1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013 DEY Storage Systems, Inc.
24 */
25
26 /*
27 * zlogin provides three types of login which allow users in the global
28 * zone to access non-global zones.
29 *
30 * - "interactive login" is similar to rlogin(1); for example, the user could
31 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
32 * granted a new pty (which is then shoved into the zone), and an I/O
33 * loop between parent and child processes takes care of the interactive
34 * session. In this mode, login(1) (and its -c option, which means
35 * "already authenticated") is employed to take care of the initialization
36 * of the user's session.
37 *
38 * - "non-interactive login" is similar to su(1M); the user could issue
39 * 'zlogin my-zone ls -l' and the command would be run as specified.
40 * In this mode, zlogin sets up pipes as the communication channel, and
41 * 'su' is used to do the login setup work.
42 *
43 * - "console login" is the equivalent to accessing the tip line for a
44 * zone. For example, the user can issue 'zlogin -C my-zone'.
45 * In this mode, zlogin contacts the zoneadmd process via unix domain
46 * socket. If zoneadmd is not running, it starts it. This allows the
47 * console to be available anytime the zone is installed, regardless of
48 * whether it is running.
49 */
50
51 #include <sys/socket.h>
52 #include <sys/termios.h>
53 #include <sys/utsname.h>
54 #include <sys/stat.h>
55 #include <sys/types.h>
56 #include <sys/contract/process.h>
57 #include <sys/ctfs.h>
58 #include <sys/brand.h>
59 #include <sys/wait.h>
60 #include <alloca.h>
61 #include <assert.h>
62 #include <ctype.h>
63 #include <door.h>
64 #include <errno.h>
65 #include <nss_dbdefs.h>
66 #include <poll.h>
67 #include <priv.h>
68 #include <pwd.h>
69 #include <unistd.h>
70 #include <utmpx.h>
71 #include <sac.h>
72 #include <signal.h>
73 #include <stdarg.h>
74 #include <stdio.h>
75 #include <stdlib.h>
76 #include <string.h>
77 #include <strings.h>
78 #include <stropts.h>
79 #include <wait.h>
80 #include <zone.h>
81 #include <fcntl.h>
82 #include <libdevinfo.h>
83 #include <libintl.h>
84 #include <locale.h>
85 #include <libzonecfg.h>
86 #include <libcontract.h>
87 #include <libbrand.h>
88 #include <auth_list.h>
89 #include <auth_attr.h>
90 #include <secdb.h>
91
92 static int masterfd;
93 static struct termios save_termios;
94 static struct termios effective_termios;
95 static int save_fd;
96 static struct winsize winsize;
97 static volatile int dead;
98 static volatile pid_t child_pid = -1;
99 static int interactive = 0;
100 static priv_set_t *dropprivs;
101
102 static int nocmdchar = 0;
103 static int failsafe = 0;
104 static char cmdchar = '~';
105 static int quiet = 0;
106
107 static int pollerr = 0;
108
109 static const char *pname;
110 static char *username;
111
112 /*
113 * When forced_login is true, the user is not prompted
114 * for an authentication password in the target zone.
115 */
116 static boolean_t forced_login = B_FALSE;
117
118 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
119 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
120 #endif
121
122 #define SUPATH "/usr/bin/su"
123 #define FAILSAFESHELL "/sbin/sh"
124 #define DEFAULTSHELL "/sbin/sh"
125 #define DEF_PATH "/usr/sbin:/usr/bin"
126
127 #define CLUSTER_BRAND_NAME "cluster"
128
129 /*
130 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
131 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
132 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
133 * also chosen in conjunction with the HI_WATER setting to make sure we
134 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
135 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
136 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
137 * is less than HI_WATER data already in the pipe.
138 */
139 #define ZLOGIN_BUFSIZ 8192
140 #define ZLOGIN_RDBUFSIZ 1024
141 #define HI_WATER 8192
142
143 /*
144 * See canonify() below. CANONIFY_LEN is the maximum length that a
145 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
146 */
147 #define CANONIFY_LEN 5
148
149 static void
150 usage(void)
151 {
152 (void) fprintf(stderr, gettext("usage: %s [ -QCES ] [ -e cmdchar ] "
153 "[-l user] zonename [command [args ...] ]\n"), pname);
154 exit(2);
155 }
156
157 static const char *
158 getpname(const char *arg0)
159 {
160 const char *p = strrchr(arg0, '/');
161
162 if (p == NULL)
163 p = arg0;
164 else
165 p++;
166
167 pname = p;
168 return (p);
169 }
170
171 static void
172 zerror(const char *fmt, ...)
173 {
174 va_list alist;
175
176 (void) fprintf(stderr, "%s: ", pname);
177 va_start(alist, fmt);
178 (void) vfprintf(stderr, fmt, alist);
179 va_end(alist);
180 (void) fprintf(stderr, "\n");
181 }
182
183 static void
184 zperror(const char *str)
185 {
186 const char *estr;
187
188 if ((estr = strerror(errno)) != NULL)
189 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
190 else
191 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
192 }
193
194 /*
195 * The first part of our privilege dropping scheme needs to be called before
196 * fork(), since we must have it for security; we don't want to be surprised
197 * later that we couldn't allocate the privset.
198 */
199 static int
200 prefork_dropprivs()
201 {
202 if ((dropprivs = priv_allocset()) == NULL)
203 return (1);
204
205 priv_basicset(dropprivs);
206 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
207 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
208 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
209 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
210
211 /*
212 * We need to keep the basic privilege PROC_SESSION and all unknown
213 * basic privileges as well as the privileges PROC_ZONE and
214 * PROC_OWNER in order to query session information and
215 * send signals.
216 */
217 if (interactive == 0) {
218 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
219 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
220 } else {
221 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
222 }
223
224 return (0);
225 }
226
227 /*
228 * The second part of the privilege drop. We are paranoid about being attacked
229 * by the zone, so we drop all privileges. This should prevent a compromise
230 * which gets us to fork(), exec(), symlink(), etc.
231 */
232 static void
233 postfork_dropprivs()
234 {
235 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
236 zperror(gettext("Warning: could not set permitted privileges"));
237 }
238 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
239 zperror(gettext("Warning: could not set limit privileges"));
240 }
241 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
242 zperror(gettext("Warning: could not set inheritable "
243 "privileges"));
244 }
245 }
246
247 /*
248 * Create the unix domain socket and call the zoneadmd server; handshake
249 * with it to determine whether it will allow us to connect.
250 */
251 static int
252 get_console_master(const char *zname)
253 {
254 int sockfd = -1;
255 struct sockaddr_un servaddr;
256 char clientid[MAXPATHLEN];
257 char handshake[MAXPATHLEN], c;
258 int msglen;
259 int i = 0, err = 0;
260
261 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
262 zperror(gettext("could not create socket"));
263 return (-1);
264 }
265
266 bzero(&servaddr, sizeof (servaddr));
267 servaddr.sun_family = AF_UNIX;
268 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
269 "%s/%s.console_sock", ZONES_TMPDIR, zname);
270
271 if (connect(sockfd, (struct sockaddr *)&servaddr,
272 sizeof (servaddr)) == -1) {
273 zperror(gettext("Could not connect to zone console"));
274 goto bad;
275 }
276 masterfd = sockfd;
277
278 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
279 getpid(), setlocale(LC_MESSAGES, NULL));
280
281 if (msglen >= sizeof (clientid) || msglen < 0) {
282 zerror("protocol error");
283 goto bad;
284 }
285
286 if (write(masterfd, clientid, msglen) != msglen) {
287 zerror("protocol error");
288 goto bad;
289 }
290
291 bzero(handshake, sizeof (handshake));
292
293 /*
294 * Take care not to accumulate more than our fill, and leave room for
295 * the NUL at the end.
296 */
297 while ((err = read(masterfd, &c, 1)) == 1) {
298 if (i >= (sizeof (handshake) - 1))
299 break;
300 if (c == '\n')
301 break;
302 handshake[i] = c;
303 i++;
304 }
305
306 /*
307 * If something went wrong during the handshake we bail; perhaps
308 * the server died off.
309 */
310 if (err == -1) {
311 zperror(gettext("Could not connect to zone console"));
312 goto bad;
313 }
314
315 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
316 return (0);
317
318 zerror(gettext("Console is already in use by process ID %s."),
319 handshake);
320 bad:
321 (void) close(sockfd);
322 masterfd = -1;
323 return (-1);
324 }
325
326
327 /*
328 * Routines to handle pty creation upon zone entry and to shuttle I/O back
329 * and forth between the two terminals. We also compute and store the
330 * name of the slave terminal associated with the master side.
331 */
332 static int
333 get_master_pty()
334 {
335 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
336 zperror(gettext("failed to obtain a pseudo-tty"));
337 return (-1);
338 }
339 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
340 zperror(gettext("failed to get terminal settings from stdin"));
341 return (-1);
342 }
343 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
344
345 return (0);
346 }
347
348 /*
349 * This is a bit tricky; normally a pts device will belong to the zone it
350 * is granted to. But in the case of "entering" a zone, we need to establish
351 * the pty before entering the zone so that we can vector I/O to and from it
352 * from the global zone.
353 *
354 * We use the zonept() call to let the ptm driver know what we are up to;
355 * the only other hairy bit is the setting of zoneslavename (which happens
356 * above, in get_master_pty()).
357 */
358 static int
359 init_slave_pty(zoneid_t zoneid, char *devroot)
360 {
361 int slavefd = -1;
362 char *slavename, zoneslavename[MAXPATHLEN];
363
364 /*
365 * Set slave permissions, zone the pts, then unlock it.
366 */
367 if (grantpt(masterfd) != 0) {
368 zperror(gettext("grantpt failed"));
369 return (-1);
370 }
371
372 if (unlockpt(masterfd) != 0) {
373 zperror(gettext("unlockpt failed"));
374 return (-1);
375 }
376
377 /*
378 * We must open the slave side before zoning this pty; otherwise
379 * the kernel would refuse us the open-- zoning a pty makes it
380 * inaccessible to the global zone. Note we are trying to open
381 * the device node via the $ZONEROOT/dev path for this pty.
382 *
383 * Later we'll close the slave out when once we've opened it again
384 * from within the target zone. Blarg.
385 */
386 if ((slavename = ptsname(masterfd)) == NULL) {
387 zperror(gettext("failed to get name for pseudo-tty"));
388 return (-1);
389 }
390
391 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
392 devroot, slavename);
393
394 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
395 zerror(gettext("failed to open %s: %s"), zoneslavename,
396 strerror(errno));
397 return (-1);
398 }
399
400 /*
401 * Push hardware emulation (ptem), line discipline (ldterm),
402 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
403 */
404 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
405 zperror(gettext("failed to push ptem module"));
406 if (!failsafe)
407 goto bad;
408 }
409
410 /*
411 * Anchor the stream to prevent malicious I_POPs; we prefer to do
412 * this prior to entering the zone so that we can detect any errors
413 * early, and so that we can set the anchor from the global zone.
414 */
415 if (ioctl(slavefd, I_ANCHOR) == -1) {
416 zperror(gettext("failed to set stream anchor"));
417 if (!failsafe)
418 goto bad;
419 }
420
421 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
422 zperror(gettext("failed to push ldterm module"));
423 if (!failsafe)
424 goto bad;
425 }
426 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
427 zperror(gettext("failed to push ttcompat module"));
428 if (!failsafe)
429 goto bad;
430 }
431
432 /*
433 * Propagate terminal settings from the external term to the new one.
434 */
435 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
436 zperror(gettext("failed to set terminal settings"));
437 if (!failsafe)
438 goto bad;
439 }
440 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
441
442 if (zonept(masterfd, zoneid) != 0) {
443 zperror(gettext("could not set zoneid of pty"));
444 goto bad;
445 }
446
447 return (slavefd);
448
449 bad:
450 (void) close(slavefd);
451 return (-1);
452 }
453
454 /*
455 * Place terminal into raw mode.
456 */
457 static int
458 set_tty_rawmode(int fd)
459 {
460 struct termios term;
461 if (tcgetattr(fd, &term) < 0) {
462 zperror(gettext("failed to get user terminal settings"));
463 return (-1);
464 }
465
466 /* Stash for later, so we can revert back to previous mode */
467 save_termios = term;
468 save_fd = fd;
469
470 /* disable 8->7 bit strip, start/stop, enable any char to restart */
471 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
472 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
473 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
474 /* disable output post-processing */
475 term.c_oflag &= ~OPOST;
476 /* disable canonical mode, signal chars, echo & extended functions */
477 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
478
479 term.c_cc[VMIN] = 1; /* byte-at-a-time */
480 term.c_cc[VTIME] = 0;
481
482 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
483 zperror(gettext("failed to set user terminal to raw mode"));
484 return (-1);
485 }
486
487 /*
488 * We need to know the value of VEOF so that we can properly process for
489 * client-side ~<EOF>. But we have obliterated VEOF in term,
490 * because VMIN overloads the same array slot in non-canonical mode.
491 * Stupid @&^%!
492 *
493 * So here we construct the "effective" termios from the current
494 * terminal settings, and the corrected VEOF and VEOL settings.
495 */
496 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
497 zperror(gettext("failed to get user terminal settings"));
498 return (-1);
499 }
500 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
501 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
502
503 return (0);
504 }
505
506 /*
507 * Copy terminal window size from our terminal to the pts.
508 */
509 /*ARGSUSED*/
510 static void
511 sigwinch(int s)
512 {
513 struct winsize ws;
514
515 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
516 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
517 }
518
519 static volatile int close_on_sig = -1;
520
521 static void
522 /*ARGSUSED*/
523 sigcld(int s)
524 {
525 int status;
526 pid_t pid;
527
528 /*
529 * Peek at the exit status. If this isn't the process we cared
530 * about, then just reap it.
531 */
532 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
533 if (pid == child_pid &&
534 (WIFEXITED(status) || WIFSIGNALED(status))) {
535 dead = 1;
536 if (close_on_sig != -1) {
537 (void) write(close_on_sig, "a", 1);
538 (void) close(close_on_sig);
539 close_on_sig = -1;
540 }
541 } else {
542 (void) waitpid(pid, &status, WNOHANG);
543 }
544 }
545 }
546
547 /*
548 * Some signals (currently, SIGINT) must be forwarded on to the process
549 * group of the child process.
550 */
551 static void
552 sig_forward(int s)
553 {
554 if (child_pid != -1) {
555 pid_t pgid = getpgid(child_pid);
556 if (pgid != -1)
557 (void) sigsend(P_PGID, pgid, s);
558 }
559 }
560
561 /*
562 * reset terminal settings for global environment
563 */
564 static void
565 reset_tty()
566 {
567 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
568 }
569
570 /*
571 * Convert character to printable representation, for display with locally
572 * echoed command characters (like when we need to display ~^D)
573 */
574 static void
575 canonify(char c, char *cc)
576 {
577 if (isprint(c)) {
578 cc[0] = c;
579 cc[1] = '\0';
580 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
581 cc[0] = '^';
582 cc[1] = c + '@';
583 cc[2] = '\0';
584 } else {
585 cc[0] = '\\';
586 cc[1] = ((c >> 6) & 7) + '0';
587 cc[2] = ((c >> 3) & 7) + '0';
588 cc[3] = (c & 7) + '0';
589 cc[4] = '\0';
590 }
591 }
592
593 /*
594 * process_user_input watches the input stream for the escape sequence for
595 * 'quit' (by default, tilde-period). Because we might be fed just one
596 * keystroke at a time, state associated with the user input (are we at the
597 * beginning of the line? are we locally echoing the next character?) is
598 * maintained by beginning_of_line and local_echo across calls to the routine.
599 * If the write to outfd fails, we'll try to read from infd in an attempt
600 * to prevent deadlock between the two processes.
601 *
602 * This routine returns -1 when the 'quit' escape sequence has been issued,
603 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
604 */
605 static int
606 process_user_input(int outfd, int infd)
607 {
608 static boolean_t beginning_of_line = B_TRUE;
609 static boolean_t local_echo = B_FALSE;
610 char ibuf[ZLOGIN_BUFSIZ];
611 int nbytes;
612 char *buf = ibuf;
613 char c = *buf;
614
615 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
616 if (nbytes == -1 && (errno != EINTR || dead))
617 return (-1);
618
619 if (nbytes == -1) /* The read was interrupted. */
620 return (0);
621
622 /* 0 read means EOF, close the pipe to the child */
623 if (nbytes == 0)
624 return (1);
625
626 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
627 buf++;
628 if (beginning_of_line && !nocmdchar) {
629 beginning_of_line = B_FALSE;
630 if (c == cmdchar) {
631 local_echo = B_TRUE;
632 continue;
633 }
634 } else if (local_echo) {
635 local_echo = B_FALSE;
636 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
637 char cc[CANONIFY_LEN];
638
639 canonify(c, cc);
640 (void) write(STDOUT_FILENO, &cmdchar, 1);
641 (void) write(STDOUT_FILENO, cc, strlen(cc));
642 return (-1);
643 }
644 }
645 retry:
646 if (write(outfd, &c, 1) <= 0) {
647 /*
648 * Since the fd we are writing to is opened with
649 * O_NONBLOCK it is possible to get EAGAIN if the
650 * pipe is full. One way this could happen is if we
651 * are writing a lot of data into the pipe in this loop
652 * and the application on the other end is echoing that
653 * data back out to its stdout. The output pipe can
654 * fill up since we are stuck here in this loop and not
655 * draining the other pipe. We can try to read some of
656 * the data to see if we can drain the pipe so that the
657 * application can continue to make progress. The read
658 * is non-blocking so we won't hang here. We also wait
659 * a bit before retrying since there could be other
660 * reasons why the pipe is full and we don't want to
661 * continuously retry.
662 */
663 if (errno == EAGAIN) {
664 struct timespec rqtp;
665 int ln;
666 char obuf[ZLOGIN_BUFSIZ];
667
668 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
669 (void) write(STDOUT_FILENO, obuf, ln);
670
671 /* sleep for 10 milliseconds */
672 rqtp.tv_sec = 0;
673 rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
674 (void) nanosleep(&rqtp, NULL);
675 if (!dead)
676 goto retry;
677 }
678
679 return (-1);
680 }
681 beginning_of_line = (c == '\r' || c == '\n' ||
682 c == effective_termios.c_cc[VKILL] ||
683 c == effective_termios.c_cc[VEOL] ||
684 c == effective_termios.c_cc[VSUSP] ||
685 c == effective_termios.c_cc[VINTR]);
686 }
687 return (0);
688 }
689
690 /*
691 * This function prevents deadlock between zlogin and the application in the
692 * zone that it is talking to. This can happen when we read from zlogin's
693 * stdin and write the data down the pipe to the application. If the pipe
694 * is full, we'll block in the write. Because zlogin could be blocked in
695 * the write, it would never read the application's stdout/stderr so the
696 * application can then block on those writes (when the pipe fills up). If the
697 * the application gets blocked this way, it can never get around to reading
698 * its stdin so that zlogin can unblock from its write. Once in this state,
699 * the two processes are deadlocked.
700 *
701 * To prevent this, we want to verify that we can write into the pipe before we
702 * read from our stdin. If the pipe already is pretty full, we bypass the read
703 * for now. We'll circle back here again after the poll() so that we can
704 * try again. When this function is called, we already know there is data
705 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
706 * stdin is EOF, and 0 if everything is ok (even though we might not have
707 * read/written any data into the pipe on this iteration).
708 */
709 static int
710 process_raw_input(int stdin_fd, int appin_fd)
711 {
712 int cc;
713 struct stat64 sb;
714 char ibuf[ZLOGIN_RDBUFSIZ];
715
716 /* Check how much data is already in the pipe */
717 if (fstat64(appin_fd, &sb) == -1) {
718 perror("stat failed");
719 return (-1);
720 }
721
722 if (dead)
723 return (-1);
724
725 /*
726 * The pipe already has a lot of data in it, don't write any more
727 * right now.
728 */
729 if (sb.st_size >= HI_WATER)
730 return (0);
731
732 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
733 if (cc == -1 && (errno != EINTR || dead))
734 return (-1);
735
736 if (cc == -1) /* The read was interrupted. */
737 return (0);
738
739 /* 0 read means EOF, close the pipe to the child */
740 if (cc == 0)
741 return (1);
742
743 /*
744 * stdin_fd is stdin of the target; so, the thing we'll write the user
745 * data *to*.
746 */
747 if (write(stdin_fd, ibuf, cc) == -1)
748 return (-1);
749
750 return (0);
751 }
752
753 /*
754 * Write the output from the application running in the zone. We can get
755 * a signal during the write (usually it would be SIGCHLD when the application
756 * has exited) so we loop to make sure we have written all of the data we read.
757 */
758 static int
759 process_output(int in_fd, int out_fd)
760 {
761 int wrote = 0;
762 int cc;
763 char ibuf[ZLOGIN_BUFSIZ];
764
765 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
766 if (cc == -1 && (errno != EINTR || dead))
767 return (-1);
768 if (cc == 0) /* EOF */
769 return (-1);
770 if (cc == -1) /* The read was interrupted. */
771 return (0);
772
773 do {
774 int len;
775
776 len = write(out_fd, ibuf + wrote, cc - wrote);
777 if (len == -1 && errno != EINTR)
778 return (-1);
779 if (len != -1)
780 wrote += len;
781 } while (wrote < cc);
782
783 return (0);
784 }
785
786 /*
787 * This is the main I/O loop, and is shared across all zlogin modes.
788 * Parameters:
789 * stdin_fd: The fd representing 'stdin' for the slave side; input to
790 * the zone will be written here.
791 *
792 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
793 * we're running non-interactive); used in process_raw_input
794 * to ensure we don't fill up the application's stdin pipe.
795 *
796 * stdout_fd: The fd representing 'stdout' for the slave side; output
797 * from the zone will arrive here.
798 *
799 * stderr_fd: The fd representing 'stderr' for the slave side; output
800 * from the zone will arrive here.
801 *
802 * raw_mode: If TRUE, then no processing (for example, for '~.') will
803 * be performed on the input coming from STDIN.
804 *
805 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
806 * mode supplies a stderr).
807 *
808 */
809 static void
810 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
811 boolean_t raw_mode)
812 {
813 struct pollfd pollfds[4];
814 char ibuf[ZLOGIN_BUFSIZ];
815 int cc, ret;
816
817 /* read from stdout of zone and write to stdout of global zone */
818 pollfds[0].fd = stdout_fd;
819 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
820
821 /* read from stderr of zone and write to stderr of global zone */
822 pollfds[1].fd = stderr_fd;
823 pollfds[1].events = pollfds[0].events;
824
825 /* read from stdin of global zone and write to stdin of zone */
826 pollfds[2].fd = STDIN_FILENO;
827 pollfds[2].events = pollfds[0].events;
828
829 /* read from signalling pipe so we know when child dies */
830 pollfds[3].fd = sig_fd;
831 pollfds[3].events = pollfds[0].events;
832
833 for (;;) {
834 pollfds[0].revents = pollfds[1].revents =
835 pollfds[2].revents = pollfds[3].revents = 0;
836
837 if (dead)
838 break;
839
840 /*
841 * There is a race condition here where we can receive the
842 * child death signal, set the dead flag, but since we have
843 * passed the test above, we would go into poll and hang.
844 * To avoid this we use the sig_fd as an additional poll fd.
845 * The signal handler writes into the other end of this pipe
846 * when the child dies so that the poll will always see that
847 * input and proceed. We just loop around at that point and
848 * then notice the dead flag.
849 */
850
851 ret = poll(pollfds,
852 sizeof (pollfds) / sizeof (struct pollfd), -1);
853
854 if (ret == -1 && errno != EINTR) {
855 perror("poll failed");
856 break;
857 }
858
859 if (errno == EINTR && dead) {
860 break;
861 }
862
863 /* event from master side stdout */
864 if (pollfds[0].revents) {
865 if (pollfds[0].revents &
866 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
867 if (process_output(stdout_fd, STDOUT_FILENO)
868 != 0)
869 break;
870 } else {
871 pollerr = pollfds[0].revents;
872 break;
873 }
874 }
875
876 /* event from master side stderr */
877 if (pollfds[1].revents) {
878 if (pollfds[1].revents &
879 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
880 if (process_output(stderr_fd, STDERR_FILENO)
881 != 0)
882 break;
883 } else {
884 pollerr = pollfds[1].revents;
885 break;
886 }
887 }
888
889 /* event from user STDIN side */
890 if (pollfds[2].revents) {
891 if (pollfds[2].revents &
892 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
893 /*
894 * stdin fd is stdin of the target; so,
895 * the thing we'll write the user data *to*.
896 *
897 * Also, unlike on the output side, we
898 * close the pipe on a zero-length message.
899 */
900 int res;
901
902 if (raw_mode)
903 res = process_raw_input(stdin_fd,
904 appin_fd);
905 else
906 res = process_user_input(stdin_fd,
907 stdout_fd);
908
909 if (res < 0)
910 break;
911 if (res > 0) {
912 /* EOF (close) child's stdin_fd */
913 pollfds[2].fd = -1;
914 while ((res = close(stdin_fd)) != 0 &&
915 errno == EINTR)
916 ;
917 if (res != 0)
918 break;
919 }
920
921 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
922 /*
923 * It's OK to get a POLLHUP on STDIN-- it
924 * always happens if you do:
925 *
926 * echo foo | zlogin <zone> <command>
927 *
928 * We reset fd to -1 in this case to clear
929 * the condition and close the pipe (EOF) to
930 * the other side in order to wrap things up.
931 */
932 int res;
933
934 pollfds[2].fd = -1;
935 while ((res = close(stdin_fd)) != 0 &&
936 errno == EINTR)
937 ;
938 if (res != 0)
939 break;
940 } else {
941 pollerr = pollfds[2].revents;
942 break;
943 }
944 }
945 }
946
947 /*
948 * We are in the midst of dying, but try to poll with a short
949 * timeout to see if we can catch the last bit of I/O from the
950 * children.
951 */
952 retry:
953 pollfds[0].revents = pollfds[1].revents = 0;
954 (void) poll(pollfds, 2, 100);
955 if (pollfds[0].revents &
956 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
957 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
958 (void) write(STDOUT_FILENO, ibuf, cc);
959 goto retry;
960 }
961 }
962 if (pollfds[1].revents &
963 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
964 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
965 (void) write(STDERR_FILENO, ibuf, cc);
966 goto retry;
967 }
968 }
969 }
970
971 /*
972 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
973 */
974 static const char *
975 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
976 size_t len)
977 {
978 bzero(user_cmd, sizeof (user_cmd));
979 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
980 return (NULL);
981
982 return (user_cmd);
983 }
984
985 /* From libc */
986 extern int str2passwd(const char *, int, void *, char *, int);
987
988 /*
989 * exec() the user_cmd brand hook, and convert the output string to a
990 * struct passwd. This is to be called after zone_enter().
991 *
992 */
993 static struct passwd *
994 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
995 int pwbuflen)
996 {
997 char pwline[NSS_BUFLEN_PASSWD];
998 char *cin = NULL;
999 FILE *fin;
1000 int status;
1001
1002 assert(getzoneid() != GLOBAL_ZONEID);
1003
1004 if ((fin = popen(user_cmd, "r")) == NULL)
1005 return (NULL);
1006
1007 while (cin == NULL && !feof(fin))
1008 cin = fgets(pwline, sizeof (pwline), fin);
1009
1010 if (cin == NULL) {
1011 (void) pclose(fin);
1012 return (NULL);
1013 }
1014
1015 status = pclose(fin);
1016 if (!WIFEXITED(status))
1017 return (NULL);
1018 if (WEXITSTATUS(status) != 0)
1019 return (NULL);
1020
1021 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1022 return (pwent);
1023 else
1024 return (NULL);
1025 }
1026
1027 static char **
1028 zone_login_cmd(brand_handle_t bh, const char *login)
1029 {
1030 static char result_buf[ARG_MAX];
1031 char **new_argv, *ptr, *lasts;
1032 int n, a;
1033
1034 /* Get the login command for the target zone. */
1035 bzero(result_buf, sizeof (result_buf));
1036
1037 if (forced_login) {
1038 if (brand_get_forcedlogin_cmd(bh, login,
1039 result_buf, sizeof (result_buf)) != 0)
1040 return (NULL);
1041 } else {
1042 if (brand_get_login_cmd(bh, login,
1043 result_buf, sizeof (result_buf)) != 0)
1044 return (NULL);
1045 }
1046
1047 /*
1048 * We got back a string that we'd like to execute. But since
1049 * we're not doing the execution via a shell we'll need to convert
1050 * the exec string to an array of strings. We'll do that here
1051 * but we're going to be very simplistic about it and break stuff
1052 * up based on spaces. We're not even going to support any kind
1053 * of quoting or escape characters. It's truly amazing that
1054 * there is no library function in OpenSolaris to do this for us.
1055 */
1056
1057 /*
1058 * Be paranoid. Since we're deliniating based on spaces make
1059 * sure there are no adjacent spaces.
1060 */
1061 if (strstr(result_buf, " ") != NULL)
1062 return (NULL);
1063
1064 /* Remove any trailing whitespace. */
1065 n = strlen(result_buf);
1066 if (result_buf[n - 1] == ' ')
1067 result_buf[n - 1] = '\0';
1068
1069 /* Count how many elements there are in the exec string. */
1070 ptr = result_buf;
1071 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1072 ;
1073
1074 /* Allocate the argv array that we're going to return. */
1075 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1076 return (NULL);
1077
1078 /* Tokenize the exec string and return. */
1079 a = 0;
1080 new_argv[a++] = result_buf;
1081 if (n > 2) {
1082 (void) strtok_r(result_buf, " ", &lasts);
1083 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1084 ;
1085 } else {
1086 new_argv[a++] = NULL;
1087 }
1088 assert(n == a);
1089 return (new_argv);
1090 }
1091
1092 /*
1093 * Prepare argv array for exec'd process; if we're passing commands to the
1094 * new process, then use su(1M) to do the invocation. Otherwise, use
1095 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1096 * login that we're coming from another zone, and to disregard its CONSOLE
1097 * checks).
1098 */
1099 static char **
1100 prep_args(brand_handle_t bh, const char *login, char **argv)
1101 {
1102 int argc = 0, a = 0, i, n = -1;
1103 char **new_argv;
1104
1105 if (argv != NULL) {
1106 size_t subshell_len = 1;
1107 char *subshell;
1108
1109 while (argv[argc] != NULL)
1110 argc++;
1111
1112 for (i = 0; i < argc; i++) {
1113 subshell_len += strlen(argv[i]) + 1;
1114 }
1115 if ((subshell = calloc(1, subshell_len)) == NULL)
1116 return (NULL);
1117
1118 for (i = 0; i < argc; i++) {
1119 (void) strcat(subshell, argv[i]);
1120 (void) strcat(subshell, " ");
1121 }
1122
1123 if (failsafe) {
1124 n = 4;
1125 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1126 return (NULL);
1127
1128 new_argv[a++] = FAILSAFESHELL;
1129 } else {
1130 n = 5;
1131 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1132 return (NULL);
1133
1134 new_argv[a++] = SUPATH;
1135 if (strcmp(login, "root") != 0) {
1136 new_argv[a++] = "-";
1137 n++;
1138 }
1139 new_argv[a++] = (char *)login;
1140 }
1141 new_argv[a++] = "-c";
1142 new_argv[a++] = subshell;
1143 new_argv[a++] = NULL;
1144 assert(a == n);
1145 } else {
1146 if (failsafe) {
1147 n = 2;
1148 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1149 return (NULL);
1150 new_argv[a++] = FAILSAFESHELL;
1151 new_argv[a++] = NULL;
1152 assert(n == a);
1153 } else {
1154 new_argv = zone_login_cmd(bh, login);
1155 }
1156 }
1157
1158 return (new_argv);
1159 }
1160
1161 /*
1162 * Helper routine for prep_env below.
1163 */
1164 static char *
1165 add_env(char *name, char *value)
1166 {
1167 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1168 char *str;
1169
1170 if ((str = malloc(sz)) == NULL)
1171 return (NULL);
1172
1173 (void) snprintf(str, sz, "%s=%s", name, value);
1174 return (str);
1175 }
1176
1177 /*
1178 * Prepare envp array for exec'd process.
1179 */
1180 static char **
1181 prep_env()
1182 {
1183 int e = 0, size = 1;
1184 char **new_env, *estr;
1185 char *term = getenv("TERM");
1186
1187 size++; /* for $PATH */
1188 if (term != NULL)
1189 size++;
1190
1191 /*
1192 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1193 * We also set $SHELL, since neither login nor su will be around to do
1194 * it.
1195 */
1196 if (failsafe)
1197 size += 2;
1198
1199 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1200 return (NULL);
1201
1202 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1203 return (NULL);
1204 new_env[e++] = estr;
1205
1206 if (term != NULL) {
1207 if ((estr = add_env("TERM", term)) == NULL)
1208 return (NULL);
1209 new_env[e++] = estr;
1210 }
1211
1212 if (failsafe) {
1213 if ((estr = add_env("HOME", "/")) == NULL)
1214 return (NULL);
1215 new_env[e++] = estr;
1216
1217 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1218 return (NULL);
1219 new_env[e++] = estr;
1220 }
1221
1222 new_env[e++] = NULL;
1223
1224 assert(e == size);
1225
1226 return (new_env);
1227 }
1228
1229 /*
1230 * Finish the preparation of the envp array for exec'd non-interactive
1231 * zlogins. This is called in the child process *after* we zone_enter(), since
1232 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1233 * etc. We need only do this in the non-interactive, mode, since otherwise
1234 * login(1) will do it. We don't do this in failsafe mode, since it presents
1235 * additional ways in which the command could fail, and we'd prefer to avoid
1236 * that.
1237 */
1238 static char **
1239 prep_env_noninteractive(const char *user_cmd, char **env)
1240 {
1241 size_t size;
1242 char **new_env;
1243 int e, i;
1244 char *estr;
1245 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1246 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1247 struct passwd pwent;
1248 struct passwd *pw = NULL;
1249
1250 assert(env != NULL);
1251 assert(failsafe == 0);
1252
1253 /*
1254 * Exec the "user_cmd" brand hook to get a pwent for the
1255 * login user. If this fails, HOME will be set to "/", SHELL
1256 * will be set to $DEFAULTSHELL, and we will continue to exec
1257 * SUPATH <login> -c <cmd>.
1258 */
1259 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1260
1261 /*
1262 * Get existing envp size.
1263 */
1264 for (size = 0; env[size] != NULL; size++)
1265 ;
1266
1267 e = size;
1268
1269 /*
1270 * Finish filling out the environment; we duplicate the environment
1271 * setup described in login(1), for lack of a better precedent.
1272 */
1273 if (pw != NULL)
1274 size += 3; /* LOGNAME, HOME, MAIL */
1275 else
1276 size += 1; /* HOME */
1277
1278 size++; /* always fill in SHELL */
1279 size++; /* terminating NULL */
1280
1281 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1282 goto malloc_fail;
1283
1284 /*
1285 * Copy existing elements of env into new_env.
1286 */
1287 for (i = 0; env[i] != NULL; i++) {
1288 if ((new_env[i] = strdup(env[i])) == NULL)
1289 goto malloc_fail;
1290 }
1291 assert(e == i);
1292
1293 if (pw != NULL) {
1294 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1295 goto malloc_fail;
1296 new_env[e++] = estr;
1297
1298 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1299 goto malloc_fail;
1300 new_env[e++] = estr;
1301
1302 if (chdir(pw->pw_dir) != 0)
1303 zerror(gettext("Could not chdir to home directory "
1304 "%s: %s"), pw->pw_dir, strerror(errno));
1305
1306 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1307 pw->pw_name);
1308 if ((estr = add_env("MAIL", varmail)) == NULL)
1309 goto malloc_fail;
1310 new_env[e++] = estr;
1311 } else {
1312 if ((estr = add_env("HOME", "/")) == NULL)
1313 goto malloc_fail;
1314 new_env[e++] = estr;
1315 }
1316
1317 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1318 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1319 goto malloc_fail;
1320 new_env[e++] = estr;
1321 } else {
1322 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1323 goto malloc_fail;
1324 new_env[e++] = estr;
1325 }
1326
1327 new_env[e++] = NULL; /* add terminating NULL */
1328
1329 assert(e == size);
1330 return (new_env);
1331
1332 malloc_fail:
1333 zperror(gettext("failed to allocate memory for process environment"));
1334 return (NULL);
1335 }
1336
1337 static int
1338 close_func(void *slavefd, int fd)
1339 {
1340 if (fd != *(int *)slavefd)
1341 (void) close(fd);
1342 return (0);
1343 }
1344
1345 static void
1346 set_cmdchar(char *cmdcharstr)
1347 {
1348 char c;
1349 long lc;
1350
1351 if ((c = *cmdcharstr) != '\\') {
1352 cmdchar = c;
1353 return;
1354 }
1355
1356 c = cmdcharstr[1];
1357 if (c == '\0' || c == '\\') {
1358 cmdchar = '\\';
1359 return;
1360 }
1361
1362 if (c < '0' || c > '7') {
1363 zerror(gettext("Unrecognized escape character option %s"),
1364 cmdcharstr);
1365 usage();
1366 }
1367
1368 lc = strtol(cmdcharstr + 1, NULL, 8);
1369 if (lc < 0 || lc > 255) {
1370 zerror(gettext("Octal escape character '%s' too large"),
1371 cmdcharstr);
1372 usage();
1373 }
1374 cmdchar = (char)lc;
1375 }
1376
1377 static int
1378 setup_utmpx(char *slavename)
1379 {
1380 struct utmpx ut;
1381
1382 bzero(&ut, sizeof (ut));
1383 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1384 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1385 ut.ut_pid = getpid();
1386 ut.ut_id[0] = 'z';
1387 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1388 ut.ut_type = LOGIN_PROCESS;
1389 (void) time(&ut.ut_tv.tv_sec);
1390
1391 if (makeutx(&ut) == NULL) {
1392 zerror(gettext("makeutx failed"));
1393 return (-1);
1394 }
1395 return (0);
1396 }
1397
1398 static void
1399 release_lock_file(int lockfd)
1400 {
1401 (void) close(lockfd);
1402 }
1403
1404 static int
1405 grab_lock_file(const char *zone_name, int *lockfd)
1406 {
1407 char pathbuf[PATH_MAX];
1408 struct flock flock;
1409
1410 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1411 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1412 strerror(errno));
1413 return (-1);
1414 }
1415 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1416 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1417 ZONES_TMPDIR, zone_name);
1418
1419 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1420 zerror(gettext("could not open %s: %s"), pathbuf,
1421 strerror(errno));
1422 return (-1);
1423 }
1424 /*
1425 * Lock the file to synchronize with other zoneadmds
1426 */
1427 flock.l_type = F_WRLCK;
1428 flock.l_whence = SEEK_SET;
1429 flock.l_start = (off_t)0;
1430 flock.l_len = (off_t)0;
1431 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1432 zerror(gettext("unable to lock %s: %s"), pathbuf,
1433 strerror(errno));
1434 release_lock_file(*lockfd);
1435 return (-1);
1436 }
1437 return (Z_OK);
1438 }
1439
1440 static int
1441 start_zoneadmd(const char *zone_name)
1442 {
1443 pid_t retval;
1444 int pstatus = 0, error = -1, lockfd, doorfd;
1445 struct door_info info;
1446 char doorpath[MAXPATHLEN];
1447
1448 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1449
1450 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1451 return (-1);
1452 /*
1453 * We must do the door check with the lock held. Otherwise, we
1454 * might race against another zoneadm/zlogin process and wind
1455 * up with two processes trying to start zoneadmd at the same
1456 * time. zoneadmd will detect this, and fail, but we prefer this
1457 * to be as seamless as is practical, from a user perspective.
1458 */
1459 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1460 if (errno != ENOENT) {
1461 zerror("failed to open %s: %s", doorpath,
1462 strerror(errno));
1463 goto out;
1464 }
1465 } else {
1466 /*
1467 * Seems to be working ok.
1468 */
1469 if (door_info(doorfd, &info) == 0 &&
1470 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1471 error = 0;
1472 goto out;
1473 }
1474 }
1475
1476 if ((child_pid = fork()) == -1) {
1477 zperror(gettext("could not fork"));
1478 goto out;
1479 } else if (child_pid == 0) {
1480 /* child process */
1481 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1482 zone_name, NULL);
1483 zperror(gettext("could not exec zoneadmd"));
1484 _exit(1);
1485 }
1486
1487 /* parent process */
1488 do {
1489 retval = waitpid(child_pid, &pstatus, 0);
1490 } while (retval != child_pid);
1491 if (WIFSIGNALED(pstatus) ||
1492 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1493 zerror(gettext("could not start %s"), "zoneadmd");
1494 goto out;
1495 }
1496 error = 0;
1497 out:
1498 release_lock_file(lockfd);
1499 (void) close(doorfd);
1500 return (error);
1501 }
1502
1503 static int
1504 init_template(void)
1505 {
1506 int fd;
1507 int err = 0;
1508
1509 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1510 if (fd == -1)
1511 return (-1);
1512
1513 /*
1514 * zlogin doesn't do anything with the contract.
1515 * Deliver no events, don't inherit, and allow it to be orphaned.
1516 */
1517 err |= ct_tmpl_set_critical(fd, 0);
1518 err |= ct_tmpl_set_informative(fd, 0);
1519 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1520 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1521 if (err || ct_tmpl_activate(fd)) {
1522 (void) close(fd);
1523 return (-1);
1524 }
1525
1526 return (fd);
1527 }
1528
1529 static int
1530 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1531 char **new_args, char **new_env)
1532 {
1533 pid_t retval;
1534 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1535 int child_status;
1536 int tmpl_fd;
1537 sigset_t block_cld;
1538
1539 if ((tmpl_fd = init_template()) == -1) {
1540 reset_tty();
1541 zperror(gettext("could not create contract"));
1542 return (1);
1543 }
1544
1545 if (pipe(stdin_pipe) != 0) {
1546 zperror(gettext("could not create STDIN pipe"));
1547 return (1);
1548 }
1549 /*
1550 * When the user types ^D, we get a zero length message on STDIN.
1551 * We need to echo that down the pipe to send it to the other side;
1552 * but by default, pipes don't propagate zero-length messages. We
1553 * toggle that behavior off using I_SWROPT. See streamio(7i).
1554 */
1555 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1556 zperror(gettext("could not configure STDIN pipe"));
1557 return (1);
1558
1559 }
1560 if (pipe(stdout_pipe) != 0) {
1561 zperror(gettext("could not create STDOUT pipe"));
1562 return (1);
1563 }
1564 if (pipe(stderr_pipe) != 0) {
1565 zperror(gettext("could not create STDERR pipe"));
1566 return (1);
1567 }
1568
1569 if (pipe(dead_child_pipe) != 0) {
1570 zperror(gettext("could not create signalling pipe"));
1571 return (1);
1572 }
1573 close_on_sig = dead_child_pipe[0];
1574
1575 /*
1576 * If any of the pipe FD's winds up being less than STDERR, then we
1577 * have a mess on our hands-- and we are lacking some of the I/O
1578 * streams we would expect anyway. So we bail.
1579 */
1580 if (stdin_pipe[0] <= STDERR_FILENO ||
1581 stdin_pipe[1] <= STDERR_FILENO ||
1582 stdout_pipe[0] <= STDERR_FILENO ||
1583 stdout_pipe[1] <= STDERR_FILENO ||
1584 stderr_pipe[0] <= STDERR_FILENO ||
1585 stderr_pipe[1] <= STDERR_FILENO ||
1586 dead_child_pipe[0] <= STDERR_FILENO ||
1587 dead_child_pipe[1] <= STDERR_FILENO) {
1588 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1589 return (1);
1590 }
1591
1592 if (prefork_dropprivs() != 0) {
1593 zperror(gettext("could not allocate privilege set"));
1594 return (1);
1595 }
1596
1597 (void) sigset(SIGCLD, sigcld);
1598 (void) sigemptyset(&block_cld);
1599 (void) sigaddset(&block_cld, SIGCLD);
1600 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1601
1602 if ((child_pid = fork()) == -1) {
1603 (void) ct_tmpl_clear(tmpl_fd);
1604 (void) close(tmpl_fd);
1605 zperror(gettext("could not fork"));
1606 return (1);
1607 } else if (child_pid == 0) { /* child process */
1608 (void) ct_tmpl_clear(tmpl_fd);
1609
1610 /*
1611 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1612 */
1613 (void) close(STDIN_FILENO);
1614 (void) close(STDOUT_FILENO);
1615 (void) close(STDERR_FILENO);
1616 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1617 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1618 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1619 (void) closefrom(STDERR_FILENO + 1);
1620
1621 (void) sigset(SIGCLD, SIG_DFL);
1622 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1623 /*
1624 * In case any of stdin, stdout or stderr are streams,
1625 * anchor them to prevent malicious I_POPs.
1626 */
1627 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1628 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1629 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1630
1631 if (zone_enter(zoneid) == -1) {
1632 zerror(gettext("could not enter zone %s: %s"),
1633 zonename, strerror(errno));
1634 _exit(1);
1635 }
1636
1637 /*
1638 * For non-native zones, tell libc where it can find locale
1639 * specific getttext() messages.
1640 */
1641 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1642 (void) bindtextdomain(TEXT_DOMAIN,
1643 "/.SUNWnative/usr/lib/locale");
1644 else if (access("/native/usr/lib/locale", R_OK) == 0)
1645 (void) bindtextdomain(TEXT_DOMAIN,
1646 "/native/usr/lib/locale");
1647
1648 if (!failsafe)
1649 new_env = prep_env_noninteractive(user_cmd, new_env);
1650
1651 if (new_env == NULL) {
1652 _exit(1);
1653 }
1654
1655 /*
1656 * Move into a new process group; the zone_enter will have
1657 * placed us into zsched's session, and we want to be in
1658 * a unique process group.
1659 */
1660 (void) setpgid(getpid(), getpid());
1661
1662 /*
1663 * The child needs to run as root to
1664 * execute the su program.
1665 */
1666 if (setuid(0) == -1) {
1667 zperror(gettext("insufficient privilege"));
1668 return (1);
1669 }
1670
1671 (void) execve(new_args[0], new_args, new_env);
1672 zperror(gettext("exec failure"));
1673 _exit(1);
1674 }
1675 /* parent */
1676
1677 /* close pipe sides written by child */
1678 (void) close(stdout_pipe[1]);
1679 (void) close(stderr_pipe[1]);
1680
1681 (void) sigset(SIGINT, sig_forward);
1682
1683 postfork_dropprivs();
1684
1685 (void) ct_tmpl_clear(tmpl_fd);
1686 (void) close(tmpl_fd);
1687
1688 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1689 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1690 dead_child_pipe[1], B_TRUE);
1691 do {
1692 retval = waitpid(child_pid, &child_status, 0);
1693 if (retval == -1) {
1694 child_status = 0;
1695 }
1696 } while (retval != child_pid && errno != ECHILD);
1697
1698 return (WEXITSTATUS(child_status));
1699 }
1700
1701 static char *
1702 get_username()
1703 {
1704 uid_t uid;
1705 struct passwd *nptr;
1706
1707 /*
1708 * Authorizations are checked to restrict access based on the
1709 * requested operation and zone name, It is assumed that the
1710 * program is running with all privileges, but that the real
1711 * user ID is that of the user or role on whose behalf we are
1712 * operating. So we start by getting the username that will be
1713 * used for subsequent authorization checks.
1714 */
1715
1716 uid = getuid();
1717 if ((nptr = getpwuid(uid)) == NULL) {
1718 zerror(gettext("could not get user name."));
1719 _exit(1);
1720 }
1721 return (nptr->pw_name);
1722 }
1723
1724 int
1725 main(int argc, char **argv)
1726 {
1727 int arg, console = 0;
1728 zoneid_t zoneid;
1729 zone_state_t st;
1730 char *login = "root";
1731 int lflag = 0;
1732 char *zonename = NULL;
1733 char **proc_args = NULL;
1734 char **new_args, **new_env;
1735 sigset_t block_cld;
1736 char devroot[MAXPATHLEN];
1737 char *slavename, slaveshortname[MAXPATHLEN];
1738 priv_set_t *privset;
1739 int tmpl_fd;
1740 char zonebrand[MAXNAMELEN];
1741 char default_brand[MAXNAMELEN];
1742 struct stat sb;
1743 char kernzone[ZONENAME_MAX];
1744 brand_handle_t bh;
1745 char user_cmd[MAXPATHLEN];
1746 char authname[MAXAUTHS];
1747
1748 (void) setlocale(LC_ALL, "");
1749 (void) textdomain(TEXT_DOMAIN);
1750
1751 (void) getpname(argv[0]);
1752 username = get_username();
1753
1754 while ((arg = getopt(argc, argv, "ECR:Se:l:Q")) != EOF) {
1755 switch (arg) {
1756 case 'C':
1757 console = 1;
1758 break;
1759 case 'E':
1760 nocmdchar = 1;
1761 break;
1762 case 'R': /* undocumented */
1763 if (*optarg != '/') {
1764 zerror(gettext("root path must be absolute."));
1765 exit(2);
1766 }
1767 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1768 zerror(
1769 gettext("root path must be a directory."));
1770 exit(2);
1771 }
1772 zonecfg_set_root(optarg);
1773 break;
1774 case 'Q':
1775 quiet = 1;
1776 break;
1777 case 'S':
1778 failsafe = 1;
1779 break;
1780 case 'e':
1781 set_cmdchar(optarg);
1782 break;
1783 case 'l':
1784 login = optarg;
1785 lflag = 1;
1786 break;
1787 default:
1788 usage();
1789 }
1790 }
1791
1792 if (console != 0 && lflag != 0) {
1793 zerror(gettext("-l may not be specified for console login"));
1794 usage();
1795 }
1796
1797 if (console != 0 && failsafe != 0) {
1798 zerror(gettext("-S may not be specified for console login"));
1799 usage();
1800 }
1801
1802 if (console != 0 && zonecfg_in_alt_root()) {
1803 zerror(gettext("-R may not be specified for console login"));
1804 exit(2);
1805 }
1806
1807 if (failsafe != 0 && lflag != 0) {
1808 zerror(gettext("-l may not be specified for failsafe login"));
1809 usage();
1810 }
1811
1812 if (optind == (argc - 1)) {
1813 /*
1814 * zone name, no process name; this should be an interactive
1815 * as long as STDIN is really a tty.
1816 */
1817 if (isatty(STDIN_FILENO))
1818 interactive = 1;
1819 zonename = argv[optind];
1820 } else if (optind < (argc - 1)) {
1821 if (console) {
1822 zerror(gettext("Commands may not be specified for "
1823 "console login."));
1824 usage();
1825 }
1826 /* zone name and process name, and possibly some args */
1827 zonename = argv[optind];
1828 proc_args = &argv[optind + 1];
1829 interactive = 0;
1830 } else {
1831 usage();
1832 }
1833
1834 if (getzoneid() != GLOBAL_ZONEID) {
1835 zerror(gettext("'%s' may only be used from the global zone"),
1836 pname);
1837 return (1);
1838 }
1839
1840 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1841 zerror(gettext("'%s' not applicable to the global zone"),
1842 pname);
1843 return (1);
1844 }
1845
1846 if (zone_get_state(zonename, &st) != Z_OK) {
1847 zerror(gettext("zone '%s' unknown"), zonename);
1848 return (1);
1849 }
1850
1851 if (st < ZONE_STATE_INSTALLED) {
1852 zerror(gettext("cannot login to a zone which is '%s'"),
1853 zone_state_str(st));
1854 return (1);
1855 }
1856
1857 /*
1858 * In both console and non-console cases, we require all privs.
1859 * In the console case, because we may need to startup zoneadmd.
1860 * In the non-console case in order to do zone_enter(2), zonept()
1861 * and other tasks.
1862 */
1863
1864 if ((privset = priv_allocset()) == NULL) {
1865 zperror(gettext("priv_allocset failed"));
1866 return (1);
1867 }
1868
1869 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1870 zperror(gettext("getppriv failed"));
1871 priv_freeset(privset);
1872 return (1);
1873 }
1874
1875 if (priv_isfullset(privset) == B_FALSE) {
1876 zerror(gettext("You lack sufficient privilege to run "
1877 "this command (all privs required)"));
1878 priv_freeset(privset);
1879 return (1);
1880 }
1881 priv_freeset(privset);
1882
1883 /*
1884 * Check if user is authorized for requested usage of the zone
1885 */
1886
1887 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1888 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1889 if (chkauthattr(authname, username) == 0) {
1890 if (console) {
1891 zerror(gettext("%s is not authorized for console "
1892 "access to %s zone."),
1893 username, zonename);
1894 return (1);
1895 } else {
1896 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1897 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1898 if (failsafe || !interactive) {
1899 zerror(gettext("%s is not authorized for "
1900 "failsafe or non-interactive login "
1901 "to %s zone."), username, zonename);
1902 return (1);
1903 } else if (chkauthattr(authname, username) == 0) {
1904 zerror(gettext("%s is not authorized "
1905 " to login to %s zone."),
1906 username, zonename);
1907 return (1);
1908 }
1909 }
1910 } else {
1911 forced_login = B_TRUE;
1912 }
1913
1914 /*
1915 * The console is a separate case from the rest of the code; handle
1916 * it first.
1917 */
1918 if (console) {
1919 /*
1920 * Ensure that zoneadmd for this zone is running.
1921 */
1922 if (start_zoneadmd(zonename) == -1)
1923 return (1);
1924
1925 /*
1926 * Make contact with zoneadmd.
1927 */
1928 if (get_console_master(zonename) == -1)
1929 return (1);
1930
1931 if (!quiet)
1932 (void) printf(
1933 gettext("[Connected to zone '%s' console]\n"),
1934 zonename);
1935
1936 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1937 reset_tty();
1938 zperror(gettext("failed to set stdin pty to raw mode"));
1939 return (1);
1940 }
1941
1942 (void) sigset(SIGWINCH, sigwinch);
1943 (void) sigwinch(0);
1944
1945 /*
1946 * Run the I/O loop until we get disconnected.
1947 */
1948 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1949 reset_tty();
1950 if (!quiet)
1951 (void) printf(
1952 gettext("\n[Connection to zone '%s' console "
1953 "closed]\n"), zonename);
1954
1955 return (0);
1956 }
1957
1958 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1959 zerror(gettext("login allowed only to running zones "
1960 "(%s is '%s')."), zonename, zone_state_str(st));
1961 return (1);
1962 }
1963
1964 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1965 if (zonecfg_in_alt_root()) {
1966 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1967
1968 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1969 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1970 zerror(gettext("cannot find scratch zone %s"),
1971 zonename);
1972 if (fp != NULL)
1973 zonecfg_close_scratch(fp);
1974 return (1);
1975 }
1976 zonecfg_close_scratch(fp);
1977 }
1978
1979 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
1980 zerror(gettext("failed to get zoneid for zone '%s'"),
1981 zonename);
1982 return (1);
1983 }
1984
1985 /*
1986 * We need the zone root path only if we are setting up a pty.
1987 */
1988 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
1989 zerror(gettext("could not get dev path for zone %s"),
1990 zonename);
1991 return (1);
1992 }
1993
1994 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
1995 zerror(gettext("could not get brand for zone %s"), zonename);
1996 return (1);
1997 }
1998 /*
1999 * In the alternate root environment, the only supported
2000 * operations are mount and unmount. In this case, just treat
2001 * the zone as native if it is cluster. Cluster zones can be
2002 * native for the purpose of LU or upgrade, and the cluster
2003 * brand may not exist in the miniroot (such as in net install
2004 * upgrade).
2005 */
2006 if (zonecfg_default_brand(default_brand,
2007 sizeof (default_brand)) != Z_OK) {
2008 zerror(gettext("unable to determine default brand"));
2009 return (1);
2010 }
2011 if (zonecfg_in_alt_root() &&
2012 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2013 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2014 }
2015
2016 if ((bh = brand_open(zonebrand)) == NULL) {
2017 zerror(gettext("could not open brand for zone %s"), zonename);
2018 return (1);
2019 }
2020
2021 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2022 zperror(gettext("could not assemble new arguments"));
2023 brand_close(bh);
2024 return (1);
2025 }
2026 /*
2027 * Get the brand specific user_cmd. This command is used to get
2028 * a passwd(4) entry for login.
2029 */
2030 if (!interactive && !failsafe) {
2031 if (zone_get_user_cmd(bh, login, user_cmd,
2032 sizeof (user_cmd)) == NULL) {
2033 zerror(gettext("could not get user_cmd for zone %s"),
2034 zonename);
2035 brand_close(bh);
2036 return (1);
2037 }
2038 }
2039 brand_close(bh);
2040
2041 if ((new_env = prep_env()) == NULL) {
2042 zperror(gettext("could not assemble new environment"));
2043 return (1);
2044 }
2045
2046 if (!interactive)
2047 return (noninteractive_login(zonename, user_cmd, zoneid,
2048 new_args, new_env));
2049
2050 if (zonecfg_in_alt_root()) {
2051 zerror(gettext("cannot use interactive login with scratch "
2052 "zone"));
2053 return (1);
2054 }
2055
2056 /*
2057 * Things are more complex in interactive mode; we get the
2058 * master side of the pty, then place the user's terminal into
2059 * raw mode.
2060 */
2061 if (get_master_pty() == -1) {
2062 zerror(gettext("could not setup master pty device"));
2063 return (1);
2064 }
2065
2066 /*
2067 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2068 */
2069 if ((slavename = ptsname(masterfd)) == NULL) {
2070 zperror(gettext("failed to get name for pseudo-tty"));
2071 return (1);
2072 }
2073 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2074 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2075 sizeof (slaveshortname));
2076 else
2077 (void) strlcpy(slaveshortname, slavename,
2078 sizeof (slaveshortname));
2079
2080 if (!quiet)
2081 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2082 zonename, slaveshortname);
2083
2084 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2085 reset_tty();
2086 zperror(gettext("failed to set stdin pty to raw mode"));
2087 return (1);
2088 }
2089
2090 if (prefork_dropprivs() != 0) {
2091 reset_tty();
2092 zperror(gettext("could not allocate privilege set"));
2093 return (1);
2094 }
2095
2096 /*
2097 * We must mask SIGCLD until after we have coped with the fork
2098 * sufficiently to deal with it; otherwise we can race and receive the
2099 * signal before child_pid has been initialized (yes, this really
2100 * happens).
2101 */
2102 (void) sigset(SIGCLD, sigcld);
2103 (void) sigemptyset(&block_cld);
2104 (void) sigaddset(&block_cld, SIGCLD);
2105 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2106
2107 /*
2108 * We activate the contract template at the last minute to
2109 * avoid intermediate functions that could be using fork(2)
2110 * internally.
2111 */
2112 if ((tmpl_fd = init_template()) == -1) {
2113 reset_tty();
2114 zperror(gettext("could not create contract"));
2115 return (1);
2116 }
2117
2118 if ((child_pid = fork()) == -1) {
2119 (void) ct_tmpl_clear(tmpl_fd);
2120 reset_tty();
2121 zperror(gettext("could not fork"));
2122 return (1);
2123 } else if (child_pid == 0) { /* child process */
2124 int slavefd, newslave;
2125
2126 (void) ct_tmpl_clear(tmpl_fd);
2127 (void) close(tmpl_fd);
2128
2129 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2130
2131 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2132 return (1);
2133
2134 /*
2135 * Close all fds except for the slave pty.
2136 */
2137 (void) fdwalk(close_func, &slavefd);
2138
2139 /*
2140 * Temporarily dup slavefd to stderr; that way if we have
2141 * to print out that zone_enter failed, the output will
2142 * have somewhere to go.
2143 */
2144 if (slavefd != STDERR_FILENO)
2145 (void) dup2(slavefd, STDERR_FILENO);
2146
2147 if (zone_enter(zoneid) == -1) {
2148 zerror(gettext("could not enter zone %s: %s"),
2149 zonename, strerror(errno));
2150 return (1);
2151 }
2152
2153 if (slavefd != STDERR_FILENO)
2154 (void) close(STDERR_FILENO);
2155
2156 /*
2157 * We take pains to get this process into a new process
2158 * group, and subsequently a new session. In this way,
2159 * we'll have a session which doesn't yet have a controlling
2160 * terminal. When we open the slave, it will become the
2161 * controlling terminal; no PIDs concerning pgrps or sids
2162 * will leak inappropriately into the zone.
2163 */
2164 (void) setpgrp();
2165
2166 /*
2167 * We need the slave pty to be referenced from the zone's
2168 * /dev in order to ensure that the devt's, etc are all
2169 * correct. Otherwise we break ttyname and the like.
2170 */
2171 if ((newslave = open(slavename, O_RDWR)) == -1) {
2172 (void) close(slavefd);
2173 return (1);
2174 }
2175 (void) close(slavefd);
2176 slavefd = newslave;
2177
2178 /*
2179 * dup the slave to the various FDs, so that when the
2180 * spawned process does a write/read it maps to the slave
2181 * pty.
2182 */
2183 (void) dup2(slavefd, STDIN_FILENO);
2184 (void) dup2(slavefd, STDOUT_FILENO);
2185 (void) dup2(slavefd, STDERR_FILENO);
2186 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2187 slavefd != STDERR_FILENO) {
2188 (void) close(slavefd);
2189 }
2190
2191 /*
2192 * In failsafe mode, we don't use login(1), so don't try
2193 * setting up a utmpx entry.
2194 */
2195 if (!failsafe)
2196 if (setup_utmpx(slaveshortname) == -1)
2197 return (1);
2198
2199 /*
2200 * The child needs to run as root to
2201 * execute the brand's login program.
2202 */
2203 if (setuid(0) == -1) {
2204 zperror(gettext("insufficient privilege"));
2205 return (1);
2206 }
2207
2208 (void) execve(new_args[0], new_args, new_env);
2209 zperror(gettext("exec failure"));
2210 return (1);
2211 }
2212
2213 (void) ct_tmpl_clear(tmpl_fd);
2214 (void) close(tmpl_fd);
2215
2216 /*
2217 * The rest is only for the parent process.
2218 */
2219 (void) sigset(SIGWINCH, sigwinch);
2220
2221 postfork_dropprivs();
2222
2223 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2224 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2225
2226 reset_tty();
2227 if (!quiet)
2228 (void) fprintf(stderr,
2229 gettext("\n[Connection to zone '%s' %s closed]\n"),
2230 zonename, slaveshortname);
2231
2232 if (pollerr != 0) {
2233 (void) fprintf(stderr, gettext("Error: connection closed due "
2234 "to unexpected pollevents=0x%x.\n"), pollerr);
2235 return (1);
2236 }
2237
2238 return (0);
2239 }