echo that down the pipe to send it to the other side;
1554 1552 * but by default, pipes don't propagate zero-length messages. We
1555 1553 * toggle that behavior off using I_SWROPT. See streamio(7i).
1556 1554 */
1557 1555 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1558 1556 zperror(gettext("could not configure STDIN pipe"));
1559 1557 return (1);
1560 1558
1561 1559 }
1562 1560 if (pipe(stdout_pipe) != 0) {
1563 1561 zperror(gettext("could not create STDOUT pipe"));
1564 1562 return (1);
1565 1563 }
1566 1564 if (pipe(stderr_pipe) != 0) {
1567 1565 zperror(gettext("could not create STDERR pipe"));
1568 1566 return (1);
1569 1567 }
1570 1568
1571 1569 if (pipe(dead_child_pipe) != 0) {
1572 1570 zperror(gettext("could not create signalling pipe"));
1573 1571 return (1);
1574 1572 }
1575 1573 close_on_sig = dead_child_pipe[0];
1576 1574
1577 1575 /*
1578 1576 * If any of the pipe FD's winds up being less than STDERR, then we
1579 1577 * have a mess on our hands-- and we are lacking some of the I/O
1580 1578 * streams we would expect anyway. So we bail.
1581 1579 */
1582 1580 if (stdin_pipe[0] <= STDERR_FILENO ||
1583 1581 stdin_pipe[1] <= STDERR_FILENO ||
1584 1582 stdout_pipe[0] <= STDERR_FILENO ||
1585 1583 stdout_pipe[1] <= STDERR_FILENO ||
1586 1584 stderr_pipe[0] <= STDERR_FILENO ||
1587 1585 stderr_pipe[1] <= STDERR_FILENO ||
1588 1586 dead_child_pipe[0] <= STDERR_FILENO ||
1589 1587 dead_child_pipe[1] <= STDERR_FILENO) {
1590 1588 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1591 1589 return (1);
1592 1590 }
1593 1591
1594 1592 if (prefork_dropprivs() != 0) {
1595 1593 zperror(gettext("could not allocate privilege set"));
1596 1594 return (1);
1597 1595 }
1598 1596
1599 1597 (void) sigset(SIGCLD, sigcld);
1600 1598 (void) sigemptyset(&block_cld);
1601 1599 (void) sigaddset(&block_cld, SIGCLD);
1602 1600 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1603 1601
1604 1602 if ((child_pid = fork()) == -1) {
1605 1603 (void) ct_tmpl_clear(tmpl_fd);
1606 1604 (void) close(tmpl_fd);
1607 1605 zperror(gettext("could not fork"));
1608 1606 return (1);
1609 1607 } else if (child_pid == 0) { /* child process */
1610 1608 (void) ct_tmpl_clear(tmpl_fd);
1611 1609
1612 1610 /*
1613 1611 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1614 1612 */
1615 1613 (void) close(STDIN_FILENO);
1616 1614 (void) close(STDOUT_FILENO);
1617 1615 (void) close(STDERR_FILENO);
1618 1616 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1619 1617 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1620 1618 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1621 1619 (void) closefrom(STDERR_FILENO + 1);
1622 1620
1623 1621 (void) sigset(SIGCLD, SIG_DFL);
1624 1622 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1625 1623 /*
1626 1624 * In case any of stdin, stdout or stderr are streams,
1627 1625 * anchor them to prevent malicious I_POPs.
1628 1626 */
1629 1627 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1630 1628 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1631 1629 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1632 1630
1633 1631 if (zone_enter(zoneid) == -1) {
1634 1632 zerror(gettext("could not enter zone %s: %s"),
1635 1633 zonename, strerror(errno));
1636 1634 _exit(1);
1637 1635 }
1638 1636
1639 1637 /*
1640 1638 * For non-native zones, tell libc where it can find locale
1641 1639 * specific getttext() messages.
1642 1640 */
1643 1641 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1644 1642 (void) bindtextdomain(TEXT_DOMAIN,
1645 1643 "/.SUNWnative/usr/lib/locale");
1646 1644 else if (access("/native/usr/lib/locale", R_OK) == 0)
1647 1645 (void) bindtextdomain(TEXT_DOMAIN,
1648 1646 "/native/usr/lib/locale");
1649 1647
1650 1648 if (!failsafe)
1651 1649 new_env = prep_env_noninteractive(user_cmd, new_env);
1652 1650
1653 1651 if (new_env == NULL) {
1654 1652 _exit(1);
1655 1653 }
1656 1654
1657 1655 /*
1658 1656 * Move into a new process group; the zone_enter will have
1659 1657 * placed us into zsched's session, and we want to be in
1660 1658 * a unique process group.
1661 1659 */
1662 1660 (void) setpgid(getpid(), getpid());
1663 1661
1664 1662 /*
1665 1663 * The child needs to run as root to
1666 1664 * execute the su program.
1667 1665 */
1668 1666 if (setuid(0) == -1) {
1669 1667 zperror(gettext("insufficient privilege"));
1670 1668 return (1);
1671 1669 }
1672 1670
1673 1671 (void) execve(new_args[0], new_args, new_env);
1674 1672 zperror(gettext("exec failure"));
1675 1673 _exit(1);
1676 1674 }
1677 1675 /* parent */
1678 1676
1679 1677 /* close pipe sides written by child */
1680 1678 (void) close(stdout_pipe[1]);
1681 1679 (void) close(stderr_pipe[1]);
1682 1680
1683 1681 (void) sigset(SIGINT, sig_forward);
1684 1682
1685 1683 postfork_dropprivs();
1686 1684
1687 1685 (void) ct_tmpl_clear(tmpl_fd);
1688 1686 (void) close(tmpl_fd);
1689 1687
1690 1688 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1691 1689 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1692 1690 dead_child_pipe[1], B_TRUE);
1693 1691 do {
1694 1692 retval = waitpid(child_pid, &child_status, 0);
1695 1693 if (retval == -1) {
1696 1694 child_status = 0;
1697 1695 }
1698 1696 } while (retval != child_pid && errno != ECHILD);
1699 1697
1700 1698 return (WEXITSTATUS(child_status));
1701 1699 }
1702 1700
1703 1701 static char *
1704 1702 get_username()
1705 1703 {
1706 1704 uid_t uid;
1707 1705 struct passwd *nptr;
1708 1706
1709 1707 /*
1710 1708 * Authorizations are checked to restrict access based on the
1711 1709 * requested operation and zone name, It is assumed that the
1712 1710 * program is running with all privileges, but that the real
1713 1711 * user ID is that of the user or role on whose behalf we are
1714 1712 * operating. So we start by getting the username that will be
1715 1713 * used for subsequent authorization checks.
1716 1714 */
1717 1715
1718 1716 uid = getuid();
1719 1717 if ((nptr = getpwuid(uid)) == NULL) {
1720 1718 zerror(gettext("could not get user name."));
1721 1719 _exit(1);
1722 1720 }
1723 1721 return (nptr->pw_name);
1724 1722 }
1725 1723
1726 1724 int
1727 1725 main(int argc, char **argv)
1728 1726 {
1729 1727 int arg, console = 0;
1730 1728 zoneid_t zoneid;
1731 1729 zone_state_t st;
1732 1730 char *login = "root";
1733 1731 int lflag = 0;
1734 1732 int nflag = 0;
1735 1733 char *zonename = NULL;
1736 1734 char **proc_args = NULL;
1737 1735 char **new_args, **new_env;
1738 1736 sigset_t block_cld;
1739 1737 char devroot[MAXPATHLEN];
1740 1738 char *slavename, slaveshortname[MAXPATHLEN];
1741 1739 priv_set_t *privset;
1742 1740 int tmpl_fd;
1743 1741 char zonebrand[MAXNAMELEN];
1744 1742 char default_brand[MAXNAMELEN];
1745 1743 struct stat sb;
1746 1744 char kernzone[ZONENAME_MAX];
1747 1745 brand_handle_t bh;
1748 1746 char user_cmd[MAXPATHLEN];
1749 1747 char authname[MAXAUTHS];
1750 1748
1751 1749 (void) setlocale(LC_ALL, "");
1752 1750 (void) textdomain(TEXT_DOMAIN);
1753 1751
1754 1752 (void) getpname(argv[0]);
1755 1753 username = get_username();
1756 1754
1757 1755 while ((arg = getopt(argc, argv, "nECR:Se:l:Q")) != EOF) {
1758 1756 switch (arg) {
1759 1757 case 'C':
1760 1758 console = 1;
1761 1759 break;
1762 1760 case 'E':
1763 1761 nocmdchar = 1;
1764 1762 break;
1765 1763 case 'R': /* undocumented */
1766 1764 if (*optarg != '/') {
1767 1765 zerror(gettext("root path must be absolute."));
1768 1766 exit(2);
1769 1767 }
1770 1768 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1771 1769 zerror(
1772 1770 gettext("root path must be a directory."));
1773 1771 exit(2);
1774 1772 }
1775 1773 zonecfg_set_root(optarg);
1776 1774 break;
1777 1775 case 'Q':
1778 1776 quiet = 1;
1779 1777 break;
1780 1778 case 'S':
1781 1779 failsafe = 1;
1782 1780 break;
1783 1781 case 'e':
1784 1782 set_cmdchar(optarg);
1785 1783 break;
1786 1784 case 'l':
1787 1785 login = optarg;
1788 1786 lflag = 1;
1789 1787 break;
1790 1788 case 'n':
1791 1789 nflag = 1;
1792 1790 break;
1793 1791 default:
1794 1792 usage();
1795 1793 }
1796 1794 }
1797 1795
1798 1796 if (console != 0) {
1799 1797
1800 1798 if (lflag != 0) {
1801 1799 zerror(gettext(
1802 1800 "-l may not be specified for console login"));
1803 1801 usage();
1804 1802 }
1805 1803
1806 1804 if (nflag != 0) {
1807 1805 zerror(gettext(
1808 1806 "-n may not be specified for console login"));
1809 1807 usage();
1810 1808 }
1811 1809
1812 1810 if (failsafe != 0) {
1813 1811 zerror(gettext(
1814 1812 "-S may not be specified for console login"));
1815 1813 usage();
1816 1814 }
1817 1815
1818 1816 if (zonecfg_in_alt_root()) {
1819 1817 zerror(gettext(
1820 1818 "-R may not be specified for console login"));
1821 1819 exit(2);
1822 1820 }
1823 1821
1824 1822 }
1825 1823
1826 1824 if (failsafe != 0 && lflag != 0) {
1827 1825 zerror(gettext("-l may not be specified for failsafe login"));
1828 1826 usage();
1829 1827 }
1830 1828
1831 1829 if (optind == (argc - 1)) {
1832 1830 /*
1833 1831 * zone name, no process name; this should be an interactive
1834 1832 * as long as STDIN is really a tty.
1835 1833 */
1836 1834 if (nflag != 0) {
1837 1835 zerror(gettext(
1838 1836 "-n may not be specified for interactive login"));
1839 1837 usage();
1840 1838 }
1841 1839 if (isatty(STDIN_FILENO))
1842 1840 interactive = 1;
1843 1841 zonename = argv[optind];
1844 1842 } else if (optind < (argc - 1)) {
1845 1843 if (console) {
1846 1844 zerror(gettext("Commands may not be specified for "
1847 1845 "console login."));
1848 1846 usage();
1849 1847 }
1850 1848 /* zone name and process name, and possibly some args */
1851 1849 zonename = argv[optind];
1852 1850 proc_args = &argv[optind + 1];
1853 1851 interactive = 0;
1854 1852 } else {
1855 1853 usage();
1856 1854 }
1857 1855
1858 1856 if (getzoneid() != GLOBAL_ZONEID) {
1859 1857 zerror(gettext("'%s' may only be used from the global zone"),
1860 1858 pname);
1861 1859 return (1);
1862 1860 }
1863 1861
1864 1862 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1865 1863 zerror(gettext("'%s' not applicable to the global zone"),
1866 1864 pname);
1867 1865 return (1);
1868 1866 }
1869 1867
1870 1868 if (zone_get_state(zonename, &st) != Z_OK) {
1871 1869 zerror(gettext("zone '%s' unknown"), zonename);
1872 1870 return (1);
1873 1871 }
1874 1872
1875 1873 if (st < ZONE_STATE_INSTALLED) {
1876 1874 zerror(gettext("cannot login to a zone which is '%s'"),
1877 1875 zone_state_str(st));
1878 1876 return (1);
1879 1877 }
1880 1878
1881 1879 /*
1882 1880 * In both console and non-console cases, we require all privs.
1883 1881 * In the console case, because we may need to startup zoneadmd.
1884 1882 * In the non-console case in order to do zone_enter(2), zonept()
1885 1883 * and other tasks.
1886 1884 */
1887 1885
1888 1886 if ((privset = priv_allocset()) == NULL) {
1889 1887 zperror(gettext("priv_allocset failed"));
1890 1888 return (1);
1891 1889 }
1892 1890
1893 1891 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1894 1892 zperror(gettext("getppriv failed"));
1895 1893 priv_freeset(privset);
1896 1894 return (1);
1897 1895 }
1898 1896
1899 1897 if (priv_isfullset(privset) == B_FALSE) {
1900 1898 zerror(gettext("You lack sufficient privilege to run "
1901 1899 "this command (all privs required)"));
1902 1900 priv_freeset(privset);
1903 1901 return (1);
1904 1902 }
1905 1903 priv_freeset(privset);
1906 1904
1907 1905 /*
1908 1906 * Check if user is authorized for requested usage of the zone
1909 1907 */
1910 1908
1911 1909 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1912 1910 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1913 1911 if (chkauthattr(authname, username) == 0) {
1914 1912 if (console) {
1915 1913 zerror(gettext("%s is not authorized for console "
1916 1914 "access to %s zone."),
1917 1915 username, zonename);
1918 1916 return (1);
1919 1917 } else {
1920 1918 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1921 1919 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1922 1920 if (failsafe || !interactive) {
1923 1921 zerror(gettext("%s is not authorized for "
1924 1922 "failsafe or non-interactive login "
1925 1923 "to %s zone."), username, zonename);
1926 1924 return (1);
1927 1925 } else if (chkauthattr(authname, username) == 0) {
1928 1926 zerror(gettext("%s is not authorized "
1929 1927 " to login to %s zone."),
1930 1928 username, zonename);
1931 1929 return (1);
1932 1930 }
1933 1931 }
1934 1932 } else {
1935 1933 forced_login = B_TRUE;
1936 1934 }
1937 1935
1938 1936 /*
1939 1937 * The console is a separate case from the rest of the code; handle
1940 1938 * it first.
1941 1939 */
1942 1940 if (console) {
1943 1941 /*
1944 1942 * Ensure that zoneadmd for this zone is running.
1945 1943 */
1946 1944 if (start_zoneadmd(zonename) == -1)
1947 1945 return (1);
1948 1946
1949 1947 /*
1950 1948 * Make contact with zoneadmd.
1951 1949 */
1952 1950 if (get_console_master(zonename) == -1)
1953 1951 return (1);
1954 1952
1955 1953 if (!quiet)
1956 1954 (void) printf(
1957 1955 gettext("[Connected to zone '%s' console]\n"),
1958 1956 zonename);
1959 1957
1960 1958 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1961 1959 reset_tty();
1962 1960 zperror(gettext("failed to set stdin pty to raw mode"));
1963 1961 return (1);
1964 1962 }
1965 1963
1966 1964 (void) sigset(SIGWINCH, sigwinch);
1967 1965 (void) sigwinch(0);
1968 1966
1969 1967 /*
1970 1968 * Run the I/O loop until we get disconnected.
1971 1969 */
1972 1970 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1973 1971 reset_tty();
1974 1972 if (!quiet)
1975 1973 (void) printf(
1976 1974 gettext("\n[Connection to zone '%s' console "
1977 1975 "closed]\n"), zonename);
1978 1976
1979 1977 return (0);
1980 1978 }
1981 1979
1982 1980 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1983 1981 zerror(gettext("login allowed only to running zones "
1984 1982 "(%s is '%s')."), zonename, zone_state_str(st));
1985 1983 return (1);
1986 1984 }
1987 1985
1988 1986 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1989 1987 if (zonecfg_in_alt_root()) {
1990 1988 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1991 1989
1992 1990 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1993 1991 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1994 1992 zerror(gettext("cannot find scratch zone %s"),
1995 1993 zonename);
1996 1994 if (fp != NULL)
1997 1995 zonecfg_close_scratch(fp);
1998 1996 return (1);
1999 1997 }
2000 1998 zonecfg_close_scratch(fp);
2001 1999 }
2002 2000
2003 2001 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
2004 2002 zerror(gettext("failed to get zoneid for zone '%s'"),
2005 2003 zonename);
2006 2004 return (1);
2007 2005 }
2008 2006
2009 2007 /*
2010 2008 * We need the zone root path only if we are setting up a pty.
2011 2009 */
2012 2010 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
2013 2011 zerror(gettext("could not get dev path for zone %s"),
2014 2012 zonename);
2015 2013 return (1);
2016 2014 }
2017 2015
2018 2016 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
2019 2017 zerror(gettext("could not get brand for zone %s"), zonename);
2020 2018 return (1);
2021 2019 }
2022 2020 /*
2023 2021 * In the alternate root environment, the only supported
2024 2022 * operations are mount and unmount. In this case, just treat
2025 2023 * the zone as native if it is cluster. Cluster zones can be
2026 2024 * native for the purpose of LU or upgrade, and the cluster
2027 2025 * brand may not exist in the miniroot (such as in net install
2028 2026 * upgrade).
2029 2027 */
2030 2028 if (zonecfg_default_brand(default_brand,
2031 2029 sizeof (default_brand)) != Z_OK) {
2032 2030 zerror(gettext("unable to determine default brand"));
2033 2031 return (1);
2034 2032 }
2035 2033 if (zonecfg_in_alt_root() &&
2036 2034 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2037 2035 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2038 2036 }
2039 2037
2040 2038 if ((bh = brand_open(zonebrand)) == NULL) {
2041 2039 zerror(gettext("could not open brand for zone %s"), zonename);
2042 2040 return (1);
2043 2041 }
2044 2042
2045 2043 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2046 2044 zperror(gettext("could not assemble new arguments"));
2047 2045 brand_close(bh);
2048 2046 return (1);
2049 2047 }
2050 2048 /*
2051 2049 * Get the brand specific user_cmd. This command is used to get
2052 2050 * a passwd(4) entry for login.
2053 2051 */
2054 2052 if (!interactive && !failsafe) {
2055 2053 if (zone_get_user_cmd(bh, login, user_cmd,
2056 2054 sizeof (user_cmd)) == NULL) {
2057 2055 zerror(gettext("could not get user_cmd for zone %s"),
2058 2056 zonename);
2059 2057 brand_close(bh);
2060 2058 return (1);
2061 2059 }
2062 2060 }
2063 2061 brand_close(bh);
2064 2062
2065 2063 if ((new_env = prep_env()) == NULL) {
2066 2064 zperror(gettext("could not assemble new environment"));
2067 2065 return (1);
2068 2066 }
2069 2067
2070 2068 if (!interactive) {
2071 2069 if (nflag) {
2072 2070 int nfd;
2073 2071
2074 2072 if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2075 2073 zperror(gettext("failed to open null device"));
2076 2074 return (1);
2077 2075 }
2078 2076 if (nfd != STDIN_FILENO) {
2079 2077 if (dup2(nfd, STDIN_FILENO) < 0) {
2080 2078 zperror(gettext(
2081 2079 "failed to dup2 null device"));
2082 2080 return (1);
2083 2081 }
2084 2082 (void) close(nfd);
2085 2083 }
2086 2084 /* /dev/null is now standard input */
2087 2085 }
2088 2086 return (noninteractive_login(zonename, user_cmd, zoneid,
2089 2087 new_args, new_env));
2090 2088 }
2091 2089
2092 2090 if (zonecfg_in_alt_root()) {
2093 2091 zerror(gettext("cannot use interactive login with scratch "
2094 2092 "zone"));
2095 2093 return (1);
2096 2094 }
2097 2095
2098 2096 /*
2099 2097 * Things are more complex in interactive mode; we get the
2100 2098 * master side of the pty, then place the user's terminal into
2101 2099 * raw mode.
2102 2100 */
2103 2101 if (get_master_pty() == -1) {
2104 2102 zerror(gettext("could not setup master pty device"));
2105 2103 return (1);
2106 2104 }
2107 2105
2108 2106 /*
2109 2107 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2110 2108 */
2111 2109 if ((slavename = ptsname(masterfd)) == NULL) {
2112 2110 zperror(gettext("failed to get name for pseudo-tty"));
2113 2111 return (1);
2114 2112 }
2115 2113 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2116 2114 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2117 2115 sizeof (slaveshortname));
2118 2116 else
2119 2117 (void) strlcpy(slaveshortname, slavename,
2120 2118 sizeof (slaveshortname));
2121 2119
2122 2120 if (!quiet)
2123 2121 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2124 2122 zonename, slaveshortname);
2125 2123
2126 2124 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2127 2125 reset_tty();
2128 2126 zperror(gettext("failed to set stdin pty to raw mode"));
2129 2127 return (1);
2130 2128 }
2131 2129
2132 2130 if (prefork_dropprivs() != 0) {
2133 2131 reset_tty();
2134 2132 zperror(gettext("could not allocate privilege set"));
2135 2133 return (1);
2136 2134 }
2137 2135
2138 2136 /*
2139 2137 * We must mask SIGCLD until after we have coped with the fork
2140 2138 * sufficiently to deal with it; otherwise we can race and receive the
2141 2139 * signal before child_pid has been initialized (yes, this really
2142 2140 * happens).
2143 2141 */
2144 2142 (void) sigset(SIGCLD, sigcld);
2145 2143 (void) sigemptyset(&block_cld);
2146 2144 (void) sigaddset(&block_cld, SIGCLD);
2147 2145 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2148 2146
2149 2147 /*
2150 2148 * We activate the contract template at the last minute to
2151 2149 * avoid intermediate functions that could be using fork(2)
2152 2150 * internally.
2153 2151 */
2154 2152 if ((tmpl_fd = init_template()) == -1) {
2155 2153 reset_tty();
2156 2154 zperror(gettext("could not create contract"));
2157 2155 return (1);
2158 2156 }
2159 2157
2160 2158 if ((child_pid = fork()) == -1) {
2161 2159 (void) ct_tmpl_clear(tmpl_fd);
2162 2160 reset_tty();
2163 2161 zperror(gettext("could not fork"));
2164 2162 return (1);
2165 2163 } else if (child_pid == 0) { /* child process */
2166 2164 int slavefd, newslave;
2167 2165
2168 2166 (void) ct_tmpl_clear(tmpl_fd);
2169 2167 (void) close(tmpl_fd);
2170 2168
2171 2169 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2172 2170
2173 2171 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2174 2172 return (1);
2175 2173
2176 2174 /*
2177 2175 * Close all fds except for the slave pty.
2178 2176 */
2179 2177 (void) fdwalk(close_func, &slavefd);
2180 2178
2181 2179 /*
2182 2180 * Temporarily dup slavefd to stderr; that way if we have
2183 2181 * to print out that zone_enter failed, the output will
2184 2182 * have somewhere to go.
2185 2183 */
2186 2184 if (slavefd != STDERR_FILENO)
2187 2185 (void) dup2(slavefd, STDERR_FILENO);
2188 2186
2189 2187 if (zone_enter(zoneid) == -1) {
2190 2188 zerror(gettext("could not enter zone %s: %s"),
2191 2189 zonename, strerror(errno));
2192 2190 return (1);
2193 2191 }
2194 2192
2195 2193 if (slavefd != STDERR_FILENO)
2196 2194 (void) close(STDERR_FILENO);
2197 2195
2198 2196 /*
2199 2197 * We take pains to get this process into a new process
2200 2198 * group, and subsequently a new session. In this way,
2201 2199 * we'll have a session which doesn't yet have a controlling
2202 2200 * terminal. When we open the slave, it will become the
2203 2201 * controlling terminal; no PIDs concerning pgrps or sids
2204 2202 * will leak inappropriately into the zone.
2205 2203 */
2206 2204 (void) setpgrp();
2207 2205
2208 2206 /*
2209 2207 * We need the slave pty to be referenced from the zone's
2210 2208 * /dev in order to ensure that the devt's, etc are all
2211 2209 * correct. Otherwise we break ttyname and the like.
2212 2210 */
2213 2211 if ((newslave = open(slavename, O_RDWR)) == -1) {
2214 2212 (void) close(slavefd);
2215 2213 return (1);
2216 2214 }
2217 2215 (void) close(slavefd);
2218 2216 slavefd = newslave;
2219 2217
2220 2218 /*
2221 2219 * dup the slave to the various FDs, so that when the
2222 2220 * spawned process does a write/read it maps to the slave
2223 2221 * pty.
2224 2222 */
2225 2223 (void) dup2(slavefd, STDIN_FILENO);
2226 2224 (void) dup2(slavefd, STDOUT_FILENO);
2227 2225 (void) dup2(slavefd, STDERR_FILENO);
2228 2226 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2229 2227 slavefd != STDERR_FILENO) {
2230 2228 (void) close(slavefd);
2231 2229 }
2232 2230
2233 2231 /*
2234 2232 * In failsafe mode, we don't use login(1), so don't try
2235 2233 * setting up a utmpx entry.
2236 2234 */
2237 2235 if (!failsafe)
2238 2236 if (setup_utmpx(slaveshortname) == -1)
2239 2237 return (1);
2240 2238
2241 2239 /*
2242 2240 * The child needs to run as root to
2243 2241 * execute the brand's login program.
2244 2242 */
2245 2243 if (setuid(0) == -1) {
2246 2244 zperror(gettext("insufficient privilege"));
2247 2245 return (1);
2248 2246 }
2249 2247
2250 2248 (void) execve(new_args[0], new_args, new_env);
2251 2249 zperror(gettext("exec failure"));
2252 2250 return (1);
2253 2251 }
2254 2252
2255 2253 (void) ct_tmpl_clear(tmpl_fd);
2256 2254 (void) close(tmpl_fd);
2257 2255
2258 2256 /*
2259 2257 * The rest is only for the parent process.
2260 2258 */
2261 2259 (void) sigset(SIGWINCH, sigwinch);
2262 2260
2263 2261 postfork_dropprivs();
2264 2262
2265 2263 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2266 2264 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2267 2265
2268 2266 reset_tty();
2269 2267 if (!quiet)
2270 2268 (void) fprintf(stderr,
2271 2269 gettext("\n[Connection to zone '%s' %s closed]\n"),
2272 2270 zonename, slaveshortname);
2273 2271
2274 2272 if (pollerr != 0) {
2275 2273 (void) fprintf(stderr, gettext("Error: connection closed due "
2276 2274 "to unexpected pollevents=0x%x.\n"), pollerr);
2277 2275 return (1);
2278 2276 }
2279 2277
2280 2278 return (0);
2281 2279 }
|
↓ open down ↓ |
1712 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX