Print this page
3091 add -n to zlogin so its more compatible with rsh command line
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/cmd/zlogin/zlogin.c
+++ new/usr/src/cmd/zlogin/zlogin.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2013 DEY Storage Systems, Inc.
24 + * Copyright (c) 2014 Gary Mills
24 25 */
25 26
26 27 /*
27 28 * zlogin provides three types of login which allow users in the global
28 29 * zone to access non-global zones.
29 30 *
30 31 * - "interactive login" is similar to rlogin(1); for example, the user could
31 32 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
32 33 * granted a new pty (which is then shoved into the zone), and an I/O
33 34 * loop between parent and child processes takes care of the interactive
34 35 * session. In this mode, login(1) (and its -c option, which means
35 36 * "already authenticated") is employed to take care of the initialization
36 37 * of the user's session.
37 38 *
38 39 * - "non-interactive login" is similar to su(1M); the user could issue
39 40 * 'zlogin my-zone ls -l' and the command would be run as specified.
40 41 * In this mode, zlogin sets up pipes as the communication channel, and
41 42 * 'su' is used to do the login setup work.
42 43 *
43 44 * - "console login" is the equivalent to accessing the tip line for a
44 45 * zone. For example, the user can issue 'zlogin -C my-zone'.
45 46 * In this mode, zlogin contacts the zoneadmd process via unix domain
46 47 * socket. If zoneadmd is not running, it starts it. This allows the
47 48 * console to be available anytime the zone is installed, regardless of
48 49 * whether it is running.
49 50 */
50 51
51 52 #include <sys/socket.h>
52 53 #include <sys/termios.h>
↓ open down ↓ |
19 lines elided |
↑ open up ↑ |
53 54 #include <sys/utsname.h>
54 55 #include <sys/stat.h>
55 56 #include <sys/types.h>
56 57 #include <sys/contract/process.h>
57 58 #include <sys/ctfs.h>
58 59 #include <sys/brand.h>
59 60 #include <sys/wait.h>
60 61 #include <alloca.h>
61 62 #include <assert.h>
62 63 #include <ctype.h>
64 +#include <paths.h>
63 65 #include <door.h>
64 66 #include <errno.h>
65 67 #include <nss_dbdefs.h>
66 68 #include <poll.h>
67 69 #include <priv.h>
68 70 #include <pwd.h>
69 71 #include <unistd.h>
70 72 #include <utmpx.h>
71 73 #include <sac.h>
72 74 #include <signal.h>
73 75 #include <stdarg.h>
74 76 #include <stdio.h>
75 77 #include <stdlib.h>
76 78 #include <string.h>
77 79 #include <strings.h>
78 80 #include <stropts.h>
79 81 #include <wait.h>
80 82 #include <zone.h>
81 83 #include <fcntl.h>
82 84 #include <libdevinfo.h>
83 85 #include <libintl.h>
84 86 #include <locale.h>
85 87 #include <libzonecfg.h>
86 88 #include <libcontract.h>
87 89 #include <libbrand.h>
88 90 #include <auth_list.h>
89 91 #include <auth_attr.h>
90 92 #include <secdb.h>
91 93
92 94 static int masterfd;
93 95 static struct termios save_termios;
94 96 static struct termios effective_termios;
95 97 static int save_fd;
96 98 static struct winsize winsize;
97 99 static volatile int dead;
98 100 static volatile pid_t child_pid = -1;
99 101 static int interactive = 0;
100 102 static priv_set_t *dropprivs;
101 103
102 104 static int nocmdchar = 0;
103 105 static int failsafe = 0;
104 106 static char cmdchar = '~';
105 107 static int quiet = 0;
106 108
107 109 static int pollerr = 0;
108 110
109 111 static const char *pname;
110 112 static char *username;
111 113
112 114 /*
113 115 * When forced_login is true, the user is not prompted
114 116 * for an authentication password in the target zone.
115 117 */
116 118 static boolean_t forced_login = B_FALSE;
117 119
118 120 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
119 121 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
120 122 #endif
121 123
122 124 #define SUPATH "/usr/bin/su"
123 125 #define FAILSAFESHELL "/sbin/sh"
124 126 #define DEFAULTSHELL "/sbin/sh"
125 127 #define DEF_PATH "/usr/sbin:/usr/bin"
126 128
127 129 #define CLUSTER_BRAND_NAME "cluster"
128 130
129 131 /*
130 132 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
131 133 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
132 134 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
133 135 * also chosen in conjunction with the HI_WATER setting to make sure we
134 136 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
135 137 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
136 138 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
137 139 * is less than HI_WATER data already in the pipe.
138 140 */
139 141 #define ZLOGIN_BUFSIZ 8192
140 142 #define ZLOGIN_RDBUFSIZ 1024
141 143 #define HI_WATER 8192
↓ open down ↓ |
69 lines elided |
↑ open up ↑ |
142 144
143 145 /*
144 146 * See canonify() below. CANONIFY_LEN is the maximum length that a
145 147 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
146 148 */
147 149 #define CANONIFY_LEN 5
148 150
149 151 static void
150 152 usage(void)
151 153 {
152 - (void) fprintf(stderr, gettext("usage: %s [ -QCES ] [ -e cmdchar ] "
154 + (void) fprintf(stderr, gettext("usage: %s [ -nQCES ] [ -e cmdchar ] "
153 155 "[-l user] zonename [command [args ...] ]\n"), pname);
154 156 exit(2);
155 157 }
156 158
157 159 static const char *
158 160 getpname(const char *arg0)
159 161 {
160 162 const char *p = strrchr(arg0, '/');
161 163
162 164 if (p == NULL)
163 165 p = arg0;
164 166 else
165 167 p++;
166 168
167 169 pname = p;
168 170 return (p);
169 171 }
170 172
171 173 static void
172 174 zerror(const char *fmt, ...)
173 175 {
174 176 va_list alist;
175 177
176 178 (void) fprintf(stderr, "%s: ", pname);
177 179 va_start(alist, fmt);
178 180 (void) vfprintf(stderr, fmt, alist);
179 181 va_end(alist);
180 182 (void) fprintf(stderr, "\n");
181 183 }
182 184
183 185 static void
184 186 zperror(const char *str)
185 187 {
186 188 const char *estr;
187 189
188 190 if ((estr = strerror(errno)) != NULL)
189 191 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
190 192 else
191 193 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
192 194 }
193 195
194 196 /*
195 197 * The first part of our privilege dropping scheme needs to be called before
196 198 * fork(), since we must have it for security; we don't want to be surprised
197 199 * later that we couldn't allocate the privset.
198 200 */
199 201 static int
200 202 prefork_dropprivs()
201 203 {
202 204 if ((dropprivs = priv_allocset()) == NULL)
203 205 return (1);
204 206
205 207 priv_basicset(dropprivs);
206 208 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
207 209 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
208 210 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
209 211 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
210 212
211 213 /*
212 214 * We need to keep the basic privilege PROC_SESSION and all unknown
213 215 * basic privileges as well as the privileges PROC_ZONE and
214 216 * PROC_OWNER in order to query session information and
215 217 * send signals.
216 218 */
217 219 if (interactive == 0) {
218 220 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
219 221 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
220 222 } else {
221 223 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
222 224 }
223 225
224 226 return (0);
225 227 }
226 228
227 229 /*
228 230 * The second part of the privilege drop. We are paranoid about being attacked
229 231 * by the zone, so we drop all privileges. This should prevent a compromise
230 232 * which gets us to fork(), exec(), symlink(), etc.
231 233 */
232 234 static void
233 235 postfork_dropprivs()
234 236 {
235 237 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
236 238 zperror(gettext("Warning: could not set permitted privileges"));
237 239 }
238 240 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
239 241 zperror(gettext("Warning: could not set limit privileges"));
240 242 }
241 243 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
242 244 zperror(gettext("Warning: could not set inheritable "
243 245 "privileges"));
244 246 }
245 247 }
246 248
247 249 /*
248 250 * Create the unix domain socket and call the zoneadmd server; handshake
249 251 * with it to determine whether it will allow us to connect.
250 252 */
251 253 static int
252 254 get_console_master(const char *zname)
253 255 {
254 256 int sockfd = -1;
255 257 struct sockaddr_un servaddr;
256 258 char clientid[MAXPATHLEN];
257 259 char handshake[MAXPATHLEN], c;
258 260 int msglen;
259 261 int i = 0, err = 0;
260 262
261 263 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
262 264 zperror(gettext("could not create socket"));
263 265 return (-1);
264 266 }
265 267
266 268 bzero(&servaddr, sizeof (servaddr));
267 269 servaddr.sun_family = AF_UNIX;
268 270 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
269 271 "%s/%s.console_sock", ZONES_TMPDIR, zname);
270 272
271 273 if (connect(sockfd, (struct sockaddr *)&servaddr,
272 274 sizeof (servaddr)) == -1) {
273 275 zperror(gettext("Could not connect to zone console"));
274 276 goto bad;
275 277 }
276 278 masterfd = sockfd;
277 279
278 280 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
279 281 getpid(), setlocale(LC_MESSAGES, NULL));
280 282
281 283 if (msglen >= sizeof (clientid) || msglen < 0) {
282 284 zerror("protocol error");
283 285 goto bad;
284 286 }
285 287
286 288 if (write(masterfd, clientid, msglen) != msglen) {
287 289 zerror("protocol error");
288 290 goto bad;
289 291 }
290 292
291 293 bzero(handshake, sizeof (handshake));
292 294
293 295 /*
294 296 * Take care not to accumulate more than our fill, and leave room for
295 297 * the NUL at the end.
296 298 */
297 299 while ((err = read(masterfd, &c, 1)) == 1) {
298 300 if (i >= (sizeof (handshake) - 1))
299 301 break;
300 302 if (c == '\n')
301 303 break;
302 304 handshake[i] = c;
303 305 i++;
304 306 }
305 307
306 308 /*
307 309 * If something went wrong during the handshake we bail; perhaps
308 310 * the server died off.
309 311 */
310 312 if (err == -1) {
311 313 zperror(gettext("Could not connect to zone console"));
312 314 goto bad;
313 315 }
314 316
315 317 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
316 318 return (0);
317 319
318 320 zerror(gettext("Console is already in use by process ID %s."),
319 321 handshake);
320 322 bad:
321 323 (void) close(sockfd);
322 324 masterfd = -1;
323 325 return (-1);
324 326 }
325 327
326 328
327 329 /*
328 330 * Routines to handle pty creation upon zone entry and to shuttle I/O back
329 331 * and forth between the two terminals. We also compute and store the
330 332 * name of the slave terminal associated with the master side.
331 333 */
332 334 static int
333 335 get_master_pty()
334 336 {
335 337 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
336 338 zperror(gettext("failed to obtain a pseudo-tty"));
337 339 return (-1);
338 340 }
339 341 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
340 342 zperror(gettext("failed to get terminal settings from stdin"));
341 343 return (-1);
342 344 }
343 345 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
344 346
345 347 return (0);
346 348 }
347 349
348 350 /*
349 351 * This is a bit tricky; normally a pts device will belong to the zone it
350 352 * is granted to. But in the case of "entering" a zone, we need to establish
351 353 * the pty before entering the zone so that we can vector I/O to and from it
352 354 * from the global zone.
353 355 *
354 356 * We use the zonept() call to let the ptm driver know what we are up to;
355 357 * the only other hairy bit is the setting of zoneslavename (which happens
356 358 * above, in get_master_pty()).
357 359 */
358 360 static int
359 361 init_slave_pty(zoneid_t zoneid, char *devroot)
360 362 {
361 363 int slavefd = -1;
362 364 char *slavename, zoneslavename[MAXPATHLEN];
363 365
364 366 /*
365 367 * Set slave permissions, zone the pts, then unlock it.
366 368 */
367 369 if (grantpt(masterfd) != 0) {
368 370 zperror(gettext("grantpt failed"));
369 371 return (-1);
370 372 }
371 373
372 374 if (unlockpt(masterfd) != 0) {
373 375 zperror(gettext("unlockpt failed"));
374 376 return (-1);
375 377 }
376 378
377 379 /*
378 380 * We must open the slave side before zoning this pty; otherwise
379 381 * the kernel would refuse us the open-- zoning a pty makes it
380 382 * inaccessible to the global zone. Note we are trying to open
381 383 * the device node via the $ZONEROOT/dev path for this pty.
382 384 *
383 385 * Later we'll close the slave out when once we've opened it again
384 386 * from within the target zone. Blarg.
385 387 */
386 388 if ((slavename = ptsname(masterfd)) == NULL) {
387 389 zperror(gettext("failed to get name for pseudo-tty"));
388 390 return (-1);
389 391 }
390 392
391 393 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
392 394 devroot, slavename);
393 395
394 396 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
395 397 zerror(gettext("failed to open %s: %s"), zoneslavename,
396 398 strerror(errno));
397 399 return (-1);
398 400 }
399 401
400 402 /*
401 403 * Push hardware emulation (ptem), line discipline (ldterm),
402 404 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
403 405 */
404 406 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
405 407 zperror(gettext("failed to push ptem module"));
406 408 if (!failsafe)
407 409 goto bad;
408 410 }
409 411
410 412 /*
411 413 * Anchor the stream to prevent malicious I_POPs; we prefer to do
412 414 * this prior to entering the zone so that we can detect any errors
413 415 * early, and so that we can set the anchor from the global zone.
414 416 */
415 417 if (ioctl(slavefd, I_ANCHOR) == -1) {
416 418 zperror(gettext("failed to set stream anchor"));
417 419 if (!failsafe)
418 420 goto bad;
419 421 }
420 422
421 423 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
422 424 zperror(gettext("failed to push ldterm module"));
423 425 if (!failsafe)
424 426 goto bad;
425 427 }
426 428 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
427 429 zperror(gettext("failed to push ttcompat module"));
428 430 if (!failsafe)
429 431 goto bad;
430 432 }
431 433
432 434 /*
433 435 * Propagate terminal settings from the external term to the new one.
434 436 */
435 437 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
436 438 zperror(gettext("failed to set terminal settings"));
437 439 if (!failsafe)
438 440 goto bad;
439 441 }
440 442 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
441 443
442 444 if (zonept(masterfd, zoneid) != 0) {
443 445 zperror(gettext("could not set zoneid of pty"));
444 446 goto bad;
445 447 }
446 448
447 449 return (slavefd);
448 450
449 451 bad:
450 452 (void) close(slavefd);
451 453 return (-1);
452 454 }
453 455
454 456 /*
455 457 * Place terminal into raw mode.
456 458 */
457 459 static int
458 460 set_tty_rawmode(int fd)
459 461 {
460 462 struct termios term;
461 463 if (tcgetattr(fd, &term) < 0) {
462 464 zperror(gettext("failed to get user terminal settings"));
463 465 return (-1);
464 466 }
465 467
466 468 /* Stash for later, so we can revert back to previous mode */
467 469 save_termios = term;
468 470 save_fd = fd;
469 471
470 472 /* disable 8->7 bit strip, start/stop, enable any char to restart */
471 473 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
472 474 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
473 475 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
474 476 /* disable output post-processing */
475 477 term.c_oflag &= ~OPOST;
476 478 /* disable canonical mode, signal chars, echo & extended functions */
477 479 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
478 480
479 481 term.c_cc[VMIN] = 1; /* byte-at-a-time */
480 482 term.c_cc[VTIME] = 0;
481 483
482 484 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
483 485 zperror(gettext("failed to set user terminal to raw mode"));
484 486 return (-1);
485 487 }
486 488
487 489 /*
488 490 * We need to know the value of VEOF so that we can properly process for
489 491 * client-side ~<EOF>. But we have obliterated VEOF in term,
490 492 * because VMIN overloads the same array slot in non-canonical mode.
491 493 * Stupid @&^%!
492 494 *
493 495 * So here we construct the "effective" termios from the current
494 496 * terminal settings, and the corrected VEOF and VEOL settings.
495 497 */
496 498 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
497 499 zperror(gettext("failed to get user terminal settings"));
498 500 return (-1);
499 501 }
500 502 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
501 503 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
502 504
503 505 return (0);
504 506 }
505 507
506 508 /*
507 509 * Copy terminal window size from our terminal to the pts.
508 510 */
509 511 /*ARGSUSED*/
510 512 static void
511 513 sigwinch(int s)
512 514 {
513 515 struct winsize ws;
514 516
515 517 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
516 518 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
517 519 }
518 520
519 521 static volatile int close_on_sig = -1;
520 522
521 523 static void
522 524 /*ARGSUSED*/
523 525 sigcld(int s)
524 526 {
525 527 int status;
526 528 pid_t pid;
527 529
528 530 /*
529 531 * Peek at the exit status. If this isn't the process we cared
530 532 * about, then just reap it.
531 533 */
532 534 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
533 535 if (pid == child_pid &&
534 536 (WIFEXITED(status) || WIFSIGNALED(status))) {
535 537 dead = 1;
536 538 if (close_on_sig != -1) {
537 539 (void) write(close_on_sig, "a", 1);
538 540 (void) close(close_on_sig);
539 541 close_on_sig = -1;
540 542 }
541 543 } else {
542 544 (void) waitpid(pid, &status, WNOHANG);
543 545 }
544 546 }
545 547 }
546 548
547 549 /*
548 550 * Some signals (currently, SIGINT) must be forwarded on to the process
549 551 * group of the child process.
550 552 */
551 553 static void
552 554 sig_forward(int s)
553 555 {
554 556 if (child_pid != -1) {
555 557 pid_t pgid = getpgid(child_pid);
556 558 if (pgid != -1)
557 559 (void) sigsend(P_PGID, pgid, s);
558 560 }
559 561 }
560 562
561 563 /*
562 564 * reset terminal settings for global environment
563 565 */
564 566 static void
565 567 reset_tty()
566 568 {
567 569 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
568 570 }
569 571
570 572 /*
571 573 * Convert character to printable representation, for display with locally
572 574 * echoed command characters (like when we need to display ~^D)
573 575 */
574 576 static void
575 577 canonify(char c, char *cc)
576 578 {
577 579 if (isprint(c)) {
578 580 cc[0] = c;
579 581 cc[1] = '\0';
580 582 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
581 583 cc[0] = '^';
582 584 cc[1] = c + '@';
583 585 cc[2] = '\0';
584 586 } else {
585 587 cc[0] = '\\';
586 588 cc[1] = ((c >> 6) & 7) + '0';
587 589 cc[2] = ((c >> 3) & 7) + '0';
588 590 cc[3] = (c & 7) + '0';
589 591 cc[4] = '\0';
590 592 }
591 593 }
592 594
593 595 /*
594 596 * process_user_input watches the input stream for the escape sequence for
595 597 * 'quit' (by default, tilde-period). Because we might be fed just one
596 598 * keystroke at a time, state associated with the user input (are we at the
597 599 * beginning of the line? are we locally echoing the next character?) is
598 600 * maintained by beginning_of_line and local_echo across calls to the routine.
599 601 * If the write to outfd fails, we'll try to read from infd in an attempt
600 602 * to prevent deadlock between the two processes.
601 603 *
602 604 * This routine returns -1 when the 'quit' escape sequence has been issued,
603 605 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
604 606 */
605 607 static int
606 608 process_user_input(int outfd, int infd)
607 609 {
608 610 static boolean_t beginning_of_line = B_TRUE;
609 611 static boolean_t local_echo = B_FALSE;
610 612 char ibuf[ZLOGIN_BUFSIZ];
611 613 int nbytes;
612 614 char *buf = ibuf;
613 615 char c = *buf;
614 616
615 617 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
616 618 if (nbytes == -1 && (errno != EINTR || dead))
617 619 return (-1);
618 620
619 621 if (nbytes == -1) /* The read was interrupted. */
620 622 return (0);
621 623
622 624 /* 0 read means EOF, close the pipe to the child */
623 625 if (nbytes == 0)
624 626 return (1);
625 627
626 628 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
627 629 buf++;
628 630 if (beginning_of_line && !nocmdchar) {
629 631 beginning_of_line = B_FALSE;
630 632 if (c == cmdchar) {
631 633 local_echo = B_TRUE;
632 634 continue;
633 635 }
634 636 } else if (local_echo) {
635 637 local_echo = B_FALSE;
636 638 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
637 639 char cc[CANONIFY_LEN];
638 640
639 641 canonify(c, cc);
640 642 (void) write(STDOUT_FILENO, &cmdchar, 1);
641 643 (void) write(STDOUT_FILENO, cc, strlen(cc));
642 644 return (-1);
643 645 }
644 646 }
645 647 retry:
646 648 if (write(outfd, &c, 1) <= 0) {
647 649 /*
648 650 * Since the fd we are writing to is opened with
649 651 * O_NONBLOCK it is possible to get EAGAIN if the
650 652 * pipe is full. One way this could happen is if we
651 653 * are writing a lot of data into the pipe in this loop
652 654 * and the application on the other end is echoing that
653 655 * data back out to its stdout. The output pipe can
654 656 * fill up since we are stuck here in this loop and not
655 657 * draining the other pipe. We can try to read some of
656 658 * the data to see if we can drain the pipe so that the
657 659 * application can continue to make progress. The read
658 660 * is non-blocking so we won't hang here. We also wait
659 661 * a bit before retrying since there could be other
660 662 * reasons why the pipe is full and we don't want to
661 663 * continuously retry.
662 664 */
663 665 if (errno == EAGAIN) {
664 666 struct timespec rqtp;
665 667 int ln;
666 668 char obuf[ZLOGIN_BUFSIZ];
667 669
668 670 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
669 671 (void) write(STDOUT_FILENO, obuf, ln);
670 672
671 673 /* sleep for 10 milliseconds */
672 674 rqtp.tv_sec = 0;
673 675 rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
674 676 (void) nanosleep(&rqtp, NULL);
675 677 if (!dead)
676 678 goto retry;
677 679 }
678 680
679 681 return (-1);
680 682 }
681 683 beginning_of_line = (c == '\r' || c == '\n' ||
682 684 c == effective_termios.c_cc[VKILL] ||
683 685 c == effective_termios.c_cc[VEOL] ||
684 686 c == effective_termios.c_cc[VSUSP] ||
685 687 c == effective_termios.c_cc[VINTR]);
686 688 }
687 689 return (0);
688 690 }
689 691
690 692 /*
691 693 * This function prevents deadlock between zlogin and the application in the
692 694 * zone that it is talking to. This can happen when we read from zlogin's
693 695 * stdin and write the data down the pipe to the application. If the pipe
694 696 * is full, we'll block in the write. Because zlogin could be blocked in
695 697 * the write, it would never read the application's stdout/stderr so the
696 698 * application can then block on those writes (when the pipe fills up). If the
697 699 * the application gets blocked this way, it can never get around to reading
698 700 * its stdin so that zlogin can unblock from its write. Once in this state,
699 701 * the two processes are deadlocked.
700 702 *
701 703 * To prevent this, we want to verify that we can write into the pipe before we
702 704 * read from our stdin. If the pipe already is pretty full, we bypass the read
703 705 * for now. We'll circle back here again after the poll() so that we can
704 706 * try again. When this function is called, we already know there is data
705 707 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
706 708 * stdin is EOF, and 0 if everything is ok (even though we might not have
707 709 * read/written any data into the pipe on this iteration).
708 710 */
709 711 static int
710 712 process_raw_input(int stdin_fd, int appin_fd)
711 713 {
712 714 int cc;
713 715 struct stat64 sb;
714 716 char ibuf[ZLOGIN_RDBUFSIZ];
715 717
716 718 /* Check how much data is already in the pipe */
717 719 if (fstat64(appin_fd, &sb) == -1) {
718 720 perror("stat failed");
719 721 return (-1);
720 722 }
721 723
722 724 if (dead)
723 725 return (-1);
724 726
725 727 /*
726 728 * The pipe already has a lot of data in it, don't write any more
727 729 * right now.
728 730 */
729 731 if (sb.st_size >= HI_WATER)
730 732 return (0);
731 733
732 734 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
733 735 if (cc == -1 && (errno != EINTR || dead))
734 736 return (-1);
735 737
736 738 if (cc == -1) /* The read was interrupted. */
737 739 return (0);
738 740
739 741 /* 0 read means EOF, close the pipe to the child */
740 742 if (cc == 0)
741 743 return (1);
742 744
743 745 /*
744 746 * stdin_fd is stdin of the target; so, the thing we'll write the user
745 747 * data *to*.
746 748 */
747 749 if (write(stdin_fd, ibuf, cc) == -1)
748 750 return (-1);
749 751
750 752 return (0);
751 753 }
752 754
753 755 /*
754 756 * Write the output from the application running in the zone. We can get
755 757 * a signal during the write (usually it would be SIGCHLD when the application
756 758 * has exited) so we loop to make sure we have written all of the data we read.
757 759 */
758 760 static int
759 761 process_output(int in_fd, int out_fd)
760 762 {
761 763 int wrote = 0;
762 764 int cc;
763 765 char ibuf[ZLOGIN_BUFSIZ];
764 766
765 767 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
766 768 if (cc == -1 && (errno != EINTR || dead))
767 769 return (-1);
768 770 if (cc == 0) /* EOF */
769 771 return (-1);
770 772 if (cc == -1) /* The read was interrupted. */
771 773 return (0);
772 774
773 775 do {
774 776 int len;
775 777
776 778 len = write(out_fd, ibuf + wrote, cc - wrote);
777 779 if (len == -1 && errno != EINTR)
778 780 return (-1);
779 781 if (len != -1)
780 782 wrote += len;
781 783 } while (wrote < cc);
782 784
783 785 return (0);
784 786 }
785 787
786 788 /*
787 789 * This is the main I/O loop, and is shared across all zlogin modes.
788 790 * Parameters:
789 791 * stdin_fd: The fd representing 'stdin' for the slave side; input to
790 792 * the zone will be written here.
791 793 *
792 794 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
793 795 * we're running non-interactive); used in process_raw_input
794 796 * to ensure we don't fill up the application's stdin pipe.
795 797 *
796 798 * stdout_fd: The fd representing 'stdout' for the slave side; output
797 799 * from the zone will arrive here.
798 800 *
799 801 * stderr_fd: The fd representing 'stderr' for the slave side; output
800 802 * from the zone will arrive here.
801 803 *
802 804 * raw_mode: If TRUE, then no processing (for example, for '~.') will
803 805 * be performed on the input coming from STDIN.
804 806 *
805 807 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
806 808 * mode supplies a stderr).
807 809 *
808 810 */
809 811 static void
810 812 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
811 813 boolean_t raw_mode)
812 814 {
813 815 struct pollfd pollfds[4];
814 816 char ibuf[ZLOGIN_BUFSIZ];
815 817 int cc, ret;
816 818
817 819 /* read from stdout of zone and write to stdout of global zone */
818 820 pollfds[0].fd = stdout_fd;
819 821 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
820 822
821 823 /* read from stderr of zone and write to stderr of global zone */
822 824 pollfds[1].fd = stderr_fd;
823 825 pollfds[1].events = pollfds[0].events;
824 826
825 827 /* read from stdin of global zone and write to stdin of zone */
826 828 pollfds[2].fd = STDIN_FILENO;
827 829 pollfds[2].events = pollfds[0].events;
828 830
829 831 /* read from signalling pipe so we know when child dies */
830 832 pollfds[3].fd = sig_fd;
831 833 pollfds[3].events = pollfds[0].events;
832 834
833 835 for (;;) {
834 836 pollfds[0].revents = pollfds[1].revents =
835 837 pollfds[2].revents = pollfds[3].revents = 0;
836 838
837 839 if (dead)
838 840 break;
839 841
840 842 /*
841 843 * There is a race condition here where we can receive the
842 844 * child death signal, set the dead flag, but since we have
843 845 * passed the test above, we would go into poll and hang.
844 846 * To avoid this we use the sig_fd as an additional poll fd.
845 847 * The signal handler writes into the other end of this pipe
846 848 * when the child dies so that the poll will always see that
847 849 * input and proceed. We just loop around at that point and
848 850 * then notice the dead flag.
849 851 */
850 852
851 853 ret = poll(pollfds,
852 854 sizeof (pollfds) / sizeof (struct pollfd), -1);
853 855
854 856 if (ret == -1 && errno != EINTR) {
855 857 perror("poll failed");
856 858 break;
857 859 }
858 860
859 861 if (errno == EINTR && dead) {
860 862 break;
861 863 }
862 864
863 865 /* event from master side stdout */
864 866 if (pollfds[0].revents) {
865 867 if (pollfds[0].revents &
866 868 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
867 869 if (process_output(stdout_fd, STDOUT_FILENO)
868 870 != 0)
869 871 break;
870 872 } else {
871 873 pollerr = pollfds[0].revents;
872 874 break;
873 875 }
874 876 }
875 877
876 878 /* event from master side stderr */
877 879 if (pollfds[1].revents) {
878 880 if (pollfds[1].revents &
879 881 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
880 882 if (process_output(stderr_fd, STDERR_FILENO)
881 883 != 0)
882 884 break;
883 885 } else {
884 886 pollerr = pollfds[1].revents;
885 887 break;
886 888 }
887 889 }
888 890
889 891 /* event from user STDIN side */
890 892 if (pollfds[2].revents) {
891 893 if (pollfds[2].revents &
892 894 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
893 895 /*
894 896 * stdin fd is stdin of the target; so,
895 897 * the thing we'll write the user data *to*.
896 898 *
897 899 * Also, unlike on the output side, we
898 900 * close the pipe on a zero-length message.
899 901 */
900 902 int res;
901 903
902 904 if (raw_mode)
903 905 res = process_raw_input(stdin_fd,
904 906 appin_fd);
905 907 else
906 908 res = process_user_input(stdin_fd,
907 909 stdout_fd);
908 910
909 911 if (res < 0)
910 912 break;
911 913 if (res > 0) {
912 914 /* EOF (close) child's stdin_fd */
913 915 pollfds[2].fd = -1;
914 916 while ((res = close(stdin_fd)) != 0 &&
915 917 errno == EINTR)
916 918 ;
917 919 if (res != 0)
918 920 break;
919 921 }
920 922
921 923 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
922 924 /*
923 925 * It's OK to get a POLLHUP on STDIN-- it
924 926 * always happens if you do:
925 927 *
926 928 * echo foo | zlogin <zone> <command>
927 929 *
928 930 * We reset fd to -1 in this case to clear
929 931 * the condition and close the pipe (EOF) to
930 932 * the other side in order to wrap things up.
931 933 */
932 934 int res;
933 935
934 936 pollfds[2].fd = -1;
935 937 while ((res = close(stdin_fd)) != 0 &&
936 938 errno == EINTR)
937 939 ;
938 940 if (res != 0)
939 941 break;
940 942 } else {
941 943 pollerr = pollfds[2].revents;
942 944 break;
943 945 }
944 946 }
945 947 }
946 948
947 949 /*
948 950 * We are in the midst of dying, but try to poll with a short
949 951 * timeout to see if we can catch the last bit of I/O from the
950 952 * children.
951 953 */
952 954 retry:
953 955 pollfds[0].revents = pollfds[1].revents = 0;
954 956 (void) poll(pollfds, 2, 100);
955 957 if (pollfds[0].revents &
956 958 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
957 959 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
958 960 (void) write(STDOUT_FILENO, ibuf, cc);
959 961 goto retry;
960 962 }
961 963 }
962 964 if (pollfds[1].revents &
963 965 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
964 966 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
965 967 (void) write(STDERR_FILENO, ibuf, cc);
966 968 goto retry;
967 969 }
968 970 }
969 971 }
970 972
971 973 /*
972 974 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
973 975 */
974 976 static const char *
975 977 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
976 978 size_t len)
977 979 {
978 980 bzero(user_cmd, sizeof (user_cmd));
979 981 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
980 982 return (NULL);
981 983
982 984 return (user_cmd);
983 985 }
984 986
985 987 /* From libc */
986 988 extern int str2passwd(const char *, int, void *, char *, int);
987 989
988 990 /*
989 991 * exec() the user_cmd brand hook, and convert the output string to a
990 992 * struct passwd. This is to be called after zone_enter().
991 993 *
992 994 */
993 995 static struct passwd *
994 996 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
995 997 int pwbuflen)
996 998 {
997 999 char pwline[NSS_BUFLEN_PASSWD];
998 1000 char *cin = NULL;
999 1001 FILE *fin;
1000 1002 int status;
1001 1003
1002 1004 assert(getzoneid() != GLOBAL_ZONEID);
1003 1005
1004 1006 if ((fin = popen(user_cmd, "r")) == NULL)
1005 1007 return (NULL);
1006 1008
1007 1009 while (cin == NULL && !feof(fin))
1008 1010 cin = fgets(pwline, sizeof (pwline), fin);
1009 1011
1010 1012 if (cin == NULL) {
1011 1013 (void) pclose(fin);
1012 1014 return (NULL);
1013 1015 }
1014 1016
1015 1017 status = pclose(fin);
1016 1018 if (!WIFEXITED(status))
1017 1019 return (NULL);
1018 1020 if (WEXITSTATUS(status) != 0)
1019 1021 return (NULL);
1020 1022
1021 1023 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1022 1024 return (pwent);
1023 1025 else
1024 1026 return (NULL);
1025 1027 }
1026 1028
1027 1029 static char **
1028 1030 zone_login_cmd(brand_handle_t bh, const char *login)
1029 1031 {
1030 1032 static char result_buf[ARG_MAX];
1031 1033 char **new_argv, *ptr, *lasts;
1032 1034 int n, a;
1033 1035
1034 1036 /* Get the login command for the target zone. */
1035 1037 bzero(result_buf, sizeof (result_buf));
1036 1038
1037 1039 if (forced_login) {
1038 1040 if (brand_get_forcedlogin_cmd(bh, login,
1039 1041 result_buf, sizeof (result_buf)) != 0)
1040 1042 return (NULL);
1041 1043 } else {
1042 1044 if (brand_get_login_cmd(bh, login,
1043 1045 result_buf, sizeof (result_buf)) != 0)
1044 1046 return (NULL);
1045 1047 }
1046 1048
1047 1049 /*
1048 1050 * We got back a string that we'd like to execute. But since
1049 1051 * we're not doing the execution via a shell we'll need to convert
1050 1052 * the exec string to an array of strings. We'll do that here
1051 1053 * but we're going to be very simplistic about it and break stuff
1052 1054 * up based on spaces. We're not even going to support any kind
1053 1055 * of quoting or escape characters. It's truly amazing that
1054 1056 * there is no library function in OpenSolaris to do this for us.
1055 1057 */
1056 1058
1057 1059 /*
1058 1060 * Be paranoid. Since we're deliniating based on spaces make
1059 1061 * sure there are no adjacent spaces.
1060 1062 */
1061 1063 if (strstr(result_buf, " ") != NULL)
1062 1064 return (NULL);
1063 1065
1064 1066 /* Remove any trailing whitespace. */
1065 1067 n = strlen(result_buf);
1066 1068 if (result_buf[n - 1] == ' ')
1067 1069 result_buf[n - 1] = '\0';
1068 1070
1069 1071 /* Count how many elements there are in the exec string. */
1070 1072 ptr = result_buf;
1071 1073 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1072 1074 ;
1073 1075
1074 1076 /* Allocate the argv array that we're going to return. */
1075 1077 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1076 1078 return (NULL);
1077 1079
1078 1080 /* Tokenize the exec string and return. */
1079 1081 a = 0;
1080 1082 new_argv[a++] = result_buf;
1081 1083 if (n > 2) {
1082 1084 (void) strtok_r(result_buf, " ", &lasts);
1083 1085 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1084 1086 ;
1085 1087 } else {
1086 1088 new_argv[a++] = NULL;
1087 1089 }
1088 1090 assert(n == a);
1089 1091 return (new_argv);
1090 1092 }
1091 1093
1092 1094 /*
1093 1095 * Prepare argv array for exec'd process; if we're passing commands to the
1094 1096 * new process, then use su(1M) to do the invocation. Otherwise, use
1095 1097 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1096 1098 * login that we're coming from another zone, and to disregard its CONSOLE
1097 1099 * checks).
1098 1100 */
1099 1101 static char **
1100 1102 prep_args(brand_handle_t bh, const char *login, char **argv)
1101 1103 {
1102 1104 int argc = 0, a = 0, i, n = -1;
1103 1105 char **new_argv;
1104 1106
1105 1107 if (argv != NULL) {
1106 1108 size_t subshell_len = 1;
1107 1109 char *subshell;
1108 1110
1109 1111 while (argv[argc] != NULL)
1110 1112 argc++;
1111 1113
1112 1114 for (i = 0; i < argc; i++) {
1113 1115 subshell_len += strlen(argv[i]) + 1;
1114 1116 }
1115 1117 if ((subshell = calloc(1, subshell_len)) == NULL)
1116 1118 return (NULL);
1117 1119
1118 1120 for (i = 0; i < argc; i++) {
1119 1121 (void) strcat(subshell, argv[i]);
1120 1122 (void) strcat(subshell, " ");
1121 1123 }
1122 1124
1123 1125 if (failsafe) {
1124 1126 n = 4;
1125 1127 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1126 1128 return (NULL);
1127 1129
1128 1130 new_argv[a++] = FAILSAFESHELL;
1129 1131 } else {
1130 1132 n = 5;
1131 1133 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1132 1134 return (NULL);
1133 1135
1134 1136 new_argv[a++] = SUPATH;
1135 1137 if (strcmp(login, "root") != 0) {
1136 1138 new_argv[a++] = "-";
1137 1139 n++;
1138 1140 }
1139 1141 new_argv[a++] = (char *)login;
1140 1142 }
1141 1143 new_argv[a++] = "-c";
1142 1144 new_argv[a++] = subshell;
1143 1145 new_argv[a++] = NULL;
1144 1146 assert(a == n);
1145 1147 } else {
1146 1148 if (failsafe) {
1147 1149 n = 2;
1148 1150 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1149 1151 return (NULL);
1150 1152 new_argv[a++] = FAILSAFESHELL;
1151 1153 new_argv[a++] = NULL;
1152 1154 assert(n == a);
1153 1155 } else {
1154 1156 new_argv = zone_login_cmd(bh, login);
1155 1157 }
1156 1158 }
1157 1159
1158 1160 return (new_argv);
1159 1161 }
1160 1162
1161 1163 /*
1162 1164 * Helper routine for prep_env below.
1163 1165 */
1164 1166 static char *
1165 1167 add_env(char *name, char *value)
1166 1168 {
1167 1169 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1168 1170 char *str;
1169 1171
1170 1172 if ((str = malloc(sz)) == NULL)
1171 1173 return (NULL);
1172 1174
1173 1175 (void) snprintf(str, sz, "%s=%s", name, value);
1174 1176 return (str);
1175 1177 }
1176 1178
1177 1179 /*
1178 1180 * Prepare envp array for exec'd process.
1179 1181 */
1180 1182 static char **
1181 1183 prep_env()
1182 1184 {
1183 1185 int e = 0, size = 1;
1184 1186 char **new_env, *estr;
1185 1187 char *term = getenv("TERM");
1186 1188
1187 1189 size++; /* for $PATH */
1188 1190 if (term != NULL)
1189 1191 size++;
1190 1192
1191 1193 /*
1192 1194 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1193 1195 * We also set $SHELL, since neither login nor su will be around to do
1194 1196 * it.
1195 1197 */
1196 1198 if (failsafe)
1197 1199 size += 2;
1198 1200
1199 1201 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1200 1202 return (NULL);
1201 1203
1202 1204 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1203 1205 return (NULL);
1204 1206 new_env[e++] = estr;
1205 1207
1206 1208 if (term != NULL) {
1207 1209 if ((estr = add_env("TERM", term)) == NULL)
1208 1210 return (NULL);
1209 1211 new_env[e++] = estr;
1210 1212 }
1211 1213
1212 1214 if (failsafe) {
1213 1215 if ((estr = add_env("HOME", "/")) == NULL)
1214 1216 return (NULL);
1215 1217 new_env[e++] = estr;
1216 1218
1217 1219 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1218 1220 return (NULL);
1219 1221 new_env[e++] = estr;
1220 1222 }
1221 1223
1222 1224 new_env[e++] = NULL;
1223 1225
1224 1226 assert(e == size);
1225 1227
1226 1228 return (new_env);
1227 1229 }
1228 1230
1229 1231 /*
1230 1232 * Finish the preparation of the envp array for exec'd non-interactive
1231 1233 * zlogins. This is called in the child process *after* we zone_enter(), since
1232 1234 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1233 1235 * etc. We need only do this in the non-interactive, mode, since otherwise
1234 1236 * login(1) will do it. We don't do this in failsafe mode, since it presents
1235 1237 * additional ways in which the command could fail, and we'd prefer to avoid
1236 1238 * that.
1237 1239 */
1238 1240 static char **
1239 1241 prep_env_noninteractive(const char *user_cmd, char **env)
1240 1242 {
1241 1243 size_t size;
1242 1244 char **new_env;
1243 1245 int e, i;
1244 1246 char *estr;
1245 1247 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1246 1248 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1247 1249 struct passwd pwent;
1248 1250 struct passwd *pw = NULL;
1249 1251
1250 1252 assert(env != NULL);
1251 1253 assert(failsafe == 0);
1252 1254
1253 1255 /*
1254 1256 * Exec the "user_cmd" brand hook to get a pwent for the
1255 1257 * login user. If this fails, HOME will be set to "/", SHELL
1256 1258 * will be set to $DEFAULTSHELL, and we will continue to exec
1257 1259 * SUPATH <login> -c <cmd>.
1258 1260 */
1259 1261 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1260 1262
1261 1263 /*
1262 1264 * Get existing envp size.
1263 1265 */
1264 1266 for (size = 0; env[size] != NULL; size++)
1265 1267 ;
1266 1268
1267 1269 e = size;
1268 1270
1269 1271 /*
1270 1272 * Finish filling out the environment; we duplicate the environment
1271 1273 * setup described in login(1), for lack of a better precedent.
1272 1274 */
1273 1275 if (pw != NULL)
1274 1276 size += 3; /* LOGNAME, HOME, MAIL */
1275 1277 else
1276 1278 size += 1; /* HOME */
1277 1279
1278 1280 size++; /* always fill in SHELL */
1279 1281 size++; /* terminating NULL */
1280 1282
1281 1283 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1282 1284 goto malloc_fail;
1283 1285
1284 1286 /*
1285 1287 * Copy existing elements of env into new_env.
1286 1288 */
1287 1289 for (i = 0; env[i] != NULL; i++) {
1288 1290 if ((new_env[i] = strdup(env[i])) == NULL)
1289 1291 goto malloc_fail;
1290 1292 }
1291 1293 assert(e == i);
1292 1294
1293 1295 if (pw != NULL) {
1294 1296 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1295 1297 goto malloc_fail;
1296 1298 new_env[e++] = estr;
1297 1299
1298 1300 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1299 1301 goto malloc_fail;
1300 1302 new_env[e++] = estr;
1301 1303
1302 1304 if (chdir(pw->pw_dir) != 0)
1303 1305 zerror(gettext("Could not chdir to home directory "
1304 1306 "%s: %s"), pw->pw_dir, strerror(errno));
1305 1307
1306 1308 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1307 1309 pw->pw_name);
1308 1310 if ((estr = add_env("MAIL", varmail)) == NULL)
1309 1311 goto malloc_fail;
1310 1312 new_env[e++] = estr;
1311 1313 } else {
1312 1314 if ((estr = add_env("HOME", "/")) == NULL)
1313 1315 goto malloc_fail;
1314 1316 new_env[e++] = estr;
1315 1317 }
1316 1318
1317 1319 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1318 1320 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1319 1321 goto malloc_fail;
1320 1322 new_env[e++] = estr;
1321 1323 } else {
1322 1324 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1323 1325 goto malloc_fail;
1324 1326 new_env[e++] = estr;
1325 1327 }
1326 1328
1327 1329 new_env[e++] = NULL; /* add terminating NULL */
1328 1330
1329 1331 assert(e == size);
1330 1332 return (new_env);
1331 1333
1332 1334 malloc_fail:
1333 1335 zperror(gettext("failed to allocate memory for process environment"));
1334 1336 return (NULL);
1335 1337 }
1336 1338
1337 1339 static int
1338 1340 close_func(void *slavefd, int fd)
1339 1341 {
1340 1342 if (fd != *(int *)slavefd)
1341 1343 (void) close(fd);
1342 1344 return (0);
1343 1345 }
1344 1346
1345 1347 static void
1346 1348 set_cmdchar(char *cmdcharstr)
1347 1349 {
1348 1350 char c;
1349 1351 long lc;
1350 1352
1351 1353 if ((c = *cmdcharstr) != '\\') {
1352 1354 cmdchar = c;
1353 1355 return;
1354 1356 }
1355 1357
1356 1358 c = cmdcharstr[1];
1357 1359 if (c == '\0' || c == '\\') {
1358 1360 cmdchar = '\\';
1359 1361 return;
1360 1362 }
1361 1363
1362 1364 if (c < '0' || c > '7') {
1363 1365 zerror(gettext("Unrecognized escape character option %s"),
1364 1366 cmdcharstr);
1365 1367 usage();
1366 1368 }
1367 1369
1368 1370 lc = strtol(cmdcharstr + 1, NULL, 8);
1369 1371 if (lc < 0 || lc > 255) {
1370 1372 zerror(gettext("Octal escape character '%s' too large"),
1371 1373 cmdcharstr);
1372 1374 usage();
1373 1375 }
1374 1376 cmdchar = (char)lc;
1375 1377 }
1376 1378
1377 1379 static int
1378 1380 setup_utmpx(char *slavename)
1379 1381 {
1380 1382 struct utmpx ut;
1381 1383
1382 1384 bzero(&ut, sizeof (ut));
1383 1385 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1384 1386 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1385 1387 ut.ut_pid = getpid();
1386 1388 ut.ut_id[0] = 'z';
1387 1389 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1388 1390 ut.ut_type = LOGIN_PROCESS;
1389 1391 (void) time(&ut.ut_tv.tv_sec);
1390 1392
1391 1393 if (makeutx(&ut) == NULL) {
1392 1394 zerror(gettext("makeutx failed"));
1393 1395 return (-1);
1394 1396 }
1395 1397 return (0);
1396 1398 }
1397 1399
1398 1400 static void
1399 1401 release_lock_file(int lockfd)
1400 1402 {
1401 1403 (void) close(lockfd);
1402 1404 }
1403 1405
1404 1406 static int
1405 1407 grab_lock_file(const char *zone_name, int *lockfd)
1406 1408 {
1407 1409 char pathbuf[PATH_MAX];
1408 1410 struct flock flock;
1409 1411
1410 1412 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1411 1413 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1412 1414 strerror(errno));
1413 1415 return (-1);
1414 1416 }
1415 1417 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1416 1418 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1417 1419 ZONES_TMPDIR, zone_name);
1418 1420
1419 1421 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1420 1422 zerror(gettext("could not open %s: %s"), pathbuf,
1421 1423 strerror(errno));
1422 1424 return (-1);
1423 1425 }
1424 1426 /*
1425 1427 * Lock the file to synchronize with other zoneadmds
1426 1428 */
1427 1429 flock.l_type = F_WRLCK;
1428 1430 flock.l_whence = SEEK_SET;
1429 1431 flock.l_start = (off_t)0;
1430 1432 flock.l_len = (off_t)0;
1431 1433 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1432 1434 zerror(gettext("unable to lock %s: %s"), pathbuf,
1433 1435 strerror(errno));
1434 1436 release_lock_file(*lockfd);
1435 1437 return (-1);
1436 1438 }
1437 1439 return (Z_OK);
1438 1440 }
1439 1441
1440 1442 static int
1441 1443 start_zoneadmd(const char *zone_name)
1442 1444 {
1443 1445 pid_t retval;
1444 1446 int pstatus = 0, error = -1, lockfd, doorfd;
1445 1447 struct door_info info;
1446 1448 char doorpath[MAXPATHLEN];
1447 1449
1448 1450 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1449 1451
1450 1452 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1451 1453 return (-1);
1452 1454 /*
1453 1455 * We must do the door check with the lock held. Otherwise, we
1454 1456 * might race against another zoneadm/zlogin process and wind
1455 1457 * up with two processes trying to start zoneadmd at the same
1456 1458 * time. zoneadmd will detect this, and fail, but we prefer this
1457 1459 * to be as seamless as is practical, from a user perspective.
1458 1460 */
1459 1461 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1460 1462 if (errno != ENOENT) {
1461 1463 zerror("failed to open %s: %s", doorpath,
1462 1464 strerror(errno));
1463 1465 goto out;
1464 1466 }
1465 1467 } else {
1466 1468 /*
1467 1469 * Seems to be working ok.
1468 1470 */
1469 1471 if (door_info(doorfd, &info) == 0 &&
1470 1472 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1471 1473 error = 0;
1472 1474 goto out;
1473 1475 }
1474 1476 }
1475 1477
1476 1478 if ((child_pid = fork()) == -1) {
1477 1479 zperror(gettext("could not fork"));
1478 1480 goto out;
1479 1481 } else if (child_pid == 0) {
1480 1482 /* child process */
1481 1483 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1482 1484 zone_name, NULL);
1483 1485 zperror(gettext("could not exec zoneadmd"));
1484 1486 _exit(1);
1485 1487 }
1486 1488
1487 1489 /* parent process */
1488 1490 do {
1489 1491 retval = waitpid(child_pid, &pstatus, 0);
1490 1492 } while (retval != child_pid);
1491 1493 if (WIFSIGNALED(pstatus) ||
1492 1494 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1493 1495 zerror(gettext("could not start %s"), "zoneadmd");
1494 1496 goto out;
1495 1497 }
1496 1498 error = 0;
1497 1499 out:
1498 1500 release_lock_file(lockfd);
1499 1501 (void) close(doorfd);
1500 1502 return (error);
1501 1503 }
1502 1504
1503 1505 static int
1504 1506 init_template(void)
1505 1507 {
1506 1508 int fd;
1507 1509 int err = 0;
1508 1510
1509 1511 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1510 1512 if (fd == -1)
1511 1513 return (-1);
1512 1514
1513 1515 /*
1514 1516 * zlogin doesn't do anything with the contract.
1515 1517 * Deliver no events, don't inherit, and allow it to be orphaned.
1516 1518 */
1517 1519 err |= ct_tmpl_set_critical(fd, 0);
1518 1520 err |= ct_tmpl_set_informative(fd, 0);
1519 1521 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1520 1522 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1521 1523 if (err || ct_tmpl_activate(fd)) {
1522 1524 (void) close(fd);
1523 1525 return (-1);
1524 1526 }
1525 1527
1526 1528 return (fd);
1527 1529 }
1528 1530
1529 1531 static int
1530 1532 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1531 1533 char **new_args, char **new_env)
1532 1534 {
1533 1535 pid_t retval;
1534 1536 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1535 1537 int child_status;
1536 1538 int tmpl_fd;
1537 1539 sigset_t block_cld;
1538 1540
1539 1541 if ((tmpl_fd = init_template()) == -1) {
1540 1542 reset_tty();
1541 1543 zperror(gettext("could not create contract"));
1542 1544 return (1);
1543 1545 }
1544 1546
1545 1547 if (pipe(stdin_pipe) != 0) {
1546 1548 zperror(gettext("could not create STDIN pipe"));
1547 1549 return (1);
1548 1550 }
1549 1551 /*
1550 1552 * When the user types ^D, we get a zero length message on STDIN.
1551 1553 * We need to echo that down the pipe to send it to the other side;
1552 1554 * but by default, pipes don't propagate zero-length messages. We
1553 1555 * toggle that behavior off using I_SWROPT. See streamio(7i).
1554 1556 */
1555 1557 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1556 1558 zperror(gettext("could not configure STDIN pipe"));
1557 1559 return (1);
1558 1560
1559 1561 }
1560 1562 if (pipe(stdout_pipe) != 0) {
1561 1563 zperror(gettext("could not create STDOUT pipe"));
1562 1564 return (1);
1563 1565 }
1564 1566 if (pipe(stderr_pipe) != 0) {
1565 1567 zperror(gettext("could not create STDERR pipe"));
1566 1568 return (1);
1567 1569 }
1568 1570
1569 1571 if (pipe(dead_child_pipe) != 0) {
1570 1572 zperror(gettext("could not create signalling pipe"));
1571 1573 return (1);
1572 1574 }
1573 1575 close_on_sig = dead_child_pipe[0];
1574 1576
1575 1577 /*
1576 1578 * If any of the pipe FD's winds up being less than STDERR, then we
1577 1579 * have a mess on our hands-- and we are lacking some of the I/O
1578 1580 * streams we would expect anyway. So we bail.
1579 1581 */
1580 1582 if (stdin_pipe[0] <= STDERR_FILENO ||
1581 1583 stdin_pipe[1] <= STDERR_FILENO ||
1582 1584 stdout_pipe[0] <= STDERR_FILENO ||
1583 1585 stdout_pipe[1] <= STDERR_FILENO ||
1584 1586 stderr_pipe[0] <= STDERR_FILENO ||
1585 1587 stderr_pipe[1] <= STDERR_FILENO ||
1586 1588 dead_child_pipe[0] <= STDERR_FILENO ||
1587 1589 dead_child_pipe[1] <= STDERR_FILENO) {
1588 1590 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1589 1591 return (1);
1590 1592 }
1591 1593
1592 1594 if (prefork_dropprivs() != 0) {
1593 1595 zperror(gettext("could not allocate privilege set"));
1594 1596 return (1);
1595 1597 }
1596 1598
1597 1599 (void) sigset(SIGCLD, sigcld);
1598 1600 (void) sigemptyset(&block_cld);
1599 1601 (void) sigaddset(&block_cld, SIGCLD);
1600 1602 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1601 1603
1602 1604 if ((child_pid = fork()) == -1) {
1603 1605 (void) ct_tmpl_clear(tmpl_fd);
1604 1606 (void) close(tmpl_fd);
1605 1607 zperror(gettext("could not fork"));
1606 1608 return (1);
1607 1609 } else if (child_pid == 0) { /* child process */
1608 1610 (void) ct_tmpl_clear(tmpl_fd);
1609 1611
1610 1612 /*
1611 1613 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1612 1614 */
1613 1615 (void) close(STDIN_FILENO);
1614 1616 (void) close(STDOUT_FILENO);
1615 1617 (void) close(STDERR_FILENO);
1616 1618 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1617 1619 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1618 1620 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1619 1621 (void) closefrom(STDERR_FILENO + 1);
1620 1622
1621 1623 (void) sigset(SIGCLD, SIG_DFL);
1622 1624 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1623 1625 /*
1624 1626 * In case any of stdin, stdout or stderr are streams,
1625 1627 * anchor them to prevent malicious I_POPs.
1626 1628 */
1627 1629 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1628 1630 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1629 1631 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1630 1632
1631 1633 if (zone_enter(zoneid) == -1) {
1632 1634 zerror(gettext("could not enter zone %s: %s"),
1633 1635 zonename, strerror(errno));
1634 1636 _exit(1);
1635 1637 }
1636 1638
1637 1639 /*
1638 1640 * For non-native zones, tell libc where it can find locale
1639 1641 * specific getttext() messages.
1640 1642 */
1641 1643 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1642 1644 (void) bindtextdomain(TEXT_DOMAIN,
1643 1645 "/.SUNWnative/usr/lib/locale");
1644 1646 else if (access("/native/usr/lib/locale", R_OK) == 0)
1645 1647 (void) bindtextdomain(TEXT_DOMAIN,
1646 1648 "/native/usr/lib/locale");
1647 1649
1648 1650 if (!failsafe)
1649 1651 new_env = prep_env_noninteractive(user_cmd, new_env);
1650 1652
1651 1653 if (new_env == NULL) {
1652 1654 _exit(1);
1653 1655 }
1654 1656
1655 1657 /*
1656 1658 * Move into a new process group; the zone_enter will have
1657 1659 * placed us into zsched's session, and we want to be in
1658 1660 * a unique process group.
1659 1661 */
1660 1662 (void) setpgid(getpid(), getpid());
1661 1663
1662 1664 /*
1663 1665 * The child needs to run as root to
1664 1666 * execute the su program.
1665 1667 */
1666 1668 if (setuid(0) == -1) {
1667 1669 zperror(gettext("insufficient privilege"));
1668 1670 return (1);
1669 1671 }
1670 1672
1671 1673 (void) execve(new_args[0], new_args, new_env);
1672 1674 zperror(gettext("exec failure"));
1673 1675 _exit(1);
1674 1676 }
1675 1677 /* parent */
1676 1678
1677 1679 /* close pipe sides written by child */
1678 1680 (void) close(stdout_pipe[1]);
1679 1681 (void) close(stderr_pipe[1]);
1680 1682
1681 1683 (void) sigset(SIGINT, sig_forward);
1682 1684
1683 1685 postfork_dropprivs();
1684 1686
1685 1687 (void) ct_tmpl_clear(tmpl_fd);
1686 1688 (void) close(tmpl_fd);
1687 1689
1688 1690 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1689 1691 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1690 1692 dead_child_pipe[1], B_TRUE);
1691 1693 do {
1692 1694 retval = waitpid(child_pid, &child_status, 0);
1693 1695 if (retval == -1) {
1694 1696 child_status = 0;
1695 1697 }
1696 1698 } while (retval != child_pid && errno != ECHILD);
1697 1699
1698 1700 return (WEXITSTATUS(child_status));
1699 1701 }
1700 1702
1701 1703 static char *
1702 1704 get_username()
1703 1705 {
1704 1706 uid_t uid;
1705 1707 struct passwd *nptr;
1706 1708
1707 1709 /*
1708 1710 * Authorizations are checked to restrict access based on the
1709 1711 * requested operation and zone name, It is assumed that the
1710 1712 * program is running with all privileges, but that the real
1711 1713 * user ID is that of the user or role on whose behalf we are
1712 1714 * operating. So we start by getting the username that will be
1713 1715 * used for subsequent authorization checks.
1714 1716 */
1715 1717
1716 1718 uid = getuid();
1717 1719 if ((nptr = getpwuid(uid)) == NULL) {
1718 1720 zerror(gettext("could not get user name."));
1719 1721 _exit(1);
1720 1722 }
1721 1723 return (nptr->pw_name);
↓ open down ↓ |
1559 lines elided |
↑ open up ↑ |
1722 1724 }
1723 1725
1724 1726 int
1725 1727 main(int argc, char **argv)
1726 1728 {
1727 1729 int arg, console = 0;
1728 1730 zoneid_t zoneid;
1729 1731 zone_state_t st;
1730 1732 char *login = "root";
1731 1733 int lflag = 0;
1734 + int nflag = 0;
1732 1735 char *zonename = NULL;
1733 1736 char **proc_args = NULL;
1734 1737 char **new_args, **new_env;
1735 1738 sigset_t block_cld;
1736 1739 char devroot[MAXPATHLEN];
1737 1740 char *slavename, slaveshortname[MAXPATHLEN];
1738 1741 priv_set_t *privset;
1739 1742 int tmpl_fd;
1740 1743 char zonebrand[MAXNAMELEN];
1741 1744 char default_brand[MAXNAMELEN];
1742 1745 struct stat sb;
1743 1746 char kernzone[ZONENAME_MAX];
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
1744 1747 brand_handle_t bh;
1745 1748 char user_cmd[MAXPATHLEN];
1746 1749 char authname[MAXAUTHS];
1747 1750
1748 1751 (void) setlocale(LC_ALL, "");
1749 1752 (void) textdomain(TEXT_DOMAIN);
1750 1753
1751 1754 (void) getpname(argv[0]);
1752 1755 username = get_username();
1753 1756
1754 - while ((arg = getopt(argc, argv, "ECR:Se:l:Q")) != EOF) {
1757 + while ((arg = getopt(argc, argv, "nECR:Se:l:Q")) != EOF) {
1755 1758 switch (arg) {
1756 1759 case 'C':
1757 1760 console = 1;
1758 1761 break;
1759 1762 case 'E':
1760 1763 nocmdchar = 1;
1761 1764 break;
1762 1765 case 'R': /* undocumented */
1763 1766 if (*optarg != '/') {
1764 1767 zerror(gettext("root path must be absolute."));
1765 1768 exit(2);
1766 1769 }
1767 1770 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1768 1771 zerror(
1769 1772 gettext("root path must be a directory."));
1770 1773 exit(2);
1771 1774 }
1772 1775 zonecfg_set_root(optarg);
1773 1776 break;
1774 1777 case 'Q':
1775 1778 quiet = 1;
1776 1779 break;
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
1777 1780 case 'S':
1778 1781 failsafe = 1;
1779 1782 break;
1780 1783 case 'e':
1781 1784 set_cmdchar(optarg);
1782 1785 break;
1783 1786 case 'l':
1784 1787 login = optarg;
1785 1788 lflag = 1;
1786 1789 break;
1790 + case 'n':
1791 + nflag = 1;
1792 + break;
1787 1793 default:
1788 1794 usage();
1789 1795 }
1790 1796 }
1791 1797
1792 - if (console != 0 && lflag != 0) {
1793 - zerror(gettext("-l may not be specified for console login"));
1794 - usage();
1795 - }
1798 + if (console != 0) {
1796 1799
1797 - if (console != 0 && failsafe != 0) {
1798 - zerror(gettext("-S may not be specified for console login"));
1799 - usage();
1800 - }
1800 + if (lflag != 0) {
1801 + zerror(gettext(
1802 + "-l may not be specified for console login"));
1803 + usage();
1804 + }
1801 1805
1802 - if (console != 0 && zonecfg_in_alt_root()) {
1803 - zerror(gettext("-R may not be specified for console login"));
1804 - exit(2);
1806 + if (nflag != 0) {
1807 + zerror(gettext(
1808 + "-n may not be specified for console login"));
1809 + usage();
1810 + }
1811 +
1812 + if (failsafe != 0) {
1813 + zerror(gettext(
1814 + "-S may not be specified for console login"));
1815 + usage();
1816 + }
1817 +
1818 + if (zonecfg_in_alt_root()) {
1819 + zerror(gettext(
1820 + "-R may not be specified for console login"));
1821 + exit(2);
1822 + }
1823 +
1805 1824 }
1806 1825
1807 1826 if (failsafe != 0 && lflag != 0) {
1808 1827 zerror(gettext("-l may not be specified for failsafe login"));
1809 1828 usage();
1810 1829 }
1811 1830
1812 1831 if (optind == (argc - 1)) {
1813 1832 /*
1814 1833 * zone name, no process name; this should be an interactive
1815 1834 * as long as STDIN is really a tty.
1816 1835 */
1836 + if (nflag != 0) {
1837 + zerror(gettext(
1838 + "-n may not be specified for interactive login"));
1839 + usage();
1840 + }
1817 1841 if (isatty(STDIN_FILENO))
1818 1842 interactive = 1;
1819 1843 zonename = argv[optind];
1820 1844 } else if (optind < (argc - 1)) {
1821 1845 if (console) {
1822 1846 zerror(gettext("Commands may not be specified for "
1823 1847 "console login."));
1824 1848 usage();
1825 1849 }
1826 1850 /* zone name and process name, and possibly some args */
1827 1851 zonename = argv[optind];
1828 1852 proc_args = &argv[optind + 1];
1829 1853 interactive = 0;
1830 1854 } else {
1831 1855 usage();
1832 1856 }
1833 1857
1834 1858 if (getzoneid() != GLOBAL_ZONEID) {
1835 1859 zerror(gettext("'%s' may only be used from the global zone"),
1836 1860 pname);
1837 1861 return (1);
1838 1862 }
1839 1863
1840 1864 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1841 1865 zerror(gettext("'%s' not applicable to the global zone"),
1842 1866 pname);
1843 1867 return (1);
1844 1868 }
1845 1869
1846 1870 if (zone_get_state(zonename, &st) != Z_OK) {
1847 1871 zerror(gettext("zone '%s' unknown"), zonename);
1848 1872 return (1);
1849 1873 }
1850 1874
1851 1875 if (st < ZONE_STATE_INSTALLED) {
1852 1876 zerror(gettext("cannot login to a zone which is '%s'"),
1853 1877 zone_state_str(st));
1854 1878 return (1);
1855 1879 }
1856 1880
1857 1881 /*
1858 1882 * In both console and non-console cases, we require all privs.
1859 1883 * In the console case, because we may need to startup zoneadmd.
1860 1884 * In the non-console case in order to do zone_enter(2), zonept()
1861 1885 * and other tasks.
1862 1886 */
1863 1887
1864 1888 if ((privset = priv_allocset()) == NULL) {
1865 1889 zperror(gettext("priv_allocset failed"));
1866 1890 return (1);
1867 1891 }
1868 1892
1869 1893 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1870 1894 zperror(gettext("getppriv failed"));
1871 1895 priv_freeset(privset);
1872 1896 return (1);
1873 1897 }
1874 1898
1875 1899 if (priv_isfullset(privset) == B_FALSE) {
1876 1900 zerror(gettext("You lack sufficient privilege to run "
1877 1901 "this command (all privs required)"));
1878 1902 priv_freeset(privset);
1879 1903 return (1);
1880 1904 }
1881 1905 priv_freeset(privset);
1882 1906
1883 1907 /*
1884 1908 * Check if user is authorized for requested usage of the zone
1885 1909 */
1886 1910
1887 1911 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1888 1912 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1889 1913 if (chkauthattr(authname, username) == 0) {
1890 1914 if (console) {
1891 1915 zerror(gettext("%s is not authorized for console "
1892 1916 "access to %s zone."),
1893 1917 username, zonename);
1894 1918 return (1);
1895 1919 } else {
1896 1920 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1897 1921 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1898 1922 if (failsafe || !interactive) {
1899 1923 zerror(gettext("%s is not authorized for "
1900 1924 "failsafe or non-interactive login "
1901 1925 "to %s zone."), username, zonename);
1902 1926 return (1);
1903 1927 } else if (chkauthattr(authname, username) == 0) {
1904 1928 zerror(gettext("%s is not authorized "
1905 1929 " to login to %s zone."),
1906 1930 username, zonename);
1907 1931 return (1);
1908 1932 }
1909 1933 }
1910 1934 } else {
1911 1935 forced_login = B_TRUE;
1912 1936 }
1913 1937
1914 1938 /*
1915 1939 * The console is a separate case from the rest of the code; handle
1916 1940 * it first.
1917 1941 */
1918 1942 if (console) {
1919 1943 /*
1920 1944 * Ensure that zoneadmd for this zone is running.
1921 1945 */
1922 1946 if (start_zoneadmd(zonename) == -1)
1923 1947 return (1);
1924 1948
1925 1949 /*
1926 1950 * Make contact with zoneadmd.
1927 1951 */
1928 1952 if (get_console_master(zonename) == -1)
1929 1953 return (1);
1930 1954
1931 1955 if (!quiet)
1932 1956 (void) printf(
1933 1957 gettext("[Connected to zone '%s' console]\n"),
1934 1958 zonename);
1935 1959
1936 1960 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1937 1961 reset_tty();
1938 1962 zperror(gettext("failed to set stdin pty to raw mode"));
1939 1963 return (1);
1940 1964 }
1941 1965
1942 1966 (void) sigset(SIGWINCH, sigwinch);
1943 1967 (void) sigwinch(0);
1944 1968
1945 1969 /*
1946 1970 * Run the I/O loop until we get disconnected.
1947 1971 */
1948 1972 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1949 1973 reset_tty();
1950 1974 if (!quiet)
1951 1975 (void) printf(
1952 1976 gettext("\n[Connection to zone '%s' console "
1953 1977 "closed]\n"), zonename);
1954 1978
1955 1979 return (0);
1956 1980 }
1957 1981
1958 1982 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1959 1983 zerror(gettext("login allowed only to running zones "
1960 1984 "(%s is '%s')."), zonename, zone_state_str(st));
1961 1985 return (1);
1962 1986 }
1963 1987
1964 1988 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1965 1989 if (zonecfg_in_alt_root()) {
1966 1990 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1967 1991
1968 1992 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1969 1993 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1970 1994 zerror(gettext("cannot find scratch zone %s"),
1971 1995 zonename);
1972 1996 if (fp != NULL)
1973 1997 zonecfg_close_scratch(fp);
1974 1998 return (1);
1975 1999 }
1976 2000 zonecfg_close_scratch(fp);
1977 2001 }
1978 2002
1979 2003 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
1980 2004 zerror(gettext("failed to get zoneid for zone '%s'"),
1981 2005 zonename);
1982 2006 return (1);
1983 2007 }
1984 2008
1985 2009 /*
1986 2010 * We need the zone root path only if we are setting up a pty.
1987 2011 */
1988 2012 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
1989 2013 zerror(gettext("could not get dev path for zone %s"),
1990 2014 zonename);
1991 2015 return (1);
1992 2016 }
1993 2017
1994 2018 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
1995 2019 zerror(gettext("could not get brand for zone %s"), zonename);
1996 2020 return (1);
1997 2021 }
1998 2022 /*
1999 2023 * In the alternate root environment, the only supported
2000 2024 * operations are mount and unmount. In this case, just treat
2001 2025 * the zone as native if it is cluster. Cluster zones can be
2002 2026 * native for the purpose of LU or upgrade, and the cluster
2003 2027 * brand may not exist in the miniroot (such as in net install
2004 2028 * upgrade).
2005 2029 */
2006 2030 if (zonecfg_default_brand(default_brand,
2007 2031 sizeof (default_brand)) != Z_OK) {
2008 2032 zerror(gettext("unable to determine default brand"));
2009 2033 return (1);
2010 2034 }
2011 2035 if (zonecfg_in_alt_root() &&
2012 2036 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2013 2037 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2014 2038 }
2015 2039
2016 2040 if ((bh = brand_open(zonebrand)) == NULL) {
2017 2041 zerror(gettext("could not open brand for zone %s"), zonename);
2018 2042 return (1);
2019 2043 }
2020 2044
2021 2045 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2022 2046 zperror(gettext("could not assemble new arguments"));
2023 2047 brand_close(bh);
2024 2048 return (1);
2025 2049 }
2026 2050 /*
2027 2051 * Get the brand specific user_cmd. This command is used to get
2028 2052 * a passwd(4) entry for login.
2029 2053 */
2030 2054 if (!interactive && !failsafe) {
2031 2055 if (zone_get_user_cmd(bh, login, user_cmd,
2032 2056 sizeof (user_cmd)) == NULL) {
2033 2057 zerror(gettext("could not get user_cmd for zone %s"),
2034 2058 zonename);
2035 2059 brand_close(bh);
↓ open down ↓ |
209 lines elided |
↑ open up ↑ |
2036 2060 return (1);
2037 2061 }
2038 2062 }
2039 2063 brand_close(bh);
2040 2064
2041 2065 if ((new_env = prep_env()) == NULL) {
2042 2066 zperror(gettext("could not assemble new environment"));
2043 2067 return (1);
2044 2068 }
2045 2069
2046 - if (!interactive)
2070 + if (!interactive) {
2071 + if (nflag) {
2072 + int nfd;
2073 +
2074 + if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2075 + zperror(gettext("failed to open null device"));
2076 + return (1);
2077 + }
2078 + if (nfd != STDIN_FILENO) {
2079 + if (dup2(nfd, STDIN_FILENO) < 0) {
2080 + zperror(gettext(
2081 + "failed to dup2 null device"));
2082 + return (1);
2083 + }
2084 + (void) close(nfd);
2085 + }
2086 + /* /dev/null is now standard input */
2087 + }
2047 2088 return (noninteractive_login(zonename, user_cmd, zoneid,
2048 2089 new_args, new_env));
2090 + }
2049 2091
2050 2092 if (zonecfg_in_alt_root()) {
2051 2093 zerror(gettext("cannot use interactive login with scratch "
2052 2094 "zone"));
2053 2095 return (1);
2054 2096 }
2055 2097
2056 2098 /*
2057 2099 * Things are more complex in interactive mode; we get the
2058 2100 * master side of the pty, then place the user's terminal into
2059 2101 * raw mode.
2060 2102 */
2061 2103 if (get_master_pty() == -1) {
2062 2104 zerror(gettext("could not setup master pty device"));
2063 2105 return (1);
2064 2106 }
2065 2107
2066 2108 /*
2067 2109 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2068 2110 */
2069 2111 if ((slavename = ptsname(masterfd)) == NULL) {
2070 2112 zperror(gettext("failed to get name for pseudo-tty"));
2071 2113 return (1);
2072 2114 }
2073 2115 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2074 2116 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2075 2117 sizeof (slaveshortname));
2076 2118 else
2077 2119 (void) strlcpy(slaveshortname, slavename,
2078 2120 sizeof (slaveshortname));
2079 2121
2080 2122 if (!quiet)
2081 2123 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2082 2124 zonename, slaveshortname);
2083 2125
2084 2126 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2085 2127 reset_tty();
2086 2128 zperror(gettext("failed to set stdin pty to raw mode"));
2087 2129 return (1);
2088 2130 }
2089 2131
2090 2132 if (prefork_dropprivs() != 0) {
2091 2133 reset_tty();
2092 2134 zperror(gettext("could not allocate privilege set"));
2093 2135 return (1);
2094 2136 }
2095 2137
2096 2138 /*
2097 2139 * We must mask SIGCLD until after we have coped with the fork
2098 2140 * sufficiently to deal with it; otherwise we can race and receive the
2099 2141 * signal before child_pid has been initialized (yes, this really
2100 2142 * happens).
2101 2143 */
2102 2144 (void) sigset(SIGCLD, sigcld);
2103 2145 (void) sigemptyset(&block_cld);
2104 2146 (void) sigaddset(&block_cld, SIGCLD);
2105 2147 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2106 2148
2107 2149 /*
2108 2150 * We activate the contract template at the last minute to
2109 2151 * avoid intermediate functions that could be using fork(2)
2110 2152 * internally.
2111 2153 */
2112 2154 if ((tmpl_fd = init_template()) == -1) {
2113 2155 reset_tty();
2114 2156 zperror(gettext("could not create contract"));
2115 2157 return (1);
2116 2158 }
2117 2159
2118 2160 if ((child_pid = fork()) == -1) {
2119 2161 (void) ct_tmpl_clear(tmpl_fd);
2120 2162 reset_tty();
2121 2163 zperror(gettext("could not fork"));
2122 2164 return (1);
2123 2165 } else if (child_pid == 0) { /* child process */
2124 2166 int slavefd, newslave;
2125 2167
2126 2168 (void) ct_tmpl_clear(tmpl_fd);
2127 2169 (void) close(tmpl_fd);
2128 2170
2129 2171 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2130 2172
2131 2173 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2132 2174 return (1);
2133 2175
2134 2176 /*
2135 2177 * Close all fds except for the slave pty.
2136 2178 */
2137 2179 (void) fdwalk(close_func, &slavefd);
2138 2180
2139 2181 /*
2140 2182 * Temporarily dup slavefd to stderr; that way if we have
2141 2183 * to print out that zone_enter failed, the output will
2142 2184 * have somewhere to go.
2143 2185 */
2144 2186 if (slavefd != STDERR_FILENO)
2145 2187 (void) dup2(slavefd, STDERR_FILENO);
2146 2188
2147 2189 if (zone_enter(zoneid) == -1) {
2148 2190 zerror(gettext("could not enter zone %s: %s"),
2149 2191 zonename, strerror(errno));
2150 2192 return (1);
2151 2193 }
2152 2194
2153 2195 if (slavefd != STDERR_FILENO)
2154 2196 (void) close(STDERR_FILENO);
2155 2197
2156 2198 /*
2157 2199 * We take pains to get this process into a new process
2158 2200 * group, and subsequently a new session. In this way,
2159 2201 * we'll have a session which doesn't yet have a controlling
2160 2202 * terminal. When we open the slave, it will become the
2161 2203 * controlling terminal; no PIDs concerning pgrps or sids
2162 2204 * will leak inappropriately into the zone.
2163 2205 */
2164 2206 (void) setpgrp();
2165 2207
2166 2208 /*
2167 2209 * We need the slave pty to be referenced from the zone's
2168 2210 * /dev in order to ensure that the devt's, etc are all
2169 2211 * correct. Otherwise we break ttyname and the like.
2170 2212 */
2171 2213 if ((newslave = open(slavename, O_RDWR)) == -1) {
2172 2214 (void) close(slavefd);
2173 2215 return (1);
2174 2216 }
2175 2217 (void) close(slavefd);
2176 2218 slavefd = newslave;
2177 2219
2178 2220 /*
2179 2221 * dup the slave to the various FDs, so that when the
2180 2222 * spawned process does a write/read it maps to the slave
2181 2223 * pty.
2182 2224 */
2183 2225 (void) dup2(slavefd, STDIN_FILENO);
2184 2226 (void) dup2(slavefd, STDOUT_FILENO);
2185 2227 (void) dup2(slavefd, STDERR_FILENO);
2186 2228 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2187 2229 slavefd != STDERR_FILENO) {
2188 2230 (void) close(slavefd);
2189 2231 }
2190 2232
2191 2233 /*
2192 2234 * In failsafe mode, we don't use login(1), so don't try
2193 2235 * setting up a utmpx entry.
2194 2236 */
2195 2237 if (!failsafe)
2196 2238 if (setup_utmpx(slaveshortname) == -1)
2197 2239 return (1);
2198 2240
2199 2241 /*
2200 2242 * The child needs to run as root to
2201 2243 * execute the brand's login program.
2202 2244 */
2203 2245 if (setuid(0) == -1) {
2204 2246 zperror(gettext("insufficient privilege"));
2205 2247 return (1);
2206 2248 }
2207 2249
2208 2250 (void) execve(new_args[0], new_args, new_env);
2209 2251 zperror(gettext("exec failure"));
2210 2252 return (1);
2211 2253 }
2212 2254
2213 2255 (void) ct_tmpl_clear(tmpl_fd);
2214 2256 (void) close(tmpl_fd);
2215 2257
2216 2258 /*
2217 2259 * The rest is only for the parent process.
2218 2260 */
2219 2261 (void) sigset(SIGWINCH, sigwinch);
2220 2262
2221 2263 postfork_dropprivs();
2222 2264
2223 2265 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2224 2266 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2225 2267
2226 2268 reset_tty();
2227 2269 if (!quiet)
2228 2270 (void) fprintf(stderr,
2229 2271 gettext("\n[Connection to zone '%s' %s closed]\n"),
2230 2272 zonename, slaveshortname);
2231 2273
2232 2274 if (pollerr != 0) {
2233 2275 (void) fprintf(stderr, gettext("Error: connection closed due "
2234 2276 "to unexpected pollevents=0x%x.\n"), pollerr);
2235 2277 return (1);
2236 2278 }
2237 2279
2238 2280 return (0);
2239 2281 }
↓ open down ↓ |
181 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX