2 * Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/param.h>
21 #ifdef HAVE_SYS_SYSMACROS_H
22 # include <sys/sysmacros.h>
24 #include <sys/socket.h>
28 #include <sys/ioctl.h>
29 #ifdef HAVE_SYS_SELECT_H
30 # include <sys/select.h>
31 #endif /* HAVE_SYS_SELECT_H */
40 #endif /* STDC_HEADERS */
43 #endif /* HAVE_STRING_H */
46 #endif /* HAVE_STRINGS_H */
49 #endif /* HAVE_UNISTD_H */
50 #if TIME_WITH_SYS_TIME
62 #include "sudo_exec.h"
63 #include "sudo_plugin.h"
64 #include "sudo_plugin_int.h"
66 /* Shared with exec_pty.c for use with handler(). */
69 /* We keep a tailq of signals to forward to child. */
71 struct sigforward *prev, *next;
74 TQ_DECLARE(sigforward)
75 static struct sigforward_list sigfwd_list;
77 static int handle_signals(int sv[2], pid_t child, int log_io,
78 struct command_status *cstat);
79 static void forward_signals(int fd);
80 static void schedule_signal(int signo);
82 static void handler_nofwd(int s, siginfo_t *info, void *context);
86 * Fork and execute a command, returns the child's pid.
87 * Sends errno back on sv[1] if execve() fails.
89 static int fork_cmnd(struct command_details *details, int sv[2])
91 struct command_status cstat;
94 debug_decl(fork_cmnd, SUDO_DEBUG_EXEC)
96 zero_bytes(&sa, sizeof(sa));
97 sigemptyset(&sa.sa_mask);
98 sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
99 sa.sa_handler = handler;
100 sigaction(SIGCONT, &sa, NULL);
103 * The policy plugin's session init must be run before we fork
104 * or certain pam modules won't be able to track their state.
106 if (policy_init_session(details) != true)
107 errorx(1, _("policy plugin failed session initialization"));
109 child = sudo_debug_fork();
112 error(1, _("unable to fork"));
117 close(signal_pipe[0]);
118 close(signal_pipe[1]);
119 fcntl(sv[1], F_SETFD, FD_CLOEXEC);
121 if (exec_setup(details, NULL, -1) == true) {
122 /* headed for execve() */
123 sudo_debug_execve(SUDO_DEBUG_INFO, details->command,
124 details->argv, details->envp);
125 if (details->closefrom >= 0) {
126 int maxfd = details->closefrom;
128 (void)fcntl(maxfd, F_SETFD, FD_CLOEXEC);
130 if (sudo_debug_fd_set(maxfd) != -1)
135 if (ISSET(details->flags, CD_RBAC_ENABLED)) {
136 selinux_execve(details->command, details->argv, details->envp,
137 ISSET(details->flags, CD_NOEXEC));
141 sudo_execve(details->command, details->argv, details->envp,
142 ISSET(details->flags, CD_NOEXEC));
144 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s",
145 details->command, strerror(errno));
147 cstat.type = CMD_ERRNO;
149 send(sv[1], &cstat, sizeof(cstat), 0);
150 sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, 1);
153 debug_return_int(child);
156 static struct signal_state {
159 } saved_signals[] = {
177 * Save signal handler state so it can be restored before exec.
182 struct signal_state *ss;
183 debug_decl(save_signals, SUDO_DEBUG_EXEC)
185 for (ss = saved_signals; ss->signo != -1; ss++)
186 sigaction(ss->signo, NULL, &ss->sa);
192 * Restore signal handlers to initial state.
195 restore_signals(void)
197 struct signal_state *ss;
198 debug_decl(restore_signals, SUDO_DEBUG_EXEC)
200 for (ss = saved_signals; ss->signo != -1; ss++)
201 sigaction(ss->signo, &ss->sa, NULL);
207 * Execute a command, potentially in a pty with I/O loggging.
208 * This is a little bit tricky due to how POSIX job control works and
209 * we fact that we have two different controlling terminals to deal with.
212 sudo_execute(struct command_details *details, struct command_status *cstat)
214 int maxfd, n, nready, sv[2];
215 const char *utmp_user = NULL;
220 debug_decl(sudo_execute, SUDO_DEBUG_EXEC)
222 /* If running in background mode, fork and exit. */
223 if (ISSET(details->flags, CD_BACKGROUND)) {
224 switch (sudo_debug_fork()) {
226 cstat->type = CMD_ERRNO;
228 debug_return_int(-1);
230 /* child continues without controlling terminal */
234 /* parent exits (but does not flush buffers) */
235 sudo_debug_exit_int(__func__, __FILE__, __LINE__,
236 sudo_debug_subsys, 0);
242 * If we have an I/O plugin or the policy plugin has requested one, we
243 * need to allocate a pty. It is OK to set log_io in the pty-only case
244 * as the io plugin tailqueue will be empty and no I/O logging will occur.
246 if (!tq_empty(&io_plugins) || ISSET(details->flags, CD_USE_PTY)) {
248 if (ISSET(details->flags, CD_SET_UTMP))
249 utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
250 sudo_debug_printf(SUDO_DEBUG_INFO, "allocate pty for I/O logging");
251 pty_setup(details->euid, user_details.tty, utmp_user);
255 * We communicate with the child over a bi-directional pair of sockets.
256 * Parent sends signal info to child and child sends back wait status.
258 if (socketpair(PF_UNIX, SOCK_DGRAM, 0, sv) == -1)
259 error(1, _("unable to create sockets"));
262 * We use a pipe to atomically handle signal notification within
265 if (pipe_nonblock(signal_pipe) != 0)
266 error(1, _("unable to create pipe"));
268 zero_bytes(&sa, sizeof(sa));
269 sigemptyset(&sa.sa_mask);
272 * Signals to forward to the child process (excluding SIGALRM and SIGCHLD).
273 * Note: HP-UX select() will not be interrupted if SA_RESTART set.
275 sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
276 sa.sa_handler = handler;
277 sigaction(SIGALRM, &sa, NULL);
278 sigaction(SIGCHLD, &sa, NULL);
279 sigaction(SIGPIPE, &sa, NULL);
280 sigaction(SIGTERM, &sa, NULL);
281 sigaction(SIGUSR1, &sa, NULL);
282 sigaction(SIGUSR2, &sa, NULL);
285 * When not running the command in a pty, we do not want to
286 * forward signals generated by the kernel that the child will
287 * already have received either by virtue of being in the
288 * controlling tty's process group (SIGINT, SIGQUIT) or because
289 * the session is terminating (SIGHUP).
293 sa.sa_flags |= SA_SIGINFO;
294 sa.sa_sigaction = handler_nofwd;
297 sigaction(SIGHUP, &sa, NULL);
298 sigaction(SIGINT, &sa, NULL);
299 sigaction(SIGQUIT, &sa, NULL);
301 /* Max fd we will be selecting on. */
302 maxfd = MAX(sv[0], signal_pipe[0]);
305 * Child will run the command in the pty, parent will pass data
306 * to and from pty. Adjusts maxfd as needed.
309 child = fork_pty(details, sv, &maxfd);
311 child = fork_cmnd(details, sv);
314 /* Set command timeout if specified. */
315 if (ISSET(details->flags, CD_SET_TIMEOUT))
316 alarm(details->timeout);
318 #ifdef HAVE_SETLOCALE
320 * I/O logging must be in the C locale for floating point numbers
321 * to be logged consistently.
323 setlocale(LC_ALL, "C");
327 * In the event loop we pass input from user tty to master
328 * and pass output from master to stdout and IO plugin.
330 fdsr = emalloc2(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask));
331 fdsw = emalloc2(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask));
333 memset(fdsw, 0, howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask));
334 memset(fdsr, 0, howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask));
336 FD_SET(signal_pipe[0], fdsr);
338 if (!tq_empty(&sigfwd_list))
341 fd_set_iobs(fdsr, fdsw); /* XXX - better name */
342 nready = select(maxfd + 1, fdsr, fdsw, NULL, NULL);
343 sudo_debug_printf(SUDO_DEBUG_DEBUG, "select returns %d", nready);
345 if (errno == EINTR || errno == ENOMEM)
347 if (errno == EBADF || errno == EIO) {
348 /* One of the ttys must have gone away. */
351 warning(_("select failed"));
352 sudo_debug_printf(SUDO_DEBUG_ERROR,
353 "select failure, terminating child");
354 schedule_signal(SIGKILL);
355 forward_signals(sv[0]);
358 if (FD_ISSET(sv[0], fdsw)) {
359 forward_signals(sv[0]);
361 if (FD_ISSET(signal_pipe[0], fdsr)) {
362 n = handle_signals(sv, child, log_io, cstat);
364 /* Child has exited, cstat is set, we are done. */
368 /* Error reading signal_pipe[0], should not happen. */
371 /* Restart event loop so signals get sent to child immediately. */
374 if (FD_ISSET(sv[0], fdsr)) {
375 /* read child status */
376 n = recv(sv[0], cstat, sizeof(*cstat), 0);
377 if (n != sizeof(*cstat)) {
382 * If not logging I/O we may receive ECONNRESET when
383 * the command is executed and sv is closed.
384 * It is safe to ignore this.
386 if (log_io && errno != EAGAIN) {
387 cstat->type = CMD_ERRNO;
391 sudo_debug_printf(SUDO_DEBUG_ERROR,
392 "failed to read child status: %s", strerror(errno));
394 /* Short read or EOF. */
395 sudo_debug_printf(SUDO_DEBUG_ERROR,
396 "failed to read child status: %s",
397 n ? "short read" : "EOF");
398 /* XXX - should set cstat */
402 if (cstat->type == CMD_WSTATUS) {
403 if (WIFSTOPPED(cstat->val)) {
404 /* Suspend parent and tell child how to resume on return. */
405 sudo_debug_printf(SUDO_DEBUG_INFO,
406 "child stopped, suspending parent");
407 n = suspend_parent(WSTOPSIG(cstat->val));
411 /* Child exited or was killed, either way we are done. */
412 sudo_debug_printf(SUDO_DEBUG_INFO, "child exited or was killed");
415 } else if (cstat->type == CMD_ERRNO) {
416 /* Child was unable to execute command or broken pipe. */
417 sudo_debug_printf(SUDO_DEBUG_INFO, "errno from child: %s",
418 strerror(cstat->val));
423 if (perform_io(fdsr, fdsw, cstat) != 0) {
424 /* I/O error, kill child if still alive and finish. */
425 sudo_debug_printf(SUDO_DEBUG_ERROR, "I/O error, terminating child");
426 schedule_signal(SIGKILL);
427 forward_signals(sv[0]);
433 /* Flush any remaining output and free pty-related memory. */
438 if (ISSET(details->flags, CD_RBAC_ENABLED)) {
439 /* This is probably not needed in log_io mode. */
440 if (selinux_restore_tty() != 0)
441 warningx(_("unable to restore tty label"));
447 while (!tq_empty(&sigfwd_list)) {
448 struct sigforward *sigfwd = tq_first(&sigfwd_list);
449 tq_remove(&sigfwd_list, sigfwd);
453 debug_return_int(cstat->type == CMD_ERRNO ? -1 : 0);
457 * Read signals on fd written to by handler().
458 * Returns -1 on error, 0 on child exit, else 1.
461 handle_signals(int sv[2], pid_t child, int log_io, struct command_status *cstat)
467 debug_decl(handle_signals, SUDO_DEBUG_EXEC)
470 /* read signal pipe */
471 nread = read(signal_pipe[0], &signo, sizeof(signo));
473 /* It should not be possible to get EOF but just in case. */
476 /* Restart if interrupted by signal so the pipe doesn't fill. */
479 /* If pipe is empty, we are done. */
482 sudo_debug_printf(SUDO_DEBUG_ERROR, "error reading signal pipe %s",
484 cstat->type = CMD_ERRNO;
486 debug_return_int(-1);
488 sudo_debug_printf(SUDO_DEBUG_DIAG, "received signal %d", signo);
489 if (signo == SIGCHLD) {
491 * If logging I/O, child is the intermediate process,
492 * otherwise it is the command itself.
495 pid = waitpid(child, &status, WUNTRACED|WNOHANG);
496 } while (pid == -1 && errno == EINTR);
500 * On BSD we get ECONNRESET on sv[0] if monitor dies
501 * and select() will return with sv[0] readable.
502 * On Linux that doesn't appear to happen so if the
503 * monitor dies, shut down the socketpair to force a
504 * select() notification.
506 (void) shutdown(sv[0], SHUT_WR);
508 if (WIFSTOPPED(status)) {
510 * Save the controlling terminal's process group
511 * so we can restore it after we resume.
513 pid_t saved_pgrp = (pid_t)-1;
514 int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);
516 saved_pgrp = tcgetpgrp(fd);
517 if (kill(getpid(), WSTOPSIG(status)) != 0) {
518 warning("kill(%d, %d)", (int)getpid(),
522 if (saved_pgrp != (pid_t)-1)
523 (void)tcsetpgrp(fd, saved_pgrp);
527 /* Child has exited, we are done. */
528 cstat->type = CMD_WSTATUS;
536 /* Schedule signo to be forwared to the child. */
537 schedule_signal(signo);
539 /* Nothing listening on sv[0], send directly. */
540 if (signo == SIGALRM)
541 terminate_child(child, false);
542 else if (kill(child, signo) != 0)
543 warning("kill(%d, %d)", (int)child, signo);
551 * Forward signals in sigfwd_list to child listening on fd.
554 forward_signals(int sock)
556 struct sigforward *sigfwd;
557 struct command_status cstat;
559 debug_decl(forward_signals, SUDO_DEBUG_EXEC)
561 while (!tq_empty(&sigfwd_list)) {
562 sigfwd = tq_first(&sigfwd_list);
563 sudo_debug_printf(SUDO_DEBUG_INFO,
564 "sending signal %d to child over backchannel", sigfwd->signo);
565 cstat.type = CMD_SIGNO;
566 cstat.val = sigfwd->signo;
568 nsent = send(sock, &cstat, sizeof(cstat), 0);
569 } while (nsent == -1 && errno == EINTR);
570 tq_remove(&sigfwd_list, sigfwd);
572 if (nsent != sizeof(cstat)) {
573 if (errno == EPIPE) {
574 sudo_debug_printf(SUDO_DEBUG_ERROR,
575 "broken pipe writing to child over backchannel");
576 /* Other end of socket gone, empty out sigfwd_list. */
577 while (!tq_empty(&sigfwd_list)) {
578 sigfwd = tq_first(&sigfwd_list);
579 tq_remove(&sigfwd_list, sigfwd);
582 /* XXX - child (monitor) is dead, we should exit too? */
591 * Schedule a signal to be forwared.
594 schedule_signal(int signo)
596 struct sigforward *sigfwd;
597 debug_decl(schedule_signal, SUDO_DEBUG_EXEC)
599 sudo_debug_printf(SUDO_DEBUG_DIAG, "forwarding signal %d to child", signo);
601 sigfwd = ecalloc(1, sizeof(*sigfwd));
602 sigfwd->prev = sigfwd;
603 /* sigfwd->next = NULL; */
604 sigfwd->signo = signo;
605 tq_append(&sigfwd_list, sigfwd);
611 * Generic handler for signals passed from parent -> child.
612 * The other end of signal_pipe is checked in the main event loop.
617 unsigned char signo = (unsigned char)s;
620 * The pipe is non-blocking, if we overflow the kernel's pipe
621 * buffer we drop the signal. This is not a problem in practice.
623 ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
628 * Generic handler for signals passed from parent -> child.
629 * The other end of signal_pipe is checked in the main event loop.
630 * This version is for the non-pty case and does not forward
631 * signals that are generated by the kernel.
634 handler_nofwd(int s, siginfo_t *info, void *context)
636 unsigned char signo = (unsigned char)s;
638 /* Only forward user-generated signals. */
639 if (info == NULL || info->si_code <= 0) {
641 * The pipe is non-blocking, if we overflow the kernel's pipe
642 * buffer we drop the signal. This is not a problem in practice.
644 ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
647 #endif /* SA_SIGINFO */
650 * Open a pipe and make both ends non-blocking.
651 * Returns 0 on success and -1 on error.
654 pipe_nonblock(int fds[2])
657 debug_decl(pipe_nonblock, SUDO_DEBUG_EXEC)
661 flags = fcntl(fds[0], F_GETFL, 0);
662 if (flags != -1 && !ISSET(flags, O_NONBLOCK))
663 rval = fcntl(fds[0], F_SETFL, flags | O_NONBLOCK);
665 flags = fcntl(fds[1], F_GETFL, 0);
666 if (flags != -1 && !ISSET(flags, O_NONBLOCK))
667 rval = fcntl(fds[1], F_SETFL, flags | O_NONBLOCK);
675 debug_return_int(rval);