path: root/server/process.c
blob: c1b68f58a5b63bc65beb0ecfae75d36ef0f9c8b8 (plain)
/*
 * Running a child process.
 *
 * This file contains the code to run a subprocess and manage its output and
 * exit status.  It uses libevent heavily to manage the various interactions
 * with the child process.
 *
 * Written by Russ Allbery <eagle@eyrie.org>
 * Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2013,
 *     2014 The Board of Trustees of the Leland Stanford Junior University
 *
 * See LICENSE for licensing terms.
 */

#include <config.h>
#include <portable/event.h>
#include <portable/system.h>

#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <server/internal.h>
#include <util/fdflag.h>
#include <util/macros.h>
#include <util/messages.h>
#include <util/protocol.h>
#include <util/xmalloc.h>

/*
 * We would like to use event_base_loopbreak and event_base_got_break, but the
 * latter was introduced in libevent 2.x.  For right now, until we can rely on
 * libevent 2.x, set a flag in the process struct instead.  We still call
 * event_base_loopbreak where we can, to keep from processing more data than
 * we have to.
 *
 * This portability glue is specific to this file and assumes that the process
 * variable is in scope to replace the event_base_got_break functionality.
 */
#ifndef HAVE_EVENT_BASE_LOOPBREAK
# define event_base_loopbreak(base) /* empty */
#endif
#ifndef HAVE_EVENT_BASE_GOT_BREAK
# define event_base_got_break(base) process->saw_error
#endif


/*
 * Event callback shared by every bufferevent we attach to the child.  It is
 * only invoked for EOF or an error, never for ordinary data.
 *
 * Takes the bufferevent the event fired on, the BEV_EVENT_* flags, and the
 * callback data, which must be the struct process.  EOF stops reading from
 * the bufferevent.  An error of ECONNRESET or EPIPE is treated as EOF that
 * also stops writing.  Any other error is logged, reported to the client as
 * an internal failure, recorded in process->saw_error, and breaks the event
 * loop.
 */
static void
handle_io_event(struct bufferevent *bev, short events, void *data)
{
    struct process *process = data;
    struct client *client = process->client;
    bool peer_gone;

    /* EOF: there is nothing more to read, so stop listening for it. */
    if (events & BEV_EVENT_EOF) {
        bufferevent_disable(bev, EV_READ);
        return;
    }

    /*
     * ECONNRESET or EPIPE mean the other end went away without reading what
     * we sent.  That is EOF for our purposes, except that we also have to
     * give up writing.  The error number is only consulted when the error
     * flag is set.
     */
    peer_gone = (events & BEV_EVENT_ERROR)
        && (socket_errno == ECONNRESET || socket_errno == EPIPE);
    if (peer_gone) {
        bufferevent_disable(bev, EV_READ | EV_WRITE);
        return;
    }

    /* Anything else is a real failure.  Say which direction it was. */
    if (events & BEV_EVENT_READING)
        syswarn("read from process failed");
    else
        syswarn("write to standard input failed");
    server_send_error(client, ERROR_INTERNAL, "Internal failure");

    /* Flag the error for server_process_run and stop the loop early. */
    process->saw_error = true;
    event_base_loopbreak(process->loop);
}


/*
 * Write callback for the stdin/stdout bufferevent, reached once all queued
 * input has been written to the child.  Its only job is to shut down our
 * write side of the socket pair so the child sees EOF on its next read.
 *
 * Takes the bufferevent and the callback data, which must be the struct
 * process.  Failure to shut down the socket is fatal.
 */
static void
handle_input_end(struct bufferevent *bev, void *data)
{
    struct process *process = data;
    int rc;

    /* No more data will be queued, so stop asking for write events. */
    bufferevent_disable(bev, EV_WRITE);
    rc = shutdown(process->stdinout_fd, SHUT_WR);
    if (rc < 0)
        sysdie("cannot shut down input side of process socket pair");
}


/*
 * Read callback for child output under protocol version two or later.  The
 * same handler serves both the stdin/stdout bufferevent (process->inout) and
 * the stderr bufferevent, so the stream number is derived from which
 * bufferevent fired: 1 for process->inout, 2 otherwise.
 *
 * Takes the bufferevent and the callback data, which must be the struct
 * process.  Sets process->saw_output so that server_process_run keeps
 * draining after the child exits.  If the output cannot be sent to the
 * client, records the error and breaks the event loop.
 */
static void
handle_output(struct bufferevent *bev, void *data)
{
    struct process *process = data;
    struct evbuffer *pending = bufferevent_get_input(bev);
    int stream = 1;

    if (bev != process->inout)
        stream = 2;
    process->saw_output = true;
    if (server_v2_send_output(process->client, stream, pending))
        return;

    /* The client could not be sent the data: give up on the loop. */
    process->saw_error = true;
    event_base_loopbreak(process->loop);
}


/*
 * Read callback that throws away everything in the bufferevent's input
 * buffer.  Used with protocol version one once we have already captured as
 * much output as the protocol lets us return to the client (see
 * handle_output_full).
 *
 * Takes the bufferevent; the callback data is unused.  Failure to drain the
 * buffer is fatal.
 */
static void
handle_output_discard(struct bufferevent *bev, void *data UNUSED)
{
    struct evbuffer *pending = bufferevent_get_input(bev);
    size_t pending_len = evbuffer_get_length(pending);

    if (evbuffer_drain(pending, pending_len) < 0)
        sysdie("internal error: cannot discard extra output");
}


/*
 * Read callback for protocol version one, reached when the bufferevent's
 * read watermark (the maximum output a v1 reply can carry) has been hit.
 * Moves everything read so far into a fresh evbuffer stored in
 * process->output and then swaps the read callback for
 * handle_output_discard so all further output from the child is dropped.
 *
 * Takes the bufferevent and the callback data, which must be the struct
 * process.  Allocation or buffer-move failures are fatal.  This callback is
 * expected to run at most once per process, since it replaces itself;
 * process->output is not freed first.
 */
static void
handle_output_full(struct bufferevent *bev, void *data)
{
    struct process *process = data;
    bufferevent_data_cb writecb = NULL;
    struct evbuffer *captured;

    captured = evbuffer_new();
    if (captured == NULL)
        die("internal error: cannot create discard evbuffer");
    process->output = captured;
    if (bufferevent_read_buffer(bev, captured) < 0)
        die("internal error: cannot move data into output buffer");

    /*
     * Keep the write callback if we still have input to send, so that the
     * child will get EOF on stdin once the input has drained.
     *
     * The error callback is kept on purpose: setting it to NULL triggers
     * segfaults in libevent 1.4.x when a read and an EOF event land in the
     * same event loop pass.  Once libevent 2.x is required it could be
     * dropped here.
     */
    if (process->input != NULL)
        writecb = handle_input_end;
    bufferevent_setcb(bev, handle_output_discard, writecb, handle_io_event,
                      data);
}


/*
 * SIGCHLD callback.  Reaps our child if it is the one that exited, records
 * its wait status in process->status, drops the signal event, and asks the
 * event loop to finish.  A SIGCHLD for some other process (waitpid returns
 * 0 or -1) is ignored.
 *
 * Takes the libevent signal callback arguments; only data is used and must
 * be the struct process.
 */
static void
handle_exit(evutil_socket_t sig UNUSED, short what UNUSED, void *data)
{
    struct process *process = data;
    pid_t reaped;

    /* Non-blocking so an unrelated SIGCHLD cannot stall the event loop. */
    reaped = waitpid(process->pid, &process->status, WNOHANG);
    if (reaped <= 0)
        return;
    process->reaped = true;
    event_del(process->sigchld);
    event_base_loopexit(process->loop, NULL);
}


/*
 * Fatal-error hook installed in the child (as message_fatal_cleanup) before
 * exec.  Its only purpose is to make internal failures in the pre-exec child
 * exit with status -1 instead of the default of 1, so the parent can tell
 * them apart from a command that merely failed.
 *
 * Takes no arguments and returns the exit status to use.
 */
static int
child_die_handler(void)
{
    const int pre_exec_failure_status = -1;

    return pre_exec_failure_status;
}


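/*
 * Start the child process.  This runs as a one-time event inside the event
 * loop (scheduled by server_process_run), forks off the child process, and
 * sets up the bufferevents that consume output from the child and send it
 * back to the remctl client.
 *
 * Takes the libevent one-shot callback arguments; only data is used and
 * must be the struct process.  On any failure before the child is running,
 * every descriptor opened here is closed, an internal error is sent to the
 * client, process->saw_error is set, and the event loop is told to break.
 * In the child, every failure is fatal via sysdie (exit status -1 through
 * child_die_handler) and nothing returns.
 */
static void
start(evutil_socket_t junk UNUSED, short what UNUSED, void *data)
{
    struct process *process = data;
    struct client *client = process->client;
    struct event_base *loop = process->loop;
    bufferevent_data_cb writecb = NULL;
    socket_type stdinout_fds[2] = { INVALID_SOCKET, INVALID_SOCKET };
    socket_type stderr_fds[2]   = { INVALID_SOCKET, INVALID_SOCKET };
    socket_type fd;
    struct sigaction sa;
    char *expires;

    /*
     * Socket pairs are used for communication with the child process that
     * actually runs the command.  We have to use sockets rather than pipes
     * because libevent's bufferevents require sockets.
     *
     * For protocol version one, we can use one socket pair for everything,
     * since we don't distinguish between streams.  For protocol version two,
     * we use one socket pair for standard input and standard output, and a
     * separate read-only one for standard error so that we can keep the
     * streams separate.  Index 0 is the server end, index 1 the child end.
     */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, stdinout_fds) < 0) {
        syswarn("cannot create stdin and stdout socket pair");
        goto fail;
    }
    if (client->protocol > 1) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, stderr_fds) < 0) {
            syswarn("cannot create stderr socket pair");
            goto fail;
        }
    }

    /*
     * Flush output before forking, mostly in case -S was given and we've
     * therefore been writing log messages to standard output that may not
     * have been flushed yet.  Otherwise the child would inherit and later
     * flush a copy of the same buffered text.
     */
    fflush(stdout);
    process->pid = fork();
    switch (process->pid) {
    case -1:
        syswarn("cannot fork");
        goto fail;

    /* In the child. */
    case 0:
        /* Fatal errors from here to exec exit with -1 rather than 1. */
        message_fatal_cleanup = child_die_handler;

        /* Close the server sides of the sockets. */
        close(stdinout_fds[0]);
        stdinout_fds[0] = INVALID_SOCKET;
        if (stderr_fds[0] != INVALID_SOCKET) {
            close(stderr_fds[0]);
            stderr_fds[0] = INVALID_SOCKET;
        }

        /*
         * Set up stdin if we have input data.  If we don't have input data,
         * reopen on /dev/null instead so that the process gets immediate EOF.
         * Ignore failure here, since it probably won't matter and worst case
         * is that we leave stdin closed.
         *
         * After close(0), open normally hands back descriptor 0 itself, in
         * which case /dev/null is already stdin and there is nothing to dup.
         * The fd > 0 branch only matters if 0 was somehow still in use.
         */
        if (process->input != NULL)
            dup2(stdinout_fds[1], 0);
        else {
            close(0);
            fd = open("/dev/null", O_RDONLY);
            if (fd > 0) {
                dup2(fd, 0);
                close(fd);
            }
        }

        /*
         * Set up stdout and stderr.  With protocol version one both streams
         * share the stdin/stdout socket; otherwise stderr gets its own.
         * dup2 failures are ignored here as well; exec would then run with
         * whatever those descriptors were.
         */
        dup2(stdinout_fds[1], 1);
        if (client->protocol == 1)
            dup2(stdinout_fds[1], 2);
        else {
            dup2(stderr_fds[1], 2);
            close(stderr_fds[1]);
        }
        close(stdinout_fds[1]);

        /*
         * Older versions of MIT Kerberos left the replay cache file open
         * across exec.  Newer versions correctly set it close-on-exec, but
         * close our low-numbered file descriptors anyway for older versions.
         * We're just trying to get the replay cache, so we don't have to go
         * very high.
         *
         * NOTE(review): descriptors at or above 16 that lack close-on-exec
         * (this file cannot show how the server's own sockets are opened)
         * would be inherited by the command; confirm against the code that
         * opens them.
         */
        for (fd = 3; fd < 16; fd++)
            close(fd);

        /*
         * Restore the default SIGPIPE handler.  The server sets it to
         * SIG_IGN, which is inherited by children.  We want the child to have
         * a default set of signal handlers.
         */
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = SIG_DFL;
        if (sigaction(SIGPIPE, &sa, NULL) < 0)
            sysdie("cannot clear SIGPIPE handler");

        /*
         * Put the authenticated principal and other connection and command
         * information in the environment.  REMUSER is for backwards
         * compatibility with earlier versions of remctl.  REMOTE_HOST is
         * only set when a hostname is known for the client.
         */
        if (setenv("REMUSER", client->user, 1) < 0)
            sysdie("cannot set REMUSER in environment");
        if (setenv("REMOTE_USER", client->user, 1) < 0)
            sysdie("cannot set REMOTE_USER in environment");
        if (setenv("REMOTE_ADDR", client->ipaddress, 1) < 0)
            sysdie("cannot set REMOTE_ADDR in environment");
        if (client->hostname != NULL)
            if (setenv("REMOTE_HOST", client->hostname, 1) < 0)
                sysdie("cannot set REMOTE_HOST in environment");
        if (setenv("REMCTL_COMMAND", process->command, 1) < 0)
            sysdie("cannot set REMCTL_COMMAND in environment");
        xasprintf(&expires, "%lu", (unsigned long) client->expires);
        if (setenv("REMOTE_EXPIRES", expires, 1) < 0)
            sysdie("cannot set REMOTE_EXPIRES in environment");
        free(expires);

        /*
         * Drop privileges if requested: supplementary groups first, then the
         * primary group, then the uid, so each step still has the privilege
         * it needs.  A rule naming a user with uid 0 is left as is by the
         * uid > 0 guard.  uid_t and gid_t are printed through unsigned long
         * so the format matches whatever width the platform uses.
         */
        if (process->rule->user != NULL && process->rule->uid > 0) {
            if (initgroups(process->rule->user, process->rule->gid) != 0)
                sysdie("cannot initgroups for %s\n", process->rule->user);
            if (setgid(process->rule->gid) != 0)
                sysdie("cannot setgid to %lu\n",
                       (unsigned long) process->rule->gid);
            if (setuid(process->rule->uid) != 0)
                sysdie("cannot setuid to %lu\n",
                       (unsigned long) process->rule->uid);
        }

        /*
         * Run the command.  On error, we intentionally don't reveal
         * information about the command we ran.
         */
        if (execv(process->rule->program, process->argv) < 0)
            sysdie("cannot execute command");
        /* NOTREACHED: sysdie exits, so we never fall through to default. */

    /* In the parent.  Close the other sides of the socket pairs. */
    default:
        close(stdinout_fds[1]);
        stdinout_fds[1] = INVALID_SOCKET;
        process->stdinout_fd = stdinout_fds[0];
        if (client->protocol > 1) {
            close(stderr_fds[1]);
            stderr_fds[1] = INVALID_SOCKET;
            process->stderr_fd = stderr_fds[0];
        }
    }

    /*
     * Set up a bufferevent to consume output from the process.
     *
     * There are two possibilities here.  For protocol version two, we use two
     * bufferevents, one for standard input and output and one for standard
     * error, that turn each chunk of data into a MESSAGE_OUTPUT token to the
     * client.  For protocol version one, we use a single bufferevent, which
     * sends standard input and collects both standard output and standard
     * error, queuing it to send on process exit.  In this case, stdinout_fd
     * gets both streams, since there's no point in distinguishing, and we
     * only need one bufferevent.
     *
     * The return value of fdflag_nonblocking is not checked here, so a
     * failure to set non-blocking mode would go unnoticed until the
     * bufferevent misbehaves.
     */
    fdflag_nonblocking(stdinout_fds[0], true);
    process->inout = bufferevent_socket_new(loop, process->stdinout_fd, 0);
    if (process->inout == NULL)
        die("internal error: cannot create stdin/stdout bufferevent");
    if (process->input == NULL)
        bufferevent_enable(process->inout, EV_READ);
    else {
        /* Input is queued now; handle_input_end closes our side once sent. */
        writecb = handle_input_end;
        bufferevent_enable(process->inout, EV_READ | EV_WRITE);
        if (bufferevent_write_buffer(process->inout, process->input) < 0)
            die("internal error: cannot queue input for process");
    }
    if (client->protocol == 1) {
        /*
         * v1 can only return TOKEN_MAX_OUTPUT_V1 bytes, so the read callback
         * fires once that much has accumulated and then switches to
         * discarding.
         */
        bufferevent_setcb(process->inout, handle_output_full, writecb,
                          handle_io_event, process);
        bufferevent_setwatermark(process->inout, EV_READ, TOKEN_MAX_OUTPUT_V1,
                                 TOKEN_MAX_OUTPUT_V1);
    } else {
        bufferevent_setcb(process->inout, handle_output, writecb,
                          handle_io_event, process);
        bufferevent_setwatermark(process->inout, EV_READ, 0, TOKEN_MAX_OUTPUT);
        fdflag_nonblocking(stderr_fds[0], true);
        process->err = bufferevent_socket_new(loop, process->stderr_fd, 0);
        if (process->err == NULL)
            die("internal error: cannot create stderr bufferevent");
        bufferevent_enable(process->err, EV_READ);
        bufferevent_setcb(process->err, handle_output, NULL,
                          handle_io_event, process);
        bufferevent_setwatermark(process->err, EV_READ, 0, TOKEN_MAX_OUTPUT);
    }
    return;

fail:
    /* Only descriptors still marked open are closed; nothing was leaked. */
    if (stdinout_fds[0] != INVALID_SOCKET)
        close(stdinout_fds[0]);
    if (stdinout_fds[1] != INVALID_SOCKET)
        close(stdinout_fds[1]);
    if (stderr_fds[0] != INVALID_SOCKET)
        close(stderr_fds[0]);
    if (stderr_fds[1] != INVALID_SOCKET)
        close(stderr_fds[1]);
    server_send_error(client, ERROR_INTERNAL, "Internal failure");
    process->saw_error = true;
    event_base_loopbreak(process->loop);
}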


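/*
 * Runs a process as a child to completion, capturing its output and
 * processing it according to the negotiated remctl client protocol.
 *
 * Takes the process to run.  The caller must have filled in process->client
 * (whose protocol field selects version one or version two handling) and
 * the command, rule, and argv fields consumed by start, plus process->input
 * if the command has standard input.  On return process->status holds the
 * child's wait status once it was reaped, and for protocol version one
 * process->output holds the collected output.  Returns true on success and
 * false if start or one of the I/O callbacks broke out of the event loop on
 * an error.
 */
bool
server_process_run(struct process *process)
{
    bool success;
    struct event_base *loop;
    struct client *client = process->client;
    const struct timeval immediate = { 0, 0 };

    /*
     * Create the event base that we use for the event loop.  Everything
     * below dereferences it, so failure here is fatal rather than a client
     * error.
     */
    loop = event_base_new();
    if (loop == NULL)
        die("internal error: cannot create process event base");
    process->loop = loop;

    /*
     * Create the event to handle SIGCHLD when the child process exits.  We
     * have to register this event first and then make sure that we create the
     * child process inside the event loop, since otherwise we race the child
     * process in setting up the event loop and may miss SIGCHLD and not
     * realize the child has already exited.
     */
    process->sigchld = evsignal_new(loop, SIGCHLD, handle_exit, process);
    if (process->sigchld == NULL)
        die("internal error: cannot create SIGCHLD processing event");
    if (event_add(process->sigchld, NULL) < 0)
        die("internal error: cannot add SIGCHLD processing event");

    /*
     * Prepare to spawn the process itself via a one-time event.  This event
     * will run once, immediately, and create and add further bufferevents to
     * handle the output from the process.  It will then self-destruct.
     */
    if (event_base_once(loop, -1, EV_TIMEOUT, start, process, &immediate) < 0)
        die("internal error: cannot create event to spawn the process");

    /*
     * Run the event loop.  This will continue until handle_exit is called or
     * we encounter some fatal error, in which case we'll break out of the
     * loop.
     */
    if (event_base_dispatch(loop) < 0)
        die("internal error: process event loop failed");

    /*
     * We have some more work to do after child exit since there may still be
     * output from the child sitting in system buffers.  Therefore, we now
     * repeatedly run the event loop in EVLOOP_NONBLOCK mode, only continuing
     * if process->saw_output remains true and we didn't break out of the loop
     * (indicating an error).  The saw_output flag will be set by the event
     * handlers if we see any output from the process.
     */
    process->saw_output = true;
    while (process->saw_output && !event_base_got_break(loop)) {
        process->saw_output = false;
        if (event_base_loop(loop, EVLOOP_NONBLOCK) < 0)
            die("internal error: process event loop failed");
    }

    /*
     * Close down the file descriptors now that we have all the data.
     * NOTE(review): if start failed before its socketpair call, stdinout_fd
     * was never assigned here and this closes whatever the caller left in
     * the field; confirm the caller initializes it.
     */
    close(process->stdinout_fd);
    if (client->protocol > 1)
        close(process->stderr_fd);

    /*
     * If we aborted on error, still wait for the child process to exit.  We
     * don't want to just exit and orphan the process since, if spawned from
     * something like xinetd, the lifetime of the remctld process controls the
     * rate limiting.  We shouldn't deadlock here since client will get broken
     * pipe errors or EOF when trying to talk to the now-closed sockets.
     *
     * An alternative would be to kill the child, but that could cause other
     * problems if the child is doing something that shouldn't be arbitrarily
     * interrupted.  This approach seems safer, although has the disadvantage
     * of keeping the remctld process around until the child completes.
     */
    if (event_base_got_break(loop)) {
        if (!process->reaped) {
            pid_t child;

            /* Retry on EINTR so a stray signal cannot leave the child unreaped. */
            do {
                child = waitpid(process->pid, &process->status, 0);
            } while (child < 0 && errno == EINTR);
            if (child > 0)
                process->reaped = true;
        }

        /*
         * NOTE(review): this path returns without freeing process->inout,
         * process->err, process->sigchld, or loop.  Freeing them here would
         * require a NULL check on process->inout, since start may have
         * failed before creating it, and depends on the caller not freeing
         * them itself; confirm before changing.
         */
        return false;
    }

    /*
     * For protocol version one, if the process sent more than the max output,
     * we already pulled out the output we care about into process->output.
     * Otherwise, we need to pull the output from the bufferevent before we
     * free it.
     */
    if (client->protocol == 1 && process->output == NULL) {
        process->output = evbuffer_new();
        if (process->output == NULL)
            die("internal error: cannot create output buffer");
        if (bufferevent_read_buffer(process->inout, process->output) < 0)
            die("internal error: cannot read data from output buffer");
    }

    /*
     * Free resources and return.  success is computed before the base is
     * freed because event_base_got_break reads it.
     */
    success = !event_base_got_break(loop);
    bufferevent_free(process->inout);
    if (process->err != NULL)
        bufferevent_free(process->err);
    event_free(process->sigchld);
    event_base_free(loop);
    return success;
}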