1 /* 2 * ntpd.c - main program for the fixed point NTP daemon 3 */ 4 5 #ifdef HAVE_CONFIG_H 6 # include <config.h> 7 #endif 8 9 #include "ntp_machine.h" 10 #include "ntpd.h" 11 #include "ntp_io.h" 12 #include "ntp_stdlib.h" 13 #include <ntp_random.h> 14 15 #include "ntp_config.h" 16 #include "ntp_syslog.h" 17 #include "ntp_assert.h" 18 #include "isc/error.h" 19 #include "isc/strerror.h" 20 #include "isc/formatcheck.h" 21 #include "iosignal.h" 22 23 #ifdef SIM 24 # include "ntpsim.h" 25 #endif 26 27 #include "ntp_libopts.h" 28 #include "ntpd-opts.h" 29 30 /* there's a short treatise below what the thread stuff is for. 31 * [Bug 2954] enable the threading warm-up only for Linux. 32 */ 33 #if defined(HAVE_PTHREADS) && HAVE_PTHREADS && !defined(NO_THREADS) 34 # ifdef HAVE_PTHREAD_H 35 # include <pthread.h> 36 # endif 37 # if defined(linux) 38 # define NEED_PTHREAD_WARMUP 39 # endif 40 #endif 41 42 #ifdef HAVE_UNISTD_H 43 # include <unistd.h> 44 #endif 45 #ifdef HAVE_SYS_STAT_H 46 # include <sys/stat.h> 47 #endif 48 #ifdef HAVE_SYS_WAIT_H 49 # include <sys/wait.h> 50 #endif 51 #include <stdio.h> 52 #ifdef HAVE_SYS_PARAM_H 53 # include <sys/param.h> 54 #endif 55 #ifdef HAVE_SYS_SIGNAL_H 56 # include <sys/signal.h> 57 #else 58 # include <signal.h> 59 #endif 60 #ifdef HAVE_SYS_IOCTL_H 61 # include <sys/ioctl.h> 62 #endif /* HAVE_SYS_IOCTL_H */ 63 #if defined(HAVE_RTPRIO) 64 # ifdef HAVE_SYS_LOCK_H 65 # include <sys/lock.h> 66 # endif 67 # include <sys/rtprio.h> 68 #else 69 # ifdef HAVE_PLOCK 70 # ifdef HAVE_SYS_LOCK_H 71 # include <sys/lock.h> 72 # endif 73 # endif 74 #endif 75 #if defined(HAVE_SCHED_SETSCHEDULER) 76 # ifdef HAVE_SCHED_H 77 # include <sched.h> 78 # else 79 # ifdef HAVE_SYS_SCHED_H 80 # include <sys/sched.h> 81 # endif 82 # endif 83 #endif 84 #if defined(HAVE_SYS_MMAN_H) 85 # include <sys/mman.h> 86 #endif 87 88 #ifdef HAVE_SYSEXITS_H 89 # include <sysexits.h> 90 #endif 91 92 #ifdef HAVE_TERMIOS_H 93 # include <termios.h> 94 #endif 95 96 #ifdef SYS_DOMAINOS 97 # include <apollo/base.h> 98 #endif /* SYS_DOMAINOS */ 99 100 101 #include "recvbuff.h" 102 #include "ntp_cmdargs.h" 103 104 #if 0 /* HMS: I don't think we need this. 961223 */ 105 #ifdef LOCK_PROCESS 106 # ifdef SYS_SOLARIS 107 # include <sys/mman.h> 108 # else 109 # include <sys/lock.h> 110 # endif 111 #endif 112 #endif 113 114 #ifdef SYS_WINNT 115 # include "ntservice.h" 116 #endif 117 118 #ifdef _AIX 119 # include <ulimit.h> 120 #endif /* _AIX */ 121 122 #ifdef SCO5_CLOCK 123 # include <sys/ci/ciioctl.h> 124 #endif 125 126 #ifdef HAVE_DROPROOT 127 # include <ctype.h> 128 # include <grp.h> 129 # include <pwd.h> 130 #ifdef HAVE_LINUX_CAPABILITIES 131 # include <sys/capability.h> 132 # include <sys/prctl.h> 133 #endif /* HAVE_LINUX_CAPABILITIES */ 134 #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) 135 # include <priv.h> 136 #endif /* HAVE_PRIV_H */ 137 #if defined(HAVE_TRUSTEDBSD_MAC) 138 # include <sys/mac.h> 139 #endif /* HAVE_TRUSTEDBSD_MAC */ 140 #endif /* HAVE_DROPROOT */ 141 142 #if defined (LIBSECCOMP) && (KERN_SECCOMP) 143 /* # include <sys/types.h> */ 144 # include <sys/resource.h> 145 # include <seccomp.h> 146 #endif /* LIBSECCOMP and KERN_SECCOMP */ 147 148 #ifdef __FreeBSD__ 149 #include <sys/procctl.h> 150 #ifndef PROC_STACKGAP_CTL 151 /* 152 * Even if we compile on an older system we can still run on a newer one. 153 */ 154 #define PROC_STACKGAP_CTL 17 155 #define PROC_STACKGAP_DISABLE 0x0002 156 #endif 157 #endif 158 159 #ifdef HAVE_DNSREGISTRATION 160 # include <dns_sd.h> 161 DNSServiceRef mdns; 162 #endif 163 164 /* In case 'sysexits.h' is unavailable, define some exit codes here: */ 165 #ifndef EX_SOFTWARE 166 # define EX_SOFTWARE 70 167 #endif 168 #ifndef EX_OSERR 169 # define EX_OSERR 71 170 #endif 171 #ifndef EX_IOERR 172 # define EX_IOERR 74 173 #endif 174 #ifndef EX_PROTOCOL 175 #define EX_PROTOCOL 76 176 #endif 177 178 179 #ifdef HAVE_SETPGRP_0 180 # define ntp_setpgrp(x, y) setpgrp() 181 #else 182 # define ntp_setpgrp(x, y) setpgrp(x, y) 183 #endif 184 185 #ifdef HAVE_SOLARIS_PRIVS 186 # define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec" 187 static priv_set_t *lowprivs = NULL; 188 static priv_set_t *highprivs = NULL; 189 #endif /* HAVE_SOLARIS_PRIVS */ 190 /* 191 * Scheduling priority we run at 192 */ 193 #define NTPD_PRIO (-12) 194 195 int priority_done = 2; /* 0 - Set priority */ 196 /* 1 - priority is OK where it is */ 197 /* 2 - Don't set priority */ 198 /* 1 and 2 are pretty much the same */ 199 200 int listen_to_virtual_ips = TRUE; 201 202 /* 203 * No-fork flag. If set, we do not become a background daemon. 204 */ 205 int nofork; /* Fork by default */ 206 207 #ifdef HAVE_DNSREGISTRATION 208 /* 209 * mDNS registration flag. If set, we attempt to register with the mDNS system, but only 210 * after we have synched the first time. If the attempt fails, then try again once per 211 * minute for up to 5 times. After all, we may be starting before mDNS. 212 */ 213 int mdnsreg = FALSE; 214 int mdnstries = 5; 215 #endif /* HAVE_DNSREGISTRATION */ 216 217 #ifdef HAVE_LINUX_CAPABILITIES 218 int have_caps; /* runtime check whether capabilities work */ 219 #endif /* HAVE_LINUX_CAPABILITIES */ 220 221 #ifdef HAVE_DROPROOT 222 int droproot; 223 int root_dropped; 224 char *user; /* User to switch to */ 225 char *group; /* group to switch to */ 226 const char *chrootdir; /* directory to chroot to */ 227 uid_t sw_uid; 228 gid_t sw_gid; 229 struct group *gr; 230 struct passwd *pw; 231 #endif /* HAVE_DROPROOT */ 232 233 #ifdef HAVE_WORKING_FORK 234 int daemon_pipe[2] = { -1, -1 }; 235 #endif 236 237 /* 238 * Version declaration 239 */ 240 extern const char *Version; 241 242 char const *progname; 243 244 int was_alarmed; 245 246 #ifdef DECL_SYSCALL 247 /* 248 * We put this here, since the argument profile is syscall-specific 249 */ 250 extern int syscall (int, ...); 251 #endif /* DECL_SYSCALL */ 252 253 254 #if !defined(SIM) && defined(SIGDIE1) 255 static volatile int signalled = 0; 256 static volatile int signo = 0; 257 258 /* In an ideal world, 'finish_safe()' would declared as noreturn... */ 259 static void finish_safe (int); 260 static RETSIGTYPE finish (int); 261 #endif 262 263 #if !defined(SIM) && defined(HAVE_WORKING_FORK) 264 static int wait_child_sync_if (int, unsigned long); 265 static int wait_child_exit_if (pid_t, int); 266 #endif 267 268 #if !defined(SIM) && !defined(SYS_WINNT) 269 # ifdef DEBUG 270 static RETSIGTYPE moredebug (int); 271 static RETSIGTYPE lessdebug (int); 272 # else /* !DEBUG follows */ 273 static RETSIGTYPE no_debug (int); 274 # endif /* !DEBUG */ 275 #endif /* !SIM && !SYS_WINNT */ 276 277 #ifndef WORK_FORK 278 int saved_argc; 279 char ** saved_argv; 280 #endif 281 282 #ifndef SIM 283 int ntpdmain (int, char **); 284 static void set_process_priority (void); 285 static void assertion_failed (const char *, int, 286 isc_assertiontype_t, 287 const char *) 288 __attribute__ ((__noreturn__)); 289 static void library_fatal_error (const char *, int, 290 const char *, va_list) 291 ISC_FORMAT_PRINTF(3, 0); 292 static void library_unexpected_error(const char *, int, 293 const char *, va_list) 294 ISC_FORMAT_PRINTF(3, 0); 295 #endif /* !SIM */ 296 297 298 /* Bug2332 unearthed a problem in the interaction of reduced user 299 * privileges, the limits on memory usage and some versions of the 300 * pthread library on Linux systems. The 'pthread_cancel()' function and 301 * likely some others need to track the stack of the thread involved, 302 * and uses a function that comes from GCC (--> libgcc_s.so) to do 303 * this. Unfortunately the developers of glibc decided to load the 304 * library on demand, which speeds up program start but can cause 305 * trouble here: Due to all the things NTPD does to limit its resource 306 * usage, this deferred load of libgcc_s does not always work once the 307 * restrictions are in effect. 308 * 309 * One way out of this was attempting a forced link against libgcc_s 310 * when possible because it makes the library available immediately 311 * without deferred load. (The symbol resolution would still be dynamic 312 * and on demand, but the code would already be in the process image.) 313 * 314 * This is a tricky thing to do, since it's not necessary everywhere, 315 * not possible everywhere, has shown to break the build of other 316 * programs in the NTP suite and is now generally frowned upon. 317 * 318 * So we take a different approach here: We creat a worker thread that does 319 * actually nothing except waiting for cancellation and cancel it. If 320 * this is done before all the limitations are put in place, the 321 * machinery is pre-heated and all the runtime stuff should be in place 322 * and useable when needed. 323 * 324 * This uses only the standard pthread API and should work with all 325 * implementations of pthreads. It is not necessary everywhere, but it's 326 * cheap enough to go on nearly unnoticed. 327 * 328 * Addendum: Bug 2954 showed that the assumption that this should work 329 * with all OS is wrong -- at least FreeBSD bombs heavily. 330 */ 331 #ifdef NEED_PTHREAD_WARMUP 332 333 /* simple thread function: sleep until cancelled, just to exercise 334 * thread cancellation. 335 */ 336 static void* 337 my_pthread_warmup_worker( 338 void *thread_args) 339 { 340 (void)thread_args; 341 for (;;) 342 sleep(10); 343 return NULL; 344 } 345 346 /* pre-heat threading: create a thread and cancel it, just to exercise 347 * thread cancellation. 348 */ 349 static void 350 my_pthread_warmup(void) 351 { 352 pthread_t thread; 353 pthread_attr_t thr_attr; 354 int rc; 355 356 pthread_attr_init(&thr_attr); 357 #if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \ 358 defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) && \ 359 defined(PTHREAD_STACK_MIN) 360 { 361 size_t ssmin = 32*1024; /* 32kB should be minimum */ 362 if (ssmin < PTHREAD_STACK_MIN) 363 ssmin = PTHREAD_STACK_MIN; 364 rc = pthread_attr_setstacksize(&thr_attr, ssmin); 365 if (0 != rc) 366 msyslog(LOG_ERR, 367 "my_pthread_warmup: pthread_attr_setstacksize() -> %s", 368 strerror(rc)); 369 } 370 #endif 371 rc = pthread_create( 372 &thread, &thr_attr, my_pthread_warmup_worker, NULL); 373 pthread_attr_destroy(&thr_attr); 374 if (0 != rc) { 375 msyslog(LOG_ERR, 376 "my_pthread_warmup: pthread_create() -> %s", 377 strerror(rc)); 378 } else { 379 pthread_cancel(thread); 380 pthread_join(thread, NULL); 381 } 382 } 383 384 #endif /*defined(NEED_PTHREAD_WARMUP)*/ 385 386 #ifdef NEED_EARLY_FORK 387 static void 388 dummy_callback(void) { return; } 389 390 static void 391 fork_nonchroot_worker(void) { 392 getaddrinfo_sometime("localhost", "ntp", NULL, INITIAL_DNS_RETRY, 393 (gai_sometime_callback)&dummy_callback, NULL); 394 } 395 #endif /* NEED_EARLY_FORK */ 396 397 void 398 parse_cmdline_opts( 399 int * pargc, 400 char ***pargv 401 ) 402 { 403 static int parsed; 404 static int optct; 405 406 if (!parsed) 407 optct = ntpOptionProcess(&ntpdOptions, *pargc, *pargv); 408 409 parsed = 1; 410 411 *pargc -= optct; 412 *pargv += optct; 413 } 414 415 416 #ifdef SIM 417 int 418 main( 419 int argc, 420 char *argv[] 421 ) 422 { 423 progname = argv[0]; 424 parse_cmdline_opts(&argc, &argv); 425 #ifdef DEBUG 426 debug = OPT_VALUE_SET_DEBUG_LEVEL; 427 DPRINTF(1, ("%s\n", Version)); 428 #endif 429 430 return ntpsim(argc, argv); 431 } 432 #elif defined(NO_MAIN_ALLOWED) 433 CALL(ntpd,"ntpd",ntpdmain); 434 #elif !defined(SYS_WINNT) 435 int 436 main( 437 int argc, 438 char *argv[] 439 ) 440 { 441 # ifdef __FreeBSD__ 442 { 443 /* 444 * We Must disable ASLR stack gap on FreeBSD to avoid a 445 * segfault. See PR/241421 and PR/241960. 446 */ 447 int aslr_var = PROC_STACKGAP_DISABLE; 448 449 pid_t my_pid = getpid(); 450 procctl(P_PID, my_pid, PROC_STACKGAP_CTL, &aslr_var); 451 } 452 # endif 453 return ntpdmain(argc, argv); 454 } 455 #endif /* !SYS_WINNT */ 456 457 #ifdef _AIX 458 /* 459 * OK. AIX is different than solaris in how it implements plock(). 460 * If you do NOT adjust the stack limit, you will get the MAXIMUM 461 * stack size allocated and PINNED with you program. To check the 462 * value, use ulimit -a. 463 * 464 * To fix this, we create an automatic variable and set our stack limit 465 * to that PLUS 32KB of extra space (we need some headroom). 466 * 467 * This subroutine gets the stack address. 468 * 469 * Grover Davidson and Matt Ladendorf 470 * 471 */ 472 static char * 473 get_aix_stack(void) 474 { 475 char ch; 476 return (&ch); 477 } 478 479 /* 480 * Signal handler for SIGDANGER. 481 */ 482 static void 483 catch_danger(int signo) 484 { 485 msyslog(LOG_INFO, "ntpd: setpgid(): %m"); 486 /* Make the system believe we'll free something, but don't do it! */ 487 return; 488 } 489 #endif /* _AIX */ 490 491 /* 492 * Set the process priority 493 */ 494 #ifndef SIM 495 static void 496 set_process_priority(void) 497 { 498 499 # ifdef DEBUG 500 if (debug > 1) 501 msyslog(LOG_DEBUG, "set_process_priority: %s: priority_done is <%d>", 502 ((priority_done) 503 ? "Leave priority alone" 504 : "Attempt to set priority" 505 ), 506 priority_done); 507 # endif /* DEBUG */ 508 509 # if defined(HAVE_SCHED_SETSCHEDULER) 510 if (!priority_done) { 511 extern int config_priority_override, config_priority; 512 int pmax, pmin; 513 struct sched_param sched; 514 515 pmax = sched_get_priority_max(SCHED_FIFO); 516 sched.sched_priority = pmax; 517 if ( config_priority_override ) { 518 pmin = sched_get_priority_min(SCHED_FIFO); 519 if ( config_priority > pmax ) 520 sched.sched_priority = pmax; 521 else if ( config_priority < pmin ) 522 sched.sched_priority = pmin; 523 else 524 sched.sched_priority = config_priority; 525 } 526 if ( sched_setscheduler(0, SCHED_FIFO, &sched) == -1 ) 527 msyslog(LOG_ERR, "sched_setscheduler(): %m"); 528 else 529 ++priority_done; 530 } 531 # endif /* HAVE_SCHED_SETSCHEDULER */ 532 # ifdef HAVE_RTPRIO 533 # ifdef RTP_SET 534 if (!priority_done) { 535 struct rtprio srtp; 536 537 srtp.type = RTP_PRIO_REALTIME; /* was: RTP_PRIO_NORMAL */ 538 srtp.prio = 0; /* 0 (hi) -> RTP_PRIO_MAX (31,lo) */ 539 540 if (rtprio(RTP_SET, getpid(), &srtp) < 0) 541 msyslog(LOG_ERR, "rtprio() error: %m"); 542 else 543 ++priority_done; 544 } 545 # else /* !RTP_SET follows */ 546 if (!priority_done) { 547 if (rtprio(0, 120) < 0) 548 msyslog(LOG_ERR, "rtprio() error: %m"); 549 else 550 ++priority_done; 551 } 552 # endif /* !RTP_SET */ 553 # endif /* HAVE_RTPRIO */ 554 # if defined(NTPD_PRIO) && NTPD_PRIO != 0 555 # ifdef HAVE_ATT_NICE 556 if (!priority_done) { 557 errno = 0; 558 if (-1 == nice (NTPD_PRIO) && errno != 0) 559 msyslog(LOG_ERR, "nice() error: %m"); 560 else 561 ++priority_done; 562 } 563 # endif /* HAVE_ATT_NICE */ 564 # ifdef HAVE_BSD_NICE 565 if (!priority_done) { 566 if (-1 == setpriority(PRIO_PROCESS, 0, NTPD_PRIO)) 567 msyslog(LOG_ERR, "setpriority() error: %m"); 568 else 569 ++priority_done; 570 } 571 # endif /* HAVE_BSD_NICE */ 572 # endif /* NTPD_PRIO && NTPD_PRIO != 0 */ 573 if (!priority_done) 574 msyslog(LOG_ERR, "set_process_priority: No way found to improve our priority"); 575 } 576 #endif /* !SIM */ 577 578 #if !defined(SIM) && !defined(SYS_WINNT) 579 /* 580 * Detach from terminal (much like daemon()) 581 * Nothe that this function calls exit() 582 */ 583 # ifdef HAVE_WORKING_FORK 584 static void 585 detach_from_terminal( 586 int pipe[2], 587 long wait_sync, 588 const char *logfilename 589 ) 590 { 591 pid_t cpid; 592 int exit_code; 593 # if !defined(HAVE_SETSID) && !defined (HAVE_SETPGID) && defined(TIOCNOTTY) 594 int fid; 595 # endif 596 # ifdef _AIX 597 struct sigaction sa; 598 # endif 599 600 cpid = fork(); 601 if (0 != cpid) { 602 /* parent */ 603 if (-1 == cpid) { 604 msyslog(LOG_ERR, "fork: %m"); 605 exit_code = EX_OSERR; 606 } else { 607 close(pipe[1]); 608 pipe[1] = -1; 609 exit_code = wait_child_sync_if( 610 pipe[0], wait_sync); 611 DPRINTF(1, ("sync_if: rc=%d\n", exit_code)); 612 if (exit_code <= 0) { 613 /* probe daemon exit code -- wait for 614 * child process if we have an unexpected 615 * EOF on the monitor pipe. 616 */ 617 exit_code = wait_child_exit_if( 618 cpid, (exit_code < 0)); 619 DPRINTF(1, ("exit_if: rc=%d\n", exit_code)); 620 } 621 } 622 exit(exit_code); 623 } 624 625 /* 626 * child/daemon 627 * close all open files excepting waitsync_fd_to_close. 628 * msyslog() unreliable until after init_logging(). 629 */ 630 closelog(); 631 if (syslog_file != NULL) { 632 fclose(syslog_file); 633 syslog_file = NULL; 634 syslogit = TRUE; 635 } 636 close_all_except(pipe[1]); 637 pipe[0] = -1; 638 INSIST(0 == open("/dev/null", 0) && 1 == dup2(0, 1) \ 639 && 2 == dup2(0, 2)); 640 641 init_logging(progname, 0, TRUE); 642 /* we lost our logfile (if any) daemonizing */ 643 setup_logfile(logfilename); 644 645 # ifdef SYS_DOMAINOS 646 { 647 uid_$t puid; 648 status_$t st; 649 650 proc2_$who_am_i(&puid); 651 proc2_$make_server(&puid, &st); 652 } 653 # endif /* SYS_DOMAINOS */ 654 # ifdef HAVE_SETSID 655 if (setsid() == (pid_t)-1) 656 msyslog(LOG_ERR, "setsid(): %m"); 657 # elif defined(HAVE_SETPGID) 658 if (setpgid(0, 0) == -1) 659 msyslog(LOG_ERR, "setpgid(): %m"); 660 # else /* !HAVE_SETSID && !HAVE_SETPGID follows */ 661 # ifdef TIOCNOTTY 662 fid = open("/dev/tty", 2); 663 if (fid >= 0) { 664 ioctl(fid, (u_long)TIOCNOTTY, NULL); 665 close(fid); 666 } 667 # endif /* TIOCNOTTY */ 668 ntp_setpgrp(0, getpid()); 669 # endif /* !HAVE_SETSID && !HAVE_SETPGID */ 670 # ifdef _AIX 671 /* Don't get killed by low-on-memory signal. */ 672 sa.sa_handler = catch_danger; 673 sigemptyset(&sa.sa_mask); 674 sa.sa_flags = SA_RESTART; 675 sigaction(SIGDANGER, &sa, NULL); 676 # endif /* _AIX */ 677 678 return; 679 } 680 # endif /* HAVE_WORKING_FORK */ 681 682 #ifdef HAVE_DROPROOT 683 /* 684 * Map user name/number to user ID 685 */ 686 static int 687 map_user( 688 ) 689 { 690 char *endp; 691 692 if (isdigit((unsigned char)*user)) { 693 sw_uid = (uid_t)strtoul(user, &endp, 0); 694 if (*endp != '\0') 695 goto getuser; 696 697 if ((pw = getpwuid(sw_uid)) != NULL) { 698 free(user); 699 user = estrdup(pw->pw_name); 700 sw_gid = pw->pw_gid; 701 } else { 702 errno = 0; 703 msyslog(LOG_ERR, "Cannot find user ID %s", user); 704 return 0; 705 } 706 707 } else { 708 getuser: 709 errno = 0; 710 if ((pw = getpwnam(user)) != NULL) { 711 sw_uid = pw->pw_uid; 712 sw_gid = pw->pw_gid; 713 } else { 714 if (errno) 715 msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user); 716 else 717 msyslog(LOG_ERR, "Cannot find user `%s'", user); 718 return 0; 719 } 720 } 721 722 return 1; 723 } 724 725 /* 726 * Map group name/number to group ID 727 */ 728 static int 729 map_group(void) 730 { 731 char *endp; 732 733 if (isdigit((unsigned char)*group)) { 734 sw_gid = (gid_t)strtoul(group, &endp, 0); 735 if (*endp != '\0') 736 goto getgroup; 737 } else { 738 getgroup: 739 if ((gr = getgrnam(group)) != NULL) { 740 sw_gid = gr->gr_gid; 741 } else { 742 errno = 0; 743 msyslog(LOG_ERR, "Cannot find group `%s'", group); 744 return 0; 745 } 746 } 747 748 return 1; 749 } 750 751 static int 752 set_group_ids(void) 753 { 754 if (user && initgroups(user, sw_gid)) { 755 msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user); 756 return 0; 757 } 758 if (group && setgid(sw_gid)) { 759 msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); 760 return 0; 761 } 762 if (group && setegid(sw_gid)) { 763 msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); 764 return 0; 765 } 766 if (group) { 767 if (0 != setgroups(1, &sw_gid)) { 768 msyslog(LOG_ERR, "setgroups(1, %d) failed: %m", sw_gid); 769 return 0; 770 } 771 } 772 else if (pw) 773 if (0 != initgroups(pw->pw_name, pw->pw_gid)) { 774 msyslog(LOG_ERR, "initgroups(<%s>, %d) filed: %m", pw->pw_name, pw->pw_gid); 775 return 0; 776 } 777 return 1; 778 } 779 780 static int 781 set_user_ids(void) 782 { 783 if (user && setuid(sw_uid)) { 784 msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); 785 return 0; 786 } 787 if (user && seteuid(sw_uid)) { 788 msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); 789 return 0; 790 } 791 return 1; 792 } 793 794 /* 795 * Change (effective) user and group IDs, also initialize the supplementary group access list 796 */ 797 int set_user_group_ids(void); 798 int 799 set_user_group_ids(void) 800 { 801 /* If the the user was already mapped, no need to map it again */ 802 if ((NULL != user) && (0 == sw_uid)) { 803 if (0 == map_user()) 804 exit (-1); 805 } 806 /* same applies for the group */ 807 if ((NULL != group) && (0 == sw_gid)) { 808 if (0 == map_group()) 809 exit (-1); 810 } 811 812 if (getegid() != sw_gid && 0 == set_group_ids()) 813 return 0; 814 if (geteuid() != sw_uid && 0 == set_user_ids()) 815 return 0; 816 817 return 1; 818 } 819 #endif /* HAVE_DROPROOT */ 820 #endif /* !SIM */ 821 822 /* 823 * Main program. Initialize us, disconnect us from the tty if necessary, 824 * and loop waiting for I/O and/or timer expiries. 825 */ 826 #ifndef SIM 827 int 828 ntpdmain( 829 int argc, 830 char *argv[] 831 ) 832 { 833 l_fp now; 834 struct recvbuf *rbuf; 835 const char * logfilename; 836 # ifdef HAVE_UMASK 837 mode_t uv; 838 # endif 839 # if defined(HAVE_GETUID) && !defined(MPE) /* MPE lacks the concept of root */ 840 uid_t uid; 841 # endif 842 # if defined(HAVE_WORKING_FORK) 843 long wait_sync = 0; 844 # endif /* HAVE_WORKING_FORK*/ 845 # ifdef SCO5_CLOCK 846 int fd; 847 int zero; 848 # endif 849 850 # ifdef NEED_PTHREAD_WARMUP 851 my_pthread_warmup(); 852 # endif 853 854 # ifdef HAVE_UMASK 855 uv = umask(0); 856 if (uv) 857 umask(uv); 858 else 859 umask(022); 860 # endif 861 saved_argc = argc; 862 saved_argv = argv; 863 progname = argv[0]; 864 initializing = TRUE; /* mark that we are initializing */ 865 parse_cmdline_opts(&argc, &argv); 866 # ifdef DEBUG 867 debug = OPT_VALUE_SET_DEBUG_LEVEL; 868 # ifdef HAVE_SETLINEBUF 869 setlinebuf(stdout); 870 # endif 871 # endif 872 873 if (HAVE_OPT(NOFORK) || HAVE_OPT(QUIT) 874 # ifdef DEBUG 875 || debug 876 # endif 877 || HAVE_OPT(SAVECONFIGQUIT)) 878 nofork = TRUE; 879 880 init_logging(progname, NLOG_SYNCMASK, TRUE); 881 /* honor -l/--logfile option to log to a file */ 882 if (HAVE_OPT(LOGFILE)) { 883 logfilename = OPT_ARG(LOGFILE); 884 syslogit = FALSE; 885 change_logfile(logfilename, FALSE); 886 } else { 887 logfilename = NULL; 888 if (nofork) 889 msyslog_term = TRUE; 890 if (HAVE_OPT(SAVECONFIGQUIT)) 891 syslogit = FALSE; 892 } 893 msyslog(LOG_NOTICE, "%s: Starting", Version); 894 895 { 896 int i; 897 char buf[1024]; /* Secret knowledge of msyslog buf length */ 898 char *cp = buf; 899 900 /* Note that every arg has an initial space character */ 901 snprintf(cp, sizeof(buf), "Command line:"); 902 cp += strlen(cp); 903 904 for (i = 0; i < saved_argc ; ++i) { 905 snprintf(cp, sizeof(buf) - (cp - buf), 906 " %s", saved_argv[i]); 907 cp += strlen(cp); 908 } 909 msyslog(LOG_NOTICE, "%s", buf); 910 } 911 912 msyslog(LOG_NOTICE, "----------------------------------------------------"); 913 msyslog(LOG_NOTICE, "ntp-4 is maintained by Network Time Foundation,"); 914 msyslog(LOG_NOTICE, "Inc. (NTF), a non-profit 501(c)(3) public-benefit"); 915 msyslog(LOG_NOTICE, "corporation. Support and training for ntp-4 are"); 916 msyslog(LOG_NOTICE, "available at https://www.nwtime.org/support"); 917 msyslog(LOG_NOTICE, "----------------------------------------------------"); 918 919 /* 920 * Install trap handlers to log errors and assertion failures. 921 * Default handlers print to stderr which doesn't work if detached. 922 */ 923 isc_assertion_setcallback(assertion_failed); 924 isc_error_setfatal(library_fatal_error); 925 isc_error_setunexpected(library_unexpected_error); 926 927 /* MPE lacks the concept of root */ 928 # if defined(HAVE_GETUID) && !defined(MPE) 929 uid = getuid(); 930 if (uid && !HAVE_OPT( SAVECONFIGQUIT ) 931 # if defined(HAVE_TRUSTEDBSD_MAC) 932 /* We can run as non-root if the mac_ntpd policy is enabled. */ 933 && mac_is_present("ntpd") != 1 934 # endif 935 ) { 936 msyslog_term = TRUE; 937 msyslog(LOG_ERR, 938 "must be run as root, not uid %ld", (long)uid); 939 exit(1); 940 } 941 # endif 942 943 /* 944 * Enable the Multi-Media Timer for Windows? 945 */ 946 # ifdef SYS_WINNT 947 if (HAVE_OPT( MODIFYMMTIMER )) 948 set_mm_timer(MM_TIMER_HIRES); 949 # endif 950 951 #ifdef HAVE_DNSREGISTRATION 952 /* 953 * Enable mDNS registrations? 954 */ 955 if (HAVE_OPT( MDNS )) { 956 mdnsreg = TRUE; 957 } 958 #endif /* HAVE_DNSREGISTRATION */ 959 960 if (HAVE_OPT( NOVIRTUALIPS )) 961 listen_to_virtual_ips = 0; 962 963 /* 964 * --interface, listen on specified interfaces 965 */ 966 if (HAVE_OPT( INTERFACE )) { 967 int ifacect = STACKCT_OPT( INTERFACE ); 968 const char** ifaces = STACKLST_OPT( INTERFACE ); 969 sockaddr_u addr; 970 971 while (ifacect-- > 0) { 972 add_nic_rule( 973 is_ip_address(*ifaces, AF_UNSPEC, &addr) 974 ? MATCH_IFADDR 975 : MATCH_IFNAME, 976 *ifaces, -1, ACTION_LISTEN); 977 ifaces++; 978 } 979 } 980 981 if (HAVE_OPT( NICE )) 982 priority_done = 0; 983 984 # ifdef HAVE_SCHED_SETSCHEDULER 985 if (HAVE_OPT( PRIORITY )) { 986 config_priority = OPT_VALUE_PRIORITY; 987 config_priority_override = 1; 988 priority_done = 0; 989 } 990 # endif 991 992 # ifdef HAVE_WORKING_FORK 993 /* make sure the FDs are initialised 994 * 995 * note: if WAIT_SYNC is requested, we *have* to fork. This will 996 * overide any '-n' (nofork) or '-d' (debug) option presented on 997 * the command line! 998 */ 999 if (HAVE_OPT(WAIT_SYNC)) { 1000 wait_sync = OPT_VALUE_WAIT_SYNC; 1001 if (wait_sync <= 0) 1002 wait_sync = 0; 1003 else 1004 nofork = FALSE; 1005 } 1006 if ( !nofork && pipe(daemon_pipe)) { 1007 msyslog(LOG_ERR, 1008 "Pipe creation failed for --wait-sync/daemon: %m"); 1009 exit(EX_OSERR); 1010 } 1011 # endif /* HAVE_WORKING_FORK */ 1012 1013 init_lib(); 1014 # ifdef SYS_WINNT 1015 /* 1016 * Make sure the service is initialized before we do anything else 1017 */ 1018 ntservice_init(); 1019 1020 /* 1021 * Start interpolation thread, must occur before first 1022 * get_systime() 1023 */ 1024 init_winnt_time(); 1025 # endif 1026 /* 1027 * Initialize random generator and public key pair 1028 */ 1029 get_systime(&now); 1030 1031 ntp_srandom((int)(now.l_i * now.l_uf)); 1032 1033 /* 1034 * Detach us from the terminal. May need an #ifndef GIZMO. 1035 */ 1036 # ifdef HAVE_WORKING_FORK 1037 if (!nofork) { 1038 detach_from_terminal(daemon_pipe, wait_sync, logfilename); 1039 } 1040 # endif /* HAVE_WORKING_FORK */ 1041 1042 # ifdef SCO5_CLOCK 1043 /* 1044 * SCO OpenServer's system clock offers much more precise timekeeping 1045 * on the base CPU than the other CPUs (for multiprocessor systems), 1046 * so we must lock to the base CPU. 1047 */ 1048 fd = open("/dev/at1", O_RDONLY); 1049 if (fd >= 0) { 1050 zero = 0; 1051 if (ioctl(fd, ACPU_LOCK, &zero) < 0) 1052 msyslog(LOG_ERR, "cannot lock to base CPU: %m"); 1053 close(fd); 1054 } 1055 # endif 1056 1057 /* Setup stack size in preparation for locking pages in memory. */ 1058 # if defined(HAVE_MLOCKALL) 1059 # ifdef HAVE_SETRLIMIT 1060 ntp_rlimit(RLIMIT_STACK, DFLT_RLIMIT_STACK * 4096, 4096, "4k"); 1061 # if defined(RLIMIT_MEMLOCK) && defined(DFLT_RLIMIT_MEMLOCK) && DFLT_RLIMIT_MEMLOCK != -1 1062 /* 1063 * The default RLIMIT_MEMLOCK is very low on Linux systems. 1064 * Unless we increase this limit malloc calls are likely to 1065 * fail if we drop root privilege. To be useful the value 1066 * has to be larger than the largest ntpd resident set size. 1067 */ 1068 ntp_rlimit(RLIMIT_MEMLOCK, DFLT_RLIMIT_MEMLOCK * 1024 * 1024, 1024 * 1024, "MB"); 1069 # endif /* RLIMIT_MEMLOCK */ 1070 # endif /* HAVE_SETRLIMIT */ 1071 # else /* !HAVE_MLOCKALL follows */ 1072 # ifdef HAVE_PLOCK 1073 # ifdef PROCLOCK 1074 # ifdef _AIX 1075 /* 1076 * set the stack limit for AIX for plock(). 1077 * see get_aix_stack() for more info. 1078 */ 1079 if (ulimit(SET_STACKLIM, (get_aix_stack() - 8 * 4096)) < 0) 1080 msyslog(LOG_ERR, 1081 "Cannot adjust stack limit for plock: %m"); 1082 # endif /* _AIX */ 1083 # endif /* PROCLOCK */ 1084 # endif /* HAVE_PLOCK */ 1085 # endif /* !HAVE_MLOCKALL */ 1086 1087 /* 1088 * Set up signals we pay attention to locally. 1089 */ 1090 # ifdef SIGDIE1 1091 signal_no_reset(SIGDIE1, finish); 1092 signal_no_reset(SIGDIE2, finish); 1093 signal_no_reset(SIGDIE3, finish); 1094 signal_no_reset(SIGDIE4, finish); 1095 # endif 1096 # ifdef SIGBUS 1097 signal_no_reset(SIGBUS, finish); 1098 # endif 1099 1100 # if !defined(SYS_WINNT) && !defined(VMS) 1101 # ifdef DEBUG 1102 (void) signal_no_reset(MOREDEBUGSIG, moredebug); 1103 (void) signal_no_reset(LESSDEBUGSIG, lessdebug); 1104 # else 1105 (void) signal_no_reset(MOREDEBUGSIG, no_debug); 1106 (void) signal_no_reset(LESSDEBUGSIG, no_debug); 1107 # endif /* DEBUG */ 1108 # endif /* !SYS_WINNT && !VMS */ 1109 1110 /* 1111 * Set up signals we should never pay attention to. 1112 */ 1113 # ifdef SIGPIPE 1114 signal_no_reset(SIGPIPE, SIG_IGN); 1115 # endif 1116 1117 /* 1118 * Call the init_ routines to initialize the data structures. 1119 * 1120 * Exactly what command-line options are we expecting here? 1121 */ 1122 INIT_SSL(); 1123 init_auth(); 1124 init_util(); 1125 init_restrict(); 1126 init_mon(); 1127 init_timer(); 1128 init_request(); 1129 init_control(); 1130 init_peer(); 1131 # ifdef REFCLOCK 1132 init_refclock(); 1133 # endif 1134 set_process_priority(); 1135 init_proto(); /* Call at high priority */ 1136 init_io(); 1137 init_loopfilter(); 1138 mon_start(MON_ON); /* monitor on by default now */ 1139 /* turn off in config if unwanted */ 1140 1141 /* 1142 * Get the configuration. This is done in a separate module 1143 * since this will definitely be different for the gizmo board. 1144 */ 1145 getconfig(argc, argv); 1146 1147 if (-1 == cur_memlock) { 1148 # if defined(HAVE_MLOCKALL) 1149 /* 1150 * lock the process into memory 1151 */ 1152 if ( !HAVE_OPT(SAVECONFIGQUIT) 1153 # ifdef RLIMIT_MEMLOCK 1154 && -1 != DFLT_RLIMIT_MEMLOCK 1155 # endif 1156 && 0 != mlockall(MCL_CURRENT|MCL_FUTURE)) 1157 msyslog(LOG_ERR, "mlockall(): %m"); 1158 # else /* !HAVE_MLOCKALL follows */ 1159 # ifdef HAVE_PLOCK 1160 # ifdef PROCLOCK 1161 /* 1162 * lock the process into memory 1163 */ 1164 if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(PROCLOCK)) 1165 msyslog(LOG_ERR, "plock(PROCLOCK): %m"); 1166 # else /* !PROCLOCK follows */ 1167 # ifdef TXTLOCK 1168 /* 1169 * Lock text into ram 1170 */ 1171 if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(TXTLOCK)) 1172 msyslog(LOG_ERR, "plock(TXTLOCK) error: %m"); 1173 # else /* !TXTLOCK follows */ 1174 msyslog(LOG_ERR, "plock() - don't know what to lock!"); 1175 # endif /* !TXTLOCK */ 1176 # endif /* !PROCLOCK */ 1177 # endif /* HAVE_PLOCK */ 1178 # endif /* !HAVE_MLOCKALL */ 1179 } 1180 1181 loop_config(LOOP_DRIFTINIT, 0); 1182 report_event(EVNT_SYSRESTART, NULL, NULL); 1183 initializing = FALSE; 1184 1185 # ifdef HAVE_LINUX_CAPABILITIES 1186 { 1187 /* Check that setting capabilities actually works; we might be 1188 * run on a kernel with disabled capabilities. We must not 1189 * drop privileges in this case. 1190 */ 1191 cap_t caps; 1192 caps = cap_from_text("cap_sys_time,cap_setuid,cap_setgid,cap_sys_chroot,cap_net_bind_service=pe"); 1193 if ( ! caps) { 1194 msyslog( LOG_ERR, "cap_from_text() failed: %m" ); 1195 exit(-1); 1196 } 1197 have_caps = (cap_set_proc(caps) == 0); 1198 cap_free(caps); /* caps not NULL here! */ 1199 } 1200 # endif /* HAVE_LINUX_CAPABILITIES */ 1201 1202 # ifdef HAVE_DROPROOT 1203 # ifdef HAVE_LINUX_CAPABILITIES 1204 if (droproot && have_caps) { 1205 # else 1206 if (droproot) { 1207 # endif /*HAVE_LINUX_CAPABILITIES*/ 1208 1209 # ifdef NEED_EARLY_FORK 1210 fork_nonchroot_worker(); 1211 # endif 1212 1213 /* Drop super-user privileges and chroot now if the OS supports this */ 1214 1215 # ifdef HAVE_LINUX_CAPABILITIES 1216 /* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */ 1217 if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) { 1218 msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" ); 1219 exit(-1); 1220 } 1221 # elif HAVE_SOLARIS_PRIVS 1222 /* Nothing to do here */ 1223 # else 1224 /* we need a user to switch to */ 1225 if (user == NULL) { 1226 msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" ); 1227 exit(-1); 1228 } 1229 # endif /* HAVE_LINUX_CAPABILITIES || HAVE_SOLARIS_PRIVS */ 1230 1231 if (user != NULL) { 1232 if (0 == map_user()) 1233 exit (-1); 1234 } 1235 if (group != NULL) { 1236 if (0 == map_group()) 1237 exit (-1); 1238 } 1239 1240 if (chrootdir ) { 1241 /* make sure cwd is inside the jail: */ 1242 if (chdir(chrootdir)) { 1243 msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir); 1244 exit (-1); 1245 } 1246 if (chroot(chrootdir)) { 1247 msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir); 1248 exit (-1); 1249 } 1250 if (chdir("/")) { 1251 msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m"); 1252 exit (-1); 1253 } 1254 } 1255 # ifdef HAVE_SOLARIS_PRIVS 1256 if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) { 1257 msyslog(LOG_ERR, "priv_str_to_set() failed:%m"); 1258 exit(-1); 1259 } 1260 if ((highprivs = priv_allocset()) == NULL) { 1261 msyslog(LOG_ERR, "priv_allocset() failed:%m"); 1262 exit(-1); 1263 } 1264 (void) getppriv(PRIV_PERMITTED, highprivs); 1265 (void) priv_intersect(highprivs, lowprivs); 1266 if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { 1267 msyslog(LOG_ERR, "setppriv() failed:%m"); 1268 exit(-1); 1269 } 1270 # endif /* HAVE_SOLARIS_PRIVS */ 1271 if (0 == set_user_group_ids()) 1272 exit(-1); 1273 1274 # if defined(HAVE_TRUSTEDBSD_MAC) 1275 /* 1276 * To manipulate system time and (re-)bind to NTP_PORT as needed 1277 * following interface changes, we must either run as uid 0 or 1278 * the mac_ntpd policy module must be enabled. 1279 */ 1280 if (sw_uid != 0 && mac_is_present("ntpd") != 1) { 1281 msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges"); 1282 exit (-1); 1283 } 1284 # elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) 1285 /* 1286 * for now assume that the privilege to bind to privileged ports 1287 * is associated with running with uid 0 - should be refined on 1288 * ports that allow binding to NTP_PORT with uid != 0 1289 */ 1290 disable_dynamic_updates |= (sw_uid != 0); /* also notifies routing message listener */ 1291 # endif /* !HAVE_LINUX_CAPABILITIES && !HAVE_SOLARIS_PRIVS */ 1292 1293 if (disable_dynamic_updates && interface_interval) { 1294 interface_interval = 0; 1295 msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking"); 1296 } 1297 1298 # ifdef HAVE_LINUX_CAPABILITIES 1299 { 1300 /* 1301 * We may be running under non-root uid now, but we still hold full root privileges! 1302 * We drop all of them, except for the crucial one or two: cap_sys_time and 1303 * cap_net_bind_service if doing dynamic interface tracking. 1304 */ 1305 cap_t caps; 1306 char *captext; 1307 1308 captext = (0 != interface_interval) 1309 ? "cap_sys_time,cap_net_bind_service=pe" 1310 : "cap_sys_time=pe"; 1311 caps = cap_from_text(captext); 1312 if (!caps) { 1313 msyslog(LOG_ERR, 1314 "cap_from_text(%s) failed: %m", 1315 captext); 1316 exit(-1); 1317 } 1318 if (-1 == cap_set_proc(caps)) { 1319 msyslog(LOG_ERR, 1320 "cap_set_proc() failed to drop root privs: %m"); 1321 exit(-1); 1322 } 1323 cap_free(caps); 1324 } 1325 # endif /* HAVE_LINUX_CAPABILITIES */ 1326 # ifdef HAVE_SOLARIS_PRIVS 1327 if (priv_delset(lowprivs, "proc_setid") == -1) { 1328 msyslog(LOG_ERR, "priv_delset() failed:%m"); 1329 exit(-1); 1330 } 1331 if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { 1332 msyslog(LOG_ERR, "setppriv() failed:%m"); 1333 exit(-1); 1334 } 1335 priv_freeset(lowprivs); 1336 priv_freeset(highprivs); 1337 # endif /* HAVE_SOLARIS_PRIVS */ 1338 root_dropped = TRUE; 1339 fork_deferred_worker(); 1340 } /* if (droproot) */ 1341 # endif /* HAVE_DROPROOT */ 1342 1343 /* libssecomp sandboxing */ 1344 #if defined (LIBSECCOMP) && (KERN_SECCOMP) 1345 scmp_filter_ctx ctx; 1346 1347 if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) 1348 msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__); 1349 else { 1350 msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__); 1351 } 1352 1353 #ifdef __x86_64__ 1354 int scmp_sc[] = { 1355 SCMP_SYS(adjtimex), 1356 SCMP_SYS(bind), 1357 SCMP_SYS(brk), 1358 SCMP_SYS(chdir), 1359 SCMP_SYS(clock_gettime), 1360 SCMP_SYS(clock_settime), 1361 SCMP_SYS(close), 1362 SCMP_SYS(connect), 1363 SCMP_SYS(exit_group), 1364 SCMP_SYS(fstat), 1365 SCMP_SYS(fsync), 1366 SCMP_SYS(futex), 1367 SCMP_SYS(getitimer), 1368 SCMP_SYS(getsockname), 1369 SCMP_SYS(ioctl), 1370 SCMP_SYS(lseek), 1371 SCMP_SYS(madvise), 1372 SCMP_SYS(mmap), 1373 SCMP_SYS(munmap), 1374 SCMP_SYS(open), 1375 SCMP_SYS(poll), 1376 SCMP_SYS(read), 1377 SCMP_SYS(recvmsg), 1378 SCMP_SYS(rename), 1379 SCMP_SYS(rt_sigaction), 1380 SCMP_SYS(rt_sigprocmask), 1381 SCMP_SYS(rt_sigreturn), 1382 SCMP_SYS(select), 1383 SCMP_SYS(sendto), 1384 SCMP_SYS(setitimer), 1385 SCMP_SYS(setsid), 1386 SCMP_SYS(socket), 1387 SCMP_SYS(stat), 1388 SCMP_SYS(time), 1389 SCMP_SYS(write), 1390 }; 1391 #endif 1392 #ifdef __i386__ 1393 int scmp_sc[] = { 1394 SCMP_SYS(_newselect), 1395 SCMP_SYS(adjtimex), 1396 SCMP_SYS(brk), 1397 SCMP_SYS(chdir), 1398 SCMP_SYS(clock_gettime), 1399 SCMP_SYS(clock_settime), 1400 SCMP_SYS(close), 1401 SCMP_SYS(exit_group), 1402 SCMP_SYS(fsync), 1403 SCMP_SYS(futex), 1404 SCMP_SYS(getitimer), 1405 SCMP_SYS(madvise), 1406 SCMP_SYS(mmap), 1407 SCMP_SYS(mmap2), 1408 SCMP_SYS(munmap), 1409 SCMP_SYS(open), 1410 SCMP_SYS(poll), 1411 SCMP_SYS(read), 1412 SCMP_SYS(rename), 1413 SCMP_SYS(rt_sigaction), 1414 SCMP_SYS(rt_sigprocmask), 1415 SCMP_SYS(select), 1416 SCMP_SYS(setitimer), 1417 SCMP_SYS(setsid), 1418 SCMP_SYS(sigprocmask), 1419 SCMP_SYS(sigreturn), 1420 SCMP_SYS(socketcall), 1421 SCMP_SYS(stat64), 1422 SCMP_SYS(time), 1423 SCMP_SYS(write), 1424 }; 1425 #endif 1426 { 1427 int i; 1428 1429 for (i = 0; i < COUNTOF(scmp_sc); i++) { 1430 if (seccomp_rule_add(ctx, 1431 SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) { 1432 msyslog(LOG_ERR, 1433 "%s: seccomp_rule_add() failed: %m", 1434 __func__); 1435 } 1436 } 1437 } 1438 1439 if (seccomp_load(ctx) < 0) 1440 msyslog(LOG_ERR, "%s: seccomp_load() failed: %m", 1441 __func__); 1442 else { 1443 msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__); 1444 } 1445 #endif /* LIBSECCOMP and KERN_SECCOMP */ 1446 1447 #if defined(SYS_WINNT) 1448 ntservice_isup(); 1449 #elif defined(HAVE_WORKING_FORK) 1450 if (daemon_pipe[1] != -1) { 1451 write(daemon_pipe[1], "R\n", 2); 1452 } 1453 #endif /* HAVE_WORKING_FORK */ 1454 1455 # ifndef HAVE_IO_COMPLETION_PORT 1456 BLOCK_IO_AND_ALARM(); 1457 was_alarmed = FALSE; 1458 # endif 1459 1460 for (;;) { 1461 #if !defined(SIM) && defined(SIGDIE1) 1462 if (signalled) 1463 finish_safe(signo); 1464 #endif 1465 # ifdef HAVE_IO_COMPLETION_PORT 1466 GetReceivedBuffers(); 1467 1468 # else /* normal I/O */ 1469 if (alarm_flag) { /* alarmed? */ 1470 was_alarmed = TRUE; 1471 alarm_flag = FALSE; 1472 } 1473 1474 /* collect async name/addr results */ 1475 if (!was_alarmed) 1476 harvest_blocking_responses(); 1477 1478 if (!was_alarmed && !has_full_recv_buffer()) { 1479 /* 1480 * Nothing to do. Wait for something. 1481 */ 1482 io_handler(); 1483 } 1484 1485 if (alarm_flag) { /* alarmed? */ 1486 was_alarmed = TRUE; 1487 alarm_flag = FALSE; 1488 } 1489 1490 if (was_alarmed) { 1491 UNBLOCK_IO_AND_ALARM(); 1492 /* 1493 * Out here, signals are unblocked. Call timer routine 1494 * to process expiry. 1495 */ 1496 timer(); 1497 was_alarmed = FALSE; 1498 BLOCK_IO_AND_ALARM(); 1499 } 1500 1501 # endif /* !HAVE_IO_COMPLETION_PORT */ 1502 1503 # ifdef DEBUG_TIMING 1504 { 1505 l_fp pts; 1506 l_fp tsa, tsb; 1507 int bufcount = 0; 1508 1509 get_systime(&pts); 1510 tsa = pts; 1511 # endif 1512 rbuf = get_full_recv_buffer(); 1513 while (rbuf != NULL) { 1514 if (alarm_flag) { 1515 was_alarmed = TRUE; 1516 alarm_flag = FALSE; 1517 } 1518 UNBLOCK_IO_AND_ALARM(); 1519 1520 if (was_alarmed) { 1521 /* avoid timer starvation during lengthy I/O handling */ 1522 timer(); 1523 was_alarmed = FALSE; 1524 } 1525 1526 /* 1527 * Call the data procedure to handle each received 1528 * packet. 1529 */ 1530 if (rbuf->receiver != NULL) { 1531 # ifdef DEBUG_TIMING 1532 l_fp dts = pts; 1533 1534 L_SUB(&dts, &rbuf->recv_time); 1535 DPRINTF(2, ("processing timestamp delta %s (with prec. fuzz)\n", lfptoa(&dts, 9))); 1536 collect_timing(rbuf, "buffer processing delay", 1, &dts); 1537 bufcount++; 1538 # endif 1539 (*rbuf->receiver)(rbuf); 1540 } else { 1541 msyslog(LOG_ERR, "fatal: receive buffer callback NULL"); 1542 abort(); 1543 } 1544 1545 BLOCK_IO_AND_ALARM(); 1546 freerecvbuf(rbuf); 1547 rbuf = get_full_recv_buffer(); 1548 } 1549 # ifdef DEBUG_TIMING 1550 get_systime(&tsb); 1551 L_SUB(&tsb, &tsa); 1552 if (bufcount) { 1553 collect_timing(NULL, "processing", bufcount, &tsb); 1554 DPRINTF(2, ("processing time for %d buffers %s\n", bufcount, lfptoa(&tsb, 9))); 1555 } 1556 } 1557 # endif 1558 1559 /* 1560 * Go around again 1561 */ 1562 1563 # ifdef HAVE_DNSREGISTRATION 1564 if (mdnsreg && (current_time - mdnsreg ) > 60 && mdnstries && sys_leap != LEAP_NOTINSYNC) { 1565 mdnsreg = current_time; 1566 msyslog(LOG_INFO, "Attempting to register mDNS"); 1567 if ( DNSServiceRegister (&mdns, 0, 0, NULL, "_ntp._udp", NULL, NULL, 1568 htons(NTP_PORT), 0, NULL, NULL, NULL) != kDNSServiceErr_NoError ) { 1569 if (!--mdnstries) { 1570 msyslog(LOG_ERR, "Unable to register mDNS, giving up."); 1571 } else { 1572 msyslog(LOG_INFO, "Unable to register mDNS, will try later."); 1573 } 1574 } else { 1575 msyslog(LOG_INFO, "mDNS service registered."); 1576 mdnsreg = FALSE; 1577 } 1578 } 1579 # endif /* HAVE_DNSREGISTRATION */ 1580 1581 } 1582 UNBLOCK_IO_AND_ALARM(); 1583 return 1; 1584 } 1585 #endif /* !SIM */ 1586 1587 1588 #if !defined(SIM) && defined(SIGDIE1) 1589 /* 1590 * finish - exit gracefully 1591 */ 1592 static void 1593 finish_safe( 1594 int sig 1595 ) 1596 { 1597 const char *sig_desc; 1598 1599 sig_desc = NULL; 1600 #ifdef HAVE_STRSIGNAL 1601 sig_desc = strsignal(sig); 1602 #endif 1603 if (sig_desc == NULL) 1604 sig_desc = ""; 1605 msyslog(LOG_NOTICE, "%s exiting on signal %d (%s)", progname, 1606 sig, sig_desc); 1607 /* See Bug 2513 and Bug 2522 re the unlink of PIDFILE */ 1608 # ifdef HAVE_DNSREGISTRATION 1609 if (mdns != NULL) 1610 DNSServiceRefDeallocate(mdns); 1611 # endif 1612 peer_cleanup(); 1613 exit(0); 1614 } 1615 1616 static RETSIGTYPE 1617 finish( 1618 int sig 1619 ) 1620 { 1621 signalled = 1; 1622 signo = sig; 1623 } 1624 1625 #endif /* !SIM && SIGDIE1 */ 1626 1627 1628 #ifndef SIM 1629 /* 1630 * wait_child_sync_if - implements parent side of -w/--wait-sync 1631 */ 1632 # ifdef HAVE_WORKING_FORK 1633 1634 static int 1635 wait_child_sync_if( 1636 int pipe_read_fd, 1637 unsigned long wait_sync 1638 ) 1639 { 1640 int rc; 1641 char ch; 1642 time_t wait_end_time; 1643 time_t cur_time; 1644 time_t wait_rem; 1645 fd_set readset; 1646 struct timeval wtimeout; 1647 1648 /* we wait a bit for the child in *any* case, because on failure 1649 * of the child we have to get and inspect the exit code! 1650 */ 1651 wait_end_time = time(NULL); 1652 if (wait_sync) 1653 wait_end_time += wait_sync; 1654 else 1655 wait_end_time += 30; 1656 1657 do { 1658 cur_time = time(NULL); 1659 wait_rem = (wait_end_time > cur_time) 1660 ? (wait_end_time - cur_time) 1661 : 0; 1662 wtimeout.tv_sec = wait_rem; 1663 wtimeout.tv_usec = 0; 1664 FD_ZERO(&readset); 1665 FD_SET(pipe_read_fd, &readset); 1666 rc = select(pipe_read_fd + 1, &readset, NULL, NULL, 1667 &wtimeout); 1668 if (-1 == rc) { 1669 if (EINTR == errno) 1670 continue; 1671 msyslog(LOG_ERR, 1672 "daemon startup: select failed: %m"); 1673 return EX_IOERR; 1674 } 1675 if (0 == rc) { 1676 /* 1677 * select() indicated a timeout, but in case 1678 * its timeouts are affected by a step of the 1679 * system clock, select() again with a zero 1680 * timeout to confirm. 1681 */ 1682 FD_ZERO(&readset); 1683 FD_SET(pipe_read_fd, &readset); 1684 wtimeout.tv_sec = 0; 1685 wtimeout.tv_usec = 0; 1686 rc = select(pipe_read_fd + 1, &readset, NULL, 1687 NULL, &wtimeout); 1688 if (0 == rc) /* select() timeout */ 1689 break; 1690 } 1691 rc = read(pipe_read_fd, &ch, 1); 1692 if (rc == 0) { 1693 DPRINTF(2, ("daemon control: got EOF\n")); 1694 return -1; /* unexpected EOF, check daemon */ 1695 } else if (rc == 1) { 1696 DPRINTF(2, ("daemon control: got '%c'\n", 1697 (ch >= ' ' ? ch : '.'))); 1698 if (ch == 'R' && !wait_sync) 1699 return 0; 1700 if (ch == 'S' && wait_sync) 1701 return 0; 1702 } else { 1703 DPRINTF(2, ("daemon control: read 1 char failed: %s\n", 1704 strerror(errno))); 1705 return EX_IOERR; 1706 } 1707 } while (wait_rem > 0); 1708 1709 if (wait_sync) { 1710 fprintf(stderr, "%s: -w/--wait-sync %ld timed out.\n", 1711 progname, wait_sync); 1712 return EX_PROTOCOL; 1713 } else { 1714 fprintf(stderr, "%s: daemon startup monitoring timed out.\n", 1715 progname); 1716 return 0; 1717 } 1718 } 1719 1720 1721 static int 1722 wait_child_exit_if( 1723 pid_t cpid, 1724 int blocking 1725 ) 1726 { 1727 # ifdef HAVE_WAITPID 1728 int rc = 0; 1729 int wstatus; 1730 if (cpid == waitpid(cpid, &wstatus, (blocking ? 0 : WNOHANG))) { 1731 DPRINTF(1, ("child (pid=%d) dead now\n", cpid)); 1732 if (WIFEXITED(wstatus)) { 1733 rc = WEXITSTATUS(wstatus); 1734 msyslog(LOG_ERR, "daemon child exited with code %d", 1735 rc); 1736 } else if (WIFSIGNALED(wstatus)) { 1737 rc = EX_SOFTWARE; 1738 msyslog(LOG_ERR, "daemon child died with signal %d", 1739 WTERMSIG(wstatus)); 1740 } else { 1741 rc = EX_SOFTWARE; 1742 msyslog(LOG_ERR, "daemon child died with unknown cause"); 1743 } 1744 } else { 1745 DPRINTF(1, ("child (pid=%d) still alive\n", cpid)); 1746 } 1747 return rc; 1748 # else 1749 UNUSED_ARG(cpid); 1750 return 0; 1751 # endif 1752 } 1753 1754 # endif /* HAVE_WORKING_FORK */ 1755 1756 1757 /* 1758 * assertion_failed - Redirect assertion failures to msyslog(). 1759 */ 1760 static void 1761 assertion_failed( 1762 const char *file, 1763 int line, 1764 isc_assertiontype_t type, 1765 const char *cond 1766 ) 1767 { 1768 isc_assertion_setcallback(NULL); /* Avoid recursion */ 1769 1770 msyslog(LOG_ERR, "%s:%d: %s(%s) failed", 1771 file, line, isc_assertion_typetotext(type), cond); 1772 msyslog(LOG_ERR, "exiting (due to assertion failure)"); 1773 1774 #if defined(DEBUG) && defined(SYS_WINNT) 1775 if (debug) 1776 DebugBreak(); 1777 #endif 1778 1779 abort(); 1780 } 1781 1782 1783 /* 1784 * library_fatal_error - Handle fatal errors from our libraries. 1785 */ 1786 static void 1787 library_fatal_error( 1788 const char *file, 1789 int line, 1790 const char *format, 1791 va_list args 1792 ) 1793 { 1794 char errbuf[256]; 1795 1796 isc_error_setfatal(NULL); /* Avoid recursion */ 1797 1798 msyslog(LOG_ERR, "%s:%d: fatal error:", file, line); 1799 vsnprintf(errbuf, sizeof(errbuf), format, args); 1800 msyslog(LOG_ERR, "%s", errbuf); 1801 msyslog(LOG_ERR, "exiting (due to fatal error in library)"); 1802 1803 #if defined(DEBUG) && defined(SYS_WINNT) 1804 if (debug) 1805 DebugBreak(); 1806 #endif 1807 1808 abort(); 1809 } 1810 1811 1812 /* 1813 * library_unexpected_error - Handle non fatal errors from our libraries. 1814 */ 1815 # define MAX_UNEXPECTED_ERRORS 100 1816 int unexpected_error_cnt = 0; 1817 static void 1818 library_unexpected_error( 1819 const char *file, 1820 int line, 1821 const char *format, 1822 va_list args 1823 ) 1824 { 1825 char errbuf[256]; 1826 1827 if (unexpected_error_cnt >= MAX_UNEXPECTED_ERRORS) 1828 return; /* avoid clutter in log */ 1829 1830 msyslog(LOG_ERR, "%s:%d: unexpected error:", file, line); 1831 vsnprintf(errbuf, sizeof(errbuf), format, args); 1832 msyslog(LOG_ERR, "%s", errbuf); 1833 1834 if (++unexpected_error_cnt == MAX_UNEXPECTED_ERRORS) 1835 msyslog(LOG_ERR, "Too many errors. Shutting up."); 1836 1837 } 1838 #endif /* !SIM */ 1839 1840 #if !defined(SIM) && !defined(SYS_WINNT) 1841 # ifdef DEBUG 1842 1843 /* 1844 * moredebug - increase debugging verbosity 1845 */ 1846 static RETSIGTYPE 1847 moredebug( 1848 int sig 1849 ) 1850 { 1851 int saved_errno = errno; 1852 1853 if (debug < 255) 1854 { 1855 debug++; 1856 msyslog(LOG_DEBUG, "debug raised to %d", debug); 1857 } 1858 errno = saved_errno; 1859 } 1860 1861 1862 /* 1863 * lessdebug - decrease debugging verbosity 1864 */ 1865 static RETSIGTYPE 1866 lessdebug( 1867 int sig 1868 ) 1869 { 1870 int saved_errno = errno; 1871 1872 if (debug > 0) 1873 { 1874 debug--; 1875 msyslog(LOG_DEBUG, "debug lowered to %d", debug); 1876 } 1877 errno = saved_errno; 1878 } 1879 1880 # else /* !DEBUG follows */ 1881 1882 1883 /* 1884 * no_debug - We don't do the debug here. 1885 */ 1886 static RETSIGTYPE 1887 no_debug( 1888 int sig 1889 ) 1890 { 1891 int saved_errno = errno; 1892 1893 msyslog(LOG_DEBUG, "ntpd not compiled for debugging (signal %d)", sig); 1894 errno = saved_errno; 1895 } 1896 # endif /* !DEBUG */ 1897 #endif /* !SIM && !SYS_WINNT */ 1898