Print this page
2989 Eliminate use of LOGNAME_MAX in ON
1166 useradd have warning with name more 8 chars
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/zlogin/zlogin.c
+++ new/usr/src/cmd/zlogin/zlogin.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 + * Copyright (c) 2013 Gary Mills
23 + *
22 24 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 25 */
24 26
25 27 /*
26 28 * zlogin provides three types of login which allow users in the global
27 29 * zone to access non-global zones.
28 30 *
29 31 * - "interactive login" is similar to rlogin(1); for example, the user could
30 32 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
31 33 * granted a new pty (which is then shoved into the zone), and an I/O
32 34 * loop between parent and child processes takes care of the interactive
33 35 * session. In this mode, login(1) (and its -c option, which means
34 36 * "already authenticated") is employed to take care of the initialization
35 37 * of the user's session.
36 38 *
37 39 * - "non-interactive login" is similar to su(1M); the user could issue
38 40 * 'zlogin my-zone ls -l' and the command would be run as specified.
39 41 * In this mode, zlogin sets up pipes as the communication channel, and
40 42 * 'su' is used to do the login setup work.
41 43 *
42 44 * - "console login" is the equivalent to accessing the tip line for a
43 45 * zone. For example, the user can issue 'zlogin -C my-zone'.
44 46 * In this mode, zlogin contacts the zoneadmd process via unix domain
45 47 * socket. If zoneadmd is not running, it starts it. This allows the
46 48 * console to be available anytime the zone is installed, regardless of
47 49 * whether it is running.
48 50 */
49 51
50 52 #include <sys/socket.h>
51 53 #include <sys/termios.h>
52 54 #include <sys/utsname.h>
53 55 #include <sys/stat.h>
54 56 #include <sys/types.h>
55 57 #include <sys/contract/process.h>
56 58 #include <sys/ctfs.h>
57 59 #include <sys/brand.h>
58 60 #include <sys/wait.h>
59 61 #include <alloca.h>
60 62 #include <assert.h>
61 63 #include <ctype.h>
62 64 #include <door.h>
63 65 #include <errno.h>
64 66 #include <nss_dbdefs.h>
65 67 #include <poll.h>
66 68 #include <priv.h>
67 69 #include <pwd.h>
68 70 #include <unistd.h>
69 71 #include <utmpx.h>
70 72 #include <sac.h>
71 73 #include <signal.h>
72 74 #include <stdarg.h>
73 75 #include <stdio.h>
74 76 #include <stdlib.h>
75 77 #include <string.h>
76 78 #include <strings.h>
77 79 #include <stropts.h>
78 80 #include <wait.h>
79 81 #include <zone.h>
80 82 #include <fcntl.h>
|
↓ open down ↓ |
49 lines elided |
↑ open up ↑ |
81 83 #include <libdevinfo.h>
82 84 #include <libintl.h>
83 85 #include <locale.h>
84 86 #include <libzonecfg.h>
85 87 #include <libcontract.h>
86 88 #include <libbrand.h>
87 89 #include <auth_list.h>
88 90 #include <auth_attr.h>
89 91 #include <secdb.h>
90 92
93 +#ifdef LOGNAME_MAX_ILLUMOS
94 +#define _LOGNAME_MAX LOGNAME_MAX_ILLUMOS
95 +#else /* LOGNAME_MAX_ILLUMOS */
96 +#define _LOGNAME_MAX LOGNAME_MAX
97 +#endif /* LOGNAME_MAX_ILLUMOS */
98 +
91 99 static int masterfd;
92 100 static struct termios save_termios;
93 101 static struct termios effective_termios;
94 102 static int save_fd;
95 103 static struct winsize winsize;
96 104 static volatile int dead;
97 105 static volatile pid_t child_pid = -1;
98 106 static int interactive = 0;
99 107 static priv_set_t *dropprivs;
100 108
101 109 static int nocmdchar = 0;
102 110 static int failsafe = 0;
103 111 static char cmdchar = '~';
104 112
105 113 static int pollerr = 0;
106 114
107 115 static const char *pname;
108 116 static char *username;
109 117
110 118 /*
111 119 * When forced_login is true, the user is not prompted
112 120 * for an authentication password in the target zone.
113 121 */
114 122 static boolean_t forced_login = B_FALSE;
115 123
116 124 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
117 125 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
118 126 #endif
119 127
120 128 #define SUPATH "/usr/bin/su"
121 129 #define FAILSAFESHELL "/sbin/sh"
122 130 #define DEFAULTSHELL "/sbin/sh"
123 131 #define DEF_PATH "/usr/sbin:/usr/bin"
124 132
125 133 #define CLUSTER_BRAND_NAME "cluster"
126 134
127 135 /*
128 136 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
129 137 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
130 138 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
131 139 * also chosen in conjunction with the HI_WATER setting to make sure we
132 140 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
133 141 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
134 142 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
135 143 * is less than HI_WATER data already in the pipe.
136 144 */
137 145 #define ZLOGIN_BUFSIZ 8192
138 146 #define ZLOGIN_RDBUFSIZ 1024
139 147 #define HI_WATER 8192
140 148
141 149 /*
142 150 * See canonify() below. CANONIFY_LEN is the maximum length that a
143 151 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
144 152 */
145 153 #define CANONIFY_LEN 5
146 154
147 155 static void
148 156 usage(void)
149 157 {
150 158 (void) fprintf(stderr, gettext("usage: %s [ -CES ] [ -e cmdchar ] "
151 159 "[-l user] zonename [command [args ...] ]\n"), pname);
152 160 exit(2);
153 161 }
154 162
155 163 static const char *
156 164 getpname(const char *arg0)
157 165 {
158 166 const char *p = strrchr(arg0, '/');
159 167
160 168 if (p == NULL)
161 169 p = arg0;
162 170 else
163 171 p++;
164 172
165 173 pname = p;
166 174 return (p);
167 175 }
168 176
169 177 static void
170 178 zerror(const char *fmt, ...)
171 179 {
172 180 va_list alist;
173 181
174 182 (void) fprintf(stderr, "%s: ", pname);
175 183 va_start(alist, fmt);
176 184 (void) vfprintf(stderr, fmt, alist);
177 185 va_end(alist);
178 186 (void) fprintf(stderr, "\n");
179 187 }
180 188
181 189 static void
182 190 zperror(const char *str)
183 191 {
184 192 const char *estr;
185 193
186 194 if ((estr = strerror(errno)) != NULL)
187 195 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
188 196 else
189 197 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
190 198 }
191 199
192 200 /*
193 201 * The first part of our privilege dropping scheme needs to be called before
194 202 * fork(), since we must have it for security; we don't want to be surprised
195 203 * later that we couldn't allocate the privset.
196 204 */
197 205 static int
198 206 prefork_dropprivs()
199 207 {
200 208 if ((dropprivs = priv_allocset()) == NULL)
201 209 return (1);
202 210
203 211 priv_basicset(dropprivs);
204 212 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
205 213 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
206 214 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
207 215 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
208 216
209 217 /*
210 218 * We need to keep the basic privilege PROC_SESSION and all unknown
211 219 * basic privileges as well as the privileges PROC_ZONE and
212 220 * PROC_OWNER in order to query session information and
213 221 * send signals.
214 222 */
215 223 if (interactive == 0) {
216 224 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
217 225 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
218 226 } else {
219 227 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
220 228 }
221 229
222 230 return (0);
223 231 }
224 232
225 233 /*
226 234 * The second part of the privilege drop. We are paranoid about being attacked
227 235 * by the zone, so we drop all privileges. This should prevent a compromise
228 236 * which gets us to fork(), exec(), symlink(), etc.
229 237 */
230 238 static void
231 239 postfork_dropprivs()
232 240 {
233 241 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
234 242 zperror(gettext("Warning: could not set permitted privileges"));
235 243 }
236 244 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
237 245 zperror(gettext("Warning: could not set limit privileges"));
238 246 }
239 247 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
240 248 zperror(gettext("Warning: could not set inheritable "
241 249 "privileges"));
242 250 }
243 251 }
244 252
245 253 /*
246 254 * Create the unix domain socket and call the zoneadmd server; handshake
247 255 * with it to determine whether it will allow us to connect.
248 256 */
249 257 static int
250 258 get_console_master(const char *zname)
251 259 {
252 260 int sockfd = -1;
253 261 struct sockaddr_un servaddr;
254 262 char clientid[MAXPATHLEN];
255 263 char handshake[MAXPATHLEN], c;
256 264 int msglen;
257 265 int i = 0, err = 0;
258 266
259 267 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
260 268 zperror(gettext("could not create socket"));
261 269 return (-1);
262 270 }
263 271
264 272 bzero(&servaddr, sizeof (servaddr));
265 273 servaddr.sun_family = AF_UNIX;
266 274 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
267 275 "%s/%s.console_sock", ZONES_TMPDIR, zname);
268 276
269 277 if (connect(sockfd, (struct sockaddr *)&servaddr,
270 278 sizeof (servaddr)) == -1) {
271 279 zperror(gettext("Could not connect to zone console"));
272 280 goto bad;
273 281 }
274 282 masterfd = sockfd;
275 283
276 284 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
277 285 getpid(), setlocale(LC_MESSAGES, NULL));
278 286
279 287 if (msglen >= sizeof (clientid) || msglen < 0) {
280 288 zerror("protocol error");
281 289 goto bad;
282 290 }
283 291
284 292 if (write(masterfd, clientid, msglen) != msglen) {
285 293 zerror("protocol error");
286 294 goto bad;
287 295 }
288 296
289 297 bzero(handshake, sizeof (handshake));
290 298
291 299 /*
292 300 * Take care not to accumulate more than our fill, and leave room for
293 301 * the NUL at the end.
294 302 */
295 303 while ((err = read(masterfd, &c, 1)) == 1) {
296 304 if (i >= (sizeof (handshake) - 1))
297 305 break;
298 306 if (c == '\n')
299 307 break;
300 308 handshake[i] = c;
301 309 i++;
302 310 }
303 311
304 312 /*
305 313 * If something went wrong during the handshake we bail; perhaps
306 314 * the server died off.
307 315 */
308 316 if (err == -1) {
309 317 zperror(gettext("Could not connect to zone console"));
310 318 goto bad;
311 319 }
312 320
313 321 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
314 322 return (0);
315 323
316 324 zerror(gettext("Console is already in use by process ID %s."),
317 325 handshake);
318 326 bad:
319 327 (void) close(sockfd);
320 328 masterfd = -1;
321 329 return (-1);
322 330 }
323 331
324 332
325 333 /*
326 334 * Routines to handle pty creation upon zone entry and to shuttle I/O back
327 335 * and forth between the two terminals. We also compute and store the
328 336 * name of the slave terminal associated with the master side.
329 337 */
330 338 static int
331 339 get_master_pty()
332 340 {
333 341 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
334 342 zperror(gettext("failed to obtain a pseudo-tty"));
335 343 return (-1);
336 344 }
337 345 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
338 346 zperror(gettext("failed to get terminal settings from stdin"));
339 347 return (-1);
340 348 }
341 349 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
342 350
343 351 return (0);
344 352 }
345 353
346 354 /*
347 355 * This is a bit tricky; normally a pts device will belong to the zone it
348 356 * is granted to. But in the case of "entering" a zone, we need to establish
349 357 * the pty before entering the zone so that we can vector I/O to and from it
350 358 * from the global zone.
351 359 *
352 360 * We use the zonept() call to let the ptm driver know what we are up to;
353 361 * the only other hairy bit is the setting of zoneslavename (which happens
354 362 * above, in get_master_pty()).
355 363 */
356 364 static int
357 365 init_slave_pty(zoneid_t zoneid, char *devroot)
358 366 {
359 367 int slavefd = -1;
360 368 char *slavename, zoneslavename[MAXPATHLEN];
361 369
362 370 /*
363 371 * Set slave permissions, zone the pts, then unlock it.
364 372 */
365 373 if (grantpt(masterfd) != 0) {
366 374 zperror(gettext("grantpt failed"));
367 375 return (-1);
368 376 }
369 377
370 378 if (unlockpt(masterfd) != 0) {
371 379 zperror(gettext("unlockpt failed"));
372 380 return (-1);
373 381 }
374 382
375 383 /*
376 384 * We must open the slave side before zoning this pty; otherwise
377 385 * the kernel would refuse us the open-- zoning a pty makes it
378 386 * inaccessible to the global zone. Note we are trying to open
379 387 * the device node via the $ZONEROOT/dev path for this pty.
380 388 *
381 389 * Later we'll close the slave out when once we've opened it again
382 390 * from within the target zone. Blarg.
383 391 */
384 392 if ((slavename = ptsname(masterfd)) == NULL) {
385 393 zperror(gettext("failed to get name for pseudo-tty"));
386 394 return (-1);
387 395 }
388 396
389 397 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
390 398 devroot, slavename);
391 399
392 400 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
393 401 zerror(gettext("failed to open %s: %s"), zoneslavename,
394 402 strerror(errno));
395 403 return (-1);
396 404 }
397 405
398 406 /*
399 407 * Push hardware emulation (ptem), line discipline (ldterm),
400 408 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
401 409 */
402 410 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
403 411 zperror(gettext("failed to push ptem module"));
404 412 if (!failsafe)
405 413 goto bad;
406 414 }
407 415
408 416 /*
409 417 * Anchor the stream to prevent malicious I_POPs; we prefer to do
410 418 * this prior to entering the zone so that we can detect any errors
411 419 * early, and so that we can set the anchor from the global zone.
412 420 */
413 421 if (ioctl(slavefd, I_ANCHOR) == -1) {
414 422 zperror(gettext("failed to set stream anchor"));
415 423 if (!failsafe)
416 424 goto bad;
417 425 }
418 426
419 427 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
420 428 zperror(gettext("failed to push ldterm module"));
421 429 if (!failsafe)
422 430 goto bad;
423 431 }
424 432 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
425 433 zperror(gettext("failed to push ttcompat module"));
426 434 if (!failsafe)
427 435 goto bad;
428 436 }
429 437
430 438 /*
431 439 * Propagate terminal settings from the external term to the new one.
432 440 */
433 441 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
434 442 zperror(gettext("failed to set terminal settings"));
435 443 if (!failsafe)
436 444 goto bad;
437 445 }
438 446 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
439 447
440 448 if (zonept(masterfd, zoneid) != 0) {
441 449 zperror(gettext("could not set zoneid of pty"));
442 450 goto bad;
443 451 }
444 452
445 453 return (slavefd);
446 454
447 455 bad:
448 456 (void) close(slavefd);
449 457 return (-1);
450 458 }
451 459
452 460 /*
453 461 * Place terminal into raw mode.
454 462 */
455 463 static int
456 464 set_tty_rawmode(int fd)
457 465 {
458 466 struct termios term;
459 467 if (tcgetattr(fd, &term) < 0) {
460 468 zperror(gettext("failed to get user terminal settings"));
461 469 return (-1);
462 470 }
463 471
464 472 /* Stash for later, so we can revert back to previous mode */
465 473 save_termios = term;
466 474 save_fd = fd;
467 475
468 476 /* disable 8->7 bit strip, start/stop, enable any char to restart */
469 477 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
470 478 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
471 479 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
472 480 /* disable output post-processing */
473 481 term.c_oflag &= ~OPOST;
474 482 /* disable canonical mode, signal chars, echo & extended functions */
475 483 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
476 484
477 485 term.c_cc[VMIN] = 1; /* byte-at-a-time */
478 486 term.c_cc[VTIME] = 0;
479 487
480 488 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
481 489 zperror(gettext("failed to set user terminal to raw mode"));
482 490 return (-1);
483 491 }
484 492
485 493 /*
486 494 * We need to know the value of VEOF so that we can properly process for
487 495 * client-side ~<EOF>. But we have obliterated VEOF in term,
488 496 * because VMIN overloads the same array slot in non-canonical mode.
489 497 * Stupid @&^%!
490 498 *
491 499 * So here we construct the "effective" termios from the current
492 500 * terminal settings, and the corrected VEOF and VEOL settings.
493 501 */
494 502 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
495 503 zperror(gettext("failed to get user terminal settings"));
496 504 return (-1);
497 505 }
498 506 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
499 507 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
500 508
501 509 return (0);
502 510 }
503 511
504 512 /*
505 513 * Copy terminal window size from our terminal to the pts.
506 514 */
507 515 /*ARGSUSED*/
508 516 static void
509 517 sigwinch(int s)
510 518 {
511 519 struct winsize ws;
512 520
513 521 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
514 522 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
515 523 }
516 524
517 525 static volatile int close_on_sig = -1;
518 526
519 527 static void
520 528 /*ARGSUSED*/
521 529 sigcld(int s)
522 530 {
523 531 int status;
524 532 pid_t pid;
525 533
526 534 /*
527 535 * Peek at the exit status. If this isn't the process we cared
528 536 * about, then just reap it.
529 537 */
530 538 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
531 539 if (pid == child_pid &&
532 540 (WIFEXITED(status) || WIFSIGNALED(status))) {
533 541 dead = 1;
534 542 if (close_on_sig != -1) {
535 543 (void) write(close_on_sig, "a", 1);
536 544 (void) close(close_on_sig);
537 545 close_on_sig = -1;
538 546 }
539 547 } else {
540 548 (void) waitpid(pid, &status, WNOHANG);
541 549 }
542 550 }
543 551 }
544 552
545 553 /*
546 554 * Some signals (currently, SIGINT) must be forwarded on to the process
547 555 * group of the child process.
548 556 */
549 557 static void
550 558 sig_forward(int s)
551 559 {
552 560 if (child_pid != -1) {
553 561 pid_t pgid = getpgid(child_pid);
554 562 if (pgid != -1)
555 563 (void) sigsend(P_PGID, pgid, s);
556 564 }
557 565 }
558 566
559 567 /*
560 568 * reset terminal settings for global environment
561 569 */
562 570 static void
563 571 reset_tty()
564 572 {
565 573 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
566 574 }
567 575
568 576 /*
569 577 * Convert character to printable representation, for display with locally
570 578 * echoed command characters (like when we need to display ~^D)
571 579 */
572 580 static void
573 581 canonify(char c, char *cc)
574 582 {
575 583 if (isprint(c)) {
576 584 cc[0] = c;
577 585 cc[1] = '\0';
578 586 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
579 587 cc[0] = '^';
580 588 cc[1] = c + '@';
581 589 cc[2] = '\0';
582 590 } else {
583 591 cc[0] = '\\';
584 592 cc[1] = ((c >> 6) & 7) + '0';
585 593 cc[2] = ((c >> 3) & 7) + '0';
586 594 cc[3] = (c & 7) + '0';
587 595 cc[4] = '\0';
588 596 }
589 597 }
590 598
591 599 /*
592 600 * process_user_input watches the input stream for the escape sequence for
593 601 * 'quit' (by default, tilde-period). Because we might be fed just one
594 602 * keystroke at a time, state associated with the user input (are we at the
595 603 * beginning of the line? are we locally echoing the next character?) is
596 604 * maintained by beginning_of_line and local_echo across calls to the routine.
597 605 * If the write to outfd fails, we'll try to read from infd in an attempt
598 606 * to prevent deadlock between the two processes.
599 607 *
600 608 * This routine returns -1 when the 'quit' escape sequence has been issued,
601 609 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
602 610 */
603 611 static int
604 612 process_user_input(int outfd, int infd)
605 613 {
606 614 static boolean_t beginning_of_line = B_TRUE;
607 615 static boolean_t local_echo = B_FALSE;
608 616 char ibuf[ZLOGIN_BUFSIZ];
609 617 int nbytes;
610 618 char *buf = ibuf;
611 619 char c = *buf;
612 620
613 621 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
614 622 if (nbytes == -1 && (errno != EINTR || dead))
615 623 return (-1);
616 624
617 625 if (nbytes == -1) /* The read was interrupted. */
618 626 return (0);
619 627
620 628 /* 0 read means EOF, close the pipe to the child */
621 629 if (nbytes == 0)
622 630 return (1);
623 631
624 632 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
625 633 buf++;
626 634 if (beginning_of_line && !nocmdchar) {
627 635 beginning_of_line = B_FALSE;
628 636 if (c == cmdchar) {
629 637 local_echo = B_TRUE;
630 638 continue;
631 639 }
632 640 } else if (local_echo) {
633 641 local_echo = B_FALSE;
634 642 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
635 643 char cc[CANONIFY_LEN];
636 644
637 645 canonify(c, cc);
638 646 (void) write(STDOUT_FILENO, &cmdchar, 1);
639 647 (void) write(STDOUT_FILENO, cc, strlen(cc));
640 648 return (-1);
641 649 }
642 650 }
643 651 retry:
644 652 if (write(outfd, &c, 1) <= 0) {
645 653 /*
646 654 * Since the fd we are writing to is opened with
647 655 * O_NONBLOCK it is possible to get EAGAIN if the
648 656 * pipe is full. One way this could happen is if we
649 657 * are writing a lot of data into the pipe in this loop
650 658 * and the application on the other end is echoing that
651 659 * data back out to its stdout. The output pipe can
652 660 * fill up since we are stuck here in this loop and not
653 661 * draining the other pipe. We can try to read some of
654 662 * the data to see if we can drain the pipe so that the
655 663 * application can continue to make progress. The read
656 664 * is non-blocking so we won't hang here. We also wait
657 665 * a bit before retrying since there could be other
658 666 * reasons why the pipe is full and we don't want to
659 667 * continuously retry.
660 668 */
661 669 if (errno == EAGAIN) {
662 670 struct timespec rqtp;
663 671 int ln;
664 672 char obuf[ZLOGIN_BUFSIZ];
665 673
666 674 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
667 675 (void) write(STDOUT_FILENO, obuf, ln);
668 676
669 677 /* sleep for 10 milliseconds */
670 678 rqtp.tv_sec = 0;
671 679 rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
672 680 (void) nanosleep(&rqtp, NULL);
673 681 if (!dead)
674 682 goto retry;
675 683 }
676 684
677 685 return (-1);
678 686 }
679 687 beginning_of_line = (c == '\r' || c == '\n' ||
680 688 c == effective_termios.c_cc[VKILL] ||
681 689 c == effective_termios.c_cc[VEOL] ||
682 690 c == effective_termios.c_cc[VSUSP] ||
683 691 c == effective_termios.c_cc[VINTR]);
684 692 }
685 693 return (0);
686 694 }
687 695
688 696 /*
689 697 * This function prevents deadlock between zlogin and the application in the
690 698 * zone that it is talking to. This can happen when we read from zlogin's
691 699 * stdin and write the data down the pipe to the application. If the pipe
692 700 * is full, we'll block in the write. Because zlogin could be blocked in
693 701 * the write, it would never read the application's stdout/stderr so the
694 702 * application can then block on those writes (when the pipe fills up). If the
695 703 * the application gets blocked this way, it can never get around to reading
696 704 * its stdin so that zlogin can unblock from its write. Once in this state,
697 705 * the two processes are deadlocked.
698 706 *
699 707 * To prevent this, we want to verify that we can write into the pipe before we
700 708 * read from our stdin. If the pipe already is pretty full, we bypass the read
701 709 * for now. We'll circle back here again after the poll() so that we can
702 710 * try again. When this function is called, we already know there is data
703 711 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
704 712 * stdin is EOF, and 0 if everything is ok (even though we might not have
705 713 * read/written any data into the pipe on this iteration).
706 714 */
707 715 static int
708 716 process_raw_input(int stdin_fd, int appin_fd)
709 717 {
710 718 int cc;
711 719 struct stat64 sb;
712 720 char ibuf[ZLOGIN_RDBUFSIZ];
713 721
714 722 /* Check how much data is already in the pipe */
715 723 if (fstat64(appin_fd, &sb) == -1) {
716 724 perror("stat failed");
717 725 return (-1);
718 726 }
719 727
720 728 if (dead)
721 729 return (-1);
722 730
723 731 /*
724 732 * The pipe already has a lot of data in it, don't write any more
725 733 * right now.
726 734 */
727 735 if (sb.st_size >= HI_WATER)
728 736 return (0);
729 737
730 738 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
731 739 if (cc == -1 && (errno != EINTR || dead))
732 740 return (-1);
733 741
734 742 if (cc == -1) /* The read was interrupted. */
735 743 return (0);
736 744
737 745 /* 0 read means EOF, close the pipe to the child */
738 746 if (cc == 0)
739 747 return (1);
740 748
741 749 /*
742 750 * stdin_fd is stdin of the target; so, the thing we'll write the user
743 751 * data *to*.
744 752 */
745 753 if (write(stdin_fd, ibuf, cc) == -1)
746 754 return (-1);
747 755
748 756 return (0);
749 757 }
750 758
751 759 /*
752 760 * Write the output from the application running in the zone. We can get
753 761 * a signal during the write (usually it would be SIGCHLD when the application
754 762 * has exited) so we loop to make sure we have written all of the data we read.
755 763 */
756 764 static int
757 765 process_output(int in_fd, int out_fd)
758 766 {
759 767 int wrote = 0;
760 768 int cc;
761 769 char ibuf[ZLOGIN_BUFSIZ];
762 770
763 771 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
764 772 if (cc == -1 && (errno != EINTR || dead))
765 773 return (-1);
766 774 if (cc == 0) /* EOF */
767 775 return (-1);
768 776 if (cc == -1) /* The read was interrupted. */
769 777 return (0);
770 778
771 779 do {
772 780 int len;
773 781
774 782 len = write(out_fd, ibuf + wrote, cc - wrote);
775 783 if (len == -1 && errno != EINTR)
776 784 return (-1);
777 785 if (len != -1)
778 786 wrote += len;
779 787 } while (wrote < cc);
780 788
781 789 return (0);
782 790 }
783 791
784 792 /*
785 793 * This is the main I/O loop, and is shared across all zlogin modes.
786 794 * Parameters:
787 795 * stdin_fd: The fd representing 'stdin' for the slave side; input to
788 796 * the zone will be written here.
789 797 *
790 798 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
791 799 * we're running non-interactive); used in process_raw_input
792 800 * to ensure we don't fill up the application's stdin pipe.
793 801 *
794 802 * stdout_fd: The fd representing 'stdout' for the slave side; output
795 803 * from the zone will arrive here.
796 804 *
797 805 * stderr_fd: The fd representing 'stderr' for the slave side; output
798 806 * from the zone will arrive here.
799 807 *
800 808 * raw_mode: If TRUE, then no processing (for example, for '~.') will
801 809 * be performed on the input coming from STDIN.
802 810 *
803 811 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
804 812 * mode supplies a stderr).
805 813 *
806 814 */
807 815 static void
808 816 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
809 817 boolean_t raw_mode)
810 818 {
811 819 struct pollfd pollfds[4];
812 820 char ibuf[ZLOGIN_BUFSIZ];
813 821 int cc, ret;
814 822
815 823 /* read from stdout of zone and write to stdout of global zone */
816 824 pollfds[0].fd = stdout_fd;
817 825 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
818 826
819 827 /* read from stderr of zone and write to stderr of global zone */
820 828 pollfds[1].fd = stderr_fd;
821 829 pollfds[1].events = pollfds[0].events;
822 830
823 831 /* read from stdin of global zone and write to stdin of zone */
824 832 pollfds[2].fd = STDIN_FILENO;
825 833 pollfds[2].events = pollfds[0].events;
826 834
827 835 /* read from signalling pipe so we know when child dies */
828 836 pollfds[3].fd = sig_fd;
829 837 pollfds[3].events = pollfds[0].events;
830 838
831 839 for (;;) {
832 840 pollfds[0].revents = pollfds[1].revents =
833 841 pollfds[2].revents = pollfds[3].revents = 0;
834 842
835 843 if (dead)
836 844 break;
837 845
838 846 /*
839 847 * There is a race condition here where we can receive the
840 848 * child death signal, set the dead flag, but since we have
841 849 * passed the test above, we would go into poll and hang.
842 850 * To avoid this we use the sig_fd as an additional poll fd.
843 851 * The signal handler writes into the other end of this pipe
844 852 * when the child dies so that the poll will always see that
845 853 * input and proceed. We just loop around at that point and
846 854 * then notice the dead flag.
847 855 */
848 856
849 857 ret = poll(pollfds,
850 858 sizeof (pollfds) / sizeof (struct pollfd), -1);
851 859
852 860 if (ret == -1 && errno != EINTR) {
853 861 perror("poll failed");
854 862 break;
855 863 }
856 864
857 865 if (errno == EINTR && dead) {
858 866 break;
859 867 }
860 868
861 869 /* event from master side stdout */
862 870 if (pollfds[0].revents) {
863 871 if (pollfds[0].revents &
864 872 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
865 873 if (process_output(stdout_fd, STDOUT_FILENO)
866 874 != 0)
867 875 break;
868 876 } else {
869 877 pollerr = pollfds[0].revents;
870 878 break;
871 879 }
872 880 }
873 881
874 882 /* event from master side stderr */
875 883 if (pollfds[1].revents) {
876 884 if (pollfds[1].revents &
877 885 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
878 886 if (process_output(stderr_fd, STDERR_FILENO)
879 887 != 0)
880 888 break;
881 889 } else {
882 890 pollerr = pollfds[1].revents;
883 891 break;
884 892 }
885 893 }
886 894
887 895 /* event from user STDIN side */
888 896 if (pollfds[2].revents) {
889 897 if (pollfds[2].revents &
890 898 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
891 899 /*
892 900 * stdin fd is stdin of the target; so,
893 901 * the thing we'll write the user data *to*.
894 902 *
895 903 * Also, unlike on the output side, we
896 904 * close the pipe on a zero-length message.
897 905 */
898 906 int res;
899 907
900 908 if (raw_mode)
901 909 res = process_raw_input(stdin_fd,
902 910 appin_fd);
903 911 else
904 912 res = process_user_input(stdin_fd,
905 913 stdout_fd);
906 914
907 915 if (res < 0)
908 916 break;
909 917 if (res > 0) {
910 918 /* EOF (close) child's stdin_fd */
911 919 pollfds[2].fd = -1;
912 920 while ((res = close(stdin_fd)) != 0 &&
913 921 errno == EINTR)
914 922 ;
915 923 if (res != 0)
916 924 break;
917 925 }
918 926
919 927 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
920 928 /*
921 929 * It's OK to get a POLLHUP on STDIN-- it
922 930 * always happens if you do:
923 931 *
924 932 * echo foo | zlogin <zone> <command>
925 933 *
926 934 * We reset fd to -1 in this case to clear
927 935 * the condition and close the pipe (EOF) to
928 936 * the other side in order to wrap things up.
929 937 */
930 938 int res;
931 939
932 940 pollfds[2].fd = -1;
933 941 while ((res = close(stdin_fd)) != 0 &&
934 942 errno == EINTR)
935 943 ;
936 944 if (res != 0)
937 945 break;
938 946 } else {
939 947 pollerr = pollfds[2].revents;
940 948 break;
941 949 }
942 950 }
943 951 }
944 952
945 953 /*
946 954 * We are in the midst of dying, but try to poll with a short
947 955 * timeout to see if we can catch the last bit of I/O from the
948 956 * children.
949 957 */
950 958 retry:
951 959 pollfds[0].revents = pollfds[1].revents = 0;
952 960 (void) poll(pollfds, 2, 100);
953 961 if (pollfds[0].revents &
954 962 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
955 963 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
956 964 (void) write(STDOUT_FILENO, ibuf, cc);
957 965 goto retry;
958 966 }
959 967 }
960 968 if (pollfds[1].revents &
961 969 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
962 970 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
963 971 (void) write(STDERR_FILENO, ibuf, cc);
964 972 goto retry;
965 973 }
966 974 }
967 975 }
968 976
969 977 /*
970 978 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
971 979 */
972 980 static const char *
973 981 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
974 982 size_t len)
975 983 {
976 984 bzero(user_cmd, sizeof (user_cmd));
977 985 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
978 986 return (NULL);
979 987
980 988 return (user_cmd);
981 989 }
982 990
983 991 /* From libc */
984 992 extern int str2passwd(const char *, int, void *, char *, int);
985 993
986 994 /*
987 995 * exec() the user_cmd brand hook, and convert the output string to a
988 996 * struct passwd. This is to be called after zone_enter().
989 997 *
990 998 */
991 999 static struct passwd *
992 1000 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
993 1001 int pwbuflen)
994 1002 {
995 1003 char pwline[NSS_BUFLEN_PASSWD];
996 1004 char *cin = NULL;
997 1005 FILE *fin;
998 1006 int status;
999 1007
1000 1008 assert(getzoneid() != GLOBAL_ZONEID);
1001 1009
1002 1010 if ((fin = popen(user_cmd, "r")) == NULL)
1003 1011 return (NULL);
1004 1012
1005 1013 while (cin == NULL && !feof(fin))
1006 1014 cin = fgets(pwline, sizeof (pwline), fin);
1007 1015
1008 1016 if (cin == NULL) {
1009 1017 (void) pclose(fin);
1010 1018 return (NULL);
1011 1019 }
1012 1020
1013 1021 status = pclose(fin);
1014 1022 if (!WIFEXITED(status))
1015 1023 return (NULL);
1016 1024 if (WEXITSTATUS(status) != 0)
1017 1025 return (NULL);
1018 1026
1019 1027 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1020 1028 return (pwent);
1021 1029 else
1022 1030 return (NULL);
1023 1031 }
1024 1032
1025 1033 static char **
1026 1034 zone_login_cmd(brand_handle_t bh, const char *login)
1027 1035 {
1028 1036 static char result_buf[ARG_MAX];
1029 1037 char **new_argv, *ptr, *lasts;
1030 1038 int n, a;
1031 1039
1032 1040 /* Get the login command for the target zone. */
1033 1041 bzero(result_buf, sizeof (result_buf));
1034 1042
1035 1043 if (forced_login) {
1036 1044 if (brand_get_forcedlogin_cmd(bh, login,
1037 1045 result_buf, sizeof (result_buf)) != 0)
1038 1046 return (NULL);
1039 1047 } else {
1040 1048 if (brand_get_login_cmd(bh, login,
1041 1049 result_buf, sizeof (result_buf)) != 0)
1042 1050 return (NULL);
1043 1051 }
1044 1052
1045 1053 /*
1046 1054 * We got back a string that we'd like to execute. But since
1047 1055 * we're not doing the execution via a shell we'll need to convert
1048 1056 * the exec string to an array of strings. We'll do that here
1049 1057 * but we're going to be very simplistic about it and break stuff
1050 1058 * up based on spaces. We're not even going to support any kind
1051 1059 * of quoting or escape characters. It's truly amazing that
1052 1060 * there is no library function in OpenSolaris to do this for us.
1053 1061 */
1054 1062
1055 1063 /*
1056 1064 * Be paranoid. Since we're deliniating based on spaces make
1057 1065 * sure there are no adjacent spaces.
1058 1066 */
1059 1067 if (strstr(result_buf, " ") != NULL)
1060 1068 return (NULL);
1061 1069
1062 1070 /* Remove any trailing whitespace. */
1063 1071 n = strlen(result_buf);
1064 1072 if (result_buf[n - 1] == ' ')
1065 1073 result_buf[n - 1] = '\0';
1066 1074
1067 1075 /* Count how many elements there are in the exec string. */
1068 1076 ptr = result_buf;
1069 1077 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1070 1078 ;
1071 1079
1072 1080 /* Allocate the argv array that we're going to return. */
1073 1081 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1074 1082 return (NULL);
1075 1083
1076 1084 /* Tokenize the exec string and return. */
1077 1085 a = 0;
1078 1086 new_argv[a++] = result_buf;
1079 1087 if (n > 2) {
1080 1088 (void) strtok_r(result_buf, " ", &lasts);
1081 1089 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1082 1090 ;
1083 1091 } else {
1084 1092 new_argv[a++] = NULL;
1085 1093 }
1086 1094 assert(n == a);
1087 1095 return (new_argv);
1088 1096 }
1089 1097
1090 1098 /*
1091 1099 * Prepare argv array for exec'd process; if we're passing commands to the
1092 1100 * new process, then use su(1M) to do the invocation. Otherwise, use
1093 1101 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1094 1102 * login that we're coming from another zone, and to disregard its CONSOLE
1095 1103 * checks).
1096 1104 */
1097 1105 static char **
1098 1106 prep_args(brand_handle_t bh, const char *login, char **argv)
1099 1107 {
1100 1108 int argc = 0, a = 0, i, n = -1;
1101 1109 char **new_argv;
1102 1110
1103 1111 if (argv != NULL) {
1104 1112 size_t subshell_len = 1;
1105 1113 char *subshell;
1106 1114
1107 1115 while (argv[argc] != NULL)
1108 1116 argc++;
1109 1117
1110 1118 for (i = 0; i < argc; i++) {
1111 1119 subshell_len += strlen(argv[i]) + 1;
1112 1120 }
1113 1121 if ((subshell = calloc(1, subshell_len)) == NULL)
1114 1122 return (NULL);
1115 1123
1116 1124 for (i = 0; i < argc; i++) {
1117 1125 (void) strcat(subshell, argv[i]);
1118 1126 (void) strcat(subshell, " ");
1119 1127 }
1120 1128
1121 1129 if (failsafe) {
1122 1130 n = 4;
1123 1131 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1124 1132 return (NULL);
1125 1133
1126 1134 new_argv[a++] = FAILSAFESHELL;
1127 1135 } else {
1128 1136 n = 5;
1129 1137 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1130 1138 return (NULL);
1131 1139
1132 1140 new_argv[a++] = SUPATH;
1133 1141 if (strcmp(login, "root") != 0) {
1134 1142 new_argv[a++] = "-";
1135 1143 n++;
1136 1144 }
1137 1145 new_argv[a++] = (char *)login;
1138 1146 }
1139 1147 new_argv[a++] = "-c";
1140 1148 new_argv[a++] = subshell;
1141 1149 new_argv[a++] = NULL;
1142 1150 assert(a == n);
1143 1151 } else {
1144 1152 if (failsafe) {
1145 1153 n = 2;
1146 1154 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1147 1155 return (NULL);
1148 1156 new_argv[a++] = FAILSAFESHELL;
1149 1157 new_argv[a++] = NULL;
1150 1158 assert(n == a);
1151 1159 } else {
1152 1160 new_argv = zone_login_cmd(bh, login);
1153 1161 }
1154 1162 }
1155 1163
1156 1164 return (new_argv);
1157 1165 }
1158 1166
1159 1167 /*
1160 1168 * Helper routine for prep_env below.
1161 1169 */
1162 1170 static char *
1163 1171 add_env(char *name, char *value)
1164 1172 {
1165 1173 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1166 1174 char *str;
1167 1175
1168 1176 if ((str = malloc(sz)) == NULL)
1169 1177 return (NULL);
1170 1178
1171 1179 (void) snprintf(str, sz, "%s=%s", name, value);
1172 1180 return (str);
1173 1181 }
1174 1182
1175 1183 /*
1176 1184 * Prepare envp array for exec'd process.
1177 1185 */
1178 1186 static char **
1179 1187 prep_env()
1180 1188 {
1181 1189 int e = 0, size = 1;
1182 1190 char **new_env, *estr;
1183 1191 char *term = getenv("TERM");
1184 1192
1185 1193 size++; /* for $PATH */
1186 1194 if (term != NULL)
1187 1195 size++;
1188 1196
1189 1197 /*
1190 1198 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1191 1199 * We also set $SHELL, since neither login nor su will be around to do
1192 1200 * it.
1193 1201 */
1194 1202 if (failsafe)
1195 1203 size += 2;
1196 1204
1197 1205 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1198 1206 return (NULL);
1199 1207
1200 1208 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1201 1209 return (NULL);
1202 1210 new_env[e++] = estr;
1203 1211
1204 1212 if (term != NULL) {
1205 1213 if ((estr = add_env("TERM", term)) == NULL)
1206 1214 return (NULL);
1207 1215 new_env[e++] = estr;
1208 1216 }
1209 1217
1210 1218 if (failsafe) {
1211 1219 if ((estr = add_env("HOME", "/")) == NULL)
1212 1220 return (NULL);
1213 1221 new_env[e++] = estr;
1214 1222
1215 1223 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1216 1224 return (NULL);
1217 1225 new_env[e++] = estr;
1218 1226 }
1219 1227
1220 1228 new_env[e++] = NULL;
1221 1229
1222 1230 assert(e == size);
1223 1231
1224 1232 return (new_env);
1225 1233 }
1226 1234
1227 1235 /*
1228 1236 * Finish the preparation of the envp array for exec'd non-interactive
1229 1237 * zlogins. This is called in the child process *after* we zone_enter(), since
1230 1238 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1231 1239 * etc. We need only do this in the non-interactive, mode, since otherwise
1232 1240 * login(1) will do it. We don't do this in failsafe mode, since it presents
|
↓ open down ↓ |
1132 lines elided |
↑ open up ↑ |
1233 1241 * additional ways in which the command could fail, and we'd prefer to avoid
1234 1242 * that.
1235 1243 */
1236 1244 static char **
1237 1245 prep_env_noninteractive(const char *user_cmd, char **env)
1238 1246 {
1239 1247 size_t size;
1240 1248 char **new_env;
1241 1249 int e, i;
1242 1250 char *estr;
1243 - char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1251 + char varmail[_LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1244 1252 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1245 1253 struct passwd pwent;
1246 1254 struct passwd *pw = NULL;
1247 1255
1248 1256 assert(env != NULL);
1249 1257 assert(failsafe == 0);
1250 1258
1251 1259 /*
1252 1260 * Exec the "user_cmd" brand hook to get a pwent for the
1253 1261 * login user. If this fails, HOME will be set to "/", SHELL
1254 1262 * will be set to $DEFAULTSHELL, and we will continue to exec
1255 1263 * SUPATH <login> -c <cmd>.
1256 1264 */
1257 1265 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1258 1266
1259 1267 /*
1260 1268 * Get existing envp size.
1261 1269 */
1262 1270 for (size = 0; env[size] != NULL; size++)
1263 1271 ;
1264 1272
1265 1273 e = size;
1266 1274
1267 1275 /*
1268 1276 * Finish filling out the environment; we duplicate the environment
1269 1277 * setup described in login(1), for lack of a better precedent.
1270 1278 */
1271 1279 if (pw != NULL)
1272 1280 size += 3; /* LOGNAME, HOME, MAIL */
1273 1281 else
1274 1282 size += 1; /* HOME */
1275 1283
1276 1284 size++; /* always fill in SHELL */
1277 1285 size++; /* terminating NULL */
1278 1286
1279 1287 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1280 1288 goto malloc_fail;
1281 1289
1282 1290 /*
1283 1291 * Copy existing elements of env into new_env.
1284 1292 */
1285 1293 for (i = 0; env[i] != NULL; i++) {
1286 1294 if ((new_env[i] = strdup(env[i])) == NULL)
1287 1295 goto malloc_fail;
1288 1296 }
1289 1297 assert(e == i);
1290 1298
1291 1299 if (pw != NULL) {
1292 1300 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1293 1301 goto malloc_fail;
1294 1302 new_env[e++] = estr;
1295 1303
1296 1304 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1297 1305 goto malloc_fail;
1298 1306 new_env[e++] = estr;
1299 1307
1300 1308 if (chdir(pw->pw_dir) != 0)
1301 1309 zerror(gettext("Could not chdir to home directory "
1302 1310 "%s: %s"), pw->pw_dir, strerror(errno));
1303 1311
1304 1312 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1305 1313 pw->pw_name);
1306 1314 if ((estr = add_env("MAIL", varmail)) == NULL)
1307 1315 goto malloc_fail;
1308 1316 new_env[e++] = estr;
1309 1317 } else {
1310 1318 if ((estr = add_env("HOME", "/")) == NULL)
1311 1319 goto malloc_fail;
1312 1320 new_env[e++] = estr;
1313 1321 }
1314 1322
1315 1323 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1316 1324 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1317 1325 goto malloc_fail;
1318 1326 new_env[e++] = estr;
1319 1327 } else {
1320 1328 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1321 1329 goto malloc_fail;
1322 1330 new_env[e++] = estr;
1323 1331 }
1324 1332
1325 1333 new_env[e++] = NULL; /* add terminating NULL */
1326 1334
1327 1335 assert(e == size);
1328 1336 return (new_env);
1329 1337
1330 1338 malloc_fail:
1331 1339 zperror(gettext("failed to allocate memory for process environment"));
1332 1340 return (NULL);
1333 1341 }
1334 1342
1335 1343 static int
1336 1344 close_func(void *slavefd, int fd)
1337 1345 {
1338 1346 if (fd != *(int *)slavefd)
1339 1347 (void) close(fd);
1340 1348 return (0);
1341 1349 }
1342 1350
1343 1351 static void
1344 1352 set_cmdchar(char *cmdcharstr)
1345 1353 {
1346 1354 char c;
1347 1355 long lc;
1348 1356
1349 1357 if ((c = *cmdcharstr) != '\\') {
1350 1358 cmdchar = c;
1351 1359 return;
1352 1360 }
1353 1361
1354 1362 c = cmdcharstr[1];
1355 1363 if (c == '\0' || c == '\\') {
1356 1364 cmdchar = '\\';
1357 1365 return;
1358 1366 }
1359 1367
1360 1368 if (c < '0' || c > '7') {
1361 1369 zerror(gettext("Unrecognized escape character option %s"),
1362 1370 cmdcharstr);
1363 1371 usage();
1364 1372 }
1365 1373
1366 1374 lc = strtol(cmdcharstr + 1, NULL, 8);
1367 1375 if (lc < 0 || lc > 255) {
1368 1376 zerror(gettext("Octal escape character '%s' too large"),
1369 1377 cmdcharstr);
1370 1378 usage();
1371 1379 }
1372 1380 cmdchar = (char)lc;
1373 1381 }
1374 1382
1375 1383 static int
1376 1384 setup_utmpx(char *slavename)
1377 1385 {
1378 1386 struct utmpx ut;
1379 1387
1380 1388 bzero(&ut, sizeof (ut));
1381 1389 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1382 1390 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1383 1391 ut.ut_pid = getpid();
1384 1392 ut.ut_id[0] = 'z';
1385 1393 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1386 1394 ut.ut_type = LOGIN_PROCESS;
1387 1395 (void) time(&ut.ut_tv.tv_sec);
1388 1396
1389 1397 if (makeutx(&ut) == NULL) {
1390 1398 zerror(gettext("makeutx failed"));
1391 1399 return (-1);
1392 1400 }
1393 1401 return (0);
1394 1402 }
1395 1403
1396 1404 static void
1397 1405 release_lock_file(int lockfd)
1398 1406 {
1399 1407 (void) close(lockfd);
1400 1408 }
1401 1409
1402 1410 static int
1403 1411 grab_lock_file(const char *zone_name, int *lockfd)
1404 1412 {
1405 1413 char pathbuf[PATH_MAX];
1406 1414 struct flock flock;
1407 1415
1408 1416 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1409 1417 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1410 1418 strerror(errno));
1411 1419 return (-1);
1412 1420 }
1413 1421 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1414 1422 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1415 1423 ZONES_TMPDIR, zone_name);
1416 1424
1417 1425 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1418 1426 zerror(gettext("could not open %s: %s"), pathbuf,
1419 1427 strerror(errno));
1420 1428 return (-1);
1421 1429 }
1422 1430 /*
1423 1431 * Lock the file to synchronize with other zoneadmds
1424 1432 */
1425 1433 flock.l_type = F_WRLCK;
1426 1434 flock.l_whence = SEEK_SET;
1427 1435 flock.l_start = (off_t)0;
1428 1436 flock.l_len = (off_t)0;
1429 1437 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1430 1438 zerror(gettext("unable to lock %s: %s"), pathbuf,
1431 1439 strerror(errno));
1432 1440 release_lock_file(*lockfd);
1433 1441 return (-1);
1434 1442 }
1435 1443 return (Z_OK);
1436 1444 }
1437 1445
1438 1446 static int
1439 1447 start_zoneadmd(const char *zone_name)
1440 1448 {
1441 1449 pid_t retval;
1442 1450 int pstatus = 0, error = -1, lockfd, doorfd;
1443 1451 struct door_info info;
1444 1452 char doorpath[MAXPATHLEN];
1445 1453
1446 1454 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1447 1455
1448 1456 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1449 1457 return (-1);
1450 1458 /*
1451 1459 * We must do the door check with the lock held. Otherwise, we
1452 1460 * might race against another zoneadm/zlogin process and wind
1453 1461 * up with two processes trying to start zoneadmd at the same
1454 1462 * time. zoneadmd will detect this, and fail, but we prefer this
1455 1463 * to be as seamless as is practical, from a user perspective.
1456 1464 */
1457 1465 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1458 1466 if (errno != ENOENT) {
1459 1467 zerror("failed to open %s: %s", doorpath,
1460 1468 strerror(errno));
1461 1469 goto out;
1462 1470 }
1463 1471 } else {
1464 1472 /*
1465 1473 * Seems to be working ok.
1466 1474 */
1467 1475 if (door_info(doorfd, &info) == 0 &&
1468 1476 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1469 1477 error = 0;
1470 1478 goto out;
1471 1479 }
1472 1480 }
1473 1481
1474 1482 if ((child_pid = fork()) == -1) {
1475 1483 zperror(gettext("could not fork"));
1476 1484 goto out;
1477 1485 } else if (child_pid == 0) {
1478 1486 /* child process */
1479 1487 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1480 1488 zone_name, NULL);
1481 1489 zperror(gettext("could not exec zoneadmd"));
1482 1490 _exit(1);
1483 1491 }
1484 1492
1485 1493 /* parent process */
1486 1494 do {
1487 1495 retval = waitpid(child_pid, &pstatus, 0);
1488 1496 } while (retval != child_pid);
1489 1497 if (WIFSIGNALED(pstatus) ||
1490 1498 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1491 1499 zerror(gettext("could not start %s"), "zoneadmd");
1492 1500 goto out;
1493 1501 }
1494 1502 error = 0;
1495 1503 out:
1496 1504 release_lock_file(lockfd);
1497 1505 (void) close(doorfd);
1498 1506 return (error);
1499 1507 }
1500 1508
1501 1509 static int
1502 1510 init_template(void)
1503 1511 {
1504 1512 int fd;
1505 1513 int err = 0;
1506 1514
1507 1515 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1508 1516 if (fd == -1)
1509 1517 return (-1);
1510 1518
1511 1519 /*
1512 1520 * zlogin doesn't do anything with the contract.
1513 1521 * Deliver no events, don't inherit, and allow it to be orphaned.
1514 1522 */
1515 1523 err |= ct_tmpl_set_critical(fd, 0);
1516 1524 err |= ct_tmpl_set_informative(fd, 0);
1517 1525 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1518 1526 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1519 1527 if (err || ct_tmpl_activate(fd)) {
1520 1528 (void) close(fd);
1521 1529 return (-1);
1522 1530 }
1523 1531
1524 1532 return (fd);
1525 1533 }
1526 1534
1527 1535 static int
1528 1536 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1529 1537 char **new_args, char **new_env)
1530 1538 {
1531 1539 pid_t retval;
1532 1540 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1533 1541 int child_status;
1534 1542 int tmpl_fd;
1535 1543 sigset_t block_cld;
1536 1544
1537 1545 if ((tmpl_fd = init_template()) == -1) {
1538 1546 reset_tty();
1539 1547 zperror(gettext("could not create contract"));
1540 1548 return (1);
1541 1549 }
1542 1550
1543 1551 if (pipe(stdin_pipe) != 0) {
1544 1552 zperror(gettext("could not create STDIN pipe"));
1545 1553 return (1);
1546 1554 }
1547 1555 /*
1548 1556 * When the user types ^D, we get a zero length message on STDIN.
1549 1557 * We need to echo that down the pipe to send it to the other side;
1550 1558 * but by default, pipes don't propagate zero-length messages. We
1551 1559 * toggle that behavior off using I_SWROPT. See streamio(7i).
1552 1560 */
1553 1561 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1554 1562 zperror(gettext("could not configure STDIN pipe"));
1555 1563 return (1);
1556 1564
1557 1565 }
1558 1566 if (pipe(stdout_pipe) != 0) {
1559 1567 zperror(gettext("could not create STDOUT pipe"));
1560 1568 return (1);
1561 1569 }
1562 1570 if (pipe(stderr_pipe) != 0) {
1563 1571 zperror(gettext("could not create STDERR pipe"));
1564 1572 return (1);
1565 1573 }
1566 1574
1567 1575 if (pipe(dead_child_pipe) != 0) {
1568 1576 zperror(gettext("could not create signalling pipe"));
1569 1577 return (1);
1570 1578 }
1571 1579 close_on_sig = dead_child_pipe[0];
1572 1580
1573 1581 /*
1574 1582 * If any of the pipe FD's winds up being less than STDERR, then we
1575 1583 * have a mess on our hands-- and we are lacking some of the I/O
1576 1584 * streams we would expect anyway. So we bail.
1577 1585 */
1578 1586 if (stdin_pipe[0] <= STDERR_FILENO ||
1579 1587 stdin_pipe[1] <= STDERR_FILENO ||
1580 1588 stdout_pipe[0] <= STDERR_FILENO ||
1581 1589 stdout_pipe[1] <= STDERR_FILENO ||
1582 1590 stderr_pipe[0] <= STDERR_FILENO ||
1583 1591 stderr_pipe[1] <= STDERR_FILENO ||
1584 1592 dead_child_pipe[0] <= STDERR_FILENO ||
1585 1593 dead_child_pipe[1] <= STDERR_FILENO) {
1586 1594 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1587 1595 return (1);
1588 1596 }
1589 1597
1590 1598 if (prefork_dropprivs() != 0) {
1591 1599 zperror(gettext("could not allocate privilege set"));
1592 1600 return (1);
1593 1601 }
1594 1602
1595 1603 (void) sigset(SIGCLD, sigcld);
1596 1604 (void) sigemptyset(&block_cld);
1597 1605 (void) sigaddset(&block_cld, SIGCLD);
1598 1606 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1599 1607
1600 1608 if ((child_pid = fork()) == -1) {
1601 1609 (void) ct_tmpl_clear(tmpl_fd);
1602 1610 (void) close(tmpl_fd);
1603 1611 zperror(gettext("could not fork"));
1604 1612 return (1);
1605 1613 } else if (child_pid == 0) { /* child process */
1606 1614 (void) ct_tmpl_clear(tmpl_fd);
1607 1615
1608 1616 /*
1609 1617 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1610 1618 */
1611 1619 (void) close(STDIN_FILENO);
1612 1620 (void) close(STDOUT_FILENO);
1613 1621 (void) close(STDERR_FILENO);
1614 1622 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1615 1623 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1616 1624 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1617 1625 (void) closefrom(STDERR_FILENO + 1);
1618 1626
1619 1627 (void) sigset(SIGCLD, SIG_DFL);
1620 1628 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1621 1629 /*
1622 1630 * In case any of stdin, stdout or stderr are streams,
1623 1631 * anchor them to prevent malicious I_POPs.
1624 1632 */
1625 1633 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1626 1634 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1627 1635 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1628 1636
1629 1637 if (zone_enter(zoneid) == -1) {
1630 1638 zerror(gettext("could not enter zone %s: %s"),
1631 1639 zonename, strerror(errno));
1632 1640 _exit(1);
1633 1641 }
1634 1642
1635 1643 /*
1636 1644 * For non-native zones, tell libc where it can find locale
1637 1645 * specific getttext() messages.
1638 1646 */
1639 1647 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1640 1648 (void) bindtextdomain(TEXT_DOMAIN,
1641 1649 "/.SUNWnative/usr/lib/locale");
1642 1650 else if (access("/native/usr/lib/locale", R_OK) == 0)
1643 1651 (void) bindtextdomain(TEXT_DOMAIN,
1644 1652 "/native/usr/lib/locale");
1645 1653
1646 1654 if (!failsafe)
1647 1655 new_env = prep_env_noninteractive(user_cmd, new_env);
1648 1656
1649 1657 if (new_env == NULL) {
1650 1658 _exit(1);
1651 1659 }
1652 1660
1653 1661 /*
1654 1662 * Move into a new process group; the zone_enter will have
1655 1663 * placed us into zsched's session, and we want to be in
1656 1664 * a unique process group.
1657 1665 */
1658 1666 (void) setpgid(getpid(), getpid());
1659 1667
1660 1668 /*
1661 1669 * The child needs to run as root to
1662 1670 * execute the su program.
1663 1671 */
1664 1672 if (setuid(0) == -1) {
1665 1673 zperror(gettext("insufficient privilege"));
1666 1674 return (1);
1667 1675 }
1668 1676
1669 1677 (void) execve(new_args[0], new_args, new_env);
1670 1678 zperror(gettext("exec failure"));
1671 1679 _exit(1);
1672 1680 }
1673 1681 /* parent */
1674 1682
1675 1683 /* close pipe sides written by child */
1676 1684 (void) close(stdout_pipe[1]);
1677 1685 (void) close(stderr_pipe[1]);
1678 1686
1679 1687 (void) sigset(SIGINT, sig_forward);
1680 1688
1681 1689 postfork_dropprivs();
1682 1690
1683 1691 (void) ct_tmpl_clear(tmpl_fd);
1684 1692 (void) close(tmpl_fd);
1685 1693
1686 1694 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1687 1695 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1688 1696 dead_child_pipe[1], B_TRUE);
1689 1697 do {
1690 1698 retval = waitpid(child_pid, &child_status, 0);
1691 1699 if (retval == -1) {
1692 1700 child_status = 0;
1693 1701 }
1694 1702 } while (retval != child_pid && errno != ECHILD);
1695 1703
1696 1704 return (WEXITSTATUS(child_status));
1697 1705 }
1698 1706
1699 1707 static char *
1700 1708 get_username()
1701 1709 {
1702 1710 uid_t uid;
1703 1711 struct passwd *nptr;
1704 1712
1705 1713 /*
1706 1714 * Authorizations are checked to restrict access based on the
1707 1715 * requested operation and zone name, It is assumed that the
1708 1716 * program is running with all privileges, but that the real
1709 1717 * user ID is that of the user or role on whose behalf we are
1710 1718 * operating. So we start by getting the username that will be
1711 1719 * used for subsequent authorization checks.
1712 1720 */
1713 1721
1714 1722 uid = getuid();
1715 1723 if ((nptr = getpwuid(uid)) == NULL) {
1716 1724 zerror(gettext("could not get user name."));
1717 1725 _exit(1);
1718 1726 }
1719 1727 return (nptr->pw_name);
1720 1728 }
1721 1729
1722 1730 int
1723 1731 main(int argc, char **argv)
1724 1732 {
1725 1733 int arg, console = 0;
1726 1734 zoneid_t zoneid;
1727 1735 zone_state_t st;
1728 1736 char *login = "root";
1729 1737 int lflag = 0;
1730 1738 char *zonename = NULL;
1731 1739 char **proc_args = NULL;
1732 1740 char **new_args, **new_env;
1733 1741 sigset_t block_cld;
1734 1742 char devroot[MAXPATHLEN];
1735 1743 char *slavename, slaveshortname[MAXPATHLEN];
1736 1744 priv_set_t *privset;
1737 1745 int tmpl_fd;
1738 1746 char zonebrand[MAXNAMELEN];
1739 1747 char default_brand[MAXNAMELEN];
1740 1748 struct stat sb;
1741 1749 char kernzone[ZONENAME_MAX];
1742 1750 brand_handle_t bh;
1743 1751 char user_cmd[MAXPATHLEN];
1744 1752 char authname[MAXAUTHS];
1745 1753
1746 1754 (void) setlocale(LC_ALL, "");
1747 1755 (void) textdomain(TEXT_DOMAIN);
1748 1756
1749 1757 (void) getpname(argv[0]);
1750 1758 username = get_username();
1751 1759
1752 1760 while ((arg = getopt(argc, argv, "ECR:Se:l:")) != EOF) {
1753 1761 switch (arg) {
1754 1762 case 'C':
1755 1763 console = 1;
1756 1764 break;
1757 1765 case 'E':
1758 1766 nocmdchar = 1;
1759 1767 break;
1760 1768 case 'R': /* undocumented */
1761 1769 if (*optarg != '/') {
1762 1770 zerror(gettext("root path must be absolute."));
1763 1771 exit(2);
1764 1772 }
1765 1773 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1766 1774 zerror(
1767 1775 gettext("root path must be a directory."));
1768 1776 exit(2);
1769 1777 }
1770 1778 zonecfg_set_root(optarg);
1771 1779 break;
1772 1780 case 'S':
1773 1781 failsafe = 1;
1774 1782 break;
1775 1783 case 'e':
1776 1784 set_cmdchar(optarg);
1777 1785 break;
1778 1786 case 'l':
1779 1787 login = optarg;
1780 1788 lflag = 1;
1781 1789 break;
1782 1790 default:
1783 1791 usage();
1784 1792 }
1785 1793 }
1786 1794
1787 1795 if (console != 0 && lflag != 0) {
1788 1796 zerror(gettext("-l may not be specified for console login"));
1789 1797 usage();
1790 1798 }
1791 1799
1792 1800 if (console != 0 && failsafe != 0) {
1793 1801 zerror(gettext("-S may not be specified for console login"));
1794 1802 usage();
1795 1803 }
1796 1804
1797 1805 if (console != 0 && zonecfg_in_alt_root()) {
1798 1806 zerror(gettext("-R may not be specified for console login"));
1799 1807 exit(2);
1800 1808 }
1801 1809
1802 1810 if (failsafe != 0 && lflag != 0) {
1803 1811 zerror(gettext("-l may not be specified for failsafe login"));
1804 1812 usage();
1805 1813 }
1806 1814
1807 1815 if (optind == (argc - 1)) {
1808 1816 /*
1809 1817 * zone name, no process name; this should be an interactive
1810 1818 * as long as STDIN is really a tty.
1811 1819 */
1812 1820 if (isatty(STDIN_FILENO))
1813 1821 interactive = 1;
1814 1822 zonename = argv[optind];
1815 1823 } else if (optind < (argc - 1)) {
1816 1824 if (console) {
1817 1825 zerror(gettext("Commands may not be specified for "
1818 1826 "console login."));
1819 1827 usage();
1820 1828 }
1821 1829 /* zone name and process name, and possibly some args */
1822 1830 zonename = argv[optind];
1823 1831 proc_args = &argv[optind + 1];
1824 1832 interactive = 0;
1825 1833 } else {
1826 1834 usage();
1827 1835 }
1828 1836
1829 1837 if (getzoneid() != GLOBAL_ZONEID) {
1830 1838 zerror(gettext("'%s' may only be used from the global zone"),
1831 1839 pname);
1832 1840 return (1);
1833 1841 }
1834 1842
1835 1843 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1836 1844 zerror(gettext("'%s' not applicable to the global zone"),
1837 1845 pname);
1838 1846 return (1);
1839 1847 }
1840 1848
1841 1849 if (zone_get_state(zonename, &st) != Z_OK) {
1842 1850 zerror(gettext("zone '%s' unknown"), zonename);
1843 1851 return (1);
1844 1852 }
1845 1853
1846 1854 if (st < ZONE_STATE_INSTALLED) {
1847 1855 zerror(gettext("cannot login to a zone which is '%s'"),
1848 1856 zone_state_str(st));
1849 1857 return (1);
1850 1858 }
1851 1859
1852 1860 /*
1853 1861 * In both console and non-console cases, we require all privs.
1854 1862 * In the console case, because we may need to startup zoneadmd.
1855 1863 * In the non-console case in order to do zone_enter(2), zonept()
1856 1864 * and other tasks.
1857 1865 */
1858 1866
1859 1867 if ((privset = priv_allocset()) == NULL) {
1860 1868 zperror(gettext("priv_allocset failed"));
1861 1869 return (1);
1862 1870 }
1863 1871
1864 1872 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1865 1873 zperror(gettext("getppriv failed"));
1866 1874 priv_freeset(privset);
1867 1875 return (1);
1868 1876 }
1869 1877
1870 1878 if (priv_isfullset(privset) == B_FALSE) {
1871 1879 zerror(gettext("You lack sufficient privilege to run "
1872 1880 "this command (all privs required)"));
1873 1881 priv_freeset(privset);
1874 1882 return (1);
1875 1883 }
1876 1884 priv_freeset(privset);
1877 1885
1878 1886 /*
1879 1887 * Check if user is authorized for requested usage of the zone
1880 1888 */
1881 1889
1882 1890 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1883 1891 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1884 1892 if (chkauthattr(authname, username) == 0) {
1885 1893 if (console) {
1886 1894 zerror(gettext("%s is not authorized for console "
1887 1895 "access to %s zone."),
1888 1896 username, zonename);
1889 1897 return (1);
1890 1898 } else {
1891 1899 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1892 1900 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1893 1901 if (failsafe || !interactive) {
1894 1902 zerror(gettext("%s is not authorized for "
1895 1903 "failsafe or non-interactive login "
1896 1904 "to %s zone."), username, zonename);
1897 1905 return (1);
1898 1906 } else if (chkauthattr(authname, username) == 0) {
1899 1907 zerror(gettext("%s is not authorized "
1900 1908 " to login to %s zone."),
1901 1909 username, zonename);
1902 1910 return (1);
1903 1911 }
1904 1912 }
1905 1913 } else {
1906 1914 forced_login = B_TRUE;
1907 1915 }
1908 1916
1909 1917 /*
1910 1918 * The console is a separate case from the rest of the code; handle
1911 1919 * it first.
1912 1920 */
1913 1921 if (console) {
1914 1922 /*
1915 1923 * Ensure that zoneadmd for this zone is running.
1916 1924 */
1917 1925 if (start_zoneadmd(zonename) == -1)
1918 1926 return (1);
1919 1927
1920 1928 /*
1921 1929 * Make contact with zoneadmd.
1922 1930 */
1923 1931 if (get_console_master(zonename) == -1)
1924 1932 return (1);
1925 1933
1926 1934 (void) printf(gettext("[Connected to zone '%s' console]\n"),
1927 1935 zonename);
1928 1936
1929 1937 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1930 1938 reset_tty();
1931 1939 zperror(gettext("failed to set stdin pty to raw mode"));
1932 1940 return (1);
1933 1941 }
1934 1942
1935 1943 (void) sigset(SIGWINCH, sigwinch);
1936 1944 (void) sigwinch(0);
1937 1945
1938 1946 /*
1939 1947 * Run the I/O loop until we get disconnected.
1940 1948 */
1941 1949 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1942 1950 reset_tty();
1943 1951 (void) printf(gettext("\n[Connection to zone '%s' console "
1944 1952 "closed]\n"), zonename);
1945 1953
1946 1954 return (0);
1947 1955 }
1948 1956
1949 1957 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1950 1958 zerror(gettext("login allowed only to running zones "
1951 1959 "(%s is '%s')."), zonename, zone_state_str(st));
1952 1960 return (1);
1953 1961 }
1954 1962
1955 1963 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1956 1964 if (zonecfg_in_alt_root()) {
1957 1965 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1958 1966
1959 1967 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1960 1968 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1961 1969 zerror(gettext("cannot find scratch zone %s"),
1962 1970 zonename);
1963 1971 if (fp != NULL)
1964 1972 zonecfg_close_scratch(fp);
1965 1973 return (1);
1966 1974 }
1967 1975 zonecfg_close_scratch(fp);
1968 1976 }
1969 1977
1970 1978 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
1971 1979 zerror(gettext("failed to get zoneid for zone '%s'"),
1972 1980 zonename);
1973 1981 return (1);
1974 1982 }
1975 1983
1976 1984 /*
1977 1985 * We need the zone root path only if we are setting up a pty.
1978 1986 */
1979 1987 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
1980 1988 zerror(gettext("could not get dev path for zone %s"),
1981 1989 zonename);
1982 1990 return (1);
1983 1991 }
1984 1992
1985 1993 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
1986 1994 zerror(gettext("could not get brand for zone %s"), zonename);
1987 1995 return (1);
1988 1996 }
1989 1997 /*
1990 1998 * In the alternate root environment, the only supported
1991 1999 * operations are mount and unmount. In this case, just treat
1992 2000 * the zone as native if it is cluster. Cluster zones can be
1993 2001 * native for the purpose of LU or upgrade, and the cluster
1994 2002 * brand may not exist in the miniroot (such as in net install
1995 2003 * upgrade).
1996 2004 */
1997 2005 if (zonecfg_default_brand(default_brand,
1998 2006 sizeof (default_brand)) != Z_OK) {
1999 2007 zerror(gettext("unable to determine default brand"));
2000 2008 return (1);
2001 2009 }
2002 2010 if (zonecfg_in_alt_root() &&
2003 2011 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2004 2012 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2005 2013 }
2006 2014
2007 2015 if ((bh = brand_open(zonebrand)) == NULL) {
2008 2016 zerror(gettext("could not open brand for zone %s"), zonename);
2009 2017 return (1);
2010 2018 }
2011 2019
2012 2020 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2013 2021 zperror(gettext("could not assemble new arguments"));
2014 2022 brand_close(bh);
2015 2023 return (1);
2016 2024 }
2017 2025 /*
2018 2026 * Get the brand specific user_cmd. This command is used to get
2019 2027 * a passwd(4) entry for login.
2020 2028 */
2021 2029 if (!interactive && !failsafe) {
2022 2030 if (zone_get_user_cmd(bh, login, user_cmd,
2023 2031 sizeof (user_cmd)) == NULL) {
2024 2032 zerror(gettext("could not get user_cmd for zone %s"),
2025 2033 zonename);
2026 2034 brand_close(bh);
2027 2035 return (1);
2028 2036 }
2029 2037 }
2030 2038 brand_close(bh);
2031 2039
2032 2040 if ((new_env = prep_env()) == NULL) {
2033 2041 zperror(gettext("could not assemble new environment"));
2034 2042 return (1);
2035 2043 }
2036 2044
2037 2045 if (!interactive)
2038 2046 return (noninteractive_login(zonename, user_cmd, zoneid,
2039 2047 new_args, new_env));
2040 2048
2041 2049 if (zonecfg_in_alt_root()) {
2042 2050 zerror(gettext("cannot use interactive login with scratch "
2043 2051 "zone"));
2044 2052 return (1);
2045 2053 }
2046 2054
2047 2055 /*
2048 2056 * Things are more complex in interactive mode; we get the
2049 2057 * master side of the pty, then place the user's terminal into
2050 2058 * raw mode.
2051 2059 */
2052 2060 if (get_master_pty() == -1) {
2053 2061 zerror(gettext("could not setup master pty device"));
2054 2062 return (1);
2055 2063 }
2056 2064
2057 2065 /*
2058 2066 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2059 2067 */
2060 2068 if ((slavename = ptsname(masterfd)) == NULL) {
2061 2069 zperror(gettext("failed to get name for pseudo-tty"));
2062 2070 return (1);
2063 2071 }
2064 2072 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2065 2073 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2066 2074 sizeof (slaveshortname));
2067 2075 else
2068 2076 (void) strlcpy(slaveshortname, slavename,
2069 2077 sizeof (slaveshortname));
2070 2078
2071 2079 (void) printf(gettext("[Connected to zone '%s' %s]\n"), zonename,
2072 2080 slaveshortname);
2073 2081
2074 2082 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2075 2083 reset_tty();
2076 2084 zperror(gettext("failed to set stdin pty to raw mode"));
2077 2085 return (1);
2078 2086 }
2079 2087
2080 2088 if (prefork_dropprivs() != 0) {
2081 2089 reset_tty();
2082 2090 zperror(gettext("could not allocate privilege set"));
2083 2091 return (1);
2084 2092 }
2085 2093
2086 2094 /*
2087 2095 * We must mask SIGCLD until after we have coped with the fork
2088 2096 * sufficiently to deal with it; otherwise we can race and receive the
2089 2097 * signal before child_pid has been initialized (yes, this really
2090 2098 * happens).
2091 2099 */
2092 2100 (void) sigset(SIGCLD, sigcld);
2093 2101 (void) sigemptyset(&block_cld);
2094 2102 (void) sigaddset(&block_cld, SIGCLD);
2095 2103 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2096 2104
2097 2105 /*
2098 2106 * We activate the contract template at the last minute to
2099 2107 * avoid intermediate functions that could be using fork(2)
2100 2108 * internally.
2101 2109 */
2102 2110 if ((tmpl_fd = init_template()) == -1) {
2103 2111 reset_tty();
2104 2112 zperror(gettext("could not create contract"));
2105 2113 return (1);
2106 2114 }
2107 2115
2108 2116 if ((child_pid = fork()) == -1) {
2109 2117 (void) ct_tmpl_clear(tmpl_fd);
2110 2118 reset_tty();
2111 2119 zperror(gettext("could not fork"));
2112 2120 return (1);
2113 2121 } else if (child_pid == 0) { /* child process */
2114 2122 int slavefd, newslave;
2115 2123
2116 2124 (void) ct_tmpl_clear(tmpl_fd);
2117 2125 (void) close(tmpl_fd);
2118 2126
2119 2127 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2120 2128
2121 2129 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2122 2130 return (1);
2123 2131
2124 2132 /*
2125 2133 * Close all fds except for the slave pty.
2126 2134 */
2127 2135 (void) fdwalk(close_func, &slavefd);
2128 2136
2129 2137 /*
2130 2138 * Temporarily dup slavefd to stderr; that way if we have
2131 2139 * to print out that zone_enter failed, the output will
2132 2140 * have somewhere to go.
2133 2141 */
2134 2142 if (slavefd != STDERR_FILENO)
2135 2143 (void) dup2(slavefd, STDERR_FILENO);
2136 2144
2137 2145 if (zone_enter(zoneid) == -1) {
2138 2146 zerror(gettext("could not enter zone %s: %s"),
2139 2147 zonename, strerror(errno));
2140 2148 return (1);
2141 2149 }
2142 2150
2143 2151 if (slavefd != STDERR_FILENO)
2144 2152 (void) close(STDERR_FILENO);
2145 2153
2146 2154 /*
2147 2155 * We take pains to get this process into a new process
2148 2156 * group, and subsequently a new session. In this way,
2149 2157 * we'll have a session which doesn't yet have a controlling
2150 2158 * terminal. When we open the slave, it will become the
2151 2159 * controlling terminal; no PIDs concerning pgrps or sids
2152 2160 * will leak inappropriately into the zone.
2153 2161 */
2154 2162 (void) setpgrp();
2155 2163
2156 2164 /*
2157 2165 * We need the slave pty to be referenced from the zone's
2158 2166 * /dev in order to ensure that the devt's, etc are all
2159 2167 * correct. Otherwise we break ttyname and the like.
2160 2168 */
2161 2169 if ((newslave = open(slavename, O_RDWR)) == -1) {
2162 2170 (void) close(slavefd);
2163 2171 return (1);
2164 2172 }
2165 2173 (void) close(slavefd);
2166 2174 slavefd = newslave;
2167 2175
2168 2176 /*
2169 2177 * dup the slave to the various FDs, so that when the
2170 2178 * spawned process does a write/read it maps to the slave
2171 2179 * pty.
2172 2180 */
2173 2181 (void) dup2(slavefd, STDIN_FILENO);
2174 2182 (void) dup2(slavefd, STDOUT_FILENO);
2175 2183 (void) dup2(slavefd, STDERR_FILENO);
2176 2184 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2177 2185 slavefd != STDERR_FILENO) {
2178 2186 (void) close(slavefd);
2179 2187 }
2180 2188
2181 2189 /*
2182 2190 * In failsafe mode, we don't use login(1), so don't try
2183 2191 * setting up a utmpx entry.
2184 2192 */
2185 2193 if (!failsafe)
2186 2194 if (setup_utmpx(slaveshortname) == -1)
2187 2195 return (1);
2188 2196
2189 2197 /*
2190 2198 * The child needs to run as root to
2191 2199 * execute the brand's login program.
2192 2200 */
2193 2201 if (setuid(0) == -1) {
2194 2202 zperror(gettext("insufficient privilege"));
2195 2203 return (1);
2196 2204 }
2197 2205
2198 2206 (void) execve(new_args[0], new_args, new_env);
2199 2207 zperror(gettext("exec failure"));
2200 2208 return (1);
2201 2209 }
2202 2210
2203 2211 (void) ct_tmpl_clear(tmpl_fd);
2204 2212 (void) close(tmpl_fd);
2205 2213
2206 2214 /*
2207 2215 * The rest is only for the parent process.
2208 2216 */
2209 2217 (void) sigset(SIGWINCH, sigwinch);
2210 2218
2211 2219 postfork_dropprivs();
2212 2220
2213 2221 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2214 2222 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2215 2223
2216 2224 reset_tty();
2217 2225 (void) fprintf(stderr,
2218 2226 gettext("\n[Connection to zone '%s' %s closed]\n"), zonename,
2219 2227 slaveshortname);
2220 2228
2221 2229 if (pollerr != 0) {
2222 2230 (void) fprintf(stderr, gettext("Error: connection closed due "
2223 2231 "to unexpected pollevents=0x%x.\n"), pollerr);
2224 2232 return (1);
2225 2233 }
2226 2234
2227 2235 return (0);
2228 2236 }
|
↓ open down ↓ |
975 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX