Print this page
12306 XPG4v2 slave pty behaviour should generally be disabled
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Change-ID: I7ccd399c22866f34dd20c6bb9d28e77ba4e24c67
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/zlogin/zlogin.c
+++ new/usr/src/cmd/zlogin/zlogin.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
|
↓ open down ↓ |
16 lines elided |
↑ open up ↑ |
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2013 DEY Storage Systems, Inc.
24 24 * Copyright (c) 2014 Gary Mills
25 25 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
26 26 * Copyright 2019 Joyent, Inc.
27 - * Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
27 + * Copyright 2020 OmniOS Community Edition (OmniOSce) Association.
28 28 */
29 29
30 30 /*
31 31 * zlogin provides three types of login which allow users in the global
32 32 * zone to access non-global zones.
33 33 *
34 34 * - "interactive login" is similar to rlogin(1); for example, the user could
35 35 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
36 36 * granted a new pty (which is then shoved into the zone), and an I/O
37 37 * loop between parent and child processes takes care of the interactive
38 38 * session. In this mode, login(1) (and its -c option, which means
39 39 * "already authenticated") is employed to take care of the initialization
40 40 * of the user's session.
41 41 *
42 42 * - "non-interactive login" is similar to su(1M); the user could issue
43 43 * 'zlogin my-zone ls -l' and the command would be run as specified.
44 44 * In this mode, zlogin sets up pipes as the communication channel, and
45 45 * 'su' is used to do the login setup work.
46 46 *
47 47 * - "console login" is the equivalent to accessing the tip line for a
48 48 * zone. For example, the user can issue 'zlogin -C my-zone'.
49 49 * In this mode, zlogin contacts the zoneadmd process via unix domain
50 50 * socket. If zoneadmd is not running, it starts it. This allows the
51 51 * console to be available anytime the zone is installed, regardless of
52 52 * whether it is running.
53 53 */
54 54
55 55 #include <sys/socket.h>
56 56 #include <sys/termios.h>
57 57 #include <sys/utsname.h>
58 58 #include <sys/stat.h>
59 59 #include <sys/types.h>
60 60 #include <sys/contract/process.h>
61 61 #include <sys/ctfs.h>
62 62 #include <sys/brand.h>
63 63 #include <sys/wait.h>
64 64 #include <alloca.h>
65 65 #include <assert.h>
66 66 #include <ctype.h>
67 67 #include <paths.h>
68 68 #include <door.h>
69 69 #include <errno.h>
70 70 #include <nss_dbdefs.h>
71 71 #include <poll.h>
72 72 #include <priv.h>
73 73 #include <pwd.h>
74 74 #include <unistd.h>
75 75 #include <utmpx.h>
76 76 #include <sac.h>
77 77 #include <signal.h>
78 78 #include <stdarg.h>
79 79 #include <stdio.h>
80 80 #include <stdlib.h>
81 81 #include <string.h>
82 82 #include <strings.h>
83 83 #include <stropts.h>
84 84 #include <wait.h>
85 85 #include <zone.h>
86 86 #include <fcntl.h>
87 87 #include <libdevinfo.h>
88 88 #include <libintl.h>
89 89 #include <locale.h>
90 90 #include <libzonecfg.h>
91 91 #include <libcontract.h>
92 92 #include <libbrand.h>
93 93 #include <auth_list.h>
94 94 #include <auth_attr.h>
95 95 #include <secdb.h>
96 96
97 97 static int masterfd;
98 98 static struct termios save_termios;
99 99 static struct termios effective_termios;
100 100 static int save_fd;
101 101 static struct winsize winsize;
102 102 static volatile int dead;
103 103 static volatile pid_t child_pid = -1;
104 104 static int interactive = 0;
105 105 static priv_set_t *dropprivs;
106 106
107 107 static int nocmdchar = 0;
|
↓ open down ↓ |
70 lines elided |
↑ open up ↑ |
108 108 static int failsafe = 0;
109 109 static int disconnect = 0;
110 110 static char cmdchar = '~';
111 111 static int quiet = 0;
112 112
113 113 static int pollerr = 0;
114 114
115 115 static const char *pname;
116 116 static char *username;
117 117
118 -extern int __xpg4; /* 0 if not an xpg4/6-compiled program */
119 -
120 118 /*
121 119 * When forced_login is true, the user is not prompted
122 120 * for an authentication password in the target zone.
123 121 */
124 122 static boolean_t forced_login = B_FALSE;
125 123
126 124 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
127 125 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
128 126 #endif
129 127
130 128 #define SUPATH "/usr/bin/su"
131 129 #define FAILSAFESHELL "/sbin/sh"
132 130 #define DEFAULTSHELL "/sbin/sh"
133 131 #define DEF_PATH "/usr/sbin:/usr/bin"
134 132
135 133 #define CLUSTER_BRAND_NAME "cluster"
136 134
137 135 /*
138 136 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
139 137 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
140 138 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
141 139 * also chosen in conjunction with the HI_WATER setting to make sure we
142 140 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
143 141 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
144 142 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
145 143 * is less than HI_WATER data already in the pipe.
146 144 */
147 145 #define ZLOGIN_BUFSIZ 8192
148 146 #define ZLOGIN_RDBUFSIZ 1024
149 147 #define HI_WATER 8192
150 148
151 149 /*
152 150 * See canonify() below. CANONIFY_LEN is the maximum length that a
153 151 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
154 152 */
155 153 #define CANONIFY_LEN 5
156 154
157 155 static void
158 156 usage(void)
159 157 {
160 158 (void) fprintf(stderr, gettext("usage: %s [ -dnQCES ] [ -e cmdchar ] "
161 159 "[-l user] zonename [command [args ...] ]\n"), pname);
162 160 exit(2);
163 161 }
164 162
165 163 static const char *
166 164 getpname(const char *arg0)
167 165 {
168 166 const char *p = strrchr(arg0, '/');
169 167
170 168 if (p == NULL)
171 169 p = arg0;
172 170 else
173 171 p++;
174 172
175 173 pname = p;
176 174 return (p);
177 175 }
178 176
179 177 static void
180 178 zerror(const char *fmt, ...)
181 179 {
182 180 va_list alist;
183 181
184 182 (void) fprintf(stderr, "%s: ", pname);
185 183 va_start(alist, fmt);
186 184 (void) vfprintf(stderr, fmt, alist);
187 185 va_end(alist);
188 186 (void) fprintf(stderr, "\n");
189 187 }
190 188
191 189 static void
192 190 zperror(const char *str)
193 191 {
194 192 const char *estr;
195 193
196 194 if ((estr = strerror(errno)) != NULL)
197 195 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
198 196 else
199 197 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
200 198 }
201 199
202 200 /*
203 201 * The first part of our privilege dropping scheme needs to be called before
204 202 * fork(), since we must have it for security; we don't want to be surprised
205 203 * later that we couldn't allocate the privset.
206 204 */
207 205 static int
208 206 prefork_dropprivs()
209 207 {
210 208 if ((dropprivs = priv_allocset()) == NULL)
211 209 return (1);
212 210
213 211 priv_basicset(dropprivs);
214 212 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
215 213 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
216 214 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
217 215 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
218 216
219 217 /*
220 218 * We need to keep the basic privilege PROC_SESSION and all unknown
221 219 * basic privileges as well as the privileges PROC_ZONE and
222 220 * PROC_OWNER in order to query session information and
223 221 * send signals.
224 222 */
225 223 if (interactive == 0) {
226 224 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
227 225 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
228 226 } else {
229 227 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
230 228 }
231 229
232 230 return (0);
233 231 }
234 232
235 233 /*
236 234 * The second part of the privilege drop. We are paranoid about being attacked
237 235 * by the zone, so we drop all privileges. This should prevent a compromise
238 236 * which gets us to fork(), exec(), symlink(), etc.
239 237 */
240 238 static void
241 239 postfork_dropprivs()
242 240 {
243 241 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
244 242 zperror(gettext("Warning: could not set permitted privileges"));
245 243 }
246 244 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
247 245 zperror(gettext("Warning: could not set limit privileges"));
248 246 }
249 247 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
250 248 zperror(gettext("Warning: could not set inheritable "
251 249 "privileges"));
252 250 }
253 251 }
254 252
255 253 /*
256 254 * Create the unix domain socket and call the zoneadmd server; handshake
257 255 * with it to determine whether it will allow us to connect.
258 256 */
259 257 static int
260 258 get_console_master(const char *zname)
261 259 {
262 260 int sockfd = -1;
263 261 struct sockaddr_un servaddr;
264 262 char clientid[MAXPATHLEN];
265 263 char handshake[MAXPATHLEN], c;
266 264 int msglen;
267 265 int i = 0, err = 0;
268 266
269 267 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
270 268 zperror(gettext("could not create socket"));
271 269 return (-1);
272 270 }
273 271
274 272 bzero(&servaddr, sizeof (servaddr));
275 273 servaddr.sun_family = AF_UNIX;
276 274 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
277 275 "%s/%s.console_sock", ZONES_TMPDIR, zname);
278 276
279 277 if (connect(sockfd, (struct sockaddr *)&servaddr,
280 278 sizeof (servaddr)) == -1) {
281 279 zperror(gettext("Could not connect to zone console"));
282 280 goto bad;
283 281 }
284 282 masterfd = sockfd;
285 283
286 284 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s %d\n",
287 285 getpid(), setlocale(LC_MESSAGES, NULL), disconnect);
288 286
289 287 if (msglen >= sizeof (clientid) || msglen < 0) {
290 288 zerror("protocol error");
291 289 goto bad;
292 290 }
293 291
294 292 if (write(masterfd, clientid, msglen) != msglen) {
295 293 zerror("protocol error");
296 294 goto bad;
297 295 }
298 296
299 297 bzero(handshake, sizeof (handshake));
300 298
301 299 /*
302 300 * Take care not to accumulate more than our fill, and leave room for
303 301 * the NUL at the end.
304 302 */
305 303 while ((err = read(masterfd, &c, 1)) == 1) {
306 304 if (i >= (sizeof (handshake) - 1))
307 305 break;
308 306 if (c == '\n')
309 307 break;
310 308 handshake[i] = c;
311 309 i++;
312 310 }
313 311
314 312 /*
315 313 * If something went wrong during the handshake we bail; perhaps
316 314 * the server died off.
317 315 */
318 316 if (err == -1) {
319 317 zperror(gettext("Could not connect to zone console"));
320 318 goto bad;
321 319 }
322 320
323 321 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
324 322 return (0);
325 323
326 324 zerror(gettext("Console is already in use by process ID %s."),
327 325 handshake);
328 326 bad:
329 327 (void) close(sockfd);
330 328 masterfd = -1;
331 329 return (-1);
332 330 }
333 331
334 332
335 333 /*
336 334 * Routines to handle pty creation upon zone entry and to shuttle I/O back
337 335 * and forth between the two terminals. We also compute and store the
338 336 * name of the slave terminal associated with the master side.
339 337 */
340 338 static int
341 339 get_master_pty()
342 340 {
343 341 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
344 342 zperror(gettext("failed to obtain a pseudo-tty"));
345 343 return (-1);
346 344 }
347 345 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
348 346 zperror(gettext("failed to get terminal settings from stdin"));
349 347 return (-1);
350 348 }
351 349 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
352 350
353 351 return (0);
354 352 }
355 353
356 354 /*
357 355 * This is a bit tricky; normally a pts device will belong to the zone it
358 356 * is granted to. But in the case of "entering" a zone, we need to establish
359 357 * the pty before entering the zone so that we can vector I/O to and from it
360 358 * from the global zone.
361 359 *
362 360 * We use the zonept() call to let the ptm driver know what we are up to;
363 361 * the only other hairy bit is the setting of zoneslavename (which happens
364 362 * above, in get_master_pty()).
365 363 */
366 364 static int
367 365 init_slave_pty(zoneid_t zoneid, char *devroot)
368 366 {
369 367 int slavefd = -1;
370 368 char *slavename, zoneslavename[MAXPATHLEN];
371 369
372 370 /*
373 371 * Set slave permissions, zone the pts, then unlock it.
374 372 */
375 373 if (grantpt(masterfd) != 0) {
376 374 zperror(gettext("grantpt failed"));
377 375 return (-1);
378 376 }
379 377
380 378 if (unlockpt(masterfd) != 0) {
381 379 zperror(gettext("unlockpt failed"));
382 380 return (-1);
383 381 }
384 382
385 383 /*
386 384 * We must open the slave side before zoning this pty; otherwise
387 385 * the kernel would refuse us the open-- zoning a pty makes it
388 386 * inaccessible to the global zone. Note we are trying to open
389 387 * the device node via the $ZONEROOT/dev path for this pty.
390 388 *
391 389 * Later we'll close the slave out when once we've opened it again
392 390 * from within the target zone. Blarg.
393 391 */
394 392 if ((slavename = ptsname(masterfd)) == NULL) {
395 393 zperror(gettext("failed to get name for pseudo-tty"));
396 394 return (-1);
397 395 }
398 396
399 397 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
400 398 devroot, slavename);
401 399
402 400 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
403 401 zerror(gettext("failed to open %s: %s"), zoneslavename,
404 402 strerror(errno));
405 403 return (-1);
406 404 }
407 405
408 406 /*
409 407 * Push hardware emulation (ptem), line discipline (ldterm),
410 408 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
411 409 */
412 410 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
413 411 zperror(gettext("failed to push ptem module"));
414 412 if (!failsafe)
415 413 goto bad;
416 414 }
417 415
418 416 /*
419 417 * Anchor the stream to prevent malicious I_POPs; we prefer to do
420 418 * this prior to entering the zone so that we can detect any errors
421 419 * early, and so that we can set the anchor from the global zone.
422 420 */
423 421 if (ioctl(slavefd, I_ANCHOR) == -1) {
424 422 zperror(gettext("failed to set stream anchor"));
425 423 if (!failsafe)
426 424 goto bad;
427 425 }
428 426
429 427 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
430 428 zperror(gettext("failed to push ldterm module"));
431 429 if (!failsafe)
432 430 goto bad;
433 431 }
434 432 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
435 433 zperror(gettext("failed to push ttcompat module"));
436 434 if (!failsafe)
437 435 goto bad;
438 436 }
439 437
440 438 /*
441 439 * Propagate terminal settings from the external term to the new one.
442 440 */
443 441 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
444 442 zperror(gettext("failed to set terminal settings"));
445 443 if (!failsafe)
446 444 goto bad;
447 445 }
448 446 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
449 447
450 448 if (zonept(masterfd, zoneid) != 0) {
451 449 zperror(gettext("could not set zoneid of pty"));
452 450 goto bad;
453 451 }
454 452
455 453 return (slavefd);
456 454
457 455 bad:
458 456 (void) close(slavefd);
459 457 return (-1);
460 458 }
461 459
462 460 /*
463 461 * Place terminal into raw mode.
464 462 */
465 463 static int
466 464 set_tty_rawmode(int fd)
467 465 {
468 466 struct termios term;
469 467 if (tcgetattr(fd, &term) < 0) {
470 468 zperror(gettext("failed to get user terminal settings"));
471 469 return (-1);
472 470 }
473 471
474 472 /* Stash for later, so we can revert back to previous mode */
475 473 save_termios = term;
476 474 save_fd = fd;
477 475
478 476 /* disable 8->7 bit strip, start/stop, enable any char to restart */
479 477 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
480 478 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
481 479 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
482 480 /* disable output post-processing */
483 481 term.c_oflag &= ~OPOST;
484 482 /* disable canonical mode, signal chars, echo & extended functions */
485 483 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
486 484
487 485 term.c_cc[VMIN] = 1; /* byte-at-a-time */
488 486 term.c_cc[VTIME] = 0;
489 487
490 488 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
491 489 zperror(gettext("failed to set user terminal to raw mode"));
492 490 return (-1);
493 491 }
494 492
495 493 /*
496 494 * We need to know the value of VEOF so that we can properly process for
497 495 * client-side ~<EOF>. But we have obliterated VEOF in term,
498 496 * because VMIN overloads the same array slot in non-canonical mode.
499 497 * Stupid @&^%!
500 498 *
501 499 * So here we construct the "effective" termios from the current
502 500 * terminal settings, and the corrected VEOF and VEOL settings.
503 501 */
504 502 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
505 503 zperror(gettext("failed to get user terminal settings"));
506 504 return (-1);
507 505 }
508 506 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
509 507 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
510 508
511 509 return (0);
512 510 }
513 511
514 512 /*
515 513 * Copy terminal window size from our terminal to the pts.
516 514 */
517 515 /*ARGSUSED*/
518 516 static void
519 517 sigwinch(int s)
520 518 {
521 519 struct winsize ws;
522 520
523 521 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
524 522 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
525 523 }
526 524
527 525 static volatile int close_on_sig = -1;
528 526
529 527 static void
530 528 /*ARGSUSED*/
531 529 sigcld(int s)
532 530 {
533 531 int status;
534 532 pid_t pid;
535 533
536 534 /*
537 535 * Peek at the exit status. If this isn't the process we cared
538 536 * about, then just reap it.
539 537 */
540 538 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
541 539 if (pid == child_pid &&
542 540 (WIFEXITED(status) || WIFSIGNALED(status))) {
543 541 dead = 1;
544 542 if (close_on_sig != -1) {
545 543 (void) write(close_on_sig, "a", 1);
546 544 (void) close(close_on_sig);
547 545 close_on_sig = -1;
548 546 }
549 547 } else {
550 548 (void) waitpid(pid, &status, WNOHANG);
551 549 }
552 550 }
553 551 }
554 552
555 553 /*
556 554 * Some signals (currently, SIGINT) must be forwarded on to the process
557 555 * group of the child process.
558 556 */
559 557 static void
560 558 sig_forward(int s)
561 559 {
562 560 if (child_pid != -1) {
563 561 (void) sigsend(P_PGID, child_pid, s);
564 562 }
565 563 }
566 564
567 565 /*
568 566 * reset terminal settings for global environment
569 567 */
570 568 static void
571 569 reset_tty()
572 570 {
573 571 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
574 572 }
575 573
576 574 /*
577 575 * Convert character to printable representation, for display with locally
578 576 * echoed command characters (like when we need to display ~^D)
579 577 */
580 578 static void
581 579 canonify(char c, char *cc)
582 580 {
583 581 if (isprint(c)) {
584 582 cc[0] = c;
585 583 cc[1] = '\0';
586 584 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
587 585 cc[0] = '^';
588 586 cc[1] = c + '@';
589 587 cc[2] = '\0';
590 588 } else {
591 589 cc[0] = '\\';
592 590 cc[1] = ((c >> 6) & 7) + '0';
593 591 cc[2] = ((c >> 3) & 7) + '0';
594 592 cc[3] = (c & 7) + '0';
595 593 cc[4] = '\0';
596 594 }
597 595 }
598 596
599 597 /*
600 598 * process_user_input watches the input stream for the escape sequence for
601 599 * 'quit' (by default, tilde-period). Because we might be fed just one
602 600 * keystroke at a time, state associated with the user input (are we at the
603 601 * beginning of the line? are we locally echoing the next character?) is
604 602 * maintained by beginning_of_line and local_echo across calls to the routine.
605 603 * If the write to outfd fails, we'll try to read from infd in an attempt
606 604 * to prevent deadlock between the two processes.
607 605 *
608 606 * This routine returns -1 when the 'quit' escape sequence has been issued,
609 607 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
610 608 */
611 609 static int
612 610 process_user_input(int outfd, int infd)
613 611 {
614 612 static boolean_t beginning_of_line = B_TRUE;
615 613 static boolean_t local_echo = B_FALSE;
616 614 char ibuf[ZLOGIN_BUFSIZ];
617 615 int nbytes;
618 616 char *buf = ibuf;
619 617
620 618 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
621 619 if (nbytes == -1 && (errno != EINTR || dead))
622 620 return (-1);
623 621
624 622 if (nbytes == -1) /* The read was interrupted. */
625 623 return (0);
626 624
627 625 /* 0 read means EOF, close the pipe to the child */
628 626 if (nbytes == 0)
629 627 return (1);
630 628
631 629 for (char c = *buf; nbytes > 0; c = *buf, --nbytes) {
632 630 buf++;
633 631 if (beginning_of_line && !nocmdchar) {
634 632 beginning_of_line = B_FALSE;
635 633 if (c == cmdchar) {
636 634 local_echo = B_TRUE;
637 635 continue;
638 636 }
639 637 } else if (local_echo) {
640 638 local_echo = B_FALSE;
641 639 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
642 640 char cc[CANONIFY_LEN];
643 641
644 642 canonify(c, cc);
645 643 (void) write(STDOUT_FILENO, &cmdchar, 1);
646 644 (void) write(STDOUT_FILENO, cc, strlen(cc));
647 645 return (-1);
648 646 }
649 647 }
650 648 retry:
651 649 if (write(outfd, &c, 1) <= 0) {
652 650 /*
653 651 * Since the fd we are writing to is opened with
654 652 * O_NONBLOCK it is possible to get EAGAIN if the
655 653 * pipe is full. One way this could happen is if we
656 654 * are writing a lot of data into the pipe in this loop
657 655 * and the application on the other end is echoing that
658 656 * data back out to its stdout. The output pipe can
659 657 * fill up since we are stuck here in this loop and not
660 658 * draining the other pipe. We can try to read some of
661 659 * the data to see if we can drain the pipe so that the
662 660 * application can continue to make progress. The read
663 661 * is non-blocking so we won't hang here. We also wait
664 662 * a bit before retrying since there could be other
665 663 * reasons why the pipe is full and we don't want to
666 664 * continuously retry.
667 665 */
668 666 if (errno == EAGAIN) {
669 667 struct timespec rqtp;
670 668 int ln;
671 669 char obuf[ZLOGIN_BUFSIZ];
672 670
673 671 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
674 672 (void) write(STDOUT_FILENO, obuf, ln);
675 673
676 674 /* sleep for 10 milliseconds */
677 675 rqtp.tv_sec = 0;
678 676 rqtp.tv_nsec = MSEC2NSEC(10);
679 677 (void) nanosleep(&rqtp, NULL);
680 678 if (!dead)
681 679 goto retry;
682 680 }
683 681
684 682 return (-1);
685 683 }
686 684 beginning_of_line = (c == '\r' || c == '\n' ||
687 685 c == effective_termios.c_cc[VKILL] ||
688 686 c == effective_termios.c_cc[VEOL] ||
689 687 c == effective_termios.c_cc[VSUSP] ||
690 688 c == effective_termios.c_cc[VINTR]);
691 689 }
692 690 return (0);
693 691 }
694 692
695 693 /*
696 694 * This function prevents deadlock between zlogin and the application in the
697 695 * zone that it is talking to. This can happen when we read from zlogin's
698 696 * stdin and write the data down the pipe to the application. If the pipe
699 697 * is full, we'll block in the write. Because zlogin could be blocked in
700 698 * the write, it would never read the application's stdout/stderr so the
701 699 * application can then block on those writes (when the pipe fills up). If the
702 700 * the application gets blocked this way, it can never get around to reading
703 701 * its stdin so that zlogin can unblock from its write. Once in this state,
704 702 * the two processes are deadlocked.
705 703 *
706 704 * To prevent this, we want to verify that we can write into the pipe before we
707 705 * read from our stdin. If the pipe already is pretty full, we bypass the read
708 706 * for now. We'll circle back here again after the poll() so that we can
709 707 * try again. When this function is called, we already know there is data
710 708 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
711 709 * stdin is EOF, and 0 if everything is ok (even though we might not have
712 710 * read/written any data into the pipe on this iteration).
713 711 */
714 712 static int
715 713 process_raw_input(int stdin_fd, int appin_fd)
716 714 {
717 715 int cc;
718 716 struct stat64 sb;
719 717 char ibuf[ZLOGIN_RDBUFSIZ];
720 718
721 719 /* Check how much data is already in the pipe */
722 720 if (fstat64(appin_fd, &sb) == -1) {
723 721 perror("stat failed");
724 722 return (-1);
725 723 }
726 724
727 725 if (dead)
728 726 return (-1);
729 727
730 728 /*
731 729 * The pipe already has a lot of data in it, don't write any more
732 730 * right now.
733 731 */
734 732 if (sb.st_size >= HI_WATER)
735 733 return (0);
736 734
737 735 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
738 736 if (cc == -1 && (errno != EINTR || dead))
739 737 return (-1);
740 738
741 739 if (cc == -1) /* The read was interrupted. */
742 740 return (0);
743 741
744 742 /* 0 read means EOF, close the pipe to the child */
745 743 if (cc == 0)
746 744 return (1);
747 745
748 746 /*
749 747 * stdin_fd is stdin of the target; so, the thing we'll write the user
750 748 * data *to*.
751 749 */
752 750 if (write(stdin_fd, ibuf, cc) == -1)
753 751 return (-1);
754 752
755 753 return (0);
756 754 }
757 755
758 756 /*
759 757 * Write the output from the application running in the zone. We can get
760 758 * a signal during the write (usually it would be SIGCHLD when the application
761 759 * has exited) so we loop to make sure we have written all of the data we read.
762 760 */
|
↓ open down ↓ |
633 lines elided |
↑ open up ↑ |
763 761 static int
764 762 process_output(int in_fd, int out_fd)
765 763 {
766 764 int wrote = 0;
767 765 int cc;
768 766 char ibuf[ZLOGIN_BUFSIZ];
769 767
770 768 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
771 769 if (cc == -1 && (errno != EINTR || dead))
772 770 return (-1);
773 - if (cc == 0) {
774 - /*
775 - * A return value of 0 when calling read() on a terminal
776 - * indicates end-of-file pre-XPG4 and no data available
777 - * for XPG4 and above.
778 - */
779 - if (__xpg4 == 0)
780 - return (-1);
781 - return (0);
782 - }
771 + if (cc == 0)
772 + return (-1); /* EOF */
783 773 if (cc == -1) /* The read was interrupted. */
784 774 return (0);
785 775
786 776 do {
787 777 int len;
788 778
789 779 len = write(out_fd, ibuf + wrote, cc - wrote);
790 780 if (len == -1 && errno != EINTR)
791 781 return (-1);
792 782 if (len != -1)
793 783 wrote += len;
794 784 } while (wrote < cc);
795 785
796 786 return (0);
797 787 }
798 788
799 789 /*
800 790 * This is the main I/O loop, and is shared across all zlogin modes.
801 791 * Parameters:
802 792 * stdin_fd: The fd representing 'stdin' for the slave side; input to
803 793 * the zone will be written here.
804 794 *
805 795 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
806 796 * we're running non-interactive); used in process_raw_input
807 797 * to ensure we don't fill up the application's stdin pipe.
808 798 *
809 799 * stdout_fd: The fd representing 'stdout' for the slave side; output
810 800 * from the zone will arrive here.
811 801 *
812 802 * stderr_fd: The fd representing 'stderr' for the slave side; output
813 803 * from the zone will arrive here.
814 804 *
815 805 * raw_mode: If TRUE, then no processing (for example, for '~.') will
816 806 * be performed on the input coming from STDIN.
817 807 *
818 808 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
819 809 * mode supplies a stderr).
820 810 *
821 811 */
822 812 static void
823 813 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
824 814 boolean_t raw_mode)
825 815 {
826 816 struct pollfd pollfds[4];
827 817 char ibuf[ZLOGIN_BUFSIZ];
828 818 int cc, ret;
829 819
830 820 /* read from stdout of zone and write to stdout of global zone */
831 821 pollfds[0].fd = stdout_fd;
832 822 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
833 823
834 824 /* read from stderr of zone and write to stderr of global zone */
835 825 pollfds[1].fd = stderr_fd;
836 826 pollfds[1].events = pollfds[0].events;
837 827
838 828 /* read from stdin of global zone and write to stdin of zone */
839 829 pollfds[2].fd = STDIN_FILENO;
840 830 pollfds[2].events = pollfds[0].events;
841 831
842 832 /* read from signalling pipe so we know when child dies */
843 833 pollfds[3].fd = sig_fd;
844 834 pollfds[3].events = pollfds[0].events;
845 835
846 836 for (;;) {
847 837 pollfds[0].revents = pollfds[1].revents =
848 838 pollfds[2].revents = pollfds[3].revents = 0;
849 839
850 840 if (dead)
851 841 break;
852 842
853 843 /*
854 844 * There is a race condition here where we can receive the
855 845 * child death signal, set the dead flag, but since we have
856 846 * passed the test above, we would go into poll and hang.
857 847 * To avoid this we use the sig_fd as an additional poll fd.
858 848 * The signal handler writes into the other end of this pipe
859 849 * when the child dies so that the poll will always see that
860 850 * input and proceed. We just loop around at that point and
861 851 * then notice the dead flag.
862 852 */
863 853
864 854 ret = poll(pollfds,
865 855 sizeof (pollfds) / sizeof (struct pollfd), -1);
866 856
867 857 if (ret == -1 && errno != EINTR) {
868 858 perror("poll failed");
869 859 break;
870 860 }
871 861
872 862 if (errno == EINTR && dead) {
873 863 break;
874 864 }
875 865
876 866 /* event from master side stdout */
877 867 if (pollfds[0].revents) {
878 868 if (pollfds[0].revents &
879 869 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
880 870 if (process_output(stdout_fd, STDOUT_FILENO)
881 871 != 0)
882 872 break;
883 873 } else {
884 874 pollerr = pollfds[0].revents;
885 875 break;
886 876 }
887 877 }
888 878
889 879 /* event from master side stderr */
890 880 if (pollfds[1].revents) {
891 881 if (pollfds[1].revents &
892 882 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
893 883 if (process_output(stderr_fd, STDERR_FILENO)
894 884 != 0)
895 885 break;
896 886 } else {
897 887 pollerr = pollfds[1].revents;
898 888 break;
899 889 }
900 890 }
901 891
902 892 /* event from user STDIN side */
903 893 if (pollfds[2].revents) {
904 894 if (pollfds[2].revents &
905 895 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
906 896 /*
907 897 * stdin fd is stdin of the target; so,
908 898 * the thing we'll write the user data *to*.
909 899 *
910 900 * Also, unlike on the output side, we
911 901 * close the pipe on a zero-length message.
912 902 */
913 903 int res;
914 904
915 905 if (raw_mode)
916 906 res = process_raw_input(stdin_fd,
917 907 appin_fd);
918 908 else
919 909 res = process_user_input(stdin_fd,
920 910 stdout_fd);
921 911
922 912 if (res < 0)
923 913 break;
924 914 if (res > 0) {
925 915 /* EOF (close) child's stdin_fd */
926 916 pollfds[2].fd = -1;
927 917 while ((res = close(stdin_fd)) != 0 &&
928 918 errno == EINTR)
929 919 ;
930 920 if (res != 0)
931 921 break;
932 922 }
933 923
934 924 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
935 925 /*
936 926 * It's OK to get a POLLHUP on STDIN-- it
937 927 * always happens if you do:
938 928 *
939 929 * echo foo | zlogin <zone> <command>
940 930 *
941 931 * We reset fd to -1 in this case to clear
942 932 * the condition and close the pipe (EOF) to
943 933 * the other side in order to wrap things up.
944 934 */
945 935 int res;
946 936
947 937 pollfds[2].fd = -1;
948 938 while ((res = close(stdin_fd)) != 0 &&
949 939 errno == EINTR)
950 940 ;
951 941 if (res != 0)
952 942 break;
953 943 } else {
954 944 pollerr = pollfds[2].revents;
955 945 break;
956 946 }
957 947 }
958 948 }
959 949
960 950 /*
961 951 * We are in the midst of dying, but try to poll with a short
962 952 * timeout to see if we can catch the last bit of I/O from the
963 953 * children.
964 954 */
965 955 retry:
966 956 pollfds[0].revents = pollfds[1].revents = 0;
967 957 (void) poll(pollfds, 2, 100);
968 958 if (pollfds[0].revents &
969 959 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
970 960 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
971 961 (void) write(STDOUT_FILENO, ibuf, cc);
972 962 goto retry;
973 963 }
974 964 }
975 965 if (pollfds[1].revents &
976 966 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
977 967 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
978 968 (void) write(STDERR_FILENO, ibuf, cc);
979 969 goto retry;
980 970 }
981 971 }
982 972 }
983 973
984 974 /*
985 975 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
986 976 */
987 977 static const char *
988 978 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
989 979 size_t len)
990 980 {
991 981 bzero(user_cmd, sizeof (user_cmd));
992 982 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
993 983 return (NULL);
994 984
995 985 return (user_cmd);
996 986 }
997 987
998 988 /* From libc */
999 989 extern int str2passwd(const char *, int, void *, char *, int);
1000 990
1001 991 /*
1002 992 * exec() the user_cmd brand hook, and convert the output string to a
1003 993 * struct passwd. This is to be called after zone_enter().
1004 994 *
1005 995 */
1006 996 static struct passwd *
1007 997 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
1008 998 int pwbuflen)
1009 999 {
1010 1000 char pwline[NSS_BUFLEN_PASSWD];
1011 1001 char *cin = NULL;
1012 1002 FILE *fin;
1013 1003 int status;
1014 1004
1015 1005 assert(getzoneid() != GLOBAL_ZONEID);
1016 1006
1017 1007 if ((fin = popen(user_cmd, "r")) == NULL)
1018 1008 return (NULL);
1019 1009
1020 1010 while (cin == NULL && !feof(fin))
1021 1011 cin = fgets(pwline, sizeof (pwline), fin);
1022 1012
1023 1013 if (cin == NULL) {
1024 1014 (void) pclose(fin);
1025 1015 return (NULL);
1026 1016 }
1027 1017
1028 1018 status = pclose(fin);
1029 1019 if (!WIFEXITED(status))
1030 1020 return (NULL);
1031 1021 if (WEXITSTATUS(status) != 0)
1032 1022 return (NULL);
1033 1023
1034 1024 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1035 1025 return (pwent);
1036 1026 else
1037 1027 return (NULL);
1038 1028 }
1039 1029
1040 1030 static char **
1041 1031 zone_login_cmd(brand_handle_t bh, const char *login)
1042 1032 {
1043 1033 static char result_buf[ARG_MAX];
1044 1034 char **new_argv, *ptr, *lasts;
1045 1035 int n, a;
1046 1036
1047 1037 /* Get the login command for the target zone. */
1048 1038 bzero(result_buf, sizeof (result_buf));
1049 1039
1050 1040 if (forced_login) {
1051 1041 if (brand_get_forcedlogin_cmd(bh, login,
1052 1042 result_buf, sizeof (result_buf)) != 0)
1053 1043 return (NULL);
1054 1044 } else {
1055 1045 if (brand_get_login_cmd(bh, login,
1056 1046 result_buf, sizeof (result_buf)) != 0)
1057 1047 return (NULL);
1058 1048 }
1059 1049
1060 1050 /*
1061 1051 * We got back a string that we'd like to execute. But since
1062 1052 * we're not doing the execution via a shell we'll need to convert
1063 1053 * the exec string to an array of strings. We'll do that here
1064 1054 * but we're going to be very simplistic about it and break stuff
1065 1055 * up based on spaces. We're not even going to support any kind
1066 1056 * of quoting or escape characters. It's truly amazing that
1067 1057 * there is no library function in OpenSolaris to do this for us.
1068 1058 */
1069 1059
1070 1060 /*
1071 1061 * Be paranoid. Since we're deliniating based on spaces make
1072 1062 * sure there are no adjacent spaces.
1073 1063 */
1074 1064 if (strstr(result_buf, " ") != NULL)
1075 1065 return (NULL);
1076 1066
1077 1067 /* Remove any trailing whitespace. */
1078 1068 n = strlen(result_buf);
1079 1069 if (result_buf[n - 1] == ' ')
1080 1070 result_buf[n - 1] = '\0';
1081 1071
1082 1072 /* Count how many elements there are in the exec string. */
1083 1073 ptr = result_buf;
1084 1074 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1085 1075 ;
1086 1076
1087 1077 /* Allocate the argv array that we're going to return. */
1088 1078 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1089 1079 return (NULL);
1090 1080
1091 1081 /* Tokenize the exec string and return. */
1092 1082 a = 0;
1093 1083 new_argv[a++] = result_buf;
1094 1084 if (n > 2) {
1095 1085 (void) strtok_r(result_buf, " ", &lasts);
1096 1086 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1097 1087 ;
1098 1088 } else {
1099 1089 new_argv[a++] = NULL;
1100 1090 }
1101 1091 assert(n == a);
1102 1092 return (new_argv);
1103 1093 }
1104 1094
1105 1095 /*
1106 1096 * Prepare argv array for exec'd process; if we're passing commands to the
1107 1097 * new process, then use su(1M) to do the invocation. Otherwise, use
1108 1098 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1109 1099 * login that we're coming from another zone, and to disregard its CONSOLE
1110 1100 * checks).
1111 1101 */
1112 1102 static char **
1113 1103 prep_args(brand_handle_t bh, const char *login, char **argv)
1114 1104 {
1115 1105 int argc = 0, a = 0, i, n = -1;
1116 1106 char **new_argv;
1117 1107
1118 1108 if (argv != NULL) {
1119 1109 size_t subshell_len = 1;
1120 1110 char *subshell;
1121 1111
1122 1112 while (argv[argc] != NULL)
1123 1113 argc++;
1124 1114
1125 1115 for (i = 0; i < argc; i++) {
1126 1116 subshell_len += strlen(argv[i]) + 1;
1127 1117 }
1128 1118 if ((subshell = calloc(1, subshell_len)) == NULL)
1129 1119 return (NULL);
1130 1120
1131 1121 for (i = 0; i < argc; i++) {
1132 1122 (void) strcat(subshell, argv[i]);
1133 1123 (void) strcat(subshell, " ");
1134 1124 }
1135 1125
1136 1126 if (failsafe) {
1137 1127 n = 4;
1138 1128 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1139 1129 return (NULL);
1140 1130
1141 1131 new_argv[a++] = FAILSAFESHELL;
1142 1132 } else {
1143 1133 n = 5;
1144 1134 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1145 1135 return (NULL);
1146 1136
1147 1137 new_argv[a++] = SUPATH;
1148 1138 if (strcmp(login, "root") != 0) {
1149 1139 new_argv[a++] = "-";
1150 1140 n++;
1151 1141 }
1152 1142 new_argv[a++] = (char *)login;
1153 1143 }
1154 1144 new_argv[a++] = "-c";
1155 1145 new_argv[a++] = subshell;
1156 1146 new_argv[a++] = NULL;
1157 1147 assert(a == n);
1158 1148 } else {
1159 1149 if (failsafe) {
1160 1150 n = 2;
1161 1151 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1162 1152 return (NULL);
1163 1153 new_argv[a++] = FAILSAFESHELL;
1164 1154 new_argv[a++] = NULL;
1165 1155 assert(n == a);
1166 1156 } else {
1167 1157 new_argv = zone_login_cmd(bh, login);
1168 1158 }
1169 1159 }
1170 1160
1171 1161 return (new_argv);
1172 1162 }
1173 1163
1174 1164 /*
1175 1165 * Helper routine for prep_env below.
1176 1166 */
1177 1167 static char *
1178 1168 add_env(char *name, char *value)
1179 1169 {
1180 1170 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1181 1171 char *str;
1182 1172
1183 1173 if ((str = malloc(sz)) == NULL)
1184 1174 return (NULL);
1185 1175
1186 1176 (void) snprintf(str, sz, "%s=%s", name, value);
1187 1177 return (str);
1188 1178 }
1189 1179
1190 1180 /*
1191 1181 * Prepare envp array for exec'd process.
1192 1182 */
1193 1183 static char **
1194 1184 prep_env()
1195 1185 {
1196 1186 int e = 0, size = 1;
1197 1187 char **new_env, *estr;
1198 1188 char *term = getenv("TERM");
1199 1189
1200 1190 size++; /* for $PATH */
1201 1191 if (term != NULL)
1202 1192 size++;
1203 1193
1204 1194 /*
1205 1195 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1206 1196 * We also set $SHELL, since neither login nor su will be around to do
1207 1197 * it.
1208 1198 */
1209 1199 if (failsafe)
1210 1200 size += 2;
1211 1201
1212 1202 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1213 1203 return (NULL);
1214 1204
1215 1205 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1216 1206 return (NULL);
1217 1207 new_env[e++] = estr;
1218 1208
1219 1209 if (term != NULL) {
1220 1210 if ((estr = add_env("TERM", term)) == NULL)
1221 1211 return (NULL);
1222 1212 new_env[e++] = estr;
1223 1213 }
1224 1214
1225 1215 if (failsafe) {
1226 1216 if ((estr = add_env("HOME", "/")) == NULL)
1227 1217 return (NULL);
1228 1218 new_env[e++] = estr;
1229 1219
1230 1220 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1231 1221 return (NULL);
1232 1222 new_env[e++] = estr;
1233 1223 }
1234 1224
1235 1225 new_env[e++] = NULL;
1236 1226
1237 1227 assert(e == size);
1238 1228
1239 1229 return (new_env);
1240 1230 }
1241 1231
1242 1232 /*
1243 1233 * Finish the preparation of the envp array for exec'd non-interactive
1244 1234 * zlogins. This is called in the child process *after* we zone_enter(), since
1245 1235 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1246 1236 * etc. We need only do this in the non-interactive, mode, since otherwise
1247 1237 * login(1) will do it. We don't do this in failsafe mode, since it presents
1248 1238 * additional ways in which the command could fail, and we'd prefer to avoid
1249 1239 * that.
1250 1240 */
1251 1241 static char **
1252 1242 prep_env_noninteractive(const char *user_cmd, char **env)
1253 1243 {
1254 1244 size_t size;
1255 1245 char **new_env;
1256 1246 int e, i;
1257 1247 char *estr;
1258 1248 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1259 1249 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1260 1250 struct passwd pwent;
1261 1251 struct passwd *pw = NULL;
1262 1252
1263 1253 assert(env != NULL);
1264 1254 assert(failsafe == 0);
1265 1255
1266 1256 /*
1267 1257 * Exec the "user_cmd" brand hook to get a pwent for the
1268 1258 * login user. If this fails, HOME will be set to "/", SHELL
1269 1259 * will be set to $DEFAULTSHELL, and we will continue to exec
1270 1260 * SUPATH <login> -c <cmd>.
1271 1261 */
1272 1262 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1273 1263
1274 1264 /*
1275 1265 * Get existing envp size.
1276 1266 */
1277 1267 for (size = 0; env[size] != NULL; size++)
1278 1268 ;
1279 1269
1280 1270 e = size;
1281 1271
1282 1272 /*
1283 1273 * Finish filling out the environment; we duplicate the environment
1284 1274 * setup described in login(1), for lack of a better precedent.
1285 1275 */
1286 1276 if (pw != NULL)
1287 1277 size += 3; /* LOGNAME, HOME, MAIL */
1288 1278 else
1289 1279 size += 1; /* HOME */
1290 1280
1291 1281 size++; /* always fill in SHELL */
1292 1282 size++; /* terminating NULL */
1293 1283
1294 1284 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1295 1285 goto malloc_fail;
1296 1286
1297 1287 /*
1298 1288 * Copy existing elements of env into new_env.
1299 1289 */
1300 1290 for (i = 0; env[i] != NULL; i++) {
1301 1291 if ((new_env[i] = strdup(env[i])) == NULL)
1302 1292 goto malloc_fail;
1303 1293 }
1304 1294 assert(e == i);
1305 1295
1306 1296 if (pw != NULL) {
1307 1297 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1308 1298 goto malloc_fail;
1309 1299 new_env[e++] = estr;
1310 1300
1311 1301 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1312 1302 goto malloc_fail;
1313 1303 new_env[e++] = estr;
1314 1304
1315 1305 if (chdir(pw->pw_dir) != 0)
1316 1306 zerror(gettext("Could not chdir to home directory "
1317 1307 "%s: %s"), pw->pw_dir, strerror(errno));
1318 1308
1319 1309 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1320 1310 pw->pw_name);
1321 1311 if ((estr = add_env("MAIL", varmail)) == NULL)
1322 1312 goto malloc_fail;
1323 1313 new_env[e++] = estr;
1324 1314 } else {
1325 1315 if ((estr = add_env("HOME", "/")) == NULL)
1326 1316 goto malloc_fail;
1327 1317 new_env[e++] = estr;
1328 1318 }
1329 1319
1330 1320 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1331 1321 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1332 1322 goto malloc_fail;
1333 1323 new_env[e++] = estr;
1334 1324 } else {
1335 1325 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1336 1326 goto malloc_fail;
1337 1327 new_env[e++] = estr;
1338 1328 }
1339 1329
1340 1330 new_env[e++] = NULL; /* add terminating NULL */
1341 1331
1342 1332 assert(e == size);
1343 1333 return (new_env);
1344 1334
1345 1335 malloc_fail:
1346 1336 zperror(gettext("failed to allocate memory for process environment"));
1347 1337 return (NULL);
1348 1338 }
1349 1339
1350 1340 static int
1351 1341 close_func(void *slavefd, int fd)
1352 1342 {
1353 1343 if (fd != *(int *)slavefd)
1354 1344 (void) close(fd);
1355 1345 return (0);
1356 1346 }
1357 1347
1358 1348 static void
1359 1349 set_cmdchar(char *cmdcharstr)
1360 1350 {
1361 1351 char c;
1362 1352 long lc;
1363 1353
1364 1354 if ((c = *cmdcharstr) != '\\') {
1365 1355 cmdchar = c;
1366 1356 return;
1367 1357 }
1368 1358
1369 1359 c = cmdcharstr[1];
1370 1360 if (c == '\0' || c == '\\') {
1371 1361 cmdchar = '\\';
1372 1362 return;
1373 1363 }
1374 1364
1375 1365 if (c < '0' || c > '7') {
1376 1366 zerror(gettext("Unrecognized escape character option %s"),
1377 1367 cmdcharstr);
1378 1368 usage();
1379 1369 }
1380 1370
1381 1371 lc = strtol(cmdcharstr + 1, NULL, 8);
1382 1372 if (lc < 0 || lc > 255) {
1383 1373 zerror(gettext("Octal escape character '%s' too large"),
1384 1374 cmdcharstr);
1385 1375 usage();
1386 1376 }
1387 1377 cmdchar = (char)lc;
1388 1378 }
1389 1379
1390 1380 static int
1391 1381 setup_utmpx(char *slavename)
1392 1382 {
1393 1383 struct utmpx ut;
1394 1384
1395 1385 bzero(&ut, sizeof (ut));
1396 1386 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1397 1387 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1398 1388 ut.ut_pid = getpid();
1399 1389 ut.ut_id[0] = 'z';
1400 1390 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1401 1391 ut.ut_type = LOGIN_PROCESS;
1402 1392 (void) time(&ut.ut_tv.tv_sec);
1403 1393
1404 1394 if (makeutx(&ut) == NULL) {
1405 1395 zerror(gettext("makeutx failed"));
1406 1396 return (-1);
1407 1397 }
1408 1398 return (0);
1409 1399 }
1410 1400
1411 1401 static void
1412 1402 release_lock_file(int lockfd)
1413 1403 {
1414 1404 (void) close(lockfd);
1415 1405 }
1416 1406
1417 1407 static int
1418 1408 grab_lock_file(const char *zone_name, int *lockfd)
1419 1409 {
1420 1410 char pathbuf[PATH_MAX];
1421 1411 struct flock flock;
1422 1412
1423 1413 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1424 1414 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1425 1415 strerror(errno));
1426 1416 return (-1);
1427 1417 }
1428 1418 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1429 1419 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1430 1420 ZONES_TMPDIR, zone_name);
1431 1421
1432 1422 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1433 1423 zerror(gettext("could not open %s: %s"), pathbuf,
1434 1424 strerror(errno));
1435 1425 return (-1);
1436 1426 }
1437 1427 /*
1438 1428 * Lock the file to synchronize with other zoneadmds
1439 1429 */
1440 1430 flock.l_type = F_WRLCK;
1441 1431 flock.l_whence = SEEK_SET;
1442 1432 flock.l_start = (off_t)0;
1443 1433 flock.l_len = (off_t)0;
1444 1434 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1445 1435 zerror(gettext("unable to lock %s: %s"), pathbuf,
1446 1436 strerror(errno));
1447 1437 release_lock_file(*lockfd);
1448 1438 return (-1);
1449 1439 }
1450 1440 return (Z_OK);
1451 1441 }
1452 1442
1453 1443 static int
1454 1444 start_zoneadmd(const char *zone_name)
1455 1445 {
1456 1446 pid_t retval;
1457 1447 int pstatus = 0, error = -1, lockfd, doorfd;
1458 1448 struct door_info info;
1459 1449 char doorpath[MAXPATHLEN];
1460 1450
1461 1451 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1462 1452
1463 1453 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1464 1454 return (-1);
1465 1455 /*
1466 1456 * We must do the door check with the lock held. Otherwise, we
1467 1457 * might race against another zoneadm/zlogin process and wind
1468 1458 * up with two processes trying to start zoneadmd at the same
1469 1459 * time. zoneadmd will detect this, and fail, but we prefer this
1470 1460 * to be as seamless as is practical, from a user perspective.
1471 1461 */
1472 1462 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1473 1463 if (errno != ENOENT) {
1474 1464 zerror("failed to open %s: %s", doorpath,
1475 1465 strerror(errno));
1476 1466 goto out;
1477 1467 }
1478 1468 } else {
1479 1469 /*
1480 1470 * Seems to be working ok.
1481 1471 */
1482 1472 if (door_info(doorfd, &info) == 0 &&
1483 1473 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1484 1474 error = 0;
1485 1475 goto out;
1486 1476 }
1487 1477 }
1488 1478
1489 1479 if ((child_pid = fork()) == -1) {
1490 1480 zperror(gettext("could not fork"));
1491 1481 goto out;
1492 1482 } else if (child_pid == 0) {
1493 1483 /* child process */
1494 1484 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1495 1485 zone_name, NULL);
1496 1486 zperror(gettext("could not exec zoneadmd"));
1497 1487 _exit(1);
1498 1488 }
1499 1489
1500 1490 /* parent process */
1501 1491 do {
1502 1492 retval = waitpid(child_pid, &pstatus, 0);
1503 1493 } while (retval != child_pid);
1504 1494 if (WIFSIGNALED(pstatus) ||
1505 1495 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1506 1496 zerror(gettext("could not start %s"), "zoneadmd");
1507 1497 goto out;
1508 1498 }
1509 1499 error = 0;
1510 1500 out:
1511 1501 release_lock_file(lockfd);
1512 1502 (void) close(doorfd);
1513 1503 return (error);
1514 1504 }
1515 1505
1516 1506 static int
1517 1507 init_template(void)
1518 1508 {
1519 1509 int fd;
1520 1510 int err = 0;
1521 1511
1522 1512 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1523 1513 if (fd == -1)
1524 1514 return (-1);
1525 1515
1526 1516 /*
1527 1517 * zlogin doesn't do anything with the contract.
1528 1518 * Deliver no events, don't inherit, and allow it to be orphaned.
1529 1519 */
1530 1520 err |= ct_tmpl_set_critical(fd, 0);
1531 1521 err |= ct_tmpl_set_informative(fd, 0);
1532 1522 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1533 1523 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1534 1524 if (err || ct_tmpl_activate(fd)) {
1535 1525 (void) close(fd);
1536 1526 return (-1);
1537 1527 }
1538 1528
1539 1529 return (fd);
1540 1530 }
1541 1531
1542 1532 static int
1543 1533 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1544 1534 char **new_args, char **new_env)
1545 1535 {
1546 1536 pid_t retval;
1547 1537 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1548 1538 int child_status;
1549 1539 int tmpl_fd;
1550 1540 sigset_t block_cld;
1551 1541
1552 1542 if ((tmpl_fd = init_template()) == -1) {
1553 1543 reset_tty();
1554 1544 zperror(gettext("could not create contract"));
1555 1545 return (1);
1556 1546 }
1557 1547
1558 1548 if (pipe(stdin_pipe) != 0) {
1559 1549 zperror(gettext("could not create STDIN pipe"));
1560 1550 return (1);
1561 1551 }
1562 1552 /*
1563 1553 * When the user types ^D, we get a zero length message on STDIN.
1564 1554 * We need to echo that down the pipe to send it to the other side;
1565 1555 * but by default, pipes don't propagate zero-length messages. We
1566 1556 * toggle that behavior off using I_SWROPT. See streamio(7i).
1567 1557 */
1568 1558 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1569 1559 zperror(gettext("could not configure STDIN pipe"));
1570 1560 return (1);
1571 1561
1572 1562 }
1573 1563 if (pipe(stdout_pipe) != 0) {
1574 1564 zperror(gettext("could not create STDOUT pipe"));
1575 1565 return (1);
1576 1566 }
1577 1567 if (pipe(stderr_pipe) != 0) {
1578 1568 zperror(gettext("could not create STDERR pipe"));
1579 1569 return (1);
1580 1570 }
1581 1571
1582 1572 if (pipe(dead_child_pipe) != 0) {
1583 1573 zperror(gettext("could not create signalling pipe"));
1584 1574 return (1);
1585 1575 }
1586 1576 close_on_sig = dead_child_pipe[0];
1587 1577
1588 1578 /*
1589 1579 * If any of the pipe FD's winds up being less than STDERR, then we
1590 1580 * have a mess on our hands-- and we are lacking some of the I/O
1591 1581 * streams we would expect anyway. So we bail.
1592 1582 */
1593 1583 if (stdin_pipe[0] <= STDERR_FILENO ||
1594 1584 stdin_pipe[1] <= STDERR_FILENO ||
1595 1585 stdout_pipe[0] <= STDERR_FILENO ||
1596 1586 stdout_pipe[1] <= STDERR_FILENO ||
1597 1587 stderr_pipe[0] <= STDERR_FILENO ||
1598 1588 stderr_pipe[1] <= STDERR_FILENO ||
1599 1589 dead_child_pipe[0] <= STDERR_FILENO ||
1600 1590 dead_child_pipe[1] <= STDERR_FILENO) {
1601 1591 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1602 1592 return (1);
1603 1593 }
1604 1594
1605 1595 if (prefork_dropprivs() != 0) {
1606 1596 zperror(gettext("could not allocate privilege set"));
1607 1597 return (1);
1608 1598 }
1609 1599
1610 1600 (void) sigset(SIGCLD, sigcld);
1611 1601 (void) sigemptyset(&block_cld);
1612 1602 (void) sigaddset(&block_cld, SIGCLD);
1613 1603 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1614 1604
1615 1605 if ((child_pid = fork()) == -1) {
1616 1606 (void) ct_tmpl_clear(tmpl_fd);
1617 1607 (void) close(tmpl_fd);
1618 1608 zperror(gettext("could not fork"));
1619 1609 return (1);
1620 1610 } else if (child_pid == 0) { /* child process */
1621 1611 (void) ct_tmpl_clear(tmpl_fd);
1622 1612
1623 1613 /*
1624 1614 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1625 1615 */
1626 1616 (void) close(STDIN_FILENO);
1627 1617 (void) close(STDOUT_FILENO);
1628 1618 (void) close(STDERR_FILENO);
1629 1619 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1630 1620 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1631 1621 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1632 1622 (void) closefrom(STDERR_FILENO + 1);
1633 1623
1634 1624 (void) sigset(SIGCLD, SIG_DFL);
1635 1625 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1636 1626 /*
1637 1627 * In case any of stdin, stdout or stderr are streams,
1638 1628 * anchor them to prevent malicious I_POPs.
1639 1629 */
1640 1630 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1641 1631 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1642 1632 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1643 1633
1644 1634 if (zone_enter(zoneid) == -1) {
1645 1635 zerror(gettext("could not enter zone %s: %s"),
1646 1636 zonename, strerror(errno));
1647 1637 _exit(1);
1648 1638 }
1649 1639
1650 1640 /*
1651 1641 * For non-native zones, tell libc where it can find locale
1652 1642 * specific getttext() messages.
1653 1643 */
1654 1644 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1655 1645 (void) bindtextdomain(TEXT_DOMAIN,
1656 1646 "/.SUNWnative/usr/lib/locale");
1657 1647 else if (access("/native/usr/lib/locale", R_OK) == 0)
1658 1648 (void) bindtextdomain(TEXT_DOMAIN,
1659 1649 "/native/usr/lib/locale");
1660 1650
1661 1651 if (!failsafe)
1662 1652 new_env = prep_env_noninteractive(user_cmd, new_env);
1663 1653
1664 1654 if (new_env == NULL) {
1665 1655 _exit(1);
1666 1656 }
1667 1657
1668 1658 /*
1669 1659 * Move into a new process group; the zone_enter will have
1670 1660 * placed us into zsched's session, and we want to be in
1671 1661 * a unique process group.
1672 1662 */
1673 1663 (void) setpgid(getpid(), getpid());
1674 1664
1675 1665 /*
1676 1666 * The child needs to run as root to
1677 1667 * execute the su program.
1678 1668 */
1679 1669 if (setuid(0) == -1) {
1680 1670 zperror(gettext("insufficient privilege"));
1681 1671 return (1);
1682 1672 }
1683 1673
1684 1674 (void) execve(new_args[0], new_args, new_env);
1685 1675 zperror(gettext("exec failure"));
1686 1676 _exit(1);
1687 1677 }
1688 1678 /* parent */
1689 1679
1690 1680 /* close pipe sides written by child */
1691 1681 (void) close(stdout_pipe[1]);
1692 1682 (void) close(stderr_pipe[1]);
1693 1683
1694 1684 (void) sigset(SIGINT, sig_forward);
1695 1685
1696 1686 postfork_dropprivs();
1697 1687
1698 1688 (void) ct_tmpl_clear(tmpl_fd);
1699 1689 (void) close(tmpl_fd);
1700 1690
1701 1691 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1702 1692 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1703 1693 dead_child_pipe[1], B_TRUE);
1704 1694 do {
1705 1695 retval = waitpid(child_pid, &child_status, 0);
1706 1696 if (retval == -1) {
1707 1697 child_status = 0;
1708 1698 }
1709 1699 } while (retval != child_pid && errno != ECHILD);
1710 1700
1711 1701 return (WEXITSTATUS(child_status));
1712 1702 }
1713 1703
1714 1704 static char *
1715 1705 get_username()
1716 1706 {
1717 1707 uid_t uid;
1718 1708 struct passwd *nptr;
1719 1709
1720 1710 /*
1721 1711 * Authorizations are checked to restrict access based on the
1722 1712 * requested operation and zone name, It is assumed that the
1723 1713 * program is running with all privileges, but that the real
1724 1714 * user ID is that of the user or role on whose behalf we are
1725 1715 * operating. So we start by getting the username that will be
1726 1716 * used for subsequent authorization checks.
1727 1717 */
1728 1718
1729 1719 uid = getuid();
1730 1720 if ((nptr = getpwuid(uid)) == NULL) {
1731 1721 zerror(gettext("could not get user name."));
1732 1722 _exit(1);
1733 1723 }
1734 1724 return (nptr->pw_name);
1735 1725 }
1736 1726
1737 1727 int
1738 1728 main(int argc, char **argv)
1739 1729 {
1740 1730 int arg, console = 0;
1741 1731 zoneid_t zoneid;
1742 1732 zone_state_t st;
1743 1733 char *login = "root";
1744 1734 int lflag = 0;
1745 1735 int nflag = 0;
1746 1736 char *zonename = NULL;
1747 1737 char **proc_args = NULL;
1748 1738 char **new_args, **new_env;
1749 1739 sigset_t block_cld;
1750 1740 char devroot[MAXPATHLEN];
1751 1741 char *slavename, slaveshortname[MAXPATHLEN];
1752 1742 priv_set_t *privset;
1753 1743 int tmpl_fd;
1754 1744 char zonebrand[MAXNAMELEN];
1755 1745 char default_brand[MAXNAMELEN];
1756 1746 struct stat sb;
1757 1747 char kernzone[ZONENAME_MAX];
1758 1748 brand_handle_t bh;
1759 1749 char user_cmd[MAXPATHLEN];
1760 1750 char authname[MAXAUTHS];
1761 1751
1762 1752 (void) setlocale(LC_ALL, "");
1763 1753 (void) textdomain(TEXT_DOMAIN);
1764 1754
1765 1755 (void) getpname(argv[0]);
1766 1756 username = get_username();
1767 1757
1768 1758 while ((arg = getopt(argc, argv, "dnECR:Se:l:Q")) != EOF) {
1769 1759 switch (arg) {
1770 1760 case 'C':
1771 1761 console = 1;
1772 1762 break;
1773 1763 case 'E':
1774 1764 nocmdchar = 1;
1775 1765 break;
1776 1766 case 'R': /* undocumented */
1777 1767 if (*optarg != '/') {
1778 1768 zerror(gettext("root path must be absolute."));
1779 1769 exit(2);
1780 1770 }
1781 1771 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1782 1772 zerror(
1783 1773 gettext("root path must be a directory."));
1784 1774 exit(2);
1785 1775 }
1786 1776 zonecfg_set_root(optarg);
1787 1777 break;
1788 1778 case 'Q':
1789 1779 quiet = 1;
1790 1780 break;
1791 1781 case 'S':
1792 1782 failsafe = 1;
1793 1783 break;
1794 1784 case 'd':
1795 1785 disconnect = 1;
1796 1786 break;
1797 1787 case 'e':
1798 1788 set_cmdchar(optarg);
1799 1789 break;
1800 1790 case 'l':
1801 1791 login = optarg;
1802 1792 lflag = 1;
1803 1793 break;
1804 1794 case 'n':
1805 1795 nflag = 1;
1806 1796 break;
1807 1797 default:
1808 1798 usage();
1809 1799 }
1810 1800 }
1811 1801
1812 1802 if (console != 0) {
1813 1803
1814 1804 if (lflag != 0) {
1815 1805 zerror(gettext(
1816 1806 "-l may not be specified for console login"));
1817 1807 usage();
1818 1808 }
1819 1809
1820 1810 if (nflag != 0) {
1821 1811 zerror(gettext(
1822 1812 "-n may not be specified for console login"));
1823 1813 usage();
1824 1814 }
1825 1815
1826 1816 if (failsafe != 0) {
1827 1817 zerror(gettext(
1828 1818 "-S may not be specified for console login"));
1829 1819 usage();
1830 1820 }
1831 1821
1832 1822 if (zonecfg_in_alt_root()) {
1833 1823 zerror(gettext(
1834 1824 "-R may not be specified for console login"));
1835 1825 exit(2);
1836 1826 }
1837 1827
1838 1828 }
1839 1829
1840 1830 if (failsafe != 0 && lflag != 0) {
1841 1831 zerror(gettext("-l may not be specified for failsafe login"));
1842 1832 usage();
1843 1833 }
1844 1834
1845 1835 if (!console && disconnect != 0) {
1846 1836 zerror(gettext(
1847 1837 "-d may only be specified with console login"));
1848 1838 usage();
1849 1839 }
1850 1840
1851 1841 if (optind == (argc - 1)) {
1852 1842 /*
1853 1843 * zone name, no process name; this should be an interactive
1854 1844 * as long as STDIN is really a tty.
1855 1845 */
1856 1846 if (nflag != 0) {
1857 1847 zerror(gettext(
1858 1848 "-n may not be specified for interactive login"));
1859 1849 usage();
1860 1850 }
1861 1851 if (isatty(STDIN_FILENO))
1862 1852 interactive = 1;
1863 1853 zonename = argv[optind];
1864 1854 } else if (optind < (argc - 1)) {
1865 1855 if (console) {
1866 1856 zerror(gettext("Commands may not be specified for "
1867 1857 "console login."));
1868 1858 usage();
1869 1859 }
1870 1860 /* zone name and process name, and possibly some args */
1871 1861 zonename = argv[optind];
1872 1862 proc_args = &argv[optind + 1];
1873 1863 interactive = 0;
1874 1864 } else {
1875 1865 usage();
1876 1866 }
1877 1867
1878 1868 if (getzoneid() != GLOBAL_ZONEID) {
1879 1869 zerror(gettext("'%s' may only be used from the global zone"),
1880 1870 pname);
1881 1871 return (1);
1882 1872 }
1883 1873
1884 1874 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1885 1875 zerror(gettext("'%s' not applicable to the global zone"),
1886 1876 pname);
1887 1877 return (1);
1888 1878 }
1889 1879
1890 1880 if (zone_get_state(zonename, &st) != Z_OK) {
1891 1881 zerror(gettext("zone '%s' unknown"), zonename);
1892 1882 return (1);
1893 1883 }
1894 1884
1895 1885 if (st < ZONE_STATE_INSTALLED) {
1896 1886 zerror(gettext("cannot login to a zone which is '%s'"),
1897 1887 zone_state_str(st));
1898 1888 return (1);
1899 1889 }
1900 1890
1901 1891 /*
1902 1892 * In both console and non-console cases, we require all privs.
1903 1893 * In the console case, because we may need to startup zoneadmd.
1904 1894 * In the non-console case in order to do zone_enter(2), zonept()
1905 1895 * and other tasks.
1906 1896 */
1907 1897
1908 1898 if ((privset = priv_allocset()) == NULL) {
1909 1899 zperror(gettext("priv_allocset failed"));
1910 1900 return (1);
1911 1901 }
1912 1902
1913 1903 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1914 1904 zperror(gettext("getppriv failed"));
1915 1905 priv_freeset(privset);
1916 1906 return (1);
1917 1907 }
1918 1908
1919 1909 if (priv_isfullset(privset) == B_FALSE) {
1920 1910 zerror(gettext("You lack sufficient privilege to run "
1921 1911 "this command (all privs required)"));
1922 1912 priv_freeset(privset);
1923 1913 return (1);
1924 1914 }
1925 1915 priv_freeset(privset);
1926 1916
1927 1917 /*
1928 1918 * Check if user is authorized for requested usage of the zone
1929 1919 */
1930 1920
1931 1921 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1932 1922 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1933 1923 if (chkauthattr(authname, username) == 0) {
1934 1924 if (console) {
1935 1925 zerror(gettext("%s is not authorized for console "
1936 1926 "access to %s zone."),
1937 1927 username, zonename);
1938 1928 return (1);
1939 1929 } else {
1940 1930 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1941 1931 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1942 1932 if (failsafe || !interactive) {
1943 1933 zerror(gettext("%s is not authorized for "
1944 1934 "failsafe or non-interactive login "
1945 1935 "to %s zone."), username, zonename);
1946 1936 return (1);
1947 1937 } else if (chkauthattr(authname, username) == 0) {
1948 1938 zerror(gettext("%s is not authorized "
1949 1939 " to login to %s zone."),
1950 1940 username, zonename);
1951 1941 return (1);
1952 1942 }
1953 1943 }
1954 1944 } else {
1955 1945 forced_login = B_TRUE;
1956 1946 }
1957 1947
1958 1948 /*
1959 1949 * The console is a separate case from the rest of the code; handle
1960 1950 * it first.
1961 1951 */
1962 1952 if (console) {
1963 1953 /*
1964 1954 * Ensure that zoneadmd for this zone is running.
1965 1955 */
1966 1956 if (start_zoneadmd(zonename) == -1)
1967 1957 return (1);
1968 1958
1969 1959 /*
1970 1960 * Make contact with zoneadmd.
1971 1961 */
1972 1962 if (get_console_master(zonename) == -1)
1973 1963 return (1);
1974 1964
1975 1965 if (!quiet)
1976 1966 (void) printf(
1977 1967 gettext("[Connected to zone '%s' console]\n"),
1978 1968 zonename);
1979 1969
1980 1970 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1981 1971 reset_tty();
1982 1972 zperror(gettext("failed to set stdin pty to raw mode"));
1983 1973 return (1);
1984 1974 }
1985 1975
1986 1976 (void) sigset(SIGWINCH, sigwinch);
1987 1977 (void) sigwinch(0);
1988 1978
1989 1979 /*
1990 1980 * Run the I/O loop until we get disconnected.
1991 1981 */
1992 1982 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1993 1983 reset_tty();
1994 1984 if (!quiet)
1995 1985 (void) printf(
1996 1986 gettext("\n[Connection to zone '%s' console "
1997 1987 "closed]\n"), zonename);
1998 1988
1999 1989 return (0);
2000 1990 }
2001 1991
2002 1992 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
2003 1993 zerror(gettext("login allowed only to running zones "
2004 1994 "(%s is '%s')."), zonename, zone_state_str(st));
2005 1995 return (1);
2006 1996 }
2007 1997
2008 1998 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
2009 1999 if (zonecfg_in_alt_root()) {
2010 2000 FILE *fp = zonecfg_open_scratch("", B_FALSE);
2011 2001
2012 2002 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
2013 2003 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
2014 2004 zerror(gettext("cannot find scratch zone %s"),
2015 2005 zonename);
2016 2006 if (fp != NULL)
2017 2007 zonecfg_close_scratch(fp);
2018 2008 return (1);
2019 2009 }
2020 2010 zonecfg_close_scratch(fp);
2021 2011 }
2022 2012
2023 2013 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
2024 2014 zerror(gettext("failed to get zoneid for zone '%s'"),
2025 2015 zonename);
2026 2016 return (1);
2027 2017 }
2028 2018
2029 2019 /*
2030 2020 * We need the zone root path only if we are setting up a pty.
2031 2021 */
2032 2022 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
2033 2023 zerror(gettext("could not get dev path for zone %s"),
2034 2024 zonename);
2035 2025 return (1);
2036 2026 }
2037 2027
2038 2028 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
2039 2029 zerror(gettext("could not get brand for zone %s"), zonename);
2040 2030 return (1);
2041 2031 }
2042 2032 /*
2043 2033 * In the alternate root environment, the only supported
2044 2034 * operations are mount and unmount. In this case, just treat
2045 2035 * the zone as native if it is cluster. Cluster zones can be
2046 2036 * native for the purpose of LU or upgrade, and the cluster
2047 2037 * brand may not exist in the miniroot (such as in net install
2048 2038 * upgrade).
2049 2039 */
2050 2040 if (zonecfg_default_brand(default_brand,
2051 2041 sizeof (default_brand)) != Z_OK) {
2052 2042 zerror(gettext("unable to determine default brand"));
2053 2043 return (1);
2054 2044 }
2055 2045 if (zonecfg_in_alt_root() &&
2056 2046 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2057 2047 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2058 2048 }
2059 2049
2060 2050 if ((bh = brand_open(zonebrand)) == NULL) {
2061 2051 zerror(gettext("could not open brand for zone %s"), zonename);
2062 2052 return (1);
2063 2053 }
2064 2054
2065 2055 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2066 2056 zperror(gettext("could not assemble new arguments"));
2067 2057 brand_close(bh);
2068 2058 return (1);
2069 2059 }
2070 2060 /*
2071 2061 * Get the brand specific user_cmd. This command is used to get
2072 2062 * a passwd(4) entry for login.
2073 2063 */
2074 2064 if (!interactive && !failsafe) {
2075 2065 if (zone_get_user_cmd(bh, login, user_cmd,
2076 2066 sizeof (user_cmd)) == NULL) {
2077 2067 zerror(gettext("could not get user_cmd for zone %s"),
2078 2068 zonename);
2079 2069 brand_close(bh);
2080 2070 return (1);
2081 2071 }
2082 2072 }
2083 2073 brand_close(bh);
2084 2074
2085 2075 if ((new_env = prep_env()) == NULL) {
2086 2076 zperror(gettext("could not assemble new environment"));
2087 2077 return (1);
2088 2078 }
2089 2079
2090 2080 if (!interactive) {
2091 2081 if (nflag) {
2092 2082 int nfd;
2093 2083
2094 2084 if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2095 2085 zperror(gettext("failed to open null device"));
2096 2086 return (1);
2097 2087 }
2098 2088 if (nfd != STDIN_FILENO) {
2099 2089 if (dup2(nfd, STDIN_FILENO) < 0) {
2100 2090 zperror(gettext(
2101 2091 "failed to dup2 null device"));
2102 2092 return (1);
2103 2093 }
2104 2094 (void) close(nfd);
2105 2095 }
2106 2096 /* /dev/null is now standard input */
2107 2097 }
2108 2098 return (noninteractive_login(zonename, user_cmd, zoneid,
2109 2099 new_args, new_env));
2110 2100 }
2111 2101
2112 2102 if (zonecfg_in_alt_root()) {
2113 2103 zerror(gettext("cannot use interactive login with scratch "
2114 2104 "zone"));
2115 2105 return (1);
2116 2106 }
2117 2107
2118 2108 /*
2119 2109 * Things are more complex in interactive mode; we get the
2120 2110 * master side of the pty, then place the user's terminal into
2121 2111 * raw mode.
2122 2112 */
2123 2113 if (get_master_pty() == -1) {
2124 2114 zerror(gettext("could not setup master pty device"));
2125 2115 return (1);
2126 2116 }
2127 2117
2128 2118 /*
2129 2119 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2130 2120 */
2131 2121 if ((slavename = ptsname(masterfd)) == NULL) {
2132 2122 zperror(gettext("failed to get name for pseudo-tty"));
2133 2123 return (1);
2134 2124 }
2135 2125 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2136 2126 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2137 2127 sizeof (slaveshortname));
2138 2128 else
2139 2129 (void) strlcpy(slaveshortname, slavename,
2140 2130 sizeof (slaveshortname));
2141 2131
2142 2132 if (!quiet)
2143 2133 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2144 2134 zonename, slaveshortname);
2145 2135
2146 2136 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2147 2137 reset_tty();
2148 2138 zperror(gettext("failed to set stdin pty to raw mode"));
2149 2139 return (1);
2150 2140 }
2151 2141
2152 2142 if (prefork_dropprivs() != 0) {
2153 2143 reset_tty();
2154 2144 zperror(gettext("could not allocate privilege set"));
2155 2145 return (1);
2156 2146 }
2157 2147
2158 2148 /*
2159 2149 * We must mask SIGCLD until after we have coped with the fork
2160 2150 * sufficiently to deal with it; otherwise we can race and receive the
2161 2151 * signal before child_pid has been initialized (yes, this really
2162 2152 * happens).
2163 2153 */
2164 2154 (void) sigset(SIGCLD, sigcld);
2165 2155 (void) sigemptyset(&block_cld);
2166 2156 (void) sigaddset(&block_cld, SIGCLD);
2167 2157 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2168 2158
2169 2159 /*
2170 2160 * We activate the contract template at the last minute to
2171 2161 * avoid intermediate functions that could be using fork(2)
2172 2162 * internally.
2173 2163 */
2174 2164 if ((tmpl_fd = init_template()) == -1) {
2175 2165 reset_tty();
2176 2166 zperror(gettext("could not create contract"));
2177 2167 return (1);
2178 2168 }
2179 2169
2180 2170 if ((child_pid = fork()) == -1) {
2181 2171 (void) ct_tmpl_clear(tmpl_fd);
2182 2172 reset_tty();
2183 2173 zperror(gettext("could not fork"));
2184 2174 return (1);
2185 2175 } else if (child_pid == 0) { /* child process */
2186 2176 int slavefd, newslave;
2187 2177
2188 2178 (void) ct_tmpl_clear(tmpl_fd);
2189 2179 (void) close(tmpl_fd);
2190 2180
2191 2181 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2192 2182
2193 2183 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2194 2184 return (1);
2195 2185
2196 2186 /*
2197 2187 * Close all fds except for the slave pty.
2198 2188 */
2199 2189 (void) fdwalk(close_func, &slavefd);
2200 2190
2201 2191 /*
2202 2192 * Temporarily dup slavefd to stderr; that way if we have
2203 2193 * to print out that zone_enter failed, the output will
2204 2194 * have somewhere to go.
2205 2195 */
2206 2196 if (slavefd != STDERR_FILENO)
2207 2197 (void) dup2(slavefd, STDERR_FILENO);
2208 2198
2209 2199 if (zone_enter(zoneid) == -1) {
2210 2200 zerror(gettext("could not enter zone %s: %s"),
2211 2201 zonename, strerror(errno));
2212 2202 return (1);
2213 2203 }
2214 2204
2215 2205 if (slavefd != STDERR_FILENO)
2216 2206 (void) close(STDERR_FILENO);
2217 2207
2218 2208 /*
2219 2209 * We take pains to get this process into a new process
2220 2210 * group, and subsequently a new session. In this way,
2221 2211 * we'll have a session which doesn't yet have a controlling
2222 2212 * terminal. When we open the slave, it will become the
2223 2213 * controlling terminal; no PIDs concerning pgrps or sids
2224 2214 * will leak inappropriately into the zone.
2225 2215 */
2226 2216 (void) setpgrp();
2227 2217
2228 2218 /*
2229 2219 * We need the slave pty to be referenced from the zone's
2230 2220 * /dev in order to ensure that the devt's, etc are all
2231 2221 * correct. Otherwise we break ttyname and the like.
2232 2222 */
2233 2223 if ((newslave = open(slavename, O_RDWR)) == -1) {
2234 2224 (void) close(slavefd);
2235 2225 return (1);
2236 2226 }
2237 2227 (void) close(slavefd);
2238 2228 slavefd = newslave;
2239 2229
2240 2230 /*
2241 2231 * dup the slave to the various FDs, so that when the
2242 2232 * spawned process does a write/read it maps to the slave
2243 2233 * pty.
2244 2234 */
2245 2235 (void) dup2(slavefd, STDIN_FILENO);
2246 2236 (void) dup2(slavefd, STDOUT_FILENO);
2247 2237 (void) dup2(slavefd, STDERR_FILENO);
2248 2238 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2249 2239 slavefd != STDERR_FILENO) {
2250 2240 (void) close(slavefd);
2251 2241 }
2252 2242
2253 2243 /*
2254 2244 * In failsafe mode, we don't use login(1), so don't try
2255 2245 * setting up a utmpx entry.
2256 2246 */
2257 2247 if (!failsafe)
2258 2248 if (setup_utmpx(slaveshortname) == -1)
2259 2249 return (1);
2260 2250
2261 2251 /*
2262 2252 * The child needs to run as root to
2263 2253 * execute the brand's login program.
2264 2254 */
2265 2255 if (setuid(0) == -1) {
2266 2256 zperror(gettext("insufficient privilege"));
2267 2257 return (1);
2268 2258 }
2269 2259
2270 2260 (void) execve(new_args[0], new_args, new_env);
2271 2261 zperror(gettext("exec failure"));
2272 2262 return (1);
2273 2263 }
2274 2264
2275 2265 (void) ct_tmpl_clear(tmpl_fd);
2276 2266 (void) close(tmpl_fd);
2277 2267
2278 2268 /*
2279 2269 * The rest is only for the parent process.
2280 2270 */
2281 2271 (void) sigset(SIGWINCH, sigwinch);
2282 2272
2283 2273 postfork_dropprivs();
2284 2274
2285 2275 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2286 2276 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2287 2277
2288 2278 reset_tty();
2289 2279 if (!quiet)
2290 2280 (void) fprintf(stderr,
2291 2281 gettext("\n[Connection to zone '%s' %s closed]\n"),
2292 2282 zonename, slaveshortname);
2293 2283
2294 2284 if (pollerr != 0) {
2295 2285 (void) fprintf(stderr, gettext("Error: connection closed due "
2296 2286 "to unexpected pollevents=0x%x.\n"), pollerr);
2297 2287 return (1);
2298 2288 }
2299 2289
2300 2290 return (0);
2301 2291 }
|
↓ open down ↓ |
1509 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX