2 * Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/param.h>
21 #ifdef HAVE_SYS_SYSMACROS_H
22 # include <sys/sysmacros.h>
24 #include <sys/socket.h>
28 #include <sys/ioctl.h>
29 #ifdef HAVE_SYS_SELECT_H
30 # include <sys/select.h>
31 #endif /* HAVE_SYS_SELECT_H */
40 #endif /* STDC_HEADERS */
43 #endif /* HAVE_STRING_H */
46 #endif /* HAVE_STRINGS_H */
49 #endif /* HAVE_UNISTD_H */
50 #if TIME_WITH_SYS_TIME
62 #include "sudo_exec.h"
63 #include "sudo_plugin.h"
64 #include "sudo_plugin_int.h"
66 /* Shared with exec_pty.c for use with handler(). */
69 /* We keep a tailq of signals to forward to child. */
71 struct sigforward *prev, *next;
74 TQ_DECLARE(sigforward)
75 static struct sigforward_list sigfwd_list;
77 static int handle_signals(int fd, pid_t child, int log_io,
78 struct command_status *cstat);
79 static void forward_signals(int fd);
80 static void schedule_signal(int signo);
83 * Like execve(2) but falls back to running through /bin/sh
84 * ala execvp(3) if we get ENOEXEC.
87 my_execve(const char *path, char *const argv[], char *const envp[])
89 execve(path, argv, envp);
90 if (errno == ENOEXEC) {
94 for (argc = 0; argv[argc] != NULL; argc++)
96 nargv = emalloc2(argc + 2, sizeof(char *));
98 nargv[1] = (char *)path;
99 memcpy(nargv + 2, argv + 1, argc * sizeof(char *));
100 execve(_PATH_BSHELL, nargv, envp);
107 * Fork and execute a command, returns the child's pid.
108 * Sends errno back on sv[1] if execve() fails.
110 static int fork_cmnd(struct command_details *details, int sv[2])
112 struct command_status cstat;
116 zero_bytes(&sa, sizeof(sa));
117 sigemptyset(&sa.sa_mask);
118 sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
119 sa.sa_handler = handler;
120 sigaction(SIGCONT, &sa, NULL);
125 error(1, _("unable to fork"));
130 close(signal_pipe[0]);
131 close(signal_pipe[1]);
132 fcntl(sv[1], F_SETFD, FD_CLOEXEC);
134 if (exec_setup(details, NULL, -1) == TRUE) {
135 /* headed for execve() */
136 if (details->closefrom >= 0)
137 closefrom(details->closefrom);
139 if (ISSET(details->flags, CD_RBAC_ENABLED))
140 selinux_execve(details->command, details->argv, details->envp);
143 my_execve(details->command, details->argv, details->envp);
145 cstat.type = CMD_ERRNO;
147 send(sv[1], &cstat, sizeof(cstat), 0);
153 static struct signal_state {
156 } saved_signals[] = {
174 * Save signal handler state so it can be restored before exec.
179 struct signal_state *ss;
181 for (ss = saved_signals; ss->signo != -1; ss++)
182 sigaction(ss->signo, NULL, &ss->sa);
186 * Restore signal handlers to initial state.
189 restore_signals(void)
191 struct signal_state *ss;
193 for (ss = saved_signals; ss->signo != -1; ss++)
194 sigaction(ss->signo, &ss->sa, NULL);
198 * Execute a command, potentially in a pty with I/O loggging.
199 * This is a little bit tricky due to how POSIX job control works and
200 * we fact that we have two different controlling terminals to deal with.
203 sudo_execve(struct command_details *details, struct command_status *cstat)
205 int maxfd, n, nready, sv[2], log_io = FALSE;
206 const char *utmp_user = NULL;
211 /* If running in background mode, fork and exit. */
212 if (ISSET(details->flags, CD_BACKGROUND)) {
215 cstat->type = CMD_ERRNO;
219 /* child continues without controlling terminal */
223 /* parent exits (but does not flush buffers) */
229 * If we have an I/O plugin or the policy plugin has requested one, we
230 * need to allocate a pty. It is OK to set log_io in the pty-only case
231 * as the io plugin tailqueue will be empty and no I/O logging will occur.
233 if (!tq_empty(&io_plugins) || ISSET(details->flags, CD_USE_PTY)) {
235 if (ISSET(details->flags, CD_SET_UTMP))
236 utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
237 sudo_debug(8, "allocate pty for I/O logging");
238 pty_setup(details->euid, user_details.tty, utmp_user);
242 * We communicate with the child over a bi-directional pair of sockets.
243 * Parent sends signal info to child and child sends back wait status.
245 if (socketpair(PF_UNIX, SOCK_DGRAM, 0, sv) == -1)
246 error(1, _("unable to create sockets"));
249 * We use a pipe to atomically handle signal notification within
252 if (pipe_nonblock(signal_pipe) != 0)
253 error(1, _("unable to create pipe"));
255 zero_bytes(&sa, sizeof(sa));
256 sigemptyset(&sa.sa_mask);
259 * Signals for forward to the child process (excluding SIGALRM and SIGCHLD).
260 * Note: HP-UX select() will not be interrupted if SA_RESTART set.
262 sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
263 sa.sa_handler = handler;
264 sigaction(SIGALRM, &sa, NULL);
265 sigaction(SIGCHLD, &sa, NULL);
266 sigaction(SIGHUP, &sa, NULL);
267 sigaction(SIGINT, &sa, NULL);
268 sigaction(SIGPIPE, &sa, NULL);
269 sigaction(SIGQUIT, &sa, NULL);
270 sigaction(SIGTERM, &sa, NULL);
271 sigaction(SIGUSR1, &sa, NULL);
272 sigaction(SIGUSR2, &sa, NULL);
274 /* Max fd we will be selecting on. */
275 maxfd = MAX(sv[0], signal_pipe[0]);
278 * Child will run the command in the pty, parent will pass data
279 * to and from pty. Adjusts maxfd as needed.
282 child = fork_pty(details, sv, &maxfd);
284 child = fork_cmnd(details, sv);
287 /* Set command timeout if specified. */
288 if (ISSET(details->flags, CD_SET_TIMEOUT))
289 alarm(details->timeout);
291 #ifdef HAVE_SETLOCALE
293 * I/O logging must be in the C locale for floating point numbers
294 * to be logged consistently.
296 setlocale(LC_ALL, "C");
300 * In the event loop we pass input from user tty to master
301 * and pass output from master to stdout and IO plugin.
303 fdsr = (fd_set *)emalloc2(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask));
304 fdsw = (fd_set *)emalloc2(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask));
306 zero_bytes(fdsw, howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask));
307 zero_bytes(fdsr, howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask));
309 FD_SET(signal_pipe[0], fdsr);
311 if (!tq_empty(&sigfwd_list))
314 fd_set_iobs(fdsr, fdsw); /* XXX - better name */
315 nready = select(maxfd + 1, fdsr, fdsw, NULL, NULL);
319 error(1, _("select failed"));
321 if (FD_ISSET(sv[0], fdsw)) {
322 forward_signals(sv[0]);
324 if (FD_ISSET(signal_pipe[0], fdsr)) {
325 n = handle_signals(signal_pipe[0], child, log_io, cstat);
327 /* Child has exited, cstat is set, we are done. */
331 /* Error reading signal_pipe[0], should not happen. */
334 /* Restart event loop so signals get sent to child immediately. */
337 if (FD_ISSET(sv[0], fdsr)) {
338 /* read child status */
339 n = recv(sv[0], cstat, sizeof(*cstat), 0);
344 * If not logging I/O we will receive ECONNRESET when
345 * the command is executed. It is safe to ignore this.
347 if (log_io && errno != EAGAIN) {
348 cstat->type = CMD_ERRNO;
353 if (cstat->type == CMD_WSTATUS) {
354 if (WIFSTOPPED(cstat->val)) {
355 /* Suspend parent and tell child how to resume on return. */
356 sudo_debug(8, "child stopped, suspending parent");
357 n = suspend_parent(WSTOPSIG(cstat->val));
361 /* Child exited or was killed, either way we are done. */
364 } else if (cstat->type == CMD_ERRNO) {
365 /* Child was unable to execute command or broken pipe. */
370 if (perform_io(fdsr, fdsw, cstat) != 0) {
371 /* I/O error, kill child if still alive and finish. */
372 schedule_signal(SIGKILL);
373 forward_signals(sv[0]);
379 /* Flush any remaining output and free pty-related memory. */
384 if (ISSET(details->flags, CD_RBAC_ENABLED)) {
385 /* This is probably not needed in log_io mode. */
386 if (selinux_restore_tty() != 0)
387 warningx(_("unable to restore tty label"));
394 while (!tq_empty(&sigfwd_list)) {
395 struct sigforward *sigfwd = tq_first(&sigfwd_list);
396 tq_remove(&sigfwd_list, sigfwd);
400 return cstat->type == CMD_ERRNO ? -1 : 0;
404 * Read signals on fd written to by handler().
405 * Returns -1 on error, 0 on child exit, else 1.
408 handle_signals(int fd, pid_t child, int log_io, struct command_status *cstat)
416 /* read signal pipe */
417 nread = read(signal_pipe[0], &signo, sizeof(signo));
419 /* It should not be possible to get EOF but just in case. */
422 /* Restart if interrupted by signal so the pipe doesn't fill. */
425 /* If pipe is empty, we are done. */
428 sudo_debug(9, "error reading signal pipe %s", strerror(errno));
429 cstat->type = CMD_ERRNO;
433 sudo_debug(9, "received signal %d", signo);
434 if (signo == SIGCHLD) {
436 * If logging I/O, child is the intermediate process,
437 * otherwise it is the command itself.
440 pid = waitpid(child, &status, WUNTRACED|WNOHANG);
441 } while (pid == -1 && errno == EINTR);
443 /* If not logging I/O and child has exited we are done. */
445 if (WIFSTOPPED(status)) {
447 * Save the controlling terminal's process group
448 * so we can restore it after we resume.
450 pid_t saved_pgrp = (pid_t)-1;
451 int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);
453 saved_pgrp = tcgetpgrp(fd);
454 if (kill(getpid(), WSTOPSIG(status)) != 0) {
455 warning("kill(%d, %d)", (int)getpid(),
459 if (saved_pgrp != (pid_t)-1)
460 (void)tcsetpgrp(fd, saved_pgrp);
464 /* Child has exited, we are done. */
465 cstat->type = CMD_WSTATUS;
470 /* Else we get ECONNRESET on sv[0] if child dies. */
474 /* Schedule signo to be forwared to the child. */
475 schedule_signal(signo);
477 /* Nothing listening on sv[0], send directly. */
478 if (signo == SIGALRM)
479 terminate_child(child, FALSE);
480 else if (kill(child, signo) != 0)
481 warning("kill(%d, %d)", (int)child, signo);
489 * Forward signals in sigfwd_list to child listening on fd.
492 forward_signals(int sock)
494 struct sigforward *sigfwd;
495 struct command_status cstat;
498 while (!tq_empty(&sigfwd_list)) {
499 sigfwd = tq_first(&sigfwd_list);
500 sudo_debug(9, "sending signal %d to child over backchannel",
502 cstat.type = CMD_SIGNO;
503 cstat.val = sigfwd->signo;
505 nsent = send(sock, &cstat, sizeof(cstat), 0);
506 } while (nsent == -1 && errno == EINTR);
507 tq_remove(&sigfwd_list, sigfwd);
509 if (nsent != sizeof(cstat)) {
510 if (errno == EPIPE) {
511 /* Other end of socket gone, empty out sigfwd_list. */
512 while (!tq_empty(&sigfwd_list)) {
513 sigfwd = tq_first(&sigfwd_list);
514 tq_remove(&sigfwd_list, sigfwd);
524 * Schedule a signal to be forwared.
527 schedule_signal(int signo)
529 struct sigforward *sigfwd;
531 sigfwd = emalloc(sizeof(*sigfwd));
532 sigfwd->prev = sigfwd;
534 sigfwd->signo = signo;
535 tq_append(&sigfwd_list, sigfwd);
539 * Generic handler for signals passed from parent -> child.
540 * The other end of signal_pipe is checked in the main event loop.
545 unsigned char signo = (unsigned char)s;
548 * The pipe is non-blocking, if we overflow the kernel's pipe
549 * buffer we drop the signal. This is not a problem in practice.
551 if (write(signal_pipe[1], &signo, sizeof(signo)) == -1)
556 * Open a pipe and make both ends non-blocking.
557 * Returns 0 on success and -1 on error.
560 pipe_nonblock(int fds[2])
566 flags = fcntl(fds[0], F_GETFL, 0);
567 if (flags != -1 && !ISSET(flags, O_NONBLOCK))
568 rval = fcntl(fds[0], F_SETFL, flags | O_NONBLOCK);
570 flags = fcntl(fds[1], F_GETFL, 0);
571 if (flags != -1 && !ISSET(flags, O_NONBLOCK))
572 rval = fcntl(fds[1], F_SETFL, flags | O_NONBLOCK);