Print this page
4823 don't open-code NSEC2MSEC and MSEC2NSEC
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/cmd/zlogin/zlogin.c
+++ new/usr/src/cmd/zlogin/zlogin.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2013 DEY Storage Systems, Inc.
24 24 * Copyright (c) 2014 Gary Mills
25 25 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
26 26 */
27 27
28 28 /*
29 29 * zlogin provides three types of login which allow users in the global
30 30 * zone to access non-global zones.
31 31 *
32 32 * - "interactive login" is similar to rlogin(1); for example, the user could
33 33 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
34 34 * granted a new pty (which is then shoved into the zone), and an I/O
35 35 * loop between parent and child processes takes care of the interactive
36 36 * session. In this mode, login(1) (and its -c option, which means
37 37 * "already authenticated") is employed to take care of the initialization
38 38 * of the user's session.
39 39 *
40 40 * - "non-interactive login" is similar to su(1M); the user could issue
41 41 * 'zlogin my-zone ls -l' and the command would be run as specified.
42 42 * In this mode, zlogin sets up pipes as the communication channel, and
43 43 * 'su' is used to do the login setup work.
44 44 *
45 45 * - "console login" is the equivalent to accessing the tip line for a
46 46 * zone. For example, the user can issue 'zlogin -C my-zone'.
47 47 * In this mode, zlogin contacts the zoneadmd process via unix domain
48 48 * socket. If zoneadmd is not running, it starts it. This allows the
49 49 * console to be available anytime the zone is installed, regardless of
50 50 * whether it is running.
51 51 */
52 52
53 53 #include <sys/socket.h>
54 54 #include <sys/termios.h>
55 55 #include <sys/utsname.h>
56 56 #include <sys/stat.h>
57 57 #include <sys/types.h>
58 58 #include <sys/contract/process.h>
59 59 #include <sys/ctfs.h>
60 60 #include <sys/brand.h>
61 61 #include <sys/wait.h>
62 62 #include <alloca.h>
63 63 #include <assert.h>
64 64 #include <ctype.h>
65 65 #include <paths.h>
66 66 #include <door.h>
67 67 #include <errno.h>
68 68 #include <nss_dbdefs.h>
69 69 #include <poll.h>
70 70 #include <priv.h>
71 71 #include <pwd.h>
72 72 #include <unistd.h>
73 73 #include <utmpx.h>
74 74 #include <sac.h>
75 75 #include <signal.h>
76 76 #include <stdarg.h>
77 77 #include <stdio.h>
78 78 #include <stdlib.h>
79 79 #include <string.h>
80 80 #include <strings.h>
81 81 #include <stropts.h>
82 82 #include <wait.h>
83 83 #include <zone.h>
84 84 #include <fcntl.h>
85 85 #include <libdevinfo.h>
86 86 #include <libintl.h>
87 87 #include <locale.h>
88 88 #include <libzonecfg.h>
89 89 #include <libcontract.h>
90 90 #include <libbrand.h>
91 91 #include <auth_list.h>
92 92 #include <auth_attr.h>
93 93 #include <secdb.h>
94 94
95 95 static int masterfd;
96 96 static struct termios save_termios;
97 97 static struct termios effective_termios;
98 98 static int save_fd;
99 99 static struct winsize winsize;
100 100 static volatile int dead;
101 101 static volatile pid_t child_pid = -1;
102 102 static int interactive = 0;
103 103 static priv_set_t *dropprivs;
104 104
105 105 static int nocmdchar = 0;
106 106 static int failsafe = 0;
107 107 static char cmdchar = '~';
108 108 static int quiet = 0;
109 109
110 110 static int pollerr = 0;
111 111
112 112 static const char *pname;
113 113 static char *username;
114 114
115 115 /*
116 116 * When forced_login is true, the user is not prompted
117 117 * for an authentication password in the target zone.
118 118 */
119 119 static boolean_t forced_login = B_FALSE;
120 120
121 121 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
122 122 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
123 123 #endif
124 124
125 125 #define SUPATH "/usr/bin/su"
126 126 #define FAILSAFESHELL "/sbin/sh"
127 127 #define DEFAULTSHELL "/sbin/sh"
128 128 #define DEF_PATH "/usr/sbin:/usr/bin"
129 129
130 130 #define CLUSTER_BRAND_NAME "cluster"
131 131
132 132 /*
133 133 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
134 134 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
135 135 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
136 136 * also chosen in conjunction with the HI_WATER setting to make sure we
137 137 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
138 138 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
139 139 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
140 140 * is less than HI_WATER data already in the pipe.
141 141 */
142 142 #define ZLOGIN_BUFSIZ 8192
143 143 #define ZLOGIN_RDBUFSIZ 1024
144 144 #define HI_WATER 8192
145 145
146 146 /*
147 147 * See canonify() below. CANONIFY_LEN is the maximum length that a
148 148 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
149 149 */
150 150 #define CANONIFY_LEN 5
151 151
152 152 static void
153 153 usage(void)
154 154 {
155 155 (void) fprintf(stderr, gettext("usage: %s [ -nQCES ] [ -e cmdchar ] "
156 156 "[-l user] zonename [command [args ...] ]\n"), pname);
157 157 exit(2);
158 158 }
159 159
160 160 static const char *
161 161 getpname(const char *arg0)
162 162 {
163 163 const char *p = strrchr(arg0, '/');
164 164
165 165 if (p == NULL)
166 166 p = arg0;
167 167 else
168 168 p++;
169 169
170 170 pname = p;
171 171 return (p);
172 172 }
173 173
174 174 static void
175 175 zerror(const char *fmt, ...)
176 176 {
177 177 va_list alist;
178 178
179 179 (void) fprintf(stderr, "%s: ", pname);
180 180 va_start(alist, fmt);
181 181 (void) vfprintf(stderr, fmt, alist);
182 182 va_end(alist);
183 183 (void) fprintf(stderr, "\n");
184 184 }
185 185
186 186 static void
187 187 zperror(const char *str)
188 188 {
189 189 const char *estr;
190 190
191 191 if ((estr = strerror(errno)) != NULL)
192 192 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
193 193 else
194 194 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
195 195 }
196 196
197 197 /*
198 198 * The first part of our privilege dropping scheme needs to be called before
199 199 * fork(), since we must have it for security; we don't want to be surprised
200 200 * later that we couldn't allocate the privset.
201 201 */
202 202 static int
203 203 prefork_dropprivs()
204 204 {
205 205 if ((dropprivs = priv_allocset()) == NULL)
206 206 return (1);
207 207
208 208 priv_basicset(dropprivs);
209 209 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
210 210 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
211 211 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
212 212 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
213 213
214 214 /*
215 215 * We need to keep the basic privilege PROC_SESSION and all unknown
216 216 * basic privileges as well as the privileges PROC_ZONE and
217 217 * PROC_OWNER in order to query session information and
218 218 * send signals.
219 219 */
220 220 if (interactive == 0) {
221 221 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
222 222 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
223 223 } else {
224 224 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
225 225 }
226 226
227 227 return (0);
228 228 }
229 229
230 230 /*
231 231 * The second part of the privilege drop. We are paranoid about being attacked
232 232 * by the zone, so we drop all privileges. This should prevent a compromise
233 233 * which gets us to fork(), exec(), symlink(), etc.
234 234 */
235 235 static void
236 236 postfork_dropprivs()
237 237 {
238 238 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
239 239 zperror(gettext("Warning: could not set permitted privileges"));
240 240 }
241 241 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
242 242 zperror(gettext("Warning: could not set limit privileges"));
243 243 }
244 244 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
245 245 zperror(gettext("Warning: could not set inheritable "
246 246 "privileges"));
247 247 }
248 248 }
249 249
250 250 /*
251 251 * Create the unix domain socket and call the zoneadmd server; handshake
252 252 * with it to determine whether it will allow us to connect.
253 253 */
254 254 static int
255 255 get_console_master(const char *zname)
256 256 {
257 257 int sockfd = -1;
258 258 struct sockaddr_un servaddr;
259 259 char clientid[MAXPATHLEN];
260 260 char handshake[MAXPATHLEN], c;
261 261 int msglen;
262 262 int i = 0, err = 0;
263 263
264 264 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
265 265 zperror(gettext("could not create socket"));
266 266 return (-1);
267 267 }
268 268
269 269 bzero(&servaddr, sizeof (servaddr));
270 270 servaddr.sun_family = AF_UNIX;
271 271 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
272 272 "%s/%s.console_sock", ZONES_TMPDIR, zname);
273 273
274 274 if (connect(sockfd, (struct sockaddr *)&servaddr,
275 275 sizeof (servaddr)) == -1) {
276 276 zperror(gettext("Could not connect to zone console"));
277 277 goto bad;
278 278 }
279 279 masterfd = sockfd;
280 280
281 281 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
282 282 getpid(), setlocale(LC_MESSAGES, NULL));
283 283
284 284 if (msglen >= sizeof (clientid) || msglen < 0) {
285 285 zerror("protocol error");
286 286 goto bad;
287 287 }
288 288
289 289 if (write(masterfd, clientid, msglen) != msglen) {
290 290 zerror("protocol error");
291 291 goto bad;
292 292 }
293 293
294 294 bzero(handshake, sizeof (handshake));
295 295
296 296 /*
297 297 * Take care not to accumulate more than our fill, and leave room for
298 298 * the NUL at the end.
299 299 */
300 300 while ((err = read(masterfd, &c, 1)) == 1) {
301 301 if (i >= (sizeof (handshake) - 1))
302 302 break;
303 303 if (c == '\n')
304 304 break;
305 305 handshake[i] = c;
306 306 i++;
307 307 }
308 308
309 309 /*
310 310 * If something went wrong during the handshake we bail; perhaps
311 311 * the server died off.
312 312 */
313 313 if (err == -1) {
314 314 zperror(gettext("Could not connect to zone console"));
315 315 goto bad;
316 316 }
317 317
318 318 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
319 319 return (0);
320 320
321 321 zerror(gettext("Console is already in use by process ID %s."),
322 322 handshake);
323 323 bad:
324 324 (void) close(sockfd);
325 325 masterfd = -1;
326 326 return (-1);
327 327 }
328 328
329 329
330 330 /*
331 331 * Routines to handle pty creation upon zone entry and to shuttle I/O back
332 332 * and forth between the two terminals. We also compute and store the
333 333 * name of the slave terminal associated with the master side.
334 334 */
335 335 static int
336 336 get_master_pty()
337 337 {
338 338 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
339 339 zperror(gettext("failed to obtain a pseudo-tty"));
340 340 return (-1);
341 341 }
342 342 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
343 343 zperror(gettext("failed to get terminal settings from stdin"));
344 344 return (-1);
345 345 }
346 346 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
347 347
348 348 return (0);
349 349 }
350 350
351 351 /*
352 352 * This is a bit tricky; normally a pts device will belong to the zone it
353 353 * is granted to. But in the case of "entering" a zone, we need to establish
354 354 * the pty before entering the zone so that we can vector I/O to and from it
355 355 * from the global zone.
356 356 *
357 357 * We use the zonept() call to let the ptm driver know what we are up to;
358 358 * the only other hairy bit is the setting of zoneslavename (which happens
359 359 * above, in get_master_pty()).
360 360 */
361 361 static int
362 362 init_slave_pty(zoneid_t zoneid, char *devroot)
363 363 {
364 364 int slavefd = -1;
365 365 char *slavename, zoneslavename[MAXPATHLEN];
366 366
367 367 /*
368 368 * Set slave permissions, zone the pts, then unlock it.
369 369 */
370 370 if (grantpt(masterfd) != 0) {
371 371 zperror(gettext("grantpt failed"));
372 372 return (-1);
373 373 }
374 374
375 375 if (unlockpt(masterfd) != 0) {
376 376 zperror(gettext("unlockpt failed"));
377 377 return (-1);
378 378 }
379 379
380 380 /*
381 381 * We must open the slave side before zoning this pty; otherwise
382 382 * the kernel would refuse us the open-- zoning a pty makes it
383 383 * inaccessible to the global zone. Note we are trying to open
384 384 * the device node via the $ZONEROOT/dev path for this pty.
385 385 *
386 386 * Later we'll close the slave out when once we've opened it again
387 387 * from within the target zone. Blarg.
388 388 */
389 389 if ((slavename = ptsname(masterfd)) == NULL) {
390 390 zperror(gettext("failed to get name for pseudo-tty"));
391 391 return (-1);
392 392 }
393 393
394 394 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
395 395 devroot, slavename);
396 396
397 397 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
398 398 zerror(gettext("failed to open %s: %s"), zoneslavename,
399 399 strerror(errno));
400 400 return (-1);
401 401 }
402 402
403 403 /*
404 404 * Push hardware emulation (ptem), line discipline (ldterm),
405 405 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
406 406 */
407 407 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
408 408 zperror(gettext("failed to push ptem module"));
409 409 if (!failsafe)
410 410 goto bad;
411 411 }
412 412
413 413 /*
414 414 * Anchor the stream to prevent malicious I_POPs; we prefer to do
415 415 * this prior to entering the zone so that we can detect any errors
416 416 * early, and so that we can set the anchor from the global zone.
417 417 */
418 418 if (ioctl(slavefd, I_ANCHOR) == -1) {
419 419 zperror(gettext("failed to set stream anchor"));
420 420 if (!failsafe)
421 421 goto bad;
422 422 }
423 423
424 424 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
425 425 zperror(gettext("failed to push ldterm module"));
426 426 if (!failsafe)
427 427 goto bad;
428 428 }
429 429 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
430 430 zperror(gettext("failed to push ttcompat module"));
431 431 if (!failsafe)
432 432 goto bad;
433 433 }
434 434
435 435 /*
436 436 * Propagate terminal settings from the external term to the new one.
437 437 */
438 438 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
439 439 zperror(gettext("failed to set terminal settings"));
440 440 if (!failsafe)
441 441 goto bad;
442 442 }
443 443 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
444 444
445 445 if (zonept(masterfd, zoneid) != 0) {
446 446 zperror(gettext("could not set zoneid of pty"));
447 447 goto bad;
448 448 }
449 449
450 450 return (slavefd);
451 451
452 452 bad:
453 453 (void) close(slavefd);
454 454 return (-1);
455 455 }
456 456
457 457 /*
458 458 * Place terminal into raw mode.
459 459 */
460 460 static int
461 461 set_tty_rawmode(int fd)
462 462 {
463 463 struct termios term;
464 464 if (tcgetattr(fd, &term) < 0) {
465 465 zperror(gettext("failed to get user terminal settings"));
466 466 return (-1);
467 467 }
468 468
469 469 /* Stash for later, so we can revert back to previous mode */
470 470 save_termios = term;
471 471 save_fd = fd;
472 472
473 473 /* disable 8->7 bit strip, start/stop, enable any char to restart */
474 474 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
475 475 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
476 476 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
477 477 /* disable output post-processing */
478 478 term.c_oflag &= ~OPOST;
479 479 /* disable canonical mode, signal chars, echo & extended functions */
480 480 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
481 481
482 482 term.c_cc[VMIN] = 1; /* byte-at-a-time */
483 483 term.c_cc[VTIME] = 0;
484 484
485 485 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
486 486 zperror(gettext("failed to set user terminal to raw mode"));
487 487 return (-1);
488 488 }
489 489
490 490 /*
491 491 * We need to know the value of VEOF so that we can properly process for
492 492 * client-side ~<EOF>. But we have obliterated VEOF in term,
493 493 * because VMIN overloads the same array slot in non-canonical mode.
494 494 * Stupid @&^%!
495 495 *
496 496 * So here we construct the "effective" termios from the current
497 497 * terminal settings, and the corrected VEOF and VEOL settings.
498 498 */
499 499 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
500 500 zperror(gettext("failed to get user terminal settings"));
501 501 return (-1);
502 502 }
503 503 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
504 504 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
505 505
506 506 return (0);
507 507 }
508 508
509 509 /*
510 510 * Copy terminal window size from our terminal to the pts.
511 511 */
512 512 /*ARGSUSED*/
513 513 static void
514 514 sigwinch(int s)
515 515 {
516 516 struct winsize ws;
517 517
518 518 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
519 519 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
520 520 }
521 521
522 522 static volatile int close_on_sig = -1;
523 523
524 524 static void
525 525 /*ARGSUSED*/
526 526 sigcld(int s)
527 527 {
528 528 int status;
529 529 pid_t pid;
530 530
531 531 /*
532 532 * Peek at the exit status. If this isn't the process we cared
533 533 * about, then just reap it.
534 534 */
535 535 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
536 536 if (pid == child_pid &&
537 537 (WIFEXITED(status) || WIFSIGNALED(status))) {
538 538 dead = 1;
539 539 if (close_on_sig != -1) {
540 540 (void) write(close_on_sig, "a", 1);
541 541 (void) close(close_on_sig);
542 542 close_on_sig = -1;
543 543 }
544 544 } else {
545 545 (void) waitpid(pid, &status, WNOHANG);
546 546 }
547 547 }
548 548 }
549 549
550 550 /*
551 551 * Some signals (currently, SIGINT) must be forwarded on to the process
552 552 * group of the child process.
553 553 */
554 554 static void
555 555 sig_forward(int s)
556 556 {
557 557 if (child_pid != -1) {
558 558 (void) sigsend(P_PGID, child_pid, s);
559 559 }
560 560 }
561 561
562 562 /*
563 563 * reset terminal settings for global environment
564 564 */
565 565 static void
566 566 reset_tty()
567 567 {
568 568 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
569 569 }
570 570
571 571 /*
572 572 * Convert character to printable representation, for display with locally
573 573 * echoed command characters (like when we need to display ~^D)
574 574 */
575 575 static void
576 576 canonify(char c, char *cc)
577 577 {
578 578 if (isprint(c)) {
579 579 cc[0] = c;
580 580 cc[1] = '\0';
581 581 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
582 582 cc[0] = '^';
583 583 cc[1] = c + '@';
584 584 cc[2] = '\0';
585 585 } else {
586 586 cc[0] = '\\';
587 587 cc[1] = ((c >> 6) & 7) + '0';
588 588 cc[2] = ((c >> 3) & 7) + '0';
589 589 cc[3] = (c & 7) + '0';
590 590 cc[4] = '\0';
591 591 }
592 592 }
593 593
594 594 /*
595 595 * process_user_input watches the input stream for the escape sequence for
596 596 * 'quit' (by default, tilde-period). Because we might be fed just one
597 597 * keystroke at a time, state associated with the user input (are we at the
598 598 * beginning of the line? are we locally echoing the next character?) is
599 599 * maintained by beginning_of_line and local_echo across calls to the routine.
600 600 * If the write to outfd fails, we'll try to read from infd in an attempt
601 601 * to prevent deadlock between the two processes.
602 602 *
603 603 * This routine returns -1 when the 'quit' escape sequence has been issued,
604 604 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
605 605 */
606 606 static int
607 607 process_user_input(int outfd, int infd)
608 608 {
609 609 static boolean_t beginning_of_line = B_TRUE;
610 610 static boolean_t local_echo = B_FALSE;
611 611 char ibuf[ZLOGIN_BUFSIZ];
612 612 int nbytes;
613 613 char *buf = ibuf;
614 614 char c = *buf;
615 615
616 616 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
617 617 if (nbytes == -1 && (errno != EINTR || dead))
618 618 return (-1);
619 619
620 620 if (nbytes == -1) /* The read was interrupted. */
621 621 return (0);
622 622
623 623 /* 0 read means EOF, close the pipe to the child */
624 624 if (nbytes == 0)
625 625 return (1);
626 626
627 627 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
628 628 buf++;
629 629 if (beginning_of_line && !nocmdchar) {
630 630 beginning_of_line = B_FALSE;
631 631 if (c == cmdchar) {
632 632 local_echo = B_TRUE;
633 633 continue;
634 634 }
635 635 } else if (local_echo) {
636 636 local_echo = B_FALSE;
637 637 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
638 638 char cc[CANONIFY_LEN];
639 639
640 640 canonify(c, cc);
641 641 (void) write(STDOUT_FILENO, &cmdchar, 1);
642 642 (void) write(STDOUT_FILENO, cc, strlen(cc));
643 643 return (-1);
644 644 }
645 645 }
646 646 retry:
647 647 if (write(outfd, &c, 1) <= 0) {
648 648 /*
649 649 * Since the fd we are writing to is opened with
650 650 * O_NONBLOCK it is possible to get EAGAIN if the
651 651 * pipe is full. One way this could happen is if we
652 652 * are writing a lot of data into the pipe in this loop
653 653 * and the application on the other end is echoing that
654 654 * data back out to its stdout. The output pipe can
655 655 * fill up since we are stuck here in this loop and not
656 656 * draining the other pipe. We can try to read some of
657 657 * the data to see if we can drain the pipe so that the
658 658 * application can continue to make progress. The read
659 659 * is non-blocking so we won't hang here. We also wait
660 660 * a bit before retrying since there could be other
661 661 * reasons why the pipe is full and we don't want to
662 662 * continuously retry.
663 663 */
↓ open down ↓ |
663 lines elided |
↑ open up ↑ |
664 664 if (errno == EAGAIN) {
665 665 struct timespec rqtp;
666 666 int ln;
667 667 char obuf[ZLOGIN_BUFSIZ];
668 668
669 669 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
670 670 (void) write(STDOUT_FILENO, obuf, ln);
671 671
672 672 /* sleep for 10 milliseconds */
673 673 rqtp.tv_sec = 0;
674 - rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
674 + rqtp.tv_nsec = MSEC2NSEC(10);
675 675 (void) nanosleep(&rqtp, NULL);
676 676 if (!dead)
677 677 goto retry;
678 678 }
679 679
680 680 return (-1);
681 681 }
682 682 beginning_of_line = (c == '\r' || c == '\n' ||
683 683 c == effective_termios.c_cc[VKILL] ||
684 684 c == effective_termios.c_cc[VEOL] ||
685 685 c == effective_termios.c_cc[VSUSP] ||
686 686 c == effective_termios.c_cc[VINTR]);
687 687 }
688 688 return (0);
689 689 }
690 690
691 691 /*
692 692 * This function prevents deadlock between zlogin and the application in the
693 693 * zone that it is talking to. This can happen when we read from zlogin's
694 694 * stdin and write the data down the pipe to the application. If the pipe
695 695 * is full, we'll block in the write. Because zlogin could be blocked in
696 696 * the write, it would never read the application's stdout/stderr so the
697 697 * application can then block on those writes (when the pipe fills up). If the
698 698 * the application gets blocked this way, it can never get around to reading
699 699 * its stdin so that zlogin can unblock from its write. Once in this state,
700 700 * the two processes are deadlocked.
701 701 *
702 702 * To prevent this, we want to verify that we can write into the pipe before we
703 703 * read from our stdin. If the pipe already is pretty full, we bypass the read
704 704 * for now. We'll circle back here again after the poll() so that we can
705 705 * try again. When this function is called, we already know there is data
706 706 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
707 707 * stdin is EOF, and 0 if everything is ok (even though we might not have
708 708 * read/written any data into the pipe on this iteration).
709 709 */
710 710 static int
711 711 process_raw_input(int stdin_fd, int appin_fd)
712 712 {
713 713 int cc;
714 714 struct stat64 sb;
715 715 char ibuf[ZLOGIN_RDBUFSIZ];
716 716
717 717 /* Check how much data is already in the pipe */
718 718 if (fstat64(appin_fd, &sb) == -1) {
719 719 perror("stat failed");
720 720 return (-1);
721 721 }
722 722
723 723 if (dead)
724 724 return (-1);
725 725
726 726 /*
727 727 * The pipe already has a lot of data in it, don't write any more
728 728 * right now.
729 729 */
730 730 if (sb.st_size >= HI_WATER)
731 731 return (0);
732 732
733 733 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
734 734 if (cc == -1 && (errno != EINTR || dead))
735 735 return (-1);
736 736
737 737 if (cc == -1) /* The read was interrupted. */
738 738 return (0);
739 739
740 740 /* 0 read means EOF, close the pipe to the child */
741 741 if (cc == 0)
742 742 return (1);
743 743
744 744 /*
745 745 * stdin_fd is stdin of the target; so, the thing we'll write the user
746 746 * data *to*.
747 747 */
748 748 if (write(stdin_fd, ibuf, cc) == -1)
749 749 return (-1);
750 750
751 751 return (0);
752 752 }
753 753
754 754 /*
755 755 * Write the output from the application running in the zone. We can get
756 756 * a signal during the write (usually it would be SIGCHLD when the application
757 757 * has exited) so we loop to make sure we have written all of the data we read.
758 758 */
759 759 static int
760 760 process_output(int in_fd, int out_fd)
761 761 {
762 762 int wrote = 0;
763 763 int cc;
764 764 char ibuf[ZLOGIN_BUFSIZ];
765 765
766 766 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
767 767 if (cc == -1 && (errno != EINTR || dead))
768 768 return (-1);
769 769 if (cc == 0) /* EOF */
770 770 return (-1);
771 771 if (cc == -1) /* The read was interrupted. */
772 772 return (0);
773 773
774 774 do {
775 775 int len;
776 776
777 777 len = write(out_fd, ibuf + wrote, cc - wrote);
778 778 if (len == -1 && errno != EINTR)
779 779 return (-1);
780 780 if (len != -1)
781 781 wrote += len;
782 782 } while (wrote < cc);
783 783
784 784 return (0);
785 785 }
786 786
787 787 /*
788 788 * This is the main I/O loop, and is shared across all zlogin modes.
789 789 * Parameters:
790 790 * stdin_fd: The fd representing 'stdin' for the slave side; input to
791 791 * the zone will be written here.
792 792 *
793 793 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
794 794 * we're running non-interactive); used in process_raw_input
795 795 * to ensure we don't fill up the application's stdin pipe.
796 796 *
797 797 * stdout_fd: The fd representing 'stdout' for the slave side; output
798 798 * from the zone will arrive here.
799 799 *
800 800 * stderr_fd: The fd representing 'stderr' for the slave side; output
801 801 * from the zone will arrive here.
802 802 *
803 803 * raw_mode: If TRUE, then no processing (for example, for '~.') will
804 804 * be performed on the input coming from STDIN.
805 805 *
806 806 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
807 807 * mode supplies a stderr).
808 808 *
809 809 */
810 810 static void
811 811 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
812 812 boolean_t raw_mode)
813 813 {
814 814 struct pollfd pollfds[4];
815 815 char ibuf[ZLOGIN_BUFSIZ];
816 816 int cc, ret;
817 817
818 818 /* read from stdout of zone and write to stdout of global zone */
819 819 pollfds[0].fd = stdout_fd;
820 820 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
821 821
822 822 /* read from stderr of zone and write to stderr of global zone */
823 823 pollfds[1].fd = stderr_fd;
824 824 pollfds[1].events = pollfds[0].events;
825 825
826 826 /* read from stdin of global zone and write to stdin of zone */
827 827 pollfds[2].fd = STDIN_FILENO;
828 828 pollfds[2].events = pollfds[0].events;
829 829
830 830 /* read from signalling pipe so we know when child dies */
831 831 pollfds[3].fd = sig_fd;
832 832 pollfds[3].events = pollfds[0].events;
833 833
834 834 for (;;) {
835 835 pollfds[0].revents = pollfds[1].revents =
836 836 pollfds[2].revents = pollfds[3].revents = 0;
837 837
838 838 if (dead)
839 839 break;
840 840
841 841 /*
842 842 * There is a race condition here where we can receive the
843 843 * child death signal, set the dead flag, but since we have
844 844 * passed the test above, we would go into poll and hang.
845 845 * To avoid this we use the sig_fd as an additional poll fd.
846 846 * The signal handler writes into the other end of this pipe
847 847 * when the child dies so that the poll will always see that
848 848 * input and proceed. We just loop around at that point and
849 849 * then notice the dead flag.
850 850 */
851 851
852 852 ret = poll(pollfds,
853 853 sizeof (pollfds) / sizeof (struct pollfd), -1);
854 854
855 855 if (ret == -1 && errno != EINTR) {
856 856 perror("poll failed");
857 857 break;
858 858 }
859 859
860 860 if (errno == EINTR && dead) {
861 861 break;
862 862 }
863 863
864 864 /* event from master side stdout */
865 865 if (pollfds[0].revents) {
866 866 if (pollfds[0].revents &
867 867 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
868 868 if (process_output(stdout_fd, STDOUT_FILENO)
869 869 != 0)
870 870 break;
871 871 } else {
872 872 pollerr = pollfds[0].revents;
873 873 break;
874 874 }
875 875 }
876 876
877 877 /* event from master side stderr */
878 878 if (pollfds[1].revents) {
879 879 if (pollfds[1].revents &
880 880 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
881 881 if (process_output(stderr_fd, STDERR_FILENO)
882 882 != 0)
883 883 break;
884 884 } else {
885 885 pollerr = pollfds[1].revents;
886 886 break;
887 887 }
888 888 }
889 889
890 890 /* event from user STDIN side */
891 891 if (pollfds[2].revents) {
892 892 if (pollfds[2].revents &
893 893 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
894 894 /*
895 895 * stdin fd is stdin of the target; so,
896 896 * the thing we'll write the user data *to*.
897 897 *
898 898 * Also, unlike on the output side, we
899 899 * close the pipe on a zero-length message.
900 900 */
901 901 int res;
902 902
903 903 if (raw_mode)
904 904 res = process_raw_input(stdin_fd,
905 905 appin_fd);
906 906 else
907 907 res = process_user_input(stdin_fd,
908 908 stdout_fd);
909 909
910 910 if (res < 0)
911 911 break;
912 912 if (res > 0) {
913 913 /* EOF (close) child's stdin_fd */
914 914 pollfds[2].fd = -1;
915 915 while ((res = close(stdin_fd)) != 0 &&
916 916 errno == EINTR)
917 917 ;
918 918 if (res != 0)
919 919 break;
920 920 }
921 921
922 922 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
923 923 /*
924 924 * It's OK to get a POLLHUP on STDIN-- it
925 925 * always happens if you do:
926 926 *
927 927 * echo foo | zlogin <zone> <command>
928 928 *
929 929 * We reset fd to -1 in this case to clear
930 930 * the condition and close the pipe (EOF) to
931 931 * the other side in order to wrap things up.
932 932 */
933 933 int res;
934 934
935 935 pollfds[2].fd = -1;
936 936 while ((res = close(stdin_fd)) != 0 &&
937 937 errno == EINTR)
938 938 ;
939 939 if (res != 0)
940 940 break;
941 941 } else {
942 942 pollerr = pollfds[2].revents;
943 943 break;
944 944 }
945 945 }
946 946 }
947 947
948 948 /*
949 949 * We are in the midst of dying, but try to poll with a short
950 950 * timeout to see if we can catch the last bit of I/O from the
951 951 * children.
952 952 */
953 953 retry:
954 954 pollfds[0].revents = pollfds[1].revents = 0;
955 955 (void) poll(pollfds, 2, 100);
956 956 if (pollfds[0].revents &
957 957 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
958 958 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
959 959 (void) write(STDOUT_FILENO, ibuf, cc);
960 960 goto retry;
961 961 }
962 962 }
963 963 if (pollfds[1].revents &
964 964 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
965 965 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
966 966 (void) write(STDERR_FILENO, ibuf, cc);
967 967 goto retry;
968 968 }
969 969 }
970 970 }
971 971
972 972 /*
973 973 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
974 974 */
975 975 static const char *
976 976 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
977 977 size_t len)
978 978 {
979 979 bzero(user_cmd, sizeof (user_cmd));
980 980 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
981 981 return (NULL);
982 982
983 983 return (user_cmd);
984 984 }
985 985
986 986 /* From libc */
987 987 extern int str2passwd(const char *, int, void *, char *, int);
988 988
989 989 /*
990 990 * exec() the user_cmd brand hook, and convert the output string to a
991 991 * struct passwd. This is to be called after zone_enter().
992 992 *
993 993 */
994 994 static struct passwd *
995 995 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
996 996 int pwbuflen)
997 997 {
998 998 char pwline[NSS_BUFLEN_PASSWD];
999 999 char *cin = NULL;
1000 1000 FILE *fin;
1001 1001 int status;
1002 1002
1003 1003 assert(getzoneid() != GLOBAL_ZONEID);
1004 1004
1005 1005 if ((fin = popen(user_cmd, "r")) == NULL)
1006 1006 return (NULL);
1007 1007
1008 1008 while (cin == NULL && !feof(fin))
1009 1009 cin = fgets(pwline, sizeof (pwline), fin);
1010 1010
1011 1011 if (cin == NULL) {
1012 1012 (void) pclose(fin);
1013 1013 return (NULL);
1014 1014 }
1015 1015
1016 1016 status = pclose(fin);
1017 1017 if (!WIFEXITED(status))
1018 1018 return (NULL);
1019 1019 if (WEXITSTATUS(status) != 0)
1020 1020 return (NULL);
1021 1021
1022 1022 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1023 1023 return (pwent);
1024 1024 else
1025 1025 return (NULL);
1026 1026 }
1027 1027
1028 1028 static char **
1029 1029 zone_login_cmd(brand_handle_t bh, const char *login)
1030 1030 {
1031 1031 static char result_buf[ARG_MAX];
1032 1032 char **new_argv, *ptr, *lasts;
1033 1033 int n, a;
1034 1034
1035 1035 /* Get the login command for the target zone. */
1036 1036 bzero(result_buf, sizeof (result_buf));
1037 1037
1038 1038 if (forced_login) {
1039 1039 if (brand_get_forcedlogin_cmd(bh, login,
1040 1040 result_buf, sizeof (result_buf)) != 0)
1041 1041 return (NULL);
1042 1042 } else {
1043 1043 if (brand_get_login_cmd(bh, login,
1044 1044 result_buf, sizeof (result_buf)) != 0)
1045 1045 return (NULL);
1046 1046 }
1047 1047
1048 1048 /*
1049 1049 * We got back a string that we'd like to execute. But since
1050 1050 * we're not doing the execution via a shell we'll need to convert
1051 1051 * the exec string to an array of strings. We'll do that here
1052 1052 * but we're going to be very simplistic about it and break stuff
1053 1053 * up based on spaces. We're not even going to support any kind
1054 1054 * of quoting or escape characters. It's truly amazing that
1055 1055 * there is no library function in OpenSolaris to do this for us.
1056 1056 */
1057 1057
1058 1058 /*
1059 1059 * Be paranoid. Since we're deliniating based on spaces make
1060 1060 * sure there are no adjacent spaces.
1061 1061 */
1062 1062 if (strstr(result_buf, " ") != NULL)
1063 1063 return (NULL);
1064 1064
1065 1065 /* Remove any trailing whitespace. */
1066 1066 n = strlen(result_buf);
1067 1067 if (result_buf[n - 1] == ' ')
1068 1068 result_buf[n - 1] = '\0';
1069 1069
1070 1070 /* Count how many elements there are in the exec string. */
1071 1071 ptr = result_buf;
1072 1072 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1073 1073 ;
1074 1074
1075 1075 /* Allocate the argv array that we're going to return. */
1076 1076 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1077 1077 return (NULL);
1078 1078
1079 1079 /* Tokenize the exec string and return. */
1080 1080 a = 0;
1081 1081 new_argv[a++] = result_buf;
1082 1082 if (n > 2) {
1083 1083 (void) strtok_r(result_buf, " ", &lasts);
1084 1084 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1085 1085 ;
1086 1086 } else {
1087 1087 new_argv[a++] = NULL;
1088 1088 }
1089 1089 assert(n == a);
1090 1090 return (new_argv);
1091 1091 }
1092 1092
1093 1093 /*
1094 1094 * Prepare argv array for exec'd process; if we're passing commands to the
1095 1095 * new process, then use su(1M) to do the invocation. Otherwise, use
1096 1096 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1097 1097 * login that we're coming from another zone, and to disregard its CONSOLE
1098 1098 * checks).
1099 1099 */
1100 1100 static char **
1101 1101 prep_args(brand_handle_t bh, const char *login, char **argv)
1102 1102 {
1103 1103 int argc = 0, a = 0, i, n = -1;
1104 1104 char **new_argv;
1105 1105
1106 1106 if (argv != NULL) {
1107 1107 size_t subshell_len = 1;
1108 1108 char *subshell;
1109 1109
1110 1110 while (argv[argc] != NULL)
1111 1111 argc++;
1112 1112
1113 1113 for (i = 0; i < argc; i++) {
1114 1114 subshell_len += strlen(argv[i]) + 1;
1115 1115 }
1116 1116 if ((subshell = calloc(1, subshell_len)) == NULL)
1117 1117 return (NULL);
1118 1118
1119 1119 for (i = 0; i < argc; i++) {
1120 1120 (void) strcat(subshell, argv[i]);
1121 1121 (void) strcat(subshell, " ");
1122 1122 }
1123 1123
1124 1124 if (failsafe) {
1125 1125 n = 4;
1126 1126 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1127 1127 return (NULL);
1128 1128
1129 1129 new_argv[a++] = FAILSAFESHELL;
1130 1130 } else {
1131 1131 n = 5;
1132 1132 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1133 1133 return (NULL);
1134 1134
1135 1135 new_argv[a++] = SUPATH;
1136 1136 if (strcmp(login, "root") != 0) {
1137 1137 new_argv[a++] = "-";
1138 1138 n++;
1139 1139 }
1140 1140 new_argv[a++] = (char *)login;
1141 1141 }
1142 1142 new_argv[a++] = "-c";
1143 1143 new_argv[a++] = subshell;
1144 1144 new_argv[a++] = NULL;
1145 1145 assert(a == n);
1146 1146 } else {
1147 1147 if (failsafe) {
1148 1148 n = 2;
1149 1149 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1150 1150 return (NULL);
1151 1151 new_argv[a++] = FAILSAFESHELL;
1152 1152 new_argv[a++] = NULL;
1153 1153 assert(n == a);
1154 1154 } else {
1155 1155 new_argv = zone_login_cmd(bh, login);
1156 1156 }
1157 1157 }
1158 1158
1159 1159 return (new_argv);
1160 1160 }
1161 1161
1162 1162 /*
1163 1163 * Helper routine for prep_env below.
1164 1164 */
1165 1165 static char *
1166 1166 add_env(char *name, char *value)
1167 1167 {
1168 1168 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1169 1169 char *str;
1170 1170
1171 1171 if ((str = malloc(sz)) == NULL)
1172 1172 return (NULL);
1173 1173
1174 1174 (void) snprintf(str, sz, "%s=%s", name, value);
1175 1175 return (str);
1176 1176 }
1177 1177
1178 1178 /*
1179 1179 * Prepare envp array for exec'd process.
1180 1180 */
1181 1181 static char **
1182 1182 prep_env()
1183 1183 {
1184 1184 int e = 0, size = 1;
1185 1185 char **new_env, *estr;
1186 1186 char *term = getenv("TERM");
1187 1187
1188 1188 size++; /* for $PATH */
1189 1189 if (term != NULL)
1190 1190 size++;
1191 1191
1192 1192 /*
1193 1193 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1194 1194 * We also set $SHELL, since neither login nor su will be around to do
1195 1195 * it.
1196 1196 */
1197 1197 if (failsafe)
1198 1198 size += 2;
1199 1199
1200 1200 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1201 1201 return (NULL);
1202 1202
1203 1203 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1204 1204 return (NULL);
1205 1205 new_env[e++] = estr;
1206 1206
1207 1207 if (term != NULL) {
1208 1208 if ((estr = add_env("TERM", term)) == NULL)
1209 1209 return (NULL);
1210 1210 new_env[e++] = estr;
1211 1211 }
1212 1212
1213 1213 if (failsafe) {
1214 1214 if ((estr = add_env("HOME", "/")) == NULL)
1215 1215 return (NULL);
1216 1216 new_env[e++] = estr;
1217 1217
1218 1218 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1219 1219 return (NULL);
1220 1220 new_env[e++] = estr;
1221 1221 }
1222 1222
1223 1223 new_env[e++] = NULL;
1224 1224
1225 1225 assert(e == size);
1226 1226
1227 1227 return (new_env);
1228 1228 }
1229 1229
1230 1230 /*
1231 1231 * Finish the preparation of the envp array for exec'd non-interactive
1232 1232 * zlogins. This is called in the child process *after* we zone_enter(), since
1233 1233 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1234 1234 * etc. We need only do this in the non-interactive, mode, since otherwise
1235 1235 * login(1) will do it. We don't do this in failsafe mode, since it presents
1236 1236 * additional ways in which the command could fail, and we'd prefer to avoid
1237 1237 * that.
1238 1238 */
1239 1239 static char **
1240 1240 prep_env_noninteractive(const char *user_cmd, char **env)
1241 1241 {
1242 1242 size_t size;
1243 1243 char **new_env;
1244 1244 int e, i;
1245 1245 char *estr;
1246 1246 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1247 1247 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1248 1248 struct passwd pwent;
1249 1249 struct passwd *pw = NULL;
1250 1250
1251 1251 assert(env != NULL);
1252 1252 assert(failsafe == 0);
1253 1253
1254 1254 /*
1255 1255 * Exec the "user_cmd" brand hook to get a pwent for the
1256 1256 * login user. If this fails, HOME will be set to "/", SHELL
1257 1257 * will be set to $DEFAULTSHELL, and we will continue to exec
1258 1258 * SUPATH <login> -c <cmd>.
1259 1259 */
1260 1260 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1261 1261
1262 1262 /*
1263 1263 * Get existing envp size.
1264 1264 */
1265 1265 for (size = 0; env[size] != NULL; size++)
1266 1266 ;
1267 1267
1268 1268 e = size;
1269 1269
1270 1270 /*
1271 1271 * Finish filling out the environment; we duplicate the environment
1272 1272 * setup described in login(1), for lack of a better precedent.
1273 1273 */
1274 1274 if (pw != NULL)
1275 1275 size += 3; /* LOGNAME, HOME, MAIL */
1276 1276 else
1277 1277 size += 1; /* HOME */
1278 1278
1279 1279 size++; /* always fill in SHELL */
1280 1280 size++; /* terminating NULL */
1281 1281
1282 1282 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1283 1283 goto malloc_fail;
1284 1284
1285 1285 /*
1286 1286 * Copy existing elements of env into new_env.
1287 1287 */
1288 1288 for (i = 0; env[i] != NULL; i++) {
1289 1289 if ((new_env[i] = strdup(env[i])) == NULL)
1290 1290 goto malloc_fail;
1291 1291 }
1292 1292 assert(e == i);
1293 1293
1294 1294 if (pw != NULL) {
1295 1295 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1296 1296 goto malloc_fail;
1297 1297 new_env[e++] = estr;
1298 1298
1299 1299 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1300 1300 goto malloc_fail;
1301 1301 new_env[e++] = estr;
1302 1302
1303 1303 if (chdir(pw->pw_dir) != 0)
1304 1304 zerror(gettext("Could not chdir to home directory "
1305 1305 "%s: %s"), pw->pw_dir, strerror(errno));
1306 1306
1307 1307 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1308 1308 pw->pw_name);
1309 1309 if ((estr = add_env("MAIL", varmail)) == NULL)
1310 1310 goto malloc_fail;
1311 1311 new_env[e++] = estr;
1312 1312 } else {
1313 1313 if ((estr = add_env("HOME", "/")) == NULL)
1314 1314 goto malloc_fail;
1315 1315 new_env[e++] = estr;
1316 1316 }
1317 1317
1318 1318 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1319 1319 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1320 1320 goto malloc_fail;
1321 1321 new_env[e++] = estr;
1322 1322 } else {
1323 1323 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1324 1324 goto malloc_fail;
1325 1325 new_env[e++] = estr;
1326 1326 }
1327 1327
1328 1328 new_env[e++] = NULL; /* add terminating NULL */
1329 1329
1330 1330 assert(e == size);
1331 1331 return (new_env);
1332 1332
1333 1333 malloc_fail:
1334 1334 zperror(gettext("failed to allocate memory for process environment"));
1335 1335 return (NULL);
1336 1336 }
1337 1337
1338 1338 static int
1339 1339 close_func(void *slavefd, int fd)
1340 1340 {
1341 1341 if (fd != *(int *)slavefd)
1342 1342 (void) close(fd);
1343 1343 return (0);
1344 1344 }
1345 1345
1346 1346 static void
1347 1347 set_cmdchar(char *cmdcharstr)
1348 1348 {
1349 1349 char c;
1350 1350 long lc;
1351 1351
1352 1352 if ((c = *cmdcharstr) != '\\') {
1353 1353 cmdchar = c;
1354 1354 return;
1355 1355 }
1356 1356
1357 1357 c = cmdcharstr[1];
1358 1358 if (c == '\0' || c == '\\') {
1359 1359 cmdchar = '\\';
1360 1360 return;
1361 1361 }
1362 1362
1363 1363 if (c < '0' || c > '7') {
1364 1364 zerror(gettext("Unrecognized escape character option %s"),
1365 1365 cmdcharstr);
1366 1366 usage();
1367 1367 }
1368 1368
1369 1369 lc = strtol(cmdcharstr + 1, NULL, 8);
1370 1370 if (lc < 0 || lc > 255) {
1371 1371 zerror(gettext("Octal escape character '%s' too large"),
1372 1372 cmdcharstr);
1373 1373 usage();
1374 1374 }
1375 1375 cmdchar = (char)lc;
1376 1376 }
1377 1377
1378 1378 static int
1379 1379 setup_utmpx(char *slavename)
1380 1380 {
1381 1381 struct utmpx ut;
1382 1382
1383 1383 bzero(&ut, sizeof (ut));
1384 1384 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1385 1385 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1386 1386 ut.ut_pid = getpid();
1387 1387 ut.ut_id[0] = 'z';
1388 1388 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1389 1389 ut.ut_type = LOGIN_PROCESS;
1390 1390 (void) time(&ut.ut_tv.tv_sec);
1391 1391
1392 1392 if (makeutx(&ut) == NULL) {
1393 1393 zerror(gettext("makeutx failed"));
1394 1394 return (-1);
1395 1395 }
1396 1396 return (0);
1397 1397 }
1398 1398
1399 1399 static void
1400 1400 release_lock_file(int lockfd)
1401 1401 {
1402 1402 (void) close(lockfd);
1403 1403 }
1404 1404
1405 1405 static int
1406 1406 grab_lock_file(const char *zone_name, int *lockfd)
1407 1407 {
1408 1408 char pathbuf[PATH_MAX];
1409 1409 struct flock flock;
1410 1410
1411 1411 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1412 1412 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1413 1413 strerror(errno));
1414 1414 return (-1);
1415 1415 }
1416 1416 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1417 1417 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1418 1418 ZONES_TMPDIR, zone_name);
1419 1419
1420 1420 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1421 1421 zerror(gettext("could not open %s: %s"), pathbuf,
1422 1422 strerror(errno));
1423 1423 return (-1);
1424 1424 }
1425 1425 /*
1426 1426 * Lock the file to synchronize with other zoneadmds
1427 1427 */
1428 1428 flock.l_type = F_WRLCK;
1429 1429 flock.l_whence = SEEK_SET;
1430 1430 flock.l_start = (off_t)0;
1431 1431 flock.l_len = (off_t)0;
1432 1432 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1433 1433 zerror(gettext("unable to lock %s: %s"), pathbuf,
1434 1434 strerror(errno));
1435 1435 release_lock_file(*lockfd);
1436 1436 return (-1);
1437 1437 }
1438 1438 return (Z_OK);
1439 1439 }
1440 1440
1441 1441 static int
1442 1442 start_zoneadmd(const char *zone_name)
1443 1443 {
1444 1444 pid_t retval;
1445 1445 int pstatus = 0, error = -1, lockfd, doorfd;
1446 1446 struct door_info info;
1447 1447 char doorpath[MAXPATHLEN];
1448 1448
1449 1449 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1450 1450
1451 1451 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1452 1452 return (-1);
1453 1453 /*
1454 1454 * We must do the door check with the lock held. Otherwise, we
1455 1455 * might race against another zoneadm/zlogin process and wind
1456 1456 * up with two processes trying to start zoneadmd at the same
1457 1457 * time. zoneadmd will detect this, and fail, but we prefer this
1458 1458 * to be as seamless as is practical, from a user perspective.
1459 1459 */
1460 1460 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1461 1461 if (errno != ENOENT) {
1462 1462 zerror("failed to open %s: %s", doorpath,
1463 1463 strerror(errno));
1464 1464 goto out;
1465 1465 }
1466 1466 } else {
1467 1467 /*
1468 1468 * Seems to be working ok.
1469 1469 */
1470 1470 if (door_info(doorfd, &info) == 0 &&
1471 1471 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1472 1472 error = 0;
1473 1473 goto out;
1474 1474 }
1475 1475 }
1476 1476
1477 1477 if ((child_pid = fork()) == -1) {
1478 1478 zperror(gettext("could not fork"));
1479 1479 goto out;
1480 1480 } else if (child_pid == 0) {
1481 1481 /* child process */
1482 1482 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1483 1483 zone_name, NULL);
1484 1484 zperror(gettext("could not exec zoneadmd"));
1485 1485 _exit(1);
1486 1486 }
1487 1487
1488 1488 /* parent process */
1489 1489 do {
1490 1490 retval = waitpid(child_pid, &pstatus, 0);
1491 1491 } while (retval != child_pid);
1492 1492 if (WIFSIGNALED(pstatus) ||
1493 1493 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1494 1494 zerror(gettext("could not start %s"), "zoneadmd");
1495 1495 goto out;
1496 1496 }
1497 1497 error = 0;
1498 1498 out:
1499 1499 release_lock_file(lockfd);
1500 1500 (void) close(doorfd);
1501 1501 return (error);
1502 1502 }
1503 1503
1504 1504 static int
1505 1505 init_template(void)
1506 1506 {
1507 1507 int fd;
1508 1508 int err = 0;
1509 1509
1510 1510 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1511 1511 if (fd == -1)
1512 1512 return (-1);
1513 1513
1514 1514 /*
1515 1515 * zlogin doesn't do anything with the contract.
1516 1516 * Deliver no events, don't inherit, and allow it to be orphaned.
1517 1517 */
1518 1518 err |= ct_tmpl_set_critical(fd, 0);
1519 1519 err |= ct_tmpl_set_informative(fd, 0);
1520 1520 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1521 1521 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1522 1522 if (err || ct_tmpl_activate(fd)) {
1523 1523 (void) close(fd);
1524 1524 return (-1);
1525 1525 }
1526 1526
1527 1527 return (fd);
1528 1528 }
1529 1529
1530 1530 static int
1531 1531 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1532 1532 char **new_args, char **new_env)
1533 1533 {
1534 1534 pid_t retval;
1535 1535 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1536 1536 int child_status;
1537 1537 int tmpl_fd;
1538 1538 sigset_t block_cld;
1539 1539
1540 1540 if ((tmpl_fd = init_template()) == -1) {
1541 1541 reset_tty();
1542 1542 zperror(gettext("could not create contract"));
1543 1543 return (1);
1544 1544 }
1545 1545
1546 1546 if (pipe(stdin_pipe) != 0) {
1547 1547 zperror(gettext("could not create STDIN pipe"));
1548 1548 return (1);
1549 1549 }
1550 1550 /*
1551 1551 * When the user types ^D, we get a zero length message on STDIN.
1552 1552 * We need to echo that down the pipe to send it to the other side;
1553 1553 * but by default, pipes don't propagate zero-length messages. We
1554 1554 * toggle that behavior off using I_SWROPT. See streamio(7i).
1555 1555 */
1556 1556 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1557 1557 zperror(gettext("could not configure STDIN pipe"));
1558 1558 return (1);
1559 1559
1560 1560 }
1561 1561 if (pipe(stdout_pipe) != 0) {
1562 1562 zperror(gettext("could not create STDOUT pipe"));
1563 1563 return (1);
1564 1564 }
1565 1565 if (pipe(stderr_pipe) != 0) {
1566 1566 zperror(gettext("could not create STDERR pipe"));
1567 1567 return (1);
1568 1568 }
1569 1569
1570 1570 if (pipe(dead_child_pipe) != 0) {
1571 1571 zperror(gettext("could not create signalling pipe"));
1572 1572 return (1);
1573 1573 }
1574 1574 close_on_sig = dead_child_pipe[0];
1575 1575
1576 1576 /*
1577 1577 * If any of the pipe FD's winds up being less than STDERR, then we
1578 1578 * have a mess on our hands-- and we are lacking some of the I/O
1579 1579 * streams we would expect anyway. So we bail.
1580 1580 */
1581 1581 if (stdin_pipe[0] <= STDERR_FILENO ||
1582 1582 stdin_pipe[1] <= STDERR_FILENO ||
1583 1583 stdout_pipe[0] <= STDERR_FILENO ||
1584 1584 stdout_pipe[1] <= STDERR_FILENO ||
1585 1585 stderr_pipe[0] <= STDERR_FILENO ||
1586 1586 stderr_pipe[1] <= STDERR_FILENO ||
1587 1587 dead_child_pipe[0] <= STDERR_FILENO ||
1588 1588 dead_child_pipe[1] <= STDERR_FILENO) {
1589 1589 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1590 1590 return (1);
1591 1591 }
1592 1592
1593 1593 if (prefork_dropprivs() != 0) {
1594 1594 zperror(gettext("could not allocate privilege set"));
1595 1595 return (1);
1596 1596 }
1597 1597
1598 1598 (void) sigset(SIGCLD, sigcld);
1599 1599 (void) sigemptyset(&block_cld);
1600 1600 (void) sigaddset(&block_cld, SIGCLD);
1601 1601 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1602 1602
1603 1603 if ((child_pid = fork()) == -1) {
1604 1604 (void) ct_tmpl_clear(tmpl_fd);
1605 1605 (void) close(tmpl_fd);
1606 1606 zperror(gettext("could not fork"));
1607 1607 return (1);
1608 1608 } else if (child_pid == 0) { /* child process */
1609 1609 (void) ct_tmpl_clear(tmpl_fd);
1610 1610
1611 1611 /*
1612 1612 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1613 1613 */
1614 1614 (void) close(STDIN_FILENO);
1615 1615 (void) close(STDOUT_FILENO);
1616 1616 (void) close(STDERR_FILENO);
1617 1617 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1618 1618 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1619 1619 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1620 1620 (void) closefrom(STDERR_FILENO + 1);
1621 1621
1622 1622 (void) sigset(SIGCLD, SIG_DFL);
1623 1623 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1624 1624 /*
1625 1625 * In case any of stdin, stdout or stderr are streams,
1626 1626 * anchor them to prevent malicious I_POPs.
1627 1627 */
1628 1628 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1629 1629 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1630 1630 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1631 1631
1632 1632 if (zone_enter(zoneid) == -1) {
1633 1633 zerror(gettext("could not enter zone %s: %s"),
1634 1634 zonename, strerror(errno));
1635 1635 _exit(1);
1636 1636 }
1637 1637
1638 1638 /*
1639 1639 * For non-native zones, tell libc where it can find locale
1640 1640 * specific getttext() messages.
1641 1641 */
1642 1642 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1643 1643 (void) bindtextdomain(TEXT_DOMAIN,
1644 1644 "/.SUNWnative/usr/lib/locale");
1645 1645 else if (access("/native/usr/lib/locale", R_OK) == 0)
1646 1646 (void) bindtextdomain(TEXT_DOMAIN,
1647 1647 "/native/usr/lib/locale");
1648 1648
1649 1649 if (!failsafe)
1650 1650 new_env = prep_env_noninteractive(user_cmd, new_env);
1651 1651
1652 1652 if (new_env == NULL) {
1653 1653 _exit(1);
1654 1654 }
1655 1655
1656 1656 /*
1657 1657 * Move into a new process group; the zone_enter will have
1658 1658 * placed us into zsched's session, and we want to be in
1659 1659 * a unique process group.
1660 1660 */
1661 1661 (void) setpgid(getpid(), getpid());
1662 1662
1663 1663 /*
1664 1664 * The child needs to run as root to
1665 1665 * execute the su program.
1666 1666 */
1667 1667 if (setuid(0) == -1) {
1668 1668 zperror(gettext("insufficient privilege"));
1669 1669 return (1);
1670 1670 }
1671 1671
1672 1672 (void) execve(new_args[0], new_args, new_env);
1673 1673 zperror(gettext("exec failure"));
1674 1674 _exit(1);
1675 1675 }
1676 1676 /* parent */
1677 1677
1678 1678 /* close pipe sides written by child */
1679 1679 (void) close(stdout_pipe[1]);
1680 1680 (void) close(stderr_pipe[1]);
1681 1681
1682 1682 (void) sigset(SIGINT, sig_forward);
1683 1683
1684 1684 postfork_dropprivs();
1685 1685
1686 1686 (void) ct_tmpl_clear(tmpl_fd);
1687 1687 (void) close(tmpl_fd);
1688 1688
1689 1689 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1690 1690 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1691 1691 dead_child_pipe[1], B_TRUE);
1692 1692 do {
1693 1693 retval = waitpid(child_pid, &child_status, 0);
1694 1694 if (retval == -1) {
1695 1695 child_status = 0;
1696 1696 }
1697 1697 } while (retval != child_pid && errno != ECHILD);
1698 1698
1699 1699 return (WEXITSTATUS(child_status));
1700 1700 }
1701 1701
1702 1702 static char *
1703 1703 get_username()
1704 1704 {
1705 1705 uid_t uid;
1706 1706 struct passwd *nptr;
1707 1707
1708 1708 /*
1709 1709 * Authorizations are checked to restrict access based on the
1710 1710 * requested operation and zone name, It is assumed that the
1711 1711 * program is running with all privileges, but that the real
1712 1712 * user ID is that of the user or role on whose behalf we are
1713 1713 * operating. So we start by getting the username that will be
1714 1714 * used for subsequent authorization checks.
1715 1715 */
1716 1716
1717 1717 uid = getuid();
1718 1718 if ((nptr = getpwuid(uid)) == NULL) {
1719 1719 zerror(gettext("could not get user name."));
1720 1720 _exit(1);
1721 1721 }
1722 1722 return (nptr->pw_name);
1723 1723 }
1724 1724
1725 1725 int
1726 1726 main(int argc, char **argv)
1727 1727 {
1728 1728 int arg, console = 0;
1729 1729 zoneid_t zoneid;
1730 1730 zone_state_t st;
1731 1731 char *login = "root";
1732 1732 int lflag = 0;
1733 1733 int nflag = 0;
1734 1734 char *zonename = NULL;
1735 1735 char **proc_args = NULL;
1736 1736 char **new_args, **new_env;
1737 1737 sigset_t block_cld;
1738 1738 char devroot[MAXPATHLEN];
1739 1739 char *slavename, slaveshortname[MAXPATHLEN];
1740 1740 priv_set_t *privset;
1741 1741 int tmpl_fd;
1742 1742 char zonebrand[MAXNAMELEN];
1743 1743 char default_brand[MAXNAMELEN];
1744 1744 struct stat sb;
1745 1745 char kernzone[ZONENAME_MAX];
1746 1746 brand_handle_t bh;
1747 1747 char user_cmd[MAXPATHLEN];
1748 1748 char authname[MAXAUTHS];
1749 1749
1750 1750 (void) setlocale(LC_ALL, "");
1751 1751 (void) textdomain(TEXT_DOMAIN);
1752 1752
1753 1753 (void) getpname(argv[0]);
1754 1754 username = get_username();
1755 1755
1756 1756 while ((arg = getopt(argc, argv, "nECR:Se:l:Q")) != EOF) {
1757 1757 switch (arg) {
1758 1758 case 'C':
1759 1759 console = 1;
1760 1760 break;
1761 1761 case 'E':
1762 1762 nocmdchar = 1;
1763 1763 break;
1764 1764 case 'R': /* undocumented */
1765 1765 if (*optarg != '/') {
1766 1766 zerror(gettext("root path must be absolute."));
1767 1767 exit(2);
1768 1768 }
1769 1769 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1770 1770 zerror(
1771 1771 gettext("root path must be a directory."));
1772 1772 exit(2);
1773 1773 }
1774 1774 zonecfg_set_root(optarg);
1775 1775 break;
1776 1776 case 'Q':
1777 1777 quiet = 1;
1778 1778 break;
1779 1779 case 'S':
1780 1780 failsafe = 1;
1781 1781 break;
1782 1782 case 'e':
1783 1783 set_cmdchar(optarg);
1784 1784 break;
1785 1785 case 'l':
1786 1786 login = optarg;
1787 1787 lflag = 1;
1788 1788 break;
1789 1789 case 'n':
1790 1790 nflag = 1;
1791 1791 break;
1792 1792 default:
1793 1793 usage();
1794 1794 }
1795 1795 }
1796 1796
1797 1797 if (console != 0) {
1798 1798
1799 1799 if (lflag != 0) {
1800 1800 zerror(gettext(
1801 1801 "-l may not be specified for console login"));
1802 1802 usage();
1803 1803 }
1804 1804
1805 1805 if (nflag != 0) {
1806 1806 zerror(gettext(
1807 1807 "-n may not be specified for console login"));
1808 1808 usage();
1809 1809 }
1810 1810
1811 1811 if (failsafe != 0) {
1812 1812 zerror(gettext(
1813 1813 "-S may not be specified for console login"));
1814 1814 usage();
1815 1815 }
1816 1816
1817 1817 if (zonecfg_in_alt_root()) {
1818 1818 zerror(gettext(
1819 1819 "-R may not be specified for console login"));
1820 1820 exit(2);
1821 1821 }
1822 1822
1823 1823 }
1824 1824
1825 1825 if (failsafe != 0 && lflag != 0) {
1826 1826 zerror(gettext("-l may not be specified for failsafe login"));
1827 1827 usage();
1828 1828 }
1829 1829
1830 1830 if (optind == (argc - 1)) {
1831 1831 /*
1832 1832 * zone name, no process name; this should be an interactive
1833 1833 * as long as STDIN is really a tty.
1834 1834 */
1835 1835 if (nflag != 0) {
1836 1836 zerror(gettext(
1837 1837 "-n may not be specified for interactive login"));
1838 1838 usage();
1839 1839 }
1840 1840 if (isatty(STDIN_FILENO))
1841 1841 interactive = 1;
1842 1842 zonename = argv[optind];
1843 1843 } else if (optind < (argc - 1)) {
1844 1844 if (console) {
1845 1845 zerror(gettext("Commands may not be specified for "
1846 1846 "console login."));
1847 1847 usage();
1848 1848 }
1849 1849 /* zone name and process name, and possibly some args */
1850 1850 zonename = argv[optind];
1851 1851 proc_args = &argv[optind + 1];
1852 1852 interactive = 0;
1853 1853 } else {
1854 1854 usage();
1855 1855 }
1856 1856
1857 1857 if (getzoneid() != GLOBAL_ZONEID) {
1858 1858 zerror(gettext("'%s' may only be used from the global zone"),
1859 1859 pname);
1860 1860 return (1);
1861 1861 }
1862 1862
1863 1863 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1864 1864 zerror(gettext("'%s' not applicable to the global zone"),
1865 1865 pname);
1866 1866 return (1);
1867 1867 }
1868 1868
1869 1869 if (zone_get_state(zonename, &st) != Z_OK) {
1870 1870 zerror(gettext("zone '%s' unknown"), zonename);
1871 1871 return (1);
1872 1872 }
1873 1873
1874 1874 if (st < ZONE_STATE_INSTALLED) {
1875 1875 zerror(gettext("cannot login to a zone which is '%s'"),
1876 1876 zone_state_str(st));
1877 1877 return (1);
1878 1878 }
1879 1879
1880 1880 /*
1881 1881 * In both console and non-console cases, we require all privs.
1882 1882 * In the console case, because we may need to startup zoneadmd.
1883 1883 * In the non-console case in order to do zone_enter(2), zonept()
1884 1884 * and other tasks.
1885 1885 */
1886 1886
1887 1887 if ((privset = priv_allocset()) == NULL) {
1888 1888 zperror(gettext("priv_allocset failed"));
1889 1889 return (1);
1890 1890 }
1891 1891
1892 1892 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1893 1893 zperror(gettext("getppriv failed"));
1894 1894 priv_freeset(privset);
1895 1895 return (1);
1896 1896 }
1897 1897
1898 1898 if (priv_isfullset(privset) == B_FALSE) {
1899 1899 zerror(gettext("You lack sufficient privilege to run "
1900 1900 "this command (all privs required)"));
1901 1901 priv_freeset(privset);
1902 1902 return (1);
1903 1903 }
1904 1904 priv_freeset(privset);
1905 1905
1906 1906 /*
1907 1907 * Check if user is authorized for requested usage of the zone
1908 1908 */
1909 1909
1910 1910 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1911 1911 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1912 1912 if (chkauthattr(authname, username) == 0) {
1913 1913 if (console) {
1914 1914 zerror(gettext("%s is not authorized for console "
1915 1915 "access to %s zone."),
1916 1916 username, zonename);
1917 1917 return (1);
1918 1918 } else {
1919 1919 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1920 1920 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1921 1921 if (failsafe || !interactive) {
1922 1922 zerror(gettext("%s is not authorized for "
1923 1923 "failsafe or non-interactive login "
1924 1924 "to %s zone."), username, zonename);
1925 1925 return (1);
1926 1926 } else if (chkauthattr(authname, username) == 0) {
1927 1927 zerror(gettext("%s is not authorized "
1928 1928 " to login to %s zone."),
1929 1929 username, zonename);
1930 1930 return (1);
1931 1931 }
1932 1932 }
1933 1933 } else {
1934 1934 forced_login = B_TRUE;
1935 1935 }
1936 1936
1937 1937 /*
1938 1938 * The console is a separate case from the rest of the code; handle
1939 1939 * it first.
1940 1940 */
1941 1941 if (console) {
1942 1942 /*
1943 1943 * Ensure that zoneadmd for this zone is running.
1944 1944 */
1945 1945 if (start_zoneadmd(zonename) == -1)
1946 1946 return (1);
1947 1947
1948 1948 /*
1949 1949 * Make contact with zoneadmd.
1950 1950 */
1951 1951 if (get_console_master(zonename) == -1)
1952 1952 return (1);
1953 1953
1954 1954 if (!quiet)
1955 1955 (void) printf(
1956 1956 gettext("[Connected to zone '%s' console]\n"),
1957 1957 zonename);
1958 1958
1959 1959 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1960 1960 reset_tty();
1961 1961 zperror(gettext("failed to set stdin pty to raw mode"));
1962 1962 return (1);
1963 1963 }
1964 1964
1965 1965 (void) sigset(SIGWINCH, sigwinch);
1966 1966 (void) sigwinch(0);
1967 1967
1968 1968 /*
1969 1969 * Run the I/O loop until we get disconnected.
1970 1970 */
1971 1971 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1972 1972 reset_tty();
1973 1973 if (!quiet)
1974 1974 (void) printf(
1975 1975 gettext("\n[Connection to zone '%s' console "
1976 1976 "closed]\n"), zonename);
1977 1977
1978 1978 return (0);
1979 1979 }
1980 1980
1981 1981 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1982 1982 zerror(gettext("login allowed only to running zones "
1983 1983 "(%s is '%s')."), zonename, zone_state_str(st));
1984 1984 return (1);
1985 1985 }
1986 1986
1987 1987 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1988 1988 if (zonecfg_in_alt_root()) {
1989 1989 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1990 1990
1991 1991 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1992 1992 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1993 1993 zerror(gettext("cannot find scratch zone %s"),
1994 1994 zonename);
1995 1995 if (fp != NULL)
1996 1996 zonecfg_close_scratch(fp);
1997 1997 return (1);
1998 1998 }
1999 1999 zonecfg_close_scratch(fp);
2000 2000 }
2001 2001
2002 2002 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
2003 2003 zerror(gettext("failed to get zoneid for zone '%s'"),
2004 2004 zonename);
2005 2005 return (1);
2006 2006 }
2007 2007
2008 2008 /*
2009 2009 * We need the zone root path only if we are setting up a pty.
2010 2010 */
2011 2011 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
2012 2012 zerror(gettext("could not get dev path for zone %s"),
2013 2013 zonename);
2014 2014 return (1);
2015 2015 }
2016 2016
2017 2017 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
2018 2018 zerror(gettext("could not get brand for zone %s"), zonename);
2019 2019 return (1);
2020 2020 }
2021 2021 /*
2022 2022 * In the alternate root environment, the only supported
2023 2023 * operations are mount and unmount. In this case, just treat
2024 2024 * the zone as native if it is cluster. Cluster zones can be
2025 2025 * native for the purpose of LU or upgrade, and the cluster
2026 2026 * brand may not exist in the miniroot (such as in net install
2027 2027 * upgrade).
2028 2028 */
2029 2029 if (zonecfg_default_brand(default_brand,
2030 2030 sizeof (default_brand)) != Z_OK) {
2031 2031 zerror(gettext("unable to determine default brand"));
2032 2032 return (1);
2033 2033 }
2034 2034 if (zonecfg_in_alt_root() &&
2035 2035 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2036 2036 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2037 2037 }
2038 2038
2039 2039 if ((bh = brand_open(zonebrand)) == NULL) {
2040 2040 zerror(gettext("could not open brand for zone %s"), zonename);
2041 2041 return (1);
2042 2042 }
2043 2043
2044 2044 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2045 2045 zperror(gettext("could not assemble new arguments"));
2046 2046 brand_close(bh);
2047 2047 return (1);
2048 2048 }
2049 2049 /*
2050 2050 * Get the brand specific user_cmd. This command is used to get
2051 2051 * a passwd(4) entry for login.
2052 2052 */
2053 2053 if (!interactive && !failsafe) {
2054 2054 if (zone_get_user_cmd(bh, login, user_cmd,
2055 2055 sizeof (user_cmd)) == NULL) {
2056 2056 zerror(gettext("could not get user_cmd for zone %s"),
2057 2057 zonename);
2058 2058 brand_close(bh);
2059 2059 return (1);
2060 2060 }
2061 2061 }
2062 2062 brand_close(bh);
2063 2063
2064 2064 if ((new_env = prep_env()) == NULL) {
2065 2065 zperror(gettext("could not assemble new environment"));
2066 2066 return (1);
2067 2067 }
2068 2068
2069 2069 if (!interactive) {
2070 2070 if (nflag) {
2071 2071 int nfd;
2072 2072
2073 2073 if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2074 2074 zperror(gettext("failed to open null device"));
2075 2075 return (1);
2076 2076 }
2077 2077 if (nfd != STDIN_FILENO) {
2078 2078 if (dup2(nfd, STDIN_FILENO) < 0) {
2079 2079 zperror(gettext(
2080 2080 "failed to dup2 null device"));
2081 2081 return (1);
2082 2082 }
2083 2083 (void) close(nfd);
2084 2084 }
2085 2085 /* /dev/null is now standard input */
2086 2086 }
2087 2087 return (noninteractive_login(zonename, user_cmd, zoneid,
2088 2088 new_args, new_env));
2089 2089 }
2090 2090
2091 2091 if (zonecfg_in_alt_root()) {
2092 2092 zerror(gettext("cannot use interactive login with scratch "
2093 2093 "zone"));
2094 2094 return (1);
2095 2095 }
2096 2096
2097 2097 /*
2098 2098 * Things are more complex in interactive mode; we get the
2099 2099 * master side of the pty, then place the user's terminal into
2100 2100 * raw mode.
2101 2101 */
2102 2102 if (get_master_pty() == -1) {
2103 2103 zerror(gettext("could not setup master pty device"));
2104 2104 return (1);
2105 2105 }
2106 2106
2107 2107 /*
2108 2108 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2109 2109 */
2110 2110 if ((slavename = ptsname(masterfd)) == NULL) {
2111 2111 zperror(gettext("failed to get name for pseudo-tty"));
2112 2112 return (1);
2113 2113 }
2114 2114 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2115 2115 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2116 2116 sizeof (slaveshortname));
2117 2117 else
2118 2118 (void) strlcpy(slaveshortname, slavename,
2119 2119 sizeof (slaveshortname));
2120 2120
2121 2121 if (!quiet)
2122 2122 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2123 2123 zonename, slaveshortname);
2124 2124
2125 2125 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2126 2126 reset_tty();
2127 2127 zperror(gettext("failed to set stdin pty to raw mode"));
2128 2128 return (1);
2129 2129 }
2130 2130
2131 2131 if (prefork_dropprivs() != 0) {
2132 2132 reset_tty();
2133 2133 zperror(gettext("could not allocate privilege set"));
2134 2134 return (1);
2135 2135 }
2136 2136
2137 2137 /*
2138 2138 * We must mask SIGCLD until after we have coped with the fork
2139 2139 * sufficiently to deal with it; otherwise we can race and receive the
2140 2140 * signal before child_pid has been initialized (yes, this really
2141 2141 * happens).
2142 2142 */
2143 2143 (void) sigset(SIGCLD, sigcld);
2144 2144 (void) sigemptyset(&block_cld);
2145 2145 (void) sigaddset(&block_cld, SIGCLD);
2146 2146 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2147 2147
2148 2148 /*
2149 2149 * We activate the contract template at the last minute to
2150 2150 * avoid intermediate functions that could be using fork(2)
2151 2151 * internally.
2152 2152 */
2153 2153 if ((tmpl_fd = init_template()) == -1) {
2154 2154 reset_tty();
2155 2155 zperror(gettext("could not create contract"));
2156 2156 return (1);
2157 2157 }
2158 2158
2159 2159 if ((child_pid = fork()) == -1) {
2160 2160 (void) ct_tmpl_clear(tmpl_fd);
2161 2161 reset_tty();
2162 2162 zperror(gettext("could not fork"));
2163 2163 return (1);
2164 2164 } else if (child_pid == 0) { /* child process */
2165 2165 int slavefd, newslave;
2166 2166
2167 2167 (void) ct_tmpl_clear(tmpl_fd);
2168 2168 (void) close(tmpl_fd);
2169 2169
2170 2170 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2171 2171
2172 2172 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2173 2173 return (1);
2174 2174
2175 2175 /*
2176 2176 * Close all fds except for the slave pty.
2177 2177 */
2178 2178 (void) fdwalk(close_func, &slavefd);
2179 2179
2180 2180 /*
2181 2181 * Temporarily dup slavefd to stderr; that way if we have
2182 2182 * to print out that zone_enter failed, the output will
2183 2183 * have somewhere to go.
2184 2184 */
2185 2185 if (slavefd != STDERR_FILENO)
2186 2186 (void) dup2(slavefd, STDERR_FILENO);
2187 2187
2188 2188 if (zone_enter(zoneid) == -1) {
2189 2189 zerror(gettext("could not enter zone %s: %s"),
2190 2190 zonename, strerror(errno));
2191 2191 return (1);
2192 2192 }
2193 2193
2194 2194 if (slavefd != STDERR_FILENO)
2195 2195 (void) close(STDERR_FILENO);
2196 2196
2197 2197 /*
2198 2198 * We take pains to get this process into a new process
2199 2199 * group, and subsequently a new session. In this way,
2200 2200 * we'll have a session which doesn't yet have a controlling
2201 2201 * terminal. When we open the slave, it will become the
2202 2202 * controlling terminal; no PIDs concerning pgrps or sids
2203 2203 * will leak inappropriately into the zone.
2204 2204 */
2205 2205 (void) setpgrp();
2206 2206
2207 2207 /*
2208 2208 * We need the slave pty to be referenced from the zone's
2209 2209 * /dev in order to ensure that the devt's, etc are all
2210 2210 * correct. Otherwise we break ttyname and the like.
2211 2211 */
2212 2212 if ((newslave = open(slavename, O_RDWR)) == -1) {
2213 2213 (void) close(slavefd);
2214 2214 return (1);
2215 2215 }
2216 2216 (void) close(slavefd);
2217 2217 slavefd = newslave;
2218 2218
2219 2219 /*
2220 2220 * dup the slave to the various FDs, so that when the
2221 2221 * spawned process does a write/read it maps to the slave
2222 2222 * pty.
2223 2223 */
2224 2224 (void) dup2(slavefd, STDIN_FILENO);
2225 2225 (void) dup2(slavefd, STDOUT_FILENO);
2226 2226 (void) dup2(slavefd, STDERR_FILENO);
2227 2227 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2228 2228 slavefd != STDERR_FILENO) {
2229 2229 (void) close(slavefd);
2230 2230 }
2231 2231
2232 2232 /*
2233 2233 * In failsafe mode, we don't use login(1), so don't try
2234 2234 * setting up a utmpx entry.
2235 2235 */
2236 2236 if (!failsafe)
2237 2237 if (setup_utmpx(slaveshortname) == -1)
2238 2238 return (1);
2239 2239
2240 2240 /*
2241 2241 * The child needs to run as root to
2242 2242 * execute the brand's login program.
2243 2243 */
2244 2244 if (setuid(0) == -1) {
2245 2245 zperror(gettext("insufficient privilege"));
2246 2246 return (1);
2247 2247 }
2248 2248
2249 2249 (void) execve(new_args[0], new_args, new_env);
2250 2250 zperror(gettext("exec failure"));
2251 2251 return (1);
2252 2252 }
2253 2253
2254 2254 (void) ct_tmpl_clear(tmpl_fd);
2255 2255 (void) close(tmpl_fd);
2256 2256
2257 2257 /*
2258 2258 * The rest is only for the parent process.
2259 2259 */
2260 2260 (void) sigset(SIGWINCH, sigwinch);
2261 2261
2262 2262 postfork_dropprivs();
2263 2263
2264 2264 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2265 2265 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2266 2266
2267 2267 reset_tty();
2268 2268 if (!quiet)
2269 2269 (void) fprintf(stderr,
2270 2270 gettext("\n[Connection to zone '%s' %s closed]\n"),
2271 2271 zonename, slaveshortname);
2272 2272
2273 2273 if (pollerr != 0) {
2274 2274 (void) fprintf(stderr, gettext("Error: connection closed due "
2275 2275 "to unexpected pollevents=0x%x.\n"), pollerr);
2276 2276 return (1);
2277 2277 }
2278 2278
2279 2279 return (0);
2280 2280 }
↓ open down ↓ |
1596 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX