1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013 DEY Storage Systems, Inc.
24 * Copyright (c) 2014 Gary Mills
25 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
26 */
27
28 /*
29 * zlogin provides three types of login which allow users in the global
30 * zone to access non-global zones.
31 *
32 * - "interactive login" is similar to rlogin(1); for example, the user could
33 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
34 * granted a new pty (which is then shoved into the zone), and an I/O
35 * loop between parent and child processes takes care of the interactive
36 * session. In this mode, login(1) (and its -c option, which means
37 * "already authenticated") is employed to take care of the initialization
38 * of the user's session.
39 *
40 * - "non-interactive login" is similar to su(1M); the user could issue
41 * 'zlogin my-zone ls -l' and the command would be run as specified.
42 * In this mode, zlogin sets up pipes as the communication channel, and
43 * 'su' is used to do the login setup work.
44 *
45 * - "console login" is the equivalent to accessing the tip line for a
46 * zone. For example, the user can issue 'zlogin -C my-zone'.
47 * In this mode, zlogin contacts the zoneadmd process via unix domain
48 * socket. If zoneadmd is not running, it starts it. This allows the
49 * console to be available anytime the zone is installed, regardless of
50 * whether it is running.
51 */
52
53 #include <sys/socket.h>
54 #include <sys/termios.h>
55 #include <sys/utsname.h>
56 #include <sys/stat.h>
57 #include <sys/types.h>
58 #include <sys/contract/process.h>
59 #include <sys/ctfs.h>
60 #include <sys/brand.h>
61 #include <sys/wait.h>
62 #include <alloca.h>
63 #include <assert.h>
64 #include <ctype.h>
65 #include <paths.h>
66 #include <door.h>
67 #include <errno.h>
68 #include <nss_dbdefs.h>
69 #include <poll.h>
70 #include <priv.h>
71 #include <pwd.h>
72 #include <unistd.h>
73 #include <utmpx.h>
74 #include <sac.h>
75 #include <signal.h>
76 #include <stdarg.h>
77 #include <stdio.h>
78 #include <stdlib.h>
79 #include <string.h>
80 #include <strings.h>
81 #include <stropts.h>
82 #include <wait.h>
83 #include <zone.h>
84 #include <fcntl.h>
85 #include <libdevinfo.h>
86 #include <libintl.h>
87 #include <locale.h>
88 #include <libzonecfg.h>
89 #include <libcontract.h>
90 #include <libbrand.h>
91 #include <auth_list.h>
92 #include <auth_attr.h>
93 #include <secdb.h>
94
95 static int masterfd;
96 static struct termios save_termios;
97 static struct termios effective_termios;
98 static int save_fd;
99 static struct winsize winsize;
100 static volatile int dead;
101 static volatile pid_t child_pid = -1;
102 static int interactive = 0;
103 static priv_set_t *dropprivs;
104
105 static int nocmdchar = 0;
106 static int failsafe = 0;
107 static int disconnect = 0;
108 static char cmdchar = '~';
109 static int quiet = 0;
110
111 static int pollerr = 0;
112
113 static const char *pname;
114 static char *username;
115
116 /*
117 * When forced_login is true, the user is not prompted
118 * for an authentication password in the target zone.
119 */
120 static boolean_t forced_login = B_FALSE;
121
122 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
123 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
124 #endif
125
126 #define SUPATH "/usr/bin/su"
127 #define FAILSAFESHELL "/sbin/sh"
128 #define DEFAULTSHELL "/sbin/sh"
129 #define DEF_PATH "/usr/sbin:/usr/bin"
130
131 #define CLUSTER_BRAND_NAME "cluster"
132
133 /*
134 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
135 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
136 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
137 * also chosen in conjunction with the HI_WATER setting to make sure we
138 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
139 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
140 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
141 * is less than HI_WATER data already in the pipe.
142 */
143 #define ZLOGIN_BUFSIZ 8192
144 #define ZLOGIN_RDBUFSIZ 1024
145 #define HI_WATER 8192
146
147 /*
148 * See canonify() below. CANONIFY_LEN is the maximum length that a
149 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
150 */
151 #define CANONIFY_LEN 5
152
153 static void
usage(void)154 usage(void)
155 {
156 (void) fprintf(stderr, gettext("usage: %s [ -dnQCES ] [ -e cmdchar ] "
157 "[-l user] zonename [command [args ...] ]\n"), pname);
158 exit(2);
159 }
160
161 static const char *
getpname(const char * arg0)162 getpname(const char *arg0)
163 {
164 const char *p = strrchr(arg0, '/');
165
166 if (p == NULL)
167 p = arg0;
168 else
169 p++;
170
171 pname = p;
172 return (p);
173 }
174
175 static void
zerror(const char * fmt,...)176 zerror(const char *fmt, ...)
177 {
178 va_list alist;
179
180 (void) fprintf(stderr, "%s: ", pname);
181 va_start(alist, fmt);
182 (void) vfprintf(stderr, fmt, alist);
183 va_end(alist);
184 (void) fprintf(stderr, "\n");
185 }
186
187 static void
zperror(const char * str)188 zperror(const char *str)
189 {
190 const char *estr;
191
192 if ((estr = strerror(errno)) != NULL)
193 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
194 else
195 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
196 }
197
198 /*
199 * The first part of our privilege dropping scheme needs to be called before
200 * fork(), since we must have it for security; we don't want to be surprised
201 * later that we couldn't allocate the privset.
202 */
203 static int
prefork_dropprivs()204 prefork_dropprivs()
205 {
206 if ((dropprivs = priv_allocset()) == NULL)
207 return (1);
208
209 priv_basicset(dropprivs);
210 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
211 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
212 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
213 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
214
215 /*
216 * We need to keep the basic privilege PROC_SESSION and all unknown
217 * basic privileges as well as the privileges PROC_ZONE and
218 * PROC_OWNER in order to query session information and
219 * send signals.
220 */
221 if (interactive == 0) {
222 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
223 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
224 } else {
225 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
226 }
227
228 return (0);
229 }
230
231 /*
232 * The second part of the privilege drop. We are paranoid about being attacked
233 * by the zone, so we drop all privileges. This should prevent a compromise
234 * which gets us to fork(), exec(), symlink(), etc.
235 */
236 static void
postfork_dropprivs()237 postfork_dropprivs()
238 {
239 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
240 zperror(gettext("Warning: could not set permitted privileges"));
241 }
242 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
243 zperror(gettext("Warning: could not set limit privileges"));
244 }
245 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
246 zperror(gettext("Warning: could not set inheritable "
247 "privileges"));
248 }
249 }
250
251 /*
252 * Create the unix domain socket and call the zoneadmd server; handshake
253 * with it to determine whether it will allow us to connect.
254 */
255 static int
get_console_master(const char * zname)256 get_console_master(const char *zname)
257 {
258 int sockfd = -1;
259 struct sockaddr_un servaddr;
260 char clientid[MAXPATHLEN];
261 char handshake[MAXPATHLEN], c;
262 int msglen;
263 int i = 0, err = 0;
264
265 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
266 zperror(gettext("could not create socket"));
267 return (-1);
268 }
269
270 bzero(&servaddr, sizeof (servaddr));
271 servaddr.sun_family = AF_UNIX;
272 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
273 "%s/%s.console_sock", ZONES_TMPDIR, zname);
274
275 if (connect(sockfd, (struct sockaddr *)&servaddr,
276 sizeof (servaddr)) == -1) {
277 zperror(gettext("Could not connect to zone console"));
278 goto bad;
279 }
280 masterfd = sockfd;
281
282 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s %d\n",
283 getpid(), setlocale(LC_MESSAGES, NULL), disconnect);
284
285 if (msglen >= sizeof (clientid) || msglen < 0) {
286 zerror("protocol error");
287 goto bad;
288 }
289
290 if (write(masterfd, clientid, msglen) != msglen) {
291 zerror("protocol error");
292 goto bad;
293 }
294
295 bzero(handshake, sizeof (handshake));
296
297 /*
298 * Take care not to accumulate more than our fill, and leave room for
299 * the NUL at the end.
300 */
301 while ((err = read(masterfd, &c, 1)) == 1) {
302 if (i >= (sizeof (handshake) - 1))
303 break;
304 if (c == '\n')
305 break;
306 handshake[i] = c;
307 i++;
308 }
309
310 /*
311 * If something went wrong during the handshake we bail; perhaps
312 * the server died off.
313 */
314 if (err == -1) {
315 zperror(gettext("Could not connect to zone console"));
316 goto bad;
317 }
318
319 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
320 return (0);
321
322 zerror(gettext("Console is already in use by process ID %s."),
323 handshake);
324 bad:
325 (void) close(sockfd);
326 masterfd = -1;
327 return (-1);
328 }
329
330
331 /*
332 * Routines to handle pty creation upon zone entry and to shuttle I/O back
333 * and forth between the two terminals. We also compute and store the
334 * name of the slave terminal associated with the master side.
335 */
336 static int
get_master_pty()337 get_master_pty()
338 {
339 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
340 zperror(gettext("failed to obtain a pseudo-tty"));
341 return (-1);
342 }
343 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
344 zperror(gettext("failed to get terminal settings from stdin"));
345 return (-1);
346 }
347 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
348
349 return (0);
350 }
351
352 /*
353 * This is a bit tricky; normally a pts device will belong to the zone it
354 * is granted to. But in the case of "entering" a zone, we need to establish
355 * the pty before entering the zone so that we can vector I/O to and from it
356 * from the global zone.
357 *
358 * We use the zonept() call to let the ptm driver know what we are up to;
359 * the only other hairy bit is the setting of zoneslavename (which happens
360 * above, in get_master_pty()).
361 */
362 static int
init_slave_pty(zoneid_t zoneid,char * devroot)363 init_slave_pty(zoneid_t zoneid, char *devroot)
364 {
365 int slavefd = -1;
366 char *slavename, zoneslavename[MAXPATHLEN];
367
368 /*
369 * Set slave permissions, zone the pts, then unlock it.
370 */
371 if (grantpt(masterfd) != 0) {
372 zperror(gettext("grantpt failed"));
373 return (-1);
374 }
375
376 if (unlockpt(masterfd) != 0) {
377 zperror(gettext("unlockpt failed"));
378 return (-1);
379 }
380
381 /*
382 * We must open the slave side before zoning this pty; otherwise
383 * the kernel would refuse us the open-- zoning a pty makes it
384 * inaccessible to the global zone. Note we are trying to open
385 * the device node via the $ZONEROOT/dev path for this pty.
386 *
387 * Later we'll close the slave out when once we've opened it again
388 * from within the target zone. Blarg.
389 */
390 if ((slavename = ptsname(masterfd)) == NULL) {
391 zperror(gettext("failed to get name for pseudo-tty"));
392 return (-1);
393 }
394
395 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
396 devroot, slavename);
397
398 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
399 zerror(gettext("failed to open %s: %s"), zoneslavename,
400 strerror(errno));
401 return (-1);
402 }
403
404 /*
405 * Push hardware emulation (ptem), line discipline (ldterm),
406 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
407 */
408 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
409 zperror(gettext("failed to push ptem module"));
410 if (!failsafe)
411 goto bad;
412 }
413
414 /*
415 * Anchor the stream to prevent malicious I_POPs; we prefer to do
416 * this prior to entering the zone so that we can detect any errors
417 * early, and so that we can set the anchor from the global zone.
418 */
419 if (ioctl(slavefd, I_ANCHOR) == -1) {
420 zperror(gettext("failed to set stream anchor"));
421 if (!failsafe)
422 goto bad;
423 }
424
425 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
426 zperror(gettext("failed to push ldterm module"));
427 if (!failsafe)
428 goto bad;
429 }
430 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
431 zperror(gettext("failed to push ttcompat module"));
432 if (!failsafe)
433 goto bad;
434 }
435
436 /*
437 * Propagate terminal settings from the external term to the new one.
438 */
439 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
440 zperror(gettext("failed to set terminal settings"));
441 if (!failsafe)
442 goto bad;
443 }
444 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
445
446 if (zonept(masterfd, zoneid) != 0) {
447 zperror(gettext("could not set zoneid of pty"));
448 goto bad;
449 }
450
451 return (slavefd);
452
453 bad:
454 (void) close(slavefd);
455 return (-1);
456 }
457
458 /*
459 * Place terminal into raw mode.
460 */
461 static int
set_tty_rawmode(int fd)462 set_tty_rawmode(int fd)
463 {
464 struct termios term;
465 if (tcgetattr(fd, &term) < 0) {
466 zperror(gettext("failed to get user terminal settings"));
467 return (-1);
468 }
469
470 /* Stash for later, so we can revert back to previous mode */
471 save_termios = term;
472 save_fd = fd;
473
474 /* disable 8->7 bit strip, start/stop, enable any char to restart */
475 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
476 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
477 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
478 /* disable output post-processing */
479 term.c_oflag &= ~OPOST;
480 /* disable canonical mode, signal chars, echo & extended functions */
481 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
482
483 term.c_cc[VMIN] = 1; /* byte-at-a-time */
484 term.c_cc[VTIME] = 0;
485
486 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
487 zperror(gettext("failed to set user terminal to raw mode"));
488 return (-1);
489 }
490
491 /*
492 * We need to know the value of VEOF so that we can properly process for
493 * client-side ~<EOF>. But we have obliterated VEOF in term,
494 * because VMIN overloads the same array slot in non-canonical mode.
495 * Stupid @&^%!
496 *
497 * So here we construct the "effective" termios from the current
498 * terminal settings, and the corrected VEOF and VEOL settings.
499 */
500 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
501 zperror(gettext("failed to get user terminal settings"));
502 return (-1);
503 }
504 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
505 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
506
507 return (0);
508 }
509
510 /*
511 * Copy terminal window size from our terminal to the pts.
512 */
513 /*ARGSUSED*/
514 static void
sigwinch(int s)515 sigwinch(int s)
516 {
517 struct winsize ws;
518
519 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
520 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
521 }
522
523 static volatile int close_on_sig = -1;
524
525 static void
526 /*ARGSUSED*/
sigcld(int s)527 sigcld(int s)
528 {
529 int status;
530 pid_t pid;
531
532 /*
533 * Peek at the exit status. If this isn't the process we cared
534 * about, then just reap it.
535 */
536 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
537 if (pid == child_pid &&
538 (WIFEXITED(status) || WIFSIGNALED(status))) {
539 dead = 1;
540 if (close_on_sig != -1) {
541 (void) write(close_on_sig, "a", 1);
542 (void) close(close_on_sig);
543 close_on_sig = -1;
544 }
545 } else {
546 (void) waitpid(pid, &status, WNOHANG);
547 }
548 }
549 }
550
551 /*
552 * Some signals (currently, SIGINT) must be forwarded on to the process
553 * group of the child process.
554 */
555 static void
sig_forward(int s)556 sig_forward(int s)
557 {
558 if (child_pid != -1) {
559 (void) sigsend(P_PGID, child_pid, s);
560 }
561 }
562
563 /*
564 * reset terminal settings for global environment
565 */
566 static void
reset_tty()567 reset_tty()
568 {
569 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
570 }
571
572 /*
573 * Convert character to printable representation, for display with locally
574 * echoed command characters (like when we need to display ~^D)
575 */
576 static void
canonify(char c,char * cc)577 canonify(char c, char *cc)
578 {
579 if (isprint(c)) {
580 cc[0] = c;
581 cc[1] = '\0';
582 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
583 cc[0] = '^';
584 cc[1] = c + '@';
585 cc[2] = '\0';
586 } else {
587 cc[0] = '\\';
588 cc[1] = ((c >> 6) & 7) + '0';
589 cc[2] = ((c >> 3) & 7) + '0';
590 cc[3] = (c & 7) + '0';
591 cc[4] = '\0';
592 }
593 }
594
595 /*
596 * process_user_input watches the input stream for the escape sequence for
597 * 'quit' (by default, tilde-period). Because we might be fed just one
598 * keystroke at a time, state associated with the user input (are we at the
599 * beginning of the line? are we locally echoing the next character?) is
600 * maintained by beginning_of_line and local_echo across calls to the routine.
601 * If the write to outfd fails, we'll try to read from infd in an attempt
602 * to prevent deadlock between the two processes.
603 *
604 * This routine returns -1 when the 'quit' escape sequence has been issued,
605 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
606 */
607 static int
process_user_input(int outfd,int infd)608 process_user_input(int outfd, int infd)
609 {
610 static boolean_t beginning_of_line = B_TRUE;
611 static boolean_t local_echo = B_FALSE;
612 char ibuf[ZLOGIN_BUFSIZ];
613 int nbytes;
614 char *buf = ibuf;
615 char c = *buf;
616
617 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
618 if (nbytes == -1 && (errno != EINTR || dead))
619 return (-1);
620
621 if (nbytes == -1) /* The read was interrupted. */
622 return (0);
623
624 /* 0 read means EOF, close the pipe to the child */
625 if (nbytes == 0)
626 return (1);
627
628 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
629 buf++;
630 if (beginning_of_line && !nocmdchar) {
631 beginning_of_line = B_FALSE;
632 if (c == cmdchar) {
633 local_echo = B_TRUE;
634 continue;
635 }
636 } else if (local_echo) {
637 local_echo = B_FALSE;
638 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
639 char cc[CANONIFY_LEN];
640
641 canonify(c, cc);
642 (void) write(STDOUT_FILENO, &cmdchar, 1);
643 (void) write(STDOUT_FILENO, cc, strlen(cc));
644 return (-1);
645 }
646 }
647 retry:
648 if (write(outfd, &c, 1) <= 0) {
649 /*
650 * Since the fd we are writing to is opened with
651 * O_NONBLOCK it is possible to get EAGAIN if the
652 * pipe is full. One way this could happen is if we
653 * are writing a lot of data into the pipe in this loop
654 * and the application on the other end is echoing that
655 * data back out to its stdout. The output pipe can
656 * fill up since we are stuck here in this loop and not
657 * draining the other pipe. We can try to read some of
658 * the data to see if we can drain the pipe so that the
659 * application can continue to make progress. The read
660 * is non-blocking so we won't hang here. We also wait
661 * a bit before retrying since there could be other
662 * reasons why the pipe is full and we don't want to
663 * continuously retry.
664 */
665 if (errno == EAGAIN) {
666 struct timespec rqtp;
667 int ln;
668 char obuf[ZLOGIN_BUFSIZ];
669
670 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
671 (void) write(STDOUT_FILENO, obuf, ln);
672
673 /* sleep for 10 milliseconds */
674 rqtp.tv_sec = 0;
675 rqtp.tv_nsec = MSEC2NSEC(10);
676 (void) nanosleep(&rqtp, NULL);
677 if (!dead)
678 goto retry;
679 }
680
681 return (-1);
682 }
683 beginning_of_line = (c == '\r' || c == '\n' ||
684 c == effective_termios.c_cc[VKILL] ||
685 c == effective_termios.c_cc[VEOL] ||
686 c == effective_termios.c_cc[VSUSP] ||
687 c == effective_termios.c_cc[VINTR]);
688 }
689 return (0);
690 }
691
692 /*
693 * This function prevents deadlock between zlogin and the application in the
694 * zone that it is talking to. This can happen when we read from zlogin's
695 * stdin and write the data down the pipe to the application. If the pipe
696 * is full, we'll block in the write. Because zlogin could be blocked in
697 * the write, it would never read the application's stdout/stderr so the
698 * application can then block on those writes (when the pipe fills up). If the
699 * the application gets blocked this way, it can never get around to reading
700 * its stdin so that zlogin can unblock from its write. Once in this state,
701 * the two processes are deadlocked.
702 *
703 * To prevent this, we want to verify that we can write into the pipe before we
704 * read from our stdin. If the pipe already is pretty full, we bypass the read
705 * for now. We'll circle back here again after the poll() so that we can
706 * try again. When this function is called, we already know there is data
707 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
708 * stdin is EOF, and 0 if everything is ok (even though we might not have
709 * read/written any data into the pipe on this iteration).
710 */
711 static int
process_raw_input(int stdin_fd,int appin_fd)712 process_raw_input(int stdin_fd, int appin_fd)
713 {
714 int cc;
715 struct stat64 sb;
716 char ibuf[ZLOGIN_RDBUFSIZ];
717
718 /* Check how much data is already in the pipe */
719 if (fstat64(appin_fd, &sb) == -1) {
720 perror("stat failed");
721 return (-1);
722 }
723
724 if (dead)
725 return (-1);
726
727 /*
728 * The pipe already has a lot of data in it, don't write any more
729 * right now.
730 */
731 if (sb.st_size >= HI_WATER)
732 return (0);
733
734 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
735 if (cc == -1 && (errno != EINTR || dead))
736 return (-1);
737
738 if (cc == -1) /* The read was interrupted. */
739 return (0);
740
741 /* 0 read means EOF, close the pipe to the child */
742 if (cc == 0)
743 return (1);
744
745 /*
746 * stdin_fd is stdin of the target; so, the thing we'll write the user
747 * data *to*.
748 */
749 if (write(stdin_fd, ibuf, cc) == -1)
750 return (-1);
751
752 return (0);
753 }
754
755 /*
756 * Write the output from the application running in the zone. We can get
757 * a signal during the write (usually it would be SIGCHLD when the application
758 * has exited) so we loop to make sure we have written all of the data we read.
759 */
760 static int
process_output(int in_fd,int out_fd)761 process_output(int in_fd, int out_fd)
762 {
763 int wrote = 0;
764 int cc;
765 char ibuf[ZLOGIN_BUFSIZ];
766
767 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
768 if (cc == -1 && (errno != EINTR || dead))
769 return (-1);
770 if (cc == 0) /* EOF */
771 return (-1);
772 if (cc == -1) /* The read was interrupted. */
773 return (0);
774
775 do {
776 int len;
777
778 len = write(out_fd, ibuf + wrote, cc - wrote);
779 if (len == -1 && errno != EINTR)
780 return (-1);
781 if (len != -1)
782 wrote += len;
783 } while (wrote < cc);
784
785 return (0);
786 }
787
788 /*
789 * This is the main I/O loop, and is shared across all zlogin modes.
790 * Parameters:
791 * stdin_fd: The fd representing 'stdin' for the slave side; input to
792 * the zone will be written here.
793 *
794 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
795 * we're running non-interactive); used in process_raw_input
796 * to ensure we don't fill up the application's stdin pipe.
797 *
798 * stdout_fd: The fd representing 'stdout' for the slave side; output
799 * from the zone will arrive here.
800 *
801 * stderr_fd: The fd representing 'stderr' for the slave side; output
802 * from the zone will arrive here.
803 *
804 * raw_mode: If TRUE, then no processing (for example, for '~.') will
805 * be performed on the input coming from STDIN.
806 *
807 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
808 * mode supplies a stderr).
809 *
810 */
811 static void
doio(int stdin_fd,int appin_fd,int stdout_fd,int stderr_fd,int sig_fd,boolean_t raw_mode)812 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
813 boolean_t raw_mode)
814 {
815 struct pollfd pollfds[4];
816 char ibuf[ZLOGIN_BUFSIZ];
817 int cc, ret;
818
819 /* read from stdout of zone and write to stdout of global zone */
820 pollfds[0].fd = stdout_fd;
821 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
822
823 /* read from stderr of zone and write to stderr of global zone */
824 pollfds[1].fd = stderr_fd;
825 pollfds[1].events = pollfds[0].events;
826
827 /* read from stdin of global zone and write to stdin of zone */
828 pollfds[2].fd = STDIN_FILENO;
829 pollfds[2].events = pollfds[0].events;
830
831 /* read from signalling pipe so we know when child dies */
832 pollfds[3].fd = sig_fd;
833 pollfds[3].events = pollfds[0].events;
834
835 for (;;) {
836 pollfds[0].revents = pollfds[1].revents =
837 pollfds[2].revents = pollfds[3].revents = 0;
838
839 if (dead)
840 break;
841
842 /*
843 * There is a race condition here where we can receive the
844 * child death signal, set the dead flag, but since we have
845 * passed the test above, we would go into poll and hang.
846 * To avoid this we use the sig_fd as an additional poll fd.
847 * The signal handler writes into the other end of this pipe
848 * when the child dies so that the poll will always see that
849 * input and proceed. We just loop around at that point and
850 * then notice the dead flag.
851 */
852
853 ret = poll(pollfds,
854 sizeof (pollfds) / sizeof (struct pollfd), -1);
855
856 if (ret == -1 && errno != EINTR) {
857 perror("poll failed");
858 break;
859 }
860
861 if (errno == EINTR && dead) {
862 break;
863 }
864
865 /* event from master side stdout */
866 if (pollfds[0].revents) {
867 if (pollfds[0].revents &
868 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
869 if (process_output(stdout_fd, STDOUT_FILENO)
870 != 0)
871 break;
872 } else {
873 pollerr = pollfds[0].revents;
874 break;
875 }
876 }
877
878 /* event from master side stderr */
879 if (pollfds[1].revents) {
880 if (pollfds[1].revents &
881 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
882 if (process_output(stderr_fd, STDERR_FILENO)
883 != 0)
884 break;
885 } else {
886 pollerr = pollfds[1].revents;
887 break;
888 }
889 }
890
891 /* event from user STDIN side */
892 if (pollfds[2].revents) {
893 if (pollfds[2].revents &
894 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
895 /*
896 * stdin fd is stdin of the target; so,
897 * the thing we'll write the user data *to*.
898 *
899 * Also, unlike on the output side, we
900 * close the pipe on a zero-length message.
901 */
902 int res;
903
904 if (raw_mode)
905 res = process_raw_input(stdin_fd,
906 appin_fd);
907 else
908 res = process_user_input(stdin_fd,
909 stdout_fd);
910
911 if (res < 0)
912 break;
913 if (res > 0) {
914 /* EOF (close) child's stdin_fd */
915 pollfds[2].fd = -1;
916 while ((res = close(stdin_fd)) != 0 &&
917 errno == EINTR)
918 ;
919 if (res != 0)
920 break;
921 }
922
923 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
924 /*
925 * It's OK to get a POLLHUP on STDIN-- it
926 * always happens if you do:
927 *
928 * echo foo | zlogin <zone> <command>
929 *
930 * We reset fd to -1 in this case to clear
931 * the condition and close the pipe (EOF) to
932 * the other side in order to wrap things up.
933 */
934 int res;
935
936 pollfds[2].fd = -1;
937 while ((res = close(stdin_fd)) != 0 &&
938 errno == EINTR)
939 ;
940 if (res != 0)
941 break;
942 } else {
943 pollerr = pollfds[2].revents;
944 break;
945 }
946 }
947 }
948
949 /*
950 * We are in the midst of dying, but try to poll with a short
951 * timeout to see if we can catch the last bit of I/O from the
952 * children.
953 */
954 retry:
955 pollfds[0].revents = pollfds[1].revents = 0;
956 (void) poll(pollfds, 2, 100);
957 if (pollfds[0].revents &
958 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
959 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
960 (void) write(STDOUT_FILENO, ibuf, cc);
961 goto retry;
962 }
963 }
964 if (pollfds[1].revents &
965 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
966 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
967 (void) write(STDERR_FILENO, ibuf, cc);
968 goto retry;
969 }
970 }
971 }
972
973 /*
974 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
975 */
976 static const char *
zone_get_user_cmd(brand_handle_t bh,const char * login,char * user_cmd,size_t len)977 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
978 size_t len)
979 {
980 bzero(user_cmd, sizeof (user_cmd));
981 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
982 return (NULL);
983
984 return (user_cmd);
985 }
986
987 /* From libc */
988 extern int str2passwd(const char *, int, void *, char *, int);
989
990 /*
991 * exec() the user_cmd brand hook, and convert the output string to a
992 * struct passwd. This is to be called after zone_enter().
993 *
994 */
995 static struct passwd *
zone_get_user_pw(const char * user_cmd,struct passwd * pwent,char * pwbuf,int pwbuflen)996 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
997 int pwbuflen)
998 {
999 char pwline[NSS_BUFLEN_PASSWD];
1000 char *cin = NULL;
1001 FILE *fin;
1002 int status;
1003
1004 assert(getzoneid() != GLOBAL_ZONEID);
1005
1006 if ((fin = popen(user_cmd, "r")) == NULL)
1007 return (NULL);
1008
1009 while (cin == NULL && !feof(fin))
1010 cin = fgets(pwline, sizeof (pwline), fin);
1011
1012 if (cin == NULL) {
1013 (void) pclose(fin);
1014 return (NULL);
1015 }
1016
1017 status = pclose(fin);
1018 if (!WIFEXITED(status))
1019 return (NULL);
1020 if (WEXITSTATUS(status) != 0)
1021 return (NULL);
1022
1023 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1024 return (pwent);
1025 else
1026 return (NULL);
1027 }
1028
1029 static char **
zone_login_cmd(brand_handle_t bh,const char * login)1030 zone_login_cmd(brand_handle_t bh, const char *login)
1031 {
1032 static char result_buf[ARG_MAX];
1033 char **new_argv, *ptr, *lasts;
1034 int n, a;
1035
1036 /* Get the login command for the target zone. */
1037 bzero(result_buf, sizeof (result_buf));
1038
1039 if (forced_login) {
1040 if (brand_get_forcedlogin_cmd(bh, login,
1041 result_buf, sizeof (result_buf)) != 0)
1042 return (NULL);
1043 } else {
1044 if (brand_get_login_cmd(bh, login,
1045 result_buf, sizeof (result_buf)) != 0)
1046 return (NULL);
1047 }
1048
1049 /*
1050 * We got back a string that we'd like to execute. But since
1051 * we're not doing the execution via a shell we'll need to convert
1052 * the exec string to an array of strings. We'll do that here
1053 * but we're going to be very simplistic about it and break stuff
1054 * up based on spaces. We're not even going to support any kind
1055 * of quoting or escape characters. It's truly amazing that
1056 * there is no library function in OpenSolaris to do this for us.
1057 */
1058
1059 /*
1060 * Be paranoid. Since we're deliniating based on spaces make
1061 * sure there are no adjacent spaces.
1062 */
1063 if (strstr(result_buf, " ") != NULL)
1064 return (NULL);
1065
1066 /* Remove any trailing whitespace. */
1067 n = strlen(result_buf);
1068 if (result_buf[n - 1] == ' ')
1069 result_buf[n - 1] = '\0';
1070
1071 /* Count how many elements there are in the exec string. */
1072 ptr = result_buf;
1073 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1074 ;
1075
1076 /* Allocate the argv array that we're going to return. */
1077 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1078 return (NULL);
1079
1080 /* Tokenize the exec string and return. */
1081 a = 0;
1082 new_argv[a++] = result_buf;
1083 if (n > 2) {
1084 (void) strtok_r(result_buf, " ", &lasts);
1085 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1086 ;
1087 } else {
1088 new_argv[a++] = NULL;
1089 }
1090 assert(n == a);
1091 return (new_argv);
1092 }
1093
1094 /*
1095 * Prepare argv array for exec'd process; if we're passing commands to the
1096 * new process, then use su(1M) to do the invocation. Otherwise, use
1097 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1098 * login that we're coming from another zone, and to disregard its CONSOLE
1099 * checks).
1100 */
1101 static char **
prep_args(brand_handle_t bh,const char * login,char ** argv)1102 prep_args(brand_handle_t bh, const char *login, char **argv)
1103 {
1104 int argc = 0, a = 0, i, n = -1;
1105 char **new_argv;
1106
1107 if (argv != NULL) {
1108 size_t subshell_len = 1;
1109 char *subshell;
1110
1111 while (argv[argc] != NULL)
1112 argc++;
1113
1114 for (i = 0; i < argc; i++) {
1115 subshell_len += strlen(argv[i]) + 1;
1116 }
1117 if ((subshell = calloc(1, subshell_len)) == NULL)
1118 return (NULL);
1119
1120 for (i = 0; i < argc; i++) {
1121 (void) strcat(subshell, argv[i]);
1122 (void) strcat(subshell, " ");
1123 }
1124
1125 if (failsafe) {
1126 n = 4;
1127 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1128 return (NULL);
1129
1130 new_argv[a++] = FAILSAFESHELL;
1131 } else {
1132 n = 5;
1133 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1134 return (NULL);
1135
1136 new_argv[a++] = SUPATH;
1137 if (strcmp(login, "root") != 0) {
1138 new_argv[a++] = "-";
1139 n++;
1140 }
1141 new_argv[a++] = (char *)login;
1142 }
1143 new_argv[a++] = "-c";
1144 new_argv[a++] = subshell;
1145 new_argv[a++] = NULL;
1146 assert(a == n);
1147 } else {
1148 if (failsafe) {
1149 n = 2;
1150 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1151 return (NULL);
1152 new_argv[a++] = FAILSAFESHELL;
1153 new_argv[a++] = NULL;
1154 assert(n == a);
1155 } else {
1156 new_argv = zone_login_cmd(bh, login);
1157 }
1158 }
1159
1160 return (new_argv);
1161 }
1162
1163 /*
1164 * Helper routine for prep_env below.
1165 */
1166 static char *
add_env(char * name,char * value)1167 add_env(char *name, char *value)
1168 {
1169 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1170 char *str;
1171
1172 if ((str = malloc(sz)) == NULL)
1173 return (NULL);
1174
1175 (void) snprintf(str, sz, "%s=%s", name, value);
1176 return (str);
1177 }
1178
1179 /*
1180 * Prepare envp array for exec'd process.
1181 */
1182 static char **
prep_env()1183 prep_env()
1184 {
1185 int e = 0, size = 1;
1186 char **new_env, *estr;
1187 char *term = getenv("TERM");
1188
1189 size++; /* for $PATH */
1190 if (term != NULL)
1191 size++;
1192
1193 /*
1194 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1195 * We also set $SHELL, since neither login nor su will be around to do
1196 * it.
1197 */
1198 if (failsafe)
1199 size += 2;
1200
1201 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1202 return (NULL);
1203
1204 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1205 return (NULL);
1206 new_env[e++] = estr;
1207
1208 if (term != NULL) {
1209 if ((estr = add_env("TERM", term)) == NULL)
1210 return (NULL);
1211 new_env[e++] = estr;
1212 }
1213
1214 if (failsafe) {
1215 if ((estr = add_env("HOME", "/")) == NULL)
1216 return (NULL);
1217 new_env[e++] = estr;
1218
1219 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1220 return (NULL);
1221 new_env[e++] = estr;
1222 }
1223
1224 new_env[e++] = NULL;
1225
1226 assert(e == size);
1227
1228 return (new_env);
1229 }
1230
1231 /*
1232 * Finish the preparation of the envp array for exec'd non-interactive
1233 * zlogins. This is called in the child process *after* we zone_enter(), since
1234 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1235 * etc. We need only do this in the non-interactive, mode, since otherwise
1236 * login(1) will do it. We don't do this in failsafe mode, since it presents
1237 * additional ways in which the command could fail, and we'd prefer to avoid
1238 * that.
1239 */
1240 static char **
prep_env_noninteractive(const char * user_cmd,char ** env)1241 prep_env_noninteractive(const char *user_cmd, char **env)
1242 {
1243 size_t size;
1244 char **new_env;
1245 int e, i;
1246 char *estr;
1247 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1248 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1249 struct passwd pwent;
1250 struct passwd *pw = NULL;
1251
1252 assert(env != NULL);
1253 assert(failsafe == 0);
1254
1255 /*
1256 * Exec the "user_cmd" brand hook to get a pwent for the
1257 * login user. If this fails, HOME will be set to "/", SHELL
1258 * will be set to $DEFAULTSHELL, and we will continue to exec
1259 * SUPATH <login> -c <cmd>.
1260 */
1261 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1262
1263 /*
1264 * Get existing envp size.
1265 */
1266 for (size = 0; env[size] != NULL; size++)
1267 ;
1268
1269 e = size;
1270
1271 /*
1272 * Finish filling out the environment; we duplicate the environment
1273 * setup described in login(1), for lack of a better precedent.
1274 */
1275 if (pw != NULL)
1276 size += 3; /* LOGNAME, HOME, MAIL */
1277 else
1278 size += 1; /* HOME */
1279
1280 size++; /* always fill in SHELL */
1281 size++; /* terminating NULL */
1282
1283 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1284 goto malloc_fail;
1285
1286 /*
1287 * Copy existing elements of env into new_env.
1288 */
1289 for (i = 0; env[i] != NULL; i++) {
1290 if ((new_env[i] = strdup(env[i])) == NULL)
1291 goto malloc_fail;
1292 }
1293 assert(e == i);
1294
1295 if (pw != NULL) {
1296 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1297 goto malloc_fail;
1298 new_env[e++] = estr;
1299
1300 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1301 goto malloc_fail;
1302 new_env[e++] = estr;
1303
1304 if (chdir(pw->pw_dir) != 0)
1305 zerror(gettext("Could not chdir to home directory "
1306 "%s: %s"), pw->pw_dir, strerror(errno));
1307
1308 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1309 pw->pw_name);
1310 if ((estr = add_env("MAIL", varmail)) == NULL)
1311 goto malloc_fail;
1312 new_env[e++] = estr;
1313 } else {
1314 if ((estr = add_env("HOME", "/")) == NULL)
1315 goto malloc_fail;
1316 new_env[e++] = estr;
1317 }
1318
1319 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1320 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1321 goto malloc_fail;
1322 new_env[e++] = estr;
1323 } else {
1324 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1325 goto malloc_fail;
1326 new_env[e++] = estr;
1327 }
1328
1329 new_env[e++] = NULL; /* add terminating NULL */
1330
1331 assert(e == size);
1332 return (new_env);
1333
1334 malloc_fail:
1335 zperror(gettext("failed to allocate memory for process environment"));
1336 return (NULL);
1337 }
1338
1339 static int
close_func(void * slavefd,int fd)1340 close_func(void *slavefd, int fd)
1341 {
1342 if (fd != *(int *)slavefd)
1343 (void) close(fd);
1344 return (0);
1345 }
1346
1347 static void
set_cmdchar(char * cmdcharstr)1348 set_cmdchar(char *cmdcharstr)
1349 {
1350 char c;
1351 long lc;
1352
1353 if ((c = *cmdcharstr) != '\\') {
1354 cmdchar = c;
1355 return;
1356 }
1357
1358 c = cmdcharstr[1];
1359 if (c == '\0' || c == '\\') {
1360 cmdchar = '\\';
1361 return;
1362 }
1363
1364 if (c < '0' || c > '7') {
1365 zerror(gettext("Unrecognized escape character option %s"),
1366 cmdcharstr);
1367 usage();
1368 }
1369
1370 lc = strtol(cmdcharstr + 1, NULL, 8);
1371 if (lc < 0 || lc > 255) {
1372 zerror(gettext("Octal escape character '%s' too large"),
1373 cmdcharstr);
1374 usage();
1375 }
1376 cmdchar = (char)lc;
1377 }
1378
1379 static int
setup_utmpx(char * slavename)1380 setup_utmpx(char *slavename)
1381 {
1382 struct utmpx ut;
1383
1384 bzero(&ut, sizeof (ut));
1385 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1386 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1387 ut.ut_pid = getpid();
1388 ut.ut_id[0] = 'z';
1389 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1390 ut.ut_type = LOGIN_PROCESS;
1391 (void) time(&ut.ut_tv.tv_sec);
1392
1393 if (makeutx(&ut) == NULL) {
1394 zerror(gettext("makeutx failed"));
1395 return (-1);
1396 }
1397 return (0);
1398 }
1399
1400 static void
release_lock_file(int lockfd)1401 release_lock_file(int lockfd)
1402 {
1403 (void) close(lockfd);
1404 }
1405
1406 static int
grab_lock_file(const char * zone_name,int * lockfd)1407 grab_lock_file(const char *zone_name, int *lockfd)
1408 {
1409 char pathbuf[PATH_MAX];
1410 struct flock flock;
1411
1412 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1413 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1414 strerror(errno));
1415 return (-1);
1416 }
1417 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1418 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1419 ZONES_TMPDIR, zone_name);
1420
1421 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1422 zerror(gettext("could not open %s: %s"), pathbuf,
1423 strerror(errno));
1424 return (-1);
1425 }
1426 /*
1427 * Lock the file to synchronize with other zoneadmds
1428 */
1429 flock.l_type = F_WRLCK;
1430 flock.l_whence = SEEK_SET;
1431 flock.l_start = (off_t)0;
1432 flock.l_len = (off_t)0;
1433 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1434 zerror(gettext("unable to lock %s: %s"), pathbuf,
1435 strerror(errno));
1436 release_lock_file(*lockfd);
1437 return (-1);
1438 }
1439 return (Z_OK);
1440 }
1441
1442 static int
start_zoneadmd(const char * zone_name)1443 start_zoneadmd(const char *zone_name)
1444 {
1445 pid_t retval;
1446 int pstatus = 0, error = -1, lockfd, doorfd;
1447 struct door_info info;
1448 char doorpath[MAXPATHLEN];
1449
1450 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1451
1452 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1453 return (-1);
1454 /*
1455 * We must do the door check with the lock held. Otherwise, we
1456 * might race against another zoneadm/zlogin process and wind
1457 * up with two processes trying to start zoneadmd at the same
1458 * time. zoneadmd will detect this, and fail, but we prefer this
1459 * to be as seamless as is practical, from a user perspective.
1460 */
1461 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1462 if (errno != ENOENT) {
1463 zerror("failed to open %s: %s", doorpath,
1464 strerror(errno));
1465 goto out;
1466 }
1467 } else {
1468 /*
1469 * Seems to be working ok.
1470 */
1471 if (door_info(doorfd, &info) == 0 &&
1472 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1473 error = 0;
1474 goto out;
1475 }
1476 }
1477
1478 if ((child_pid = fork()) == -1) {
1479 zperror(gettext("could not fork"));
1480 goto out;
1481 } else if (child_pid == 0) {
1482 /* child process */
1483 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1484 zone_name, NULL);
1485 zperror(gettext("could not exec zoneadmd"));
1486 _exit(1);
1487 }
1488
1489 /* parent process */
1490 do {
1491 retval = waitpid(child_pid, &pstatus, 0);
1492 } while (retval != child_pid);
1493 if (WIFSIGNALED(pstatus) ||
1494 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1495 zerror(gettext("could not start %s"), "zoneadmd");
1496 goto out;
1497 }
1498 error = 0;
1499 out:
1500 release_lock_file(lockfd);
1501 (void) close(doorfd);
1502 return (error);
1503 }
1504
1505 static int
init_template(void)1506 init_template(void)
1507 {
1508 int fd;
1509 int err = 0;
1510
1511 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1512 if (fd == -1)
1513 return (-1);
1514
1515 /*
1516 * zlogin doesn't do anything with the contract.
1517 * Deliver no events, don't inherit, and allow it to be orphaned.
1518 */
1519 err |= ct_tmpl_set_critical(fd, 0);
1520 err |= ct_tmpl_set_informative(fd, 0);
1521 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1522 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1523 if (err || ct_tmpl_activate(fd)) {
1524 (void) close(fd);
1525 return (-1);
1526 }
1527
1528 return (fd);
1529 }
1530
1531 static int
noninteractive_login(char * zonename,const char * user_cmd,zoneid_t zoneid,char ** new_args,char ** new_env)1532 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1533 char **new_args, char **new_env)
1534 {
1535 pid_t retval;
1536 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1537 int child_status;
1538 int tmpl_fd;
1539 sigset_t block_cld;
1540
1541 if ((tmpl_fd = init_template()) == -1) {
1542 reset_tty();
1543 zperror(gettext("could not create contract"));
1544 return (1);
1545 }
1546
1547 if (pipe(stdin_pipe) != 0) {
1548 zperror(gettext("could not create STDIN pipe"));
1549 return (1);
1550 }
1551 /*
1552 * When the user types ^D, we get a zero length message on STDIN.
1553 * We need to echo that down the pipe to send it to the other side;
1554 * but by default, pipes don't propagate zero-length messages. We
1555 * toggle that behavior off using I_SWROPT. See streamio(7i).
1556 */
1557 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1558 zperror(gettext("could not configure STDIN pipe"));
1559 return (1);
1560
1561 }
1562 if (pipe(stdout_pipe) != 0) {
1563 zperror(gettext("could not create STDOUT pipe"));
1564 return (1);
1565 }
1566 if (pipe(stderr_pipe) != 0) {
1567 zperror(gettext("could not create STDERR pipe"));
1568 return (1);
1569 }
1570
1571 if (pipe(dead_child_pipe) != 0) {
1572 zperror(gettext("could not create signalling pipe"));
1573 return (1);
1574 }
1575 close_on_sig = dead_child_pipe[0];
1576
1577 /*
1578 * If any of the pipe FD's winds up being less than STDERR, then we
1579 * have a mess on our hands-- and we are lacking some of the I/O
1580 * streams we would expect anyway. So we bail.
1581 */
1582 if (stdin_pipe[0] <= STDERR_FILENO ||
1583 stdin_pipe[1] <= STDERR_FILENO ||
1584 stdout_pipe[0] <= STDERR_FILENO ||
1585 stdout_pipe[1] <= STDERR_FILENO ||
1586 stderr_pipe[0] <= STDERR_FILENO ||
1587 stderr_pipe[1] <= STDERR_FILENO ||
1588 dead_child_pipe[0] <= STDERR_FILENO ||
1589 dead_child_pipe[1] <= STDERR_FILENO) {
1590 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1591 return (1);
1592 }
1593
1594 if (prefork_dropprivs() != 0) {
1595 zperror(gettext("could not allocate privilege set"));
1596 return (1);
1597 }
1598
1599 (void) sigset(SIGCLD, sigcld);
1600 (void) sigemptyset(&block_cld);
1601 (void) sigaddset(&block_cld, SIGCLD);
1602 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1603
1604 if ((child_pid = fork()) == -1) {
1605 (void) ct_tmpl_clear(tmpl_fd);
1606 (void) close(tmpl_fd);
1607 zperror(gettext("could not fork"));
1608 return (1);
1609 } else if (child_pid == 0) { /* child process */
1610 (void) ct_tmpl_clear(tmpl_fd);
1611
1612 /*
1613 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1614 */
1615 (void) close(STDIN_FILENO);
1616 (void) close(STDOUT_FILENO);
1617 (void) close(STDERR_FILENO);
1618 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1619 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1620 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1621 (void) closefrom(STDERR_FILENO + 1);
1622
1623 (void) sigset(SIGCLD, SIG_DFL);
1624 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1625 /*
1626 * In case any of stdin, stdout or stderr are streams,
1627 * anchor them to prevent malicious I_POPs.
1628 */
1629 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1630 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1631 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1632
1633 if (zone_enter(zoneid) == -1) {
1634 zerror(gettext("could not enter zone %s: %s"),
1635 zonename, strerror(errno));
1636 _exit(1);
1637 }
1638
1639 /*
1640 * For non-native zones, tell libc where it can find locale
1641 * specific getttext() messages.
1642 */
1643 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1644 (void) bindtextdomain(TEXT_DOMAIN,
1645 "/.SUNWnative/usr/lib/locale");
1646 else if (access("/native/usr/lib/locale", R_OK) == 0)
1647 (void) bindtextdomain(TEXT_DOMAIN,
1648 "/native/usr/lib/locale");
1649
1650 if (!failsafe)
1651 new_env = prep_env_noninteractive(user_cmd, new_env);
1652
1653 if (new_env == NULL) {
1654 _exit(1);
1655 }
1656
1657 /*
1658 * Move into a new process group; the zone_enter will have
1659 * placed us into zsched's session, and we want to be in
1660 * a unique process group.
1661 */
1662 (void) setpgid(getpid(), getpid());
1663
1664 /*
1665 * The child needs to run as root to
1666 * execute the su program.
1667 */
1668 if (setuid(0) == -1) {
1669 zperror(gettext("insufficient privilege"));
1670 return (1);
1671 }
1672
1673 (void) execve(new_args[0], new_args, new_env);
1674 zperror(gettext("exec failure"));
1675 _exit(1);
1676 }
1677 /* parent */
1678
1679 /* close pipe sides written by child */
1680 (void) close(stdout_pipe[1]);
1681 (void) close(stderr_pipe[1]);
1682
1683 (void) sigset(SIGINT, sig_forward);
1684
1685 postfork_dropprivs();
1686
1687 (void) ct_tmpl_clear(tmpl_fd);
1688 (void) close(tmpl_fd);
1689
1690 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1691 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1692 dead_child_pipe[1], B_TRUE);
1693 do {
1694 retval = waitpid(child_pid, &child_status, 0);
1695 if (retval == -1) {
1696 child_status = 0;
1697 }
1698 } while (retval != child_pid && errno != ECHILD);
1699
1700 return (WEXITSTATUS(child_status));
1701 }
1702
1703 static char *
get_username()1704 get_username()
1705 {
1706 uid_t uid;
1707 struct passwd *nptr;
1708
1709 /*
1710 * Authorizations are checked to restrict access based on the
1711 * requested operation and zone name, It is assumed that the
1712 * program is running with all privileges, but that the real
1713 * user ID is that of the user or role on whose behalf we are
1714 * operating. So we start by getting the username that will be
1715 * used for subsequent authorization checks.
1716 */
1717
1718 uid = getuid();
1719 if ((nptr = getpwuid(uid)) == NULL) {
1720 zerror(gettext("could not get user name."));
1721 _exit(1);
1722 }
1723 return (nptr->pw_name);
1724 }
1725
1726 int
main(int argc,char ** argv)1727 main(int argc, char **argv)
1728 {
1729 int arg, console = 0;
1730 zoneid_t zoneid;
1731 zone_state_t st;
1732 char *login = "root";
1733 int lflag = 0;
1734 int nflag = 0;
1735 char *zonename = NULL;
1736 char **proc_args = NULL;
1737 char **new_args, **new_env;
1738 sigset_t block_cld;
1739 char devroot[MAXPATHLEN];
1740 char *slavename, slaveshortname[MAXPATHLEN];
1741 priv_set_t *privset;
1742 int tmpl_fd;
1743 char zonebrand[MAXNAMELEN];
1744 char default_brand[MAXNAMELEN];
1745 struct stat sb;
1746 char kernzone[ZONENAME_MAX];
1747 brand_handle_t bh;
1748 char user_cmd[MAXPATHLEN];
1749 char authname[MAXAUTHS];
1750
1751 (void) setlocale(LC_ALL, "");
1752 (void) textdomain(TEXT_DOMAIN);
1753
1754 (void) getpname(argv[0]);
1755 username = get_username();
1756
1757 while ((arg = getopt(argc, argv, "dnECR:Se:l:Q")) != EOF) {
1758 switch (arg) {
1759 case 'C':
1760 console = 1;
1761 break;
1762 case 'E':
1763 nocmdchar = 1;
1764 break;
1765 case 'R': /* undocumented */
1766 if (*optarg != '/') {
1767 zerror(gettext("root path must be absolute."));
1768 exit(2);
1769 }
1770 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1771 zerror(
1772 gettext("root path must be a directory."));
1773 exit(2);
1774 }
1775 zonecfg_set_root(optarg);
1776 break;
1777 case 'Q':
1778 quiet = 1;
1779 break;
1780 case 'S':
1781 failsafe = 1;
1782 break;
1783 case 'd':
1784 disconnect = 1;
1785 break;
1786 case 'e':
1787 set_cmdchar(optarg);
1788 break;
1789 case 'l':
1790 login = optarg;
1791 lflag = 1;
1792 break;
1793 case 'n':
1794 nflag = 1;
1795 break;
1796 default:
1797 usage();
1798 }
1799 }
1800
1801 if (console != 0) {
1802
1803 if (lflag != 0) {
1804 zerror(gettext(
1805 "-l may not be specified for console login"));
1806 usage();
1807 }
1808
1809 if (nflag != 0) {
1810 zerror(gettext(
1811 "-n may not be specified for console login"));
1812 usage();
1813 }
1814
1815 if (failsafe != 0) {
1816 zerror(gettext(
1817 "-S may not be specified for console login"));
1818 usage();
1819 }
1820
1821 if (zonecfg_in_alt_root()) {
1822 zerror(gettext(
1823 "-R may not be specified for console login"));
1824 exit(2);
1825 }
1826
1827 }
1828
1829 if (failsafe != 0 && lflag != 0) {
1830 zerror(gettext("-l may not be specified for failsafe login"));
1831 usage();
1832 }
1833
1834 if (!console && disconnect != 0) {
1835 zerror(gettext(
1836 "-d may only be specified with console login"));
1837 usage();
1838 }
1839
1840 if (optind == (argc - 1)) {
1841 /*
1842 * zone name, no process name; this should be an interactive
1843 * as long as STDIN is really a tty.
1844 */
1845 if (nflag != 0) {
1846 zerror(gettext(
1847 "-n may not be specified for interactive login"));
1848 usage();
1849 }
1850 if (isatty(STDIN_FILENO))
1851 interactive = 1;
1852 zonename = argv[optind];
1853 } else if (optind < (argc - 1)) {
1854 if (console) {
1855 zerror(gettext("Commands may not be specified for "
1856 "console login."));
1857 usage();
1858 }
1859 /* zone name and process name, and possibly some args */
1860 zonename = argv[optind];
1861 proc_args = &argv[optind + 1];
1862 interactive = 0;
1863 } else {
1864 usage();
1865 }
1866
1867 if (getzoneid() != GLOBAL_ZONEID) {
1868 zerror(gettext("'%s' may only be used from the global zone"),
1869 pname);
1870 return (1);
1871 }
1872
1873 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1874 zerror(gettext("'%s' not applicable to the global zone"),
1875 pname);
1876 return (1);
1877 }
1878
1879 if (zone_get_state(zonename, &st) != Z_OK) {
1880 zerror(gettext("zone '%s' unknown"), zonename);
1881 return (1);
1882 }
1883
1884 if (st < ZONE_STATE_INSTALLED) {
1885 zerror(gettext("cannot login to a zone which is '%s'"),
1886 zone_state_str(st));
1887 return (1);
1888 }
1889
1890 /*
1891 * In both console and non-console cases, we require all privs.
1892 * In the console case, because we may need to startup zoneadmd.
1893 * In the non-console case in order to do zone_enter(2), zonept()
1894 * and other tasks.
1895 */
1896
1897 if ((privset = priv_allocset()) == NULL) {
1898 zperror(gettext("priv_allocset failed"));
1899 return (1);
1900 }
1901
1902 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1903 zperror(gettext("getppriv failed"));
1904 priv_freeset(privset);
1905 return (1);
1906 }
1907
1908 if (priv_isfullset(privset) == B_FALSE) {
1909 zerror(gettext("You lack sufficient privilege to run "
1910 "this command (all privs required)"));
1911 priv_freeset(privset);
1912 return (1);
1913 }
1914 priv_freeset(privset);
1915
1916 /*
1917 * Check if user is authorized for requested usage of the zone
1918 */
1919
1920 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1921 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1922 if (chkauthattr(authname, username) == 0) {
1923 if (console) {
1924 zerror(gettext("%s is not authorized for console "
1925 "access to %s zone."),
1926 username, zonename);
1927 return (1);
1928 } else {
1929 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1930 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1931 if (failsafe || !interactive) {
1932 zerror(gettext("%s is not authorized for "
1933 "failsafe or non-interactive login "
1934 "to %s zone."), username, zonename);
1935 return (1);
1936 } else if (chkauthattr(authname, username) == 0) {
1937 zerror(gettext("%s is not authorized "
1938 " to login to %s zone."),
1939 username, zonename);
1940 return (1);
1941 }
1942 }
1943 } else {
1944 forced_login = B_TRUE;
1945 }
1946
1947 /*
1948 * The console is a separate case from the rest of the code; handle
1949 * it first.
1950 */
1951 if (console) {
1952 /*
1953 * Ensure that zoneadmd for this zone is running.
1954 */
1955 if (start_zoneadmd(zonename) == -1)
1956 return (1);
1957
1958 /*
1959 * Make contact with zoneadmd.
1960 */
1961 if (get_console_master(zonename) == -1)
1962 return (1);
1963
1964 if (!quiet)
1965 (void) printf(
1966 gettext("[Connected to zone '%s' console]\n"),
1967 zonename);
1968
1969 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1970 reset_tty();
1971 zperror(gettext("failed to set stdin pty to raw mode"));
1972 return (1);
1973 }
1974
1975 (void) sigset(SIGWINCH, sigwinch);
1976 (void) sigwinch(0);
1977
1978 /*
1979 * Run the I/O loop until we get disconnected.
1980 */
1981 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1982 reset_tty();
1983 if (!quiet)
1984 (void) printf(
1985 gettext("\n[Connection to zone '%s' console "
1986 "closed]\n"), zonename);
1987
1988 return (0);
1989 }
1990
1991 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1992 zerror(gettext("login allowed only to running zones "
1993 "(%s is '%s')."), zonename, zone_state_str(st));
1994 return (1);
1995 }
1996
1997 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1998 if (zonecfg_in_alt_root()) {
1999 FILE *fp = zonecfg_open_scratch("", B_FALSE);
2000
2001 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
2002 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
2003 zerror(gettext("cannot find scratch zone %s"),
2004 zonename);
2005 if (fp != NULL)
2006 zonecfg_close_scratch(fp);
2007 return (1);
2008 }
2009 zonecfg_close_scratch(fp);
2010 }
2011
2012 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
2013 zerror(gettext("failed to get zoneid for zone '%s'"),
2014 zonename);
2015 return (1);
2016 }
2017
2018 /*
2019 * We need the zone root path only if we are setting up a pty.
2020 */
2021 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
2022 zerror(gettext("could not get dev path for zone %s"),
2023 zonename);
2024 return (1);
2025 }
2026
2027 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
2028 zerror(gettext("could not get brand for zone %s"), zonename);
2029 return (1);
2030 }
2031 /*
2032 * In the alternate root environment, the only supported
2033 * operations are mount and unmount. In this case, just treat
2034 * the zone as native if it is cluster. Cluster zones can be
2035 * native for the purpose of LU or upgrade, and the cluster
2036 * brand may not exist in the miniroot (such as in net install
2037 * upgrade).
2038 */
2039 if (zonecfg_default_brand(default_brand,
2040 sizeof (default_brand)) != Z_OK) {
2041 zerror(gettext("unable to determine default brand"));
2042 return (1);
2043 }
2044 if (zonecfg_in_alt_root() &&
2045 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2046 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2047 }
2048
2049 if ((bh = brand_open(zonebrand)) == NULL) {
2050 zerror(gettext("could not open brand for zone %s"), zonename);
2051 return (1);
2052 }
2053
2054 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2055 zperror(gettext("could not assemble new arguments"));
2056 brand_close(bh);
2057 return (1);
2058 }
2059 /*
2060 * Get the brand specific user_cmd. This command is used to get
2061 * a passwd(4) entry for login.
2062 */
2063 if (!interactive && !failsafe) {
2064 if (zone_get_user_cmd(bh, login, user_cmd,
2065 sizeof (user_cmd)) == NULL) {
2066 zerror(gettext("could not get user_cmd for zone %s"),
2067 zonename);
2068 brand_close(bh);
2069 return (1);
2070 }
2071 }
2072 brand_close(bh);
2073
2074 if ((new_env = prep_env()) == NULL) {
2075 zperror(gettext("could not assemble new environment"));
2076 return (1);
2077 }
2078
2079 if (!interactive) {
2080 if (nflag) {
2081 int nfd;
2082
2083 if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2084 zperror(gettext("failed to open null device"));
2085 return (1);
2086 }
2087 if (nfd != STDIN_FILENO) {
2088 if (dup2(nfd, STDIN_FILENO) < 0) {
2089 zperror(gettext(
2090 "failed to dup2 null device"));
2091 return (1);
2092 }
2093 (void) close(nfd);
2094 }
2095 /* /dev/null is now standard input */
2096 }
2097 return (noninteractive_login(zonename, user_cmd, zoneid,
2098 new_args, new_env));
2099 }
2100
2101 if (zonecfg_in_alt_root()) {
2102 zerror(gettext("cannot use interactive login with scratch "
2103 "zone"));
2104 return (1);
2105 }
2106
2107 /*
2108 * Things are more complex in interactive mode; we get the
2109 * master side of the pty, then place the user's terminal into
2110 * raw mode.
2111 */
2112 if (get_master_pty() == -1) {
2113 zerror(gettext("could not setup master pty device"));
2114 return (1);
2115 }
2116
2117 /*
2118 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2119 */
2120 if ((slavename = ptsname(masterfd)) == NULL) {
2121 zperror(gettext("failed to get name for pseudo-tty"));
2122 return (1);
2123 }
2124 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2125 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2126 sizeof (slaveshortname));
2127 else
2128 (void) strlcpy(slaveshortname, slavename,
2129 sizeof (slaveshortname));
2130
2131 if (!quiet)
2132 (void) printf(gettext("[Connected to zone '%s' %s]\n"),
2133 zonename, slaveshortname);
2134
2135 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2136 reset_tty();
2137 zperror(gettext("failed to set stdin pty to raw mode"));
2138 return (1);
2139 }
2140
2141 if (prefork_dropprivs() != 0) {
2142 reset_tty();
2143 zperror(gettext("could not allocate privilege set"));
2144 return (1);
2145 }
2146
2147 /*
2148 * We must mask SIGCLD until after we have coped with the fork
2149 * sufficiently to deal with it; otherwise we can race and receive the
2150 * signal before child_pid has been initialized (yes, this really
2151 * happens).
2152 */
2153 (void) sigset(SIGCLD, sigcld);
2154 (void) sigemptyset(&block_cld);
2155 (void) sigaddset(&block_cld, SIGCLD);
2156 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2157
2158 /*
2159 * We activate the contract template at the last minute to
2160 * avoid intermediate functions that could be using fork(2)
2161 * internally.
2162 */
2163 if ((tmpl_fd = init_template()) == -1) {
2164 reset_tty();
2165 zperror(gettext("could not create contract"));
2166 return (1);
2167 }
2168
2169 if ((child_pid = fork()) == -1) {
2170 (void) ct_tmpl_clear(tmpl_fd);
2171 reset_tty();
2172 zperror(gettext("could not fork"));
2173 return (1);
2174 } else if (child_pid == 0) { /* child process */
2175 int slavefd, newslave;
2176
2177 (void) ct_tmpl_clear(tmpl_fd);
2178 (void) close(tmpl_fd);
2179
2180 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2181
2182 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2183 return (1);
2184
2185 /*
2186 * Close all fds except for the slave pty.
2187 */
2188 (void) fdwalk(close_func, &slavefd);
2189
2190 /*
2191 * Temporarily dup slavefd to stderr; that way if we have
2192 * to print out that zone_enter failed, the output will
2193 * have somewhere to go.
2194 */
2195 if (slavefd != STDERR_FILENO)
2196 (void) dup2(slavefd, STDERR_FILENO);
2197
2198 if (zone_enter(zoneid) == -1) {
2199 zerror(gettext("could not enter zone %s: %s"),
2200 zonename, strerror(errno));
2201 return (1);
2202 }
2203
2204 if (slavefd != STDERR_FILENO)
2205 (void) close(STDERR_FILENO);
2206
2207 /*
2208 * We take pains to get this process into a new process
2209 * group, and subsequently a new session. In this way,
2210 * we'll have a session which doesn't yet have a controlling
2211 * terminal. When we open the slave, it will become the
2212 * controlling terminal; no PIDs concerning pgrps or sids
2213 * will leak inappropriately into the zone.
2214 */
2215 (void) setpgrp();
2216
2217 /*
2218 * We need the slave pty to be referenced from the zone's
2219 * /dev in order to ensure that the devt's, etc are all
2220 * correct. Otherwise we break ttyname and the like.
2221 */
2222 if ((newslave = open(slavename, O_RDWR)) == -1) {
2223 (void) close(slavefd);
2224 return (1);
2225 }
2226 (void) close(slavefd);
2227 slavefd = newslave;
2228
2229 /*
2230 * dup the slave to the various FDs, so that when the
2231 * spawned process does a write/read it maps to the slave
2232 * pty.
2233 */
2234 (void) dup2(slavefd, STDIN_FILENO);
2235 (void) dup2(slavefd, STDOUT_FILENO);
2236 (void) dup2(slavefd, STDERR_FILENO);
2237 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2238 slavefd != STDERR_FILENO) {
2239 (void) close(slavefd);
2240 }
2241
2242 /*
2243 * In failsafe mode, we don't use login(1), so don't try
2244 * setting up a utmpx entry.
2245 */
2246 if (!failsafe)
2247 if (setup_utmpx(slaveshortname) == -1)
2248 return (1);
2249
2250 /*
2251 * The child needs to run as root to
2252 * execute the brand's login program.
2253 */
2254 if (setuid(0) == -1) {
2255 zperror(gettext("insufficient privilege"));
2256 return (1);
2257 }
2258
2259 (void) execve(new_args[0], new_args, new_env);
2260 zperror(gettext("exec failure"));
2261 return (1);
2262 }
2263
2264 (void) ct_tmpl_clear(tmpl_fd);
2265 (void) close(tmpl_fd);
2266
2267 /*
2268 * The rest is only for the parent process.
2269 */
2270 (void) sigset(SIGWINCH, sigwinch);
2271
2272 postfork_dropprivs();
2273
2274 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2275 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2276
2277 reset_tty();
2278 if (!quiet)
2279 (void) fprintf(stderr,
2280 gettext("\n[Connection to zone '%s' %s closed]\n"),
2281 zonename, slaveshortname);
2282
2283 if (pollerr != 0) {
2284 (void) fprintf(stderr, gettext("Error: connection closed due "
2285 "to unexpected pollevents=0x%x.\n"), pollerr);
2286 return (1);
2287 }
2288
2289 return (0);
2290 }
2291