1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2013 DEY Storage Systems, Inc. 24 * Copyright (c) 2014 Gary Mills 25 * Copyright 2015 Nexenta Systems, Inc. All rights reserved. 26 */ 27 28 /* 29 * zlogin provides three types of login which allow users in the global 30 * zone to access non-global zones. 31 * 32 * - "interactive login" is similar to rlogin(1); for example, the user could 33 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is 34 * granted a new pty (which is then shoved into the zone), and an I/O 35 * loop between parent and child processes takes care of the interactive 36 * session. In this mode, login(1) (and its -c option, which means 37 * "already authenticated") is employed to take care of the initialization 38 * of the user's session. 39 * 40 * - "non-interactive login" is similar to su(1M); the user could issue 41 * 'zlogin my-zone ls -l' and the command would be run as specified. 42 * In this mode, zlogin sets up pipes as the communication channel, and 43 * 'su' is used to do the login setup work. 44 * 45 * - "console login" is the equivalent to accessing the tip line for a 46 * zone. For example, the user can issue 'zlogin -C my-zone'. 47 * In this mode, zlogin contacts the zoneadmd process via unix domain 48 * socket. If zoneadmd is not running, it starts it. This allows the 49 * console to be available anytime the zone is installed, regardless of 50 * whether it is running. 51 */ 52 53 #include <sys/socket.h> 54 #include <sys/termios.h> 55 #include <sys/utsname.h> 56 #include <sys/stat.h> 57 #include <sys/types.h> 58 #include <sys/contract/process.h> 59 #include <sys/ctfs.h> 60 #include <sys/brand.h> 61 #include <sys/wait.h> 62 #include <alloca.h> 63 #include <assert.h> 64 #include <ctype.h> 65 #include <paths.h> 66 #include <door.h> 67 #include <errno.h> 68 #include <nss_dbdefs.h> 69 #include <poll.h> 70 #include <priv.h> 71 #include <pwd.h> 72 #include <unistd.h> 73 #include <utmpx.h> 74 #include <sac.h> 75 #include <signal.h> 76 #include <stdarg.h> 77 #include <stdio.h> 78 #include <stdlib.h> 79 #include <string.h> 80 #include <strings.h> 81 #include <stropts.h> 82 #include <wait.h> 83 #include <zone.h> 84 #include <fcntl.h> 85 #include <libdevinfo.h> 86 #include <libintl.h> 87 #include <locale.h> 88 #include <libzonecfg.h> 89 #include <libcontract.h> 90 #include <libbrand.h> 91 #include <auth_list.h> 92 #include <auth_attr.h> 93 #include <secdb.h> 94 95 static int masterfd; 96 static struct termios save_termios; 97 static struct termios effective_termios; 98 static int save_fd; 99 static struct winsize winsize; 100 static volatile int dead; 101 static volatile pid_t child_pid = -1; 102 static int interactive = 0; 103 static priv_set_t *dropprivs; 104 105 static int nocmdchar = 0; 106 static int failsafe = 0; 107 static int disconnect = 0; 108 static char cmdchar = '~'; 109 static int quiet = 0; 110 111 static int pollerr = 0; 112 113 static const char *pname; 114 static char *username; 115 116 /* 117 * When forced_login is true, the user is not prompted 118 * for an authentication password in the target zone. 119 */ 120 static boolean_t forced_login = B_FALSE; 121 122 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */ 123 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */ 124 #endif 125 126 #define SUPATH "/usr/bin/su" 127 #define FAILSAFESHELL "/sbin/sh" 128 #define DEFAULTSHELL "/sbin/sh" 129 #define DEF_PATH "/usr/sbin:/usr/bin" 130 131 #define CLUSTER_BRAND_NAME "cluster" 132 133 /* 134 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing 135 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less 136 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is 137 * also chosen in conjunction with the HI_WATER setting to make sure we 138 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before 139 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we 140 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there 141 * is less than HI_WATER data already in the pipe. 142 */ 143 #define ZLOGIN_BUFSIZ 8192 144 #define ZLOGIN_RDBUFSIZ 1024 145 #define HI_WATER 8192 146 147 /* 148 * See canonify() below. CANONIFY_LEN is the maximum length that a 149 * "canonical" sequence will expand to (backslash, three octal digits, NUL). 150 */ 151 #define CANONIFY_LEN 5 152 153 static void 154 usage(void) 155 { 156 (void) fprintf(stderr, gettext("usage: %s [ -dnQCES ] [ -e cmdchar ] " 157 "[-l user] zonename [command [args ...] ]\n"), pname); 158 exit(2); 159 } 160 161 static const char * 162 getpname(const char *arg0) 163 { 164 const char *p = strrchr(arg0, '/'); 165 166 if (p == NULL) 167 p = arg0; 168 else 169 p++; 170 171 pname = p; 172 return (p); 173 } 174 175 static void 176 zerror(const char *fmt, ...) 177 { 178 va_list alist; 179 180 (void) fprintf(stderr, "%s: ", pname); 181 va_start(alist, fmt); 182 (void) vfprintf(stderr, fmt, alist); 183 va_end(alist); 184 (void) fprintf(stderr, "\n"); 185 } 186 187 static void 188 zperror(const char *str) 189 { 190 const char *estr; 191 192 if ((estr = strerror(errno)) != NULL) 193 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr); 194 else 195 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno); 196 } 197 198 /* 199 * The first part of our privilege dropping scheme needs to be called before 200 * fork(), since we must have it for security; we don't want to be surprised 201 * later that we couldn't allocate the privset. 202 */ 203 static int 204 prefork_dropprivs() 205 { 206 if ((dropprivs = priv_allocset()) == NULL) 207 return (1); 208 209 priv_basicset(dropprivs); 210 (void) priv_delset(dropprivs, PRIV_PROC_INFO); 211 (void) priv_delset(dropprivs, PRIV_PROC_FORK); 212 (void) priv_delset(dropprivs, PRIV_PROC_EXEC); 213 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY); 214 215 /* 216 * We need to keep the basic privilege PROC_SESSION and all unknown 217 * basic privileges as well as the privileges PROC_ZONE and 218 * PROC_OWNER in order to query session information and 219 * send signals. 220 */ 221 if (interactive == 0) { 222 (void) priv_addset(dropprivs, PRIV_PROC_ZONE); 223 (void) priv_addset(dropprivs, PRIV_PROC_OWNER); 224 } else { 225 (void) priv_delset(dropprivs, PRIV_PROC_SESSION); 226 } 227 228 return (0); 229 } 230 231 /* 232 * The second part of the privilege drop. We are paranoid about being attacked 233 * by the zone, so we drop all privileges. This should prevent a compromise 234 * which gets us to fork(), exec(), symlink(), etc. 235 */ 236 static void 237 postfork_dropprivs() 238 { 239 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) { 240 zperror(gettext("Warning: could not set permitted privileges")); 241 } 242 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) { 243 zperror(gettext("Warning: could not set limit privileges")); 244 } 245 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) { 246 zperror(gettext("Warning: could not set inheritable " 247 "privileges")); 248 } 249 } 250 251 /* 252 * Create the unix domain socket and call the zoneadmd server; handshake 253 * with it to determine whether it will allow us to connect. 254 */ 255 static int 256 get_console_master(const char *zname) 257 { 258 int sockfd = -1; 259 struct sockaddr_un servaddr; 260 char clientid[MAXPATHLEN]; 261 char handshake[MAXPATHLEN], c; 262 int msglen; 263 int i = 0, err = 0; 264 265 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { 266 zperror(gettext("could not create socket")); 267 return (-1); 268 } 269 270 bzero(&servaddr, sizeof (servaddr)); 271 servaddr.sun_family = AF_UNIX; 272 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path), 273 "%s/%s.console_sock", ZONES_TMPDIR, zname); 274 275 if (connect(sockfd, (struct sockaddr *)&servaddr, 276 sizeof (servaddr)) == -1) { 277 zperror(gettext("Could not connect to zone console")); 278 goto bad; 279 } 280 masterfd = sockfd; 281 282 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s %d\n", 283 getpid(), setlocale(LC_MESSAGES, NULL), disconnect); 284 285 if (msglen >= sizeof (clientid) || msglen < 0) { 286 zerror("protocol error"); 287 goto bad; 288 } 289 290 if (write(masterfd, clientid, msglen) != msglen) { 291 zerror("protocol error"); 292 goto bad; 293 } 294 295 bzero(handshake, sizeof (handshake)); 296 297 /* 298 * Take care not to accumulate more than our fill, and leave room for 299 * the NUL at the end. 300 */ 301 while ((err = read(masterfd, &c, 1)) == 1) { 302 if (i >= (sizeof (handshake) - 1)) 303 break; 304 if (c == '\n') 305 break; 306 handshake[i] = c; 307 i++; 308 } 309 310 /* 311 * If something went wrong during the handshake we bail; perhaps 312 * the server died off. 313 */ 314 if (err == -1) { 315 zperror(gettext("Could not connect to zone console")); 316 goto bad; 317 } 318 319 if (strncmp(handshake, "OK", sizeof (handshake)) == 0) 320 return (0); 321 322 zerror(gettext("Console is already in use by process ID %s."), 323 handshake); 324 bad: 325 (void) close(sockfd); 326 masterfd = -1; 327 return (-1); 328 } 329 330 331 /* 332 * Routines to handle pty creation upon zone entry and to shuttle I/O back 333 * and forth between the two terminals. We also compute and store the 334 * name of the slave terminal associated with the master side. 335 */ 336 static int 337 get_master_pty() 338 { 339 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) { 340 zperror(gettext("failed to obtain a pseudo-tty")); 341 return (-1); 342 } 343 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) { 344 zperror(gettext("failed to get terminal settings from stdin")); 345 return (-1); 346 } 347 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize); 348 349 return (0); 350 } 351 352 /* 353 * This is a bit tricky; normally a pts device will belong to the zone it 354 * is granted to. But in the case of "entering" a zone, we need to establish 355 * the pty before entering the zone so that we can vector I/O to and from it 356 * from the global zone. 357 * 358 * We use the zonept() call to let the ptm driver know what we are up to; 359 * the only other hairy bit is the setting of zoneslavename (which happens 360 * above, in get_master_pty()). 361 */ 362 static int 363 init_slave_pty(zoneid_t zoneid, char *devroot) 364 { 365 int slavefd = -1; 366 char *slavename, zoneslavename[MAXPATHLEN]; 367 368 /* 369 * Set slave permissions, zone the pts, then unlock it. 370 */ 371 if (grantpt(masterfd) != 0) { 372 zperror(gettext("grantpt failed")); 373 return (-1); 374 } 375 376 if (unlockpt(masterfd) != 0) { 377 zperror(gettext("unlockpt failed")); 378 return (-1); 379 } 380 381 /* 382 * We must open the slave side before zoning this pty; otherwise 383 * the kernel would refuse us the open-- zoning a pty makes it 384 * inaccessible to the global zone. Note we are trying to open 385 * the device node via the $ZONEROOT/dev path for this pty. 386 * 387 * Later we'll close the slave out when once we've opened it again 388 * from within the target zone. Blarg. 389 */ 390 if ((slavename = ptsname(masterfd)) == NULL) { 391 zperror(gettext("failed to get name for pseudo-tty")); 392 return (-1); 393 } 394 395 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s", 396 devroot, slavename); 397 398 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) { 399 zerror(gettext("failed to open %s: %s"), zoneslavename, 400 strerror(errno)); 401 return (-1); 402 } 403 404 /* 405 * Push hardware emulation (ptem), line discipline (ldterm), 406 * and V7/4BSD/Xenix compatibility (ttcompat) modules. 407 */ 408 if (ioctl(slavefd, I_PUSH, "ptem") == -1) { 409 zperror(gettext("failed to push ptem module")); 410 if (!failsafe) 411 goto bad; 412 } 413 414 /* 415 * Anchor the stream to prevent malicious I_POPs; we prefer to do 416 * this prior to entering the zone so that we can detect any errors 417 * early, and so that we can set the anchor from the global zone. 418 */ 419 if (ioctl(slavefd, I_ANCHOR) == -1) { 420 zperror(gettext("failed to set stream anchor")); 421 if (!failsafe) 422 goto bad; 423 } 424 425 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) { 426 zperror(gettext("failed to push ldterm module")); 427 if (!failsafe) 428 goto bad; 429 } 430 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) { 431 zperror(gettext("failed to push ttcompat module")); 432 if (!failsafe) 433 goto bad; 434 } 435 436 /* 437 * Propagate terminal settings from the external term to the new one. 438 */ 439 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) { 440 zperror(gettext("failed to set terminal settings")); 441 if (!failsafe) 442 goto bad; 443 } 444 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize); 445 446 if (zonept(masterfd, zoneid) != 0) { 447 zperror(gettext("could not set zoneid of pty")); 448 goto bad; 449 } 450 451 return (slavefd); 452 453 bad: 454 (void) close(slavefd); 455 return (-1); 456 } 457 458 /* 459 * Place terminal into raw mode. 460 */ 461 static int 462 set_tty_rawmode(int fd) 463 { 464 struct termios term; 465 if (tcgetattr(fd, &term) < 0) { 466 zperror(gettext("failed to get user terminal settings")); 467 return (-1); 468 } 469 470 /* Stash for later, so we can revert back to previous mode */ 471 save_termios = term; 472 save_fd = fd; 473 474 /* disable 8->7 bit strip, start/stop, enable any char to restart */ 475 term.c_iflag &= ~(ISTRIP|IXON|IXANY); 476 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */ 477 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC); 478 /* disable output post-processing */ 479 term.c_oflag &= ~OPOST; 480 /* disable canonical mode, signal chars, echo & extended functions */ 481 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN); 482 483 term.c_cc[VMIN] = 1; /* byte-at-a-time */ 484 term.c_cc[VTIME] = 0; 485 486 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) { 487 zperror(gettext("failed to set user terminal to raw mode")); 488 return (-1); 489 } 490 491 /* 492 * We need to know the value of VEOF so that we can properly process for 493 * client-side ~<EOF>. But we have obliterated VEOF in term, 494 * because VMIN overloads the same array slot in non-canonical mode. 495 * Stupid @&^%! 496 * 497 * So here we construct the "effective" termios from the current 498 * terminal settings, and the corrected VEOF and VEOL settings. 499 */ 500 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) { 501 zperror(gettext("failed to get user terminal settings")); 502 return (-1); 503 } 504 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF]; 505 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL]; 506 507 return (0); 508 } 509 510 /* 511 * Copy terminal window size from our terminal to the pts. 512 */ 513 /*ARGSUSED*/ 514 static void 515 sigwinch(int s) 516 { 517 struct winsize ws; 518 519 if (ioctl(0, TIOCGWINSZ, &ws) == 0) 520 (void) ioctl(masterfd, TIOCSWINSZ, &ws); 521 } 522 523 static volatile int close_on_sig = -1; 524 525 static void 526 /*ARGSUSED*/ 527 sigcld(int s) 528 { 529 int status; 530 pid_t pid; 531 532 /* 533 * Peek at the exit status. If this isn't the process we cared 534 * about, then just reap it. 535 */ 536 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) { 537 if (pid == child_pid && 538 (WIFEXITED(status) || WIFSIGNALED(status))) { 539 dead = 1; 540 if (close_on_sig != -1) { 541 (void) write(close_on_sig, "a", 1); 542 (void) close(close_on_sig); 543 close_on_sig = -1; 544 } 545 } else { 546 (void) waitpid(pid, &status, WNOHANG); 547 } 548 } 549 } 550 551 /* 552 * Some signals (currently, SIGINT) must be forwarded on to the process 553 * group of the child process. 554 */ 555 static void 556 sig_forward(int s) 557 { 558 if (child_pid != -1) { 559 (void) sigsend(P_PGID, child_pid, s); 560 } 561 } 562 563 /* 564 * reset terminal settings for global environment 565 */ 566 static void 567 reset_tty() 568 { 569 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios); 570 } 571 572 /* 573 * Convert character to printable representation, for display with locally 574 * echoed command characters (like when we need to display ~^D) 575 */ 576 static void 577 canonify(char c, char *cc) 578 { 579 if (isprint(c)) { 580 cc[0] = c; 581 cc[1] = '\0'; 582 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */ 583 cc[0] = '^'; 584 cc[1] = c + '@'; 585 cc[2] = '\0'; 586 } else { 587 cc[0] = '\\'; 588 cc[1] = ((c >> 6) & 7) + '0'; 589 cc[2] = ((c >> 3) & 7) + '0'; 590 cc[3] = (c & 7) + '0'; 591 cc[4] = '\0'; 592 } 593 } 594 595 /* 596 * process_user_input watches the input stream for the escape sequence for 597 * 'quit' (by default, tilde-period). Because we might be fed just one 598 * keystroke at a time, state associated with the user input (are we at the 599 * beginning of the line? are we locally echoing the next character?) is 600 * maintained by beginning_of_line and local_echo across calls to the routine. 601 * If the write to outfd fails, we'll try to read from infd in an attempt 602 * to prevent deadlock between the two processes. 603 * 604 * This routine returns -1 when the 'quit' escape sequence has been issued, 605 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise. 606 */ 607 static int 608 process_user_input(int outfd, int infd) 609 { 610 static boolean_t beginning_of_line = B_TRUE; 611 static boolean_t local_echo = B_FALSE; 612 char ibuf[ZLOGIN_BUFSIZ]; 613 int nbytes; 614 char *buf = ibuf; 615 char c = *buf; 616 617 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ); 618 if (nbytes == -1 && (errno != EINTR || dead)) 619 return (-1); 620 621 if (nbytes == -1) /* The read was interrupted. */ 622 return (0); 623 624 /* 0 read means EOF, close the pipe to the child */ 625 if (nbytes == 0) 626 return (1); 627 628 for (c = *buf; nbytes > 0; c = *buf, --nbytes) { 629 buf++; 630 if (beginning_of_line && !nocmdchar) { 631 beginning_of_line = B_FALSE; 632 if (c == cmdchar) { 633 local_echo = B_TRUE; 634 continue; 635 } 636 } else if (local_echo) { 637 local_echo = B_FALSE; 638 if (c == '.' || c == effective_termios.c_cc[VEOF]) { 639 char cc[CANONIFY_LEN]; 640 641 canonify(c, cc); 642 (void) write(STDOUT_FILENO, &cmdchar, 1); 643 (void) write(STDOUT_FILENO, cc, strlen(cc)); 644 return (-1); 645 } 646 } 647 retry: 648 if (write(outfd, &c, 1) <= 0) { 649 /* 650 * Since the fd we are writing to is opened with 651 * O_NONBLOCK it is possible to get EAGAIN if the 652 * pipe is full. One way this could happen is if we 653 * are writing a lot of data into the pipe in this loop 654 * and the application on the other end is echoing that 655 * data back out to its stdout. The output pipe can 656 * fill up since we are stuck here in this loop and not 657 * draining the other pipe. We can try to read some of 658 * the data to see if we can drain the pipe so that the 659 * application can continue to make progress. The read 660 * is non-blocking so we won't hang here. We also wait 661 * a bit before retrying since there could be other 662 * reasons why the pipe is full and we don't want to 663 * continuously retry. 664 */ 665 if (errno == EAGAIN) { 666 struct timespec rqtp; 667 int ln; 668 char obuf[ZLOGIN_BUFSIZ]; 669 670 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0) 671 (void) write(STDOUT_FILENO, obuf, ln); 672 673 /* sleep for 10 milliseconds */ 674 rqtp.tv_sec = 0; 675 rqtp.tv_nsec = MSEC2NSEC(10); 676 (void) nanosleep(&rqtp, NULL); 677 if (!dead) 678 goto retry; 679 } 680 681 return (-1); 682 } 683 beginning_of_line = (c == '\r' || c == '\n' || 684 c == effective_termios.c_cc[VKILL] || 685 c == effective_termios.c_cc[VEOL] || 686 c == effective_termios.c_cc[VSUSP] || 687 c == effective_termios.c_cc[VINTR]); 688 } 689 return (0); 690 } 691 692 /* 693 * This function prevents deadlock between zlogin and the application in the 694 * zone that it is talking to. This can happen when we read from zlogin's 695 * stdin and write the data down the pipe to the application. If the pipe 696 * is full, we'll block in the write. Because zlogin could be blocked in 697 * the write, it would never read the application's stdout/stderr so the 698 * application can then block on those writes (when the pipe fills up). If the 699 * the application gets blocked this way, it can never get around to reading 700 * its stdin so that zlogin can unblock from its write. Once in this state, 701 * the two processes are deadlocked. 702 * 703 * To prevent this, we want to verify that we can write into the pipe before we 704 * read from our stdin. If the pipe already is pretty full, we bypass the read 705 * for now. We'll circle back here again after the poll() so that we can 706 * try again. When this function is called, we already know there is data 707 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if 708 * stdin is EOF, and 0 if everything is ok (even though we might not have 709 * read/written any data into the pipe on this iteration). 710 */ 711 static int 712 process_raw_input(int stdin_fd, int appin_fd) 713 { 714 int cc; 715 struct stat64 sb; 716 char ibuf[ZLOGIN_RDBUFSIZ]; 717 718 /* Check how much data is already in the pipe */ 719 if (fstat64(appin_fd, &sb) == -1) { 720 perror("stat failed"); 721 return (-1); 722 } 723 724 if (dead) 725 return (-1); 726 727 /* 728 * The pipe already has a lot of data in it, don't write any more 729 * right now. 730 */ 731 if (sb.st_size >= HI_WATER) 732 return (0); 733 734 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ); 735 if (cc == -1 && (errno != EINTR || dead)) 736 return (-1); 737 738 if (cc == -1) /* The read was interrupted. */ 739 return (0); 740 741 /* 0 read means EOF, close the pipe to the child */ 742 if (cc == 0) 743 return (1); 744 745 /* 746 * stdin_fd is stdin of the target; so, the thing we'll write the user 747 * data *to*. 748 */ 749 if (write(stdin_fd, ibuf, cc) == -1) 750 return (-1); 751 752 return (0); 753 } 754 755 /* 756 * Write the output from the application running in the zone. We can get 757 * a signal during the write (usually it would be SIGCHLD when the application 758 * has exited) so we loop to make sure we have written all of the data we read. 759 */ 760 static int 761 process_output(int in_fd, int out_fd) 762 { 763 int wrote = 0; 764 int cc; 765 char ibuf[ZLOGIN_BUFSIZ]; 766 767 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ); 768 if (cc == -1 && (errno != EINTR || dead)) 769 return (-1); 770 if (cc == 0) /* EOF */ 771 return (-1); 772 if (cc == -1) /* The read was interrupted. */ 773 return (0); 774 775 do { 776 int len; 777 778 len = write(out_fd, ibuf + wrote, cc - wrote); 779 if (len == -1 && errno != EINTR) 780 return (-1); 781 if (len != -1) 782 wrote += len; 783 } while (wrote < cc); 784 785 return (0); 786 } 787 788 /* 789 * This is the main I/O loop, and is shared across all zlogin modes. 790 * Parameters: 791 * stdin_fd: The fd representing 'stdin' for the slave side; input to 792 * the zone will be written here. 793 * 794 * appin_fd: The fd representing the other end of the 'stdin' pipe (when 795 * we're running non-interactive); used in process_raw_input 796 * to ensure we don't fill up the application's stdin pipe. 797 * 798 * stdout_fd: The fd representing 'stdout' for the slave side; output 799 * from the zone will arrive here. 800 * 801 * stderr_fd: The fd representing 'stderr' for the slave side; output 802 * from the zone will arrive here. 803 * 804 * raw_mode: If TRUE, then no processing (for example, for '~.') will 805 * be performed on the input coming from STDIN. 806 * 807 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive 808 * mode supplies a stderr). 809 * 810 */ 811 static void 812 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd, 813 boolean_t raw_mode) 814 { 815 struct pollfd pollfds[4]; 816 char ibuf[ZLOGIN_BUFSIZ]; 817 int cc, ret; 818 819 /* read from stdout of zone and write to stdout of global zone */ 820 pollfds[0].fd = stdout_fd; 821 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI; 822 823 /* read from stderr of zone and write to stderr of global zone */ 824 pollfds[1].fd = stderr_fd; 825 pollfds[1].events = pollfds[0].events; 826 827 /* read from stdin of global zone and write to stdin of zone */ 828 pollfds[2].fd = STDIN_FILENO; 829 pollfds[2].events = pollfds[0].events; 830 831 /* read from signalling pipe so we know when child dies */ 832 pollfds[3].fd = sig_fd; 833 pollfds[3].events = pollfds[0].events; 834 835 for (;;) { 836 pollfds[0].revents = pollfds[1].revents = 837 pollfds[2].revents = pollfds[3].revents = 0; 838 839 if (dead) 840 break; 841 842 /* 843 * There is a race condition here where we can receive the 844 * child death signal, set the dead flag, but since we have 845 * passed the test above, we would go into poll and hang. 846 * To avoid this we use the sig_fd as an additional poll fd. 847 * The signal handler writes into the other end of this pipe 848 * when the child dies so that the poll will always see that 849 * input and proceed. We just loop around at that point and 850 * then notice the dead flag. 851 */ 852 853 ret = poll(pollfds, 854 sizeof (pollfds) / sizeof (struct pollfd), -1); 855 856 if (ret == -1 && errno != EINTR) { 857 perror("poll failed"); 858 break; 859 } 860 861 if (errno == EINTR && dead) { 862 break; 863 } 864 865 /* event from master side stdout */ 866 if (pollfds[0].revents) { 867 if (pollfds[0].revents & 868 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) { 869 if (process_output(stdout_fd, STDOUT_FILENO) 870 != 0) 871 break; 872 } else { 873 pollerr = pollfds[0].revents; 874 break; 875 } 876 } 877 878 /* event from master side stderr */ 879 if (pollfds[1].revents) { 880 if (pollfds[1].revents & 881 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) { 882 if (process_output(stderr_fd, STDERR_FILENO) 883 != 0) 884 break; 885 } else { 886 pollerr = pollfds[1].revents; 887 break; 888 } 889 } 890 891 /* event from user STDIN side */ 892 if (pollfds[2].revents) { 893 if (pollfds[2].revents & 894 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) { 895 /* 896 * stdin fd is stdin of the target; so, 897 * the thing we'll write the user data *to*. 898 * 899 * Also, unlike on the output side, we 900 * close the pipe on a zero-length message. 901 */ 902 int res; 903 904 if (raw_mode) 905 res = process_raw_input(stdin_fd, 906 appin_fd); 907 else 908 res = process_user_input(stdin_fd, 909 stdout_fd); 910 911 if (res < 0) 912 break; 913 if (res > 0) { 914 /* EOF (close) child's stdin_fd */ 915 pollfds[2].fd = -1; 916 while ((res = close(stdin_fd)) != 0 && 917 errno == EINTR) 918 ; 919 if (res != 0) 920 break; 921 } 922 923 } else if (raw_mode && pollfds[2].revents & POLLHUP) { 924 /* 925 * It's OK to get a POLLHUP on STDIN-- it 926 * always happens if you do: 927 * 928 * echo foo | zlogin <zone> <command> 929 * 930 * We reset fd to -1 in this case to clear 931 * the condition and close the pipe (EOF) to 932 * the other side in order to wrap things up. 933 */ 934 int res; 935 936 pollfds[2].fd = -1; 937 while ((res = close(stdin_fd)) != 0 && 938 errno == EINTR) 939 ; 940 if (res != 0) 941 break; 942 } else { 943 pollerr = pollfds[2].revents; 944 break; 945 } 946 } 947 } 948 949 /* 950 * We are in the midst of dying, but try to poll with a short 951 * timeout to see if we can catch the last bit of I/O from the 952 * children. 953 */ 954 retry: 955 pollfds[0].revents = pollfds[1].revents = 0; 956 (void) poll(pollfds, 2, 100); 957 if (pollfds[0].revents & 958 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) { 959 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) { 960 (void) write(STDOUT_FILENO, ibuf, cc); 961 goto retry; 962 } 963 } 964 if (pollfds[1].revents & 965 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) { 966 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) { 967 (void) write(STDERR_FILENO, ibuf, cc); 968 goto retry; 969 } 970 } 971 } 972 973 /* 974 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry. 975 */ 976 static const char * 977 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd, 978 size_t len) 979 { 980 bzero(user_cmd, sizeof (user_cmd)); 981 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0) 982 return (NULL); 983 984 return (user_cmd); 985 } 986 987 /* From libc */ 988 extern int str2passwd(const char *, int, void *, char *, int); 989 990 /* 991 * exec() the user_cmd brand hook, and convert the output string to a 992 * struct passwd. This is to be called after zone_enter(). 993 * 994 */ 995 static struct passwd * 996 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf, 997 int pwbuflen) 998 { 999 char pwline[NSS_BUFLEN_PASSWD]; 1000 char *cin = NULL; 1001 FILE *fin; 1002 int status; 1003 1004 assert(getzoneid() != GLOBAL_ZONEID); 1005 1006 if ((fin = popen(user_cmd, "r")) == NULL) 1007 return (NULL); 1008 1009 while (cin == NULL && !feof(fin)) 1010 cin = fgets(pwline, sizeof (pwline), fin); 1011 1012 if (cin == NULL) { 1013 (void) pclose(fin); 1014 return (NULL); 1015 } 1016 1017 status = pclose(fin); 1018 if (!WIFEXITED(status)) 1019 return (NULL); 1020 if (WEXITSTATUS(status) != 0) 1021 return (NULL); 1022 1023 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0) 1024 return (pwent); 1025 else 1026 return (NULL); 1027 } 1028 1029 static char ** 1030 zone_login_cmd(brand_handle_t bh, const char *login) 1031 { 1032 static char result_buf[ARG_MAX]; 1033 char **new_argv, *ptr, *lasts; 1034 int n, a; 1035 1036 /* Get the login command for the target zone. */ 1037 bzero(result_buf, sizeof (result_buf)); 1038 1039 if (forced_login) { 1040 if (brand_get_forcedlogin_cmd(bh, login, 1041 result_buf, sizeof (result_buf)) != 0) 1042 return (NULL); 1043 } else { 1044 if (brand_get_login_cmd(bh, login, 1045 result_buf, sizeof (result_buf)) != 0) 1046 return (NULL); 1047 } 1048 1049 /* 1050 * We got back a string that we'd like to execute. But since 1051 * we're not doing the execution via a shell we'll need to convert 1052 * the exec string to an array of strings. We'll do that here 1053 * but we're going to be very simplistic about it and break stuff 1054 * up based on spaces. We're not even going to support any kind 1055 * of quoting or escape characters. It's truly amazing that 1056 * there is no library function in OpenSolaris to do this for us. 1057 */ 1058 1059 /* 1060 * Be paranoid. Since we're deliniating based on spaces make 1061 * sure there are no adjacent spaces. 1062 */ 1063 if (strstr(result_buf, " ") != NULL) 1064 return (NULL); 1065 1066 /* Remove any trailing whitespace. */ 1067 n = strlen(result_buf); 1068 if (result_buf[n - 1] == ' ') 1069 result_buf[n - 1] = '\0'; 1070 1071 /* Count how many elements there are in the exec string. */ 1072 ptr = result_buf; 1073 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++) 1074 ; 1075 1076 /* Allocate the argv array that we're going to return. */ 1077 if ((new_argv = malloc(sizeof (char *) * n)) == NULL) 1078 return (NULL); 1079 1080 /* Tokenize the exec string and return. */ 1081 a = 0; 1082 new_argv[a++] = result_buf; 1083 if (n > 2) { 1084 (void) strtok_r(result_buf, " ", &lasts); 1085 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL) 1086 ; 1087 } else { 1088 new_argv[a++] = NULL; 1089 } 1090 assert(n == a); 1091 return (new_argv); 1092 } 1093 1094 /* 1095 * Prepare argv array for exec'd process; if we're passing commands to the 1096 * new process, then use su(1M) to do the invocation. Otherwise, use 1097 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells 1098 * login that we're coming from another zone, and to disregard its CONSOLE 1099 * checks). 1100 */ 1101 static char ** 1102 prep_args(brand_handle_t bh, const char *login, char **argv) 1103 { 1104 int argc = 0, a = 0, i, n = -1; 1105 char **new_argv; 1106 1107 if (argv != NULL) { 1108 size_t subshell_len = 1; 1109 char *subshell; 1110 1111 while (argv[argc] != NULL) 1112 argc++; 1113 1114 for (i = 0; i < argc; i++) { 1115 subshell_len += strlen(argv[i]) + 1; 1116 } 1117 if ((subshell = calloc(1, subshell_len)) == NULL) 1118 return (NULL); 1119 1120 for (i = 0; i < argc; i++) { 1121 (void) strcat(subshell, argv[i]); 1122 (void) strcat(subshell, " "); 1123 } 1124 1125 if (failsafe) { 1126 n = 4; 1127 if ((new_argv = malloc(sizeof (char *) * n)) == NULL) 1128 return (NULL); 1129 1130 new_argv[a++] = FAILSAFESHELL; 1131 } else { 1132 n = 5; 1133 if ((new_argv = malloc(sizeof (char *) * n)) == NULL) 1134 return (NULL); 1135 1136 new_argv[a++] = SUPATH; 1137 if (strcmp(login, "root") != 0) { 1138 new_argv[a++] = "-"; 1139 n++; 1140 } 1141 new_argv[a++] = (char *)login; 1142 } 1143 new_argv[a++] = "-c"; 1144 new_argv[a++] = subshell; 1145 new_argv[a++] = NULL; 1146 assert(a == n); 1147 } else { 1148 if (failsafe) { 1149 n = 2; 1150 if ((new_argv = malloc(sizeof (char *) * n)) == NULL) 1151 return (NULL); 1152 new_argv[a++] = FAILSAFESHELL; 1153 new_argv[a++] = NULL; 1154 assert(n == a); 1155 } else { 1156 new_argv = zone_login_cmd(bh, login); 1157 } 1158 } 1159 1160 return (new_argv); 1161 } 1162 1163 /* 1164 * Helper routine for prep_env below. 1165 */ 1166 static char * 1167 add_env(char *name, char *value) 1168 { 1169 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */ 1170 char *str; 1171 1172 if ((str = malloc(sz)) == NULL) 1173 return (NULL); 1174 1175 (void) snprintf(str, sz, "%s=%s", name, value); 1176 return (str); 1177 } 1178 1179 /* 1180 * Prepare envp array for exec'd process. 1181 */ 1182 static char ** 1183 prep_env() 1184 { 1185 int e = 0, size = 1; 1186 char **new_env, *estr; 1187 char *term = getenv("TERM"); 1188 1189 size++; /* for $PATH */ 1190 if (term != NULL) 1191 size++; 1192 1193 /* 1194 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode. 1195 * We also set $SHELL, since neither login nor su will be around to do 1196 * it. 1197 */ 1198 if (failsafe) 1199 size += 2; 1200 1201 if ((new_env = malloc(sizeof (char *) * size)) == NULL) 1202 return (NULL); 1203 1204 if ((estr = add_env("PATH", DEF_PATH)) == NULL) 1205 return (NULL); 1206 new_env[e++] = estr; 1207 1208 if (term != NULL) { 1209 if ((estr = add_env("TERM", term)) == NULL) 1210 return (NULL); 1211 new_env[e++] = estr; 1212 } 1213 1214 if (failsafe) { 1215 if ((estr = add_env("HOME", "/")) == NULL) 1216 return (NULL); 1217 new_env[e++] = estr; 1218 1219 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL) 1220 return (NULL); 1221 new_env[e++] = estr; 1222 } 1223 1224 new_env[e++] = NULL; 1225 1226 assert(e == size); 1227 1228 return (new_env); 1229 } 1230 1231 /* 1232 * Finish the preparation of the envp array for exec'd non-interactive 1233 * zlogins. This is called in the child process *after* we zone_enter(), since 1234 * it derives things we can only know within the zone, such as $HOME, $SHELL, 1235 * etc. We need only do this in the non-interactive, mode, since otherwise 1236 * login(1) will do it. We don't do this in failsafe mode, since it presents 1237 * additional ways in which the command could fail, and we'd prefer to avoid 1238 * that. 1239 */ 1240 static char ** 1241 prep_env_noninteractive(const char *user_cmd, char **env) 1242 { 1243 size_t size; 1244 char **new_env; 1245 int e, i; 1246 char *estr; 1247 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */ 1248 char pwbuf[NSS_BUFLEN_PASSWD + 1]; 1249 struct passwd pwent; 1250 struct passwd *pw = NULL; 1251 1252 assert(env != NULL); 1253 assert(failsafe == 0); 1254 1255 /* 1256 * Exec the "user_cmd" brand hook to get a pwent for the 1257 * login user. If this fails, HOME will be set to "/", SHELL 1258 * will be set to $DEFAULTSHELL, and we will continue to exec 1259 * SUPATH <login> -c <cmd>. 1260 */ 1261 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf)); 1262 1263 /* 1264 * Get existing envp size. 1265 */ 1266 for (size = 0; env[size] != NULL; size++) 1267 ; 1268 1269 e = size; 1270 1271 /* 1272 * Finish filling out the environment; we duplicate the environment 1273 * setup described in login(1), for lack of a better precedent. 1274 */ 1275 if (pw != NULL) 1276 size += 3; /* LOGNAME, HOME, MAIL */ 1277 else 1278 size += 1; /* HOME */ 1279 1280 size++; /* always fill in SHELL */ 1281 size++; /* terminating NULL */ 1282 1283 if ((new_env = malloc(sizeof (char *) * size)) == NULL) 1284 goto malloc_fail; 1285 1286 /* 1287 * Copy existing elements of env into new_env. 1288 */ 1289 for (i = 0; env[i] != NULL; i++) { 1290 if ((new_env[i] = strdup(env[i])) == NULL) 1291 goto malloc_fail; 1292 } 1293 assert(e == i); 1294 1295 if (pw != NULL) { 1296 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL) 1297 goto malloc_fail; 1298 new_env[e++] = estr; 1299 1300 if ((estr = add_env("HOME", pw->pw_dir)) == NULL) 1301 goto malloc_fail; 1302 new_env[e++] = estr; 1303 1304 if (chdir(pw->pw_dir) != 0) 1305 zerror(gettext("Could not chdir to home directory " 1306 "%s: %s"), pw->pw_dir, strerror(errno)); 1307 1308 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s", 1309 pw->pw_name); 1310 if ((estr = add_env("MAIL", varmail)) == NULL) 1311 goto malloc_fail; 1312 new_env[e++] = estr; 1313 } else { 1314 if ((estr = add_env("HOME", "/")) == NULL) 1315 goto malloc_fail; 1316 new_env[e++] = estr; 1317 } 1318 1319 if (pw != NULL && strlen(pw->pw_shell) > 0) { 1320 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL) 1321 goto malloc_fail; 1322 new_env[e++] = estr; 1323 } else { 1324 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL) 1325 goto malloc_fail; 1326 new_env[e++] = estr; 1327 } 1328 1329 new_env[e++] = NULL; /* add terminating NULL */ 1330 1331 assert(e == size); 1332 return (new_env); 1333 1334 malloc_fail: 1335 zperror(gettext("failed to allocate memory for process environment")); 1336 return (NULL); 1337 } 1338 1339 static int 1340 close_func(void *slavefd, int fd) 1341 { 1342 if (fd != *(int *)slavefd) 1343 (void) close(fd); 1344 return (0); 1345 } 1346 1347 static void 1348 set_cmdchar(char *cmdcharstr) 1349 { 1350 char c; 1351 long lc; 1352 1353 if ((c = *cmdcharstr) != '\\') { 1354 cmdchar = c; 1355 return; 1356 } 1357 1358 c = cmdcharstr[1]; 1359 if (c == '\0' || c == '\\') { 1360 cmdchar = '\\'; 1361 return; 1362 } 1363 1364 if (c < '0' || c > '7') { 1365 zerror(gettext("Unrecognized escape character option %s"), 1366 cmdcharstr); 1367 usage(); 1368 } 1369 1370 lc = strtol(cmdcharstr + 1, NULL, 8); 1371 if (lc < 0 || lc > 255) { 1372 zerror(gettext("Octal escape character '%s' too large"), 1373 cmdcharstr); 1374 usage(); 1375 } 1376 cmdchar = (char)lc; 1377 } 1378 1379 static int 1380 setup_utmpx(char *slavename) 1381 { 1382 struct utmpx ut; 1383 1384 bzero(&ut, sizeof (ut)); 1385 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user)); 1386 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line)); 1387 ut.ut_pid = getpid(); 1388 ut.ut_id[0] = 'z'; 1389 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC; 1390 ut.ut_type = LOGIN_PROCESS; 1391 (void) time(&ut.ut_tv.tv_sec); 1392 1393 if (makeutx(&ut) == NULL) { 1394 zerror(gettext("makeutx failed")); 1395 return (-1); 1396 } 1397 return (0); 1398 } 1399 1400 static void 1401 release_lock_file(int lockfd) 1402 { 1403 (void) close(lockfd); 1404 } 1405 1406 static int 1407 grab_lock_file(const char *zone_name, int *lockfd) 1408 { 1409 char pathbuf[PATH_MAX]; 1410 struct flock flock; 1411 1412 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) { 1413 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR, 1414 strerror(errno)); 1415 return (-1); 1416 } 1417 (void) chmod(ZONES_TMPDIR, S_IRWXU); 1418 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock", 1419 ZONES_TMPDIR, zone_name); 1420 1421 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) { 1422 zerror(gettext("could not open %s: %s"), pathbuf, 1423 strerror(errno)); 1424 return (-1); 1425 } 1426 /* 1427 * Lock the file to synchronize with other zoneadmds 1428 */ 1429 flock.l_type = F_WRLCK; 1430 flock.l_whence = SEEK_SET; 1431 flock.l_start = (off_t)0; 1432 flock.l_len = (off_t)0; 1433 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) { 1434 zerror(gettext("unable to lock %s: %s"), pathbuf, 1435 strerror(errno)); 1436 release_lock_file(*lockfd); 1437 return (-1); 1438 } 1439 return (Z_OK); 1440 } 1441 1442 static int 1443 start_zoneadmd(const char *zone_name) 1444 { 1445 pid_t retval; 1446 int pstatus = 0, error = -1, lockfd, doorfd; 1447 struct door_info info; 1448 char doorpath[MAXPATHLEN]; 1449 1450 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name); 1451 1452 if (grab_lock_file(zone_name, &lockfd) != Z_OK) 1453 return (-1); 1454 /* 1455 * We must do the door check with the lock held. Otherwise, we 1456 * might race against another zoneadm/zlogin process and wind 1457 * up with two processes trying to start zoneadmd at the same 1458 * time. zoneadmd will detect this, and fail, but we prefer this 1459 * to be as seamless as is practical, from a user perspective. 1460 */ 1461 if ((doorfd = open(doorpath, O_RDONLY)) < 0) { 1462 if (errno != ENOENT) { 1463 zerror("failed to open %s: %s", doorpath, 1464 strerror(errno)); 1465 goto out; 1466 } 1467 } else { 1468 /* 1469 * Seems to be working ok. 1470 */ 1471 if (door_info(doorfd, &info) == 0 && 1472 ((info.di_attributes & DOOR_REVOKED) == 0)) { 1473 error = 0; 1474 goto out; 1475 } 1476 } 1477 1478 if ((child_pid = fork()) == -1) { 1479 zperror(gettext("could not fork")); 1480 goto out; 1481 } else if (child_pid == 0) { 1482 /* child process */ 1483 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z", 1484 zone_name, NULL); 1485 zperror(gettext("could not exec zoneadmd")); 1486 _exit(1); 1487 } 1488 1489 /* parent process */ 1490 do { 1491 retval = waitpid(child_pid, &pstatus, 0); 1492 } while (retval != child_pid); 1493 if (WIFSIGNALED(pstatus) || 1494 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) { 1495 zerror(gettext("could not start %s"), "zoneadmd"); 1496 goto out; 1497 } 1498 error = 0; 1499 out: 1500 release_lock_file(lockfd); 1501 (void) close(doorfd); 1502 return (error); 1503 } 1504 1505 static int 1506 init_template(void) 1507 { 1508 int fd; 1509 int err = 0; 1510 1511 fd = open64(CTFS_ROOT "/process/template", O_RDWR); 1512 if (fd == -1) 1513 return (-1); 1514 1515 /* 1516 * zlogin doesn't do anything with the contract. 1517 * Deliver no events, don't inherit, and allow it to be orphaned. 1518 */ 1519 err |= ct_tmpl_set_critical(fd, 0); 1520 err |= ct_tmpl_set_informative(fd, 0); 1521 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR); 1522 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT); 1523 if (err || ct_tmpl_activate(fd)) { 1524 (void) close(fd); 1525 return (-1); 1526 } 1527 1528 return (fd); 1529 } 1530 1531 static int 1532 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid, 1533 char **new_args, char **new_env) 1534 { 1535 pid_t retval; 1536 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2]; 1537 int child_status; 1538 int tmpl_fd; 1539 sigset_t block_cld; 1540 1541 if ((tmpl_fd = init_template()) == -1) { 1542 reset_tty(); 1543 zperror(gettext("could not create contract")); 1544 return (1); 1545 } 1546 1547 if (pipe(stdin_pipe) != 0) { 1548 zperror(gettext("could not create STDIN pipe")); 1549 return (1); 1550 } 1551 /* 1552 * When the user types ^D, we get a zero length message on STDIN. 1553 * We need to echo that down the pipe to send it to the other side; 1554 * but by default, pipes don't propagate zero-length messages. We 1555 * toggle that behavior off using I_SWROPT. See streamio(7i). 1556 */ 1557 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) { 1558 zperror(gettext("could not configure STDIN pipe")); 1559 return (1); 1560 1561 } 1562 if (pipe(stdout_pipe) != 0) { 1563 zperror(gettext("could not create STDOUT pipe")); 1564 return (1); 1565 } 1566 if (pipe(stderr_pipe) != 0) { 1567 zperror(gettext("could not create STDERR pipe")); 1568 return (1); 1569 } 1570 1571 if (pipe(dead_child_pipe) != 0) { 1572 zperror(gettext("could not create signalling pipe")); 1573 return (1); 1574 } 1575 close_on_sig = dead_child_pipe[0]; 1576 1577 /* 1578 * If any of the pipe FD's winds up being less than STDERR, then we 1579 * have a mess on our hands-- and we are lacking some of the I/O 1580 * streams we would expect anyway. So we bail. 1581 */ 1582 if (stdin_pipe[0] <= STDERR_FILENO || 1583 stdin_pipe[1] <= STDERR_FILENO || 1584 stdout_pipe[0] <= STDERR_FILENO || 1585 stdout_pipe[1] <= STDERR_FILENO || 1586 stderr_pipe[0] <= STDERR_FILENO || 1587 stderr_pipe[1] <= STDERR_FILENO || 1588 dead_child_pipe[0] <= STDERR_FILENO || 1589 dead_child_pipe[1] <= STDERR_FILENO) { 1590 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR")); 1591 return (1); 1592 } 1593 1594 if (prefork_dropprivs() != 0) { 1595 zperror(gettext("could not allocate privilege set")); 1596 return (1); 1597 } 1598 1599 (void) sigset(SIGCLD, sigcld); 1600 (void) sigemptyset(&block_cld); 1601 (void) sigaddset(&block_cld, SIGCLD); 1602 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL); 1603 1604 if ((child_pid = fork()) == -1) { 1605 (void) ct_tmpl_clear(tmpl_fd); 1606 (void) close(tmpl_fd); 1607 zperror(gettext("could not fork")); 1608 return (1); 1609 } else if (child_pid == 0) { /* child process */ 1610 (void) ct_tmpl_clear(tmpl_fd); 1611 1612 /* 1613 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2. 1614 */ 1615 (void) close(STDIN_FILENO); 1616 (void) close(STDOUT_FILENO); 1617 (void) close(STDERR_FILENO); 1618 (void) dup2(stdin_pipe[1], STDIN_FILENO); 1619 (void) dup2(stdout_pipe[1], STDOUT_FILENO); 1620 (void) dup2(stderr_pipe[1], STDERR_FILENO); 1621 (void) closefrom(STDERR_FILENO + 1); 1622 1623 (void) sigset(SIGCLD, SIG_DFL); 1624 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1625 /* 1626 * In case any of stdin, stdout or stderr are streams, 1627 * anchor them to prevent malicious I_POPs. 1628 */ 1629 (void) ioctl(STDIN_FILENO, I_ANCHOR); 1630 (void) ioctl(STDOUT_FILENO, I_ANCHOR); 1631 (void) ioctl(STDERR_FILENO, I_ANCHOR); 1632 1633 if (zone_enter(zoneid) == -1) { 1634 zerror(gettext("could not enter zone %s: %s"), 1635 zonename, strerror(errno)); 1636 _exit(1); 1637 } 1638 1639 /* 1640 * For non-native zones, tell libc where it can find locale 1641 * specific getttext() messages. 1642 */ 1643 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0) 1644 (void) bindtextdomain(TEXT_DOMAIN, 1645 "/.SUNWnative/usr/lib/locale"); 1646 else if (access("/native/usr/lib/locale", R_OK) == 0) 1647 (void) bindtextdomain(TEXT_DOMAIN, 1648 "/native/usr/lib/locale"); 1649 1650 if (!failsafe) 1651 new_env = prep_env_noninteractive(user_cmd, new_env); 1652 1653 if (new_env == NULL) { 1654 _exit(1); 1655 } 1656 1657 /* 1658 * Move into a new process group; the zone_enter will have 1659 * placed us into zsched's session, and we want to be in 1660 * a unique process group. 1661 */ 1662 (void) setpgid(getpid(), getpid()); 1663 1664 /* 1665 * The child needs to run as root to 1666 * execute the su program. 1667 */ 1668 if (setuid(0) == -1) { 1669 zperror(gettext("insufficient privilege")); 1670 return (1); 1671 } 1672 1673 (void) execve(new_args[0], new_args, new_env); 1674 zperror(gettext("exec failure")); 1675 _exit(1); 1676 } 1677 /* parent */ 1678 1679 /* close pipe sides written by child */ 1680 (void) close(stdout_pipe[1]); 1681 (void) close(stderr_pipe[1]); 1682 1683 (void) sigset(SIGINT, sig_forward); 1684 1685 postfork_dropprivs(); 1686 1687 (void) ct_tmpl_clear(tmpl_fd); 1688 (void) close(tmpl_fd); 1689 1690 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1691 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0], 1692 dead_child_pipe[1], B_TRUE); 1693 do { 1694 retval = waitpid(child_pid, &child_status, 0); 1695 if (retval == -1) { 1696 child_status = 0; 1697 } 1698 } while (retval != child_pid && errno != ECHILD); 1699 1700 return (WEXITSTATUS(child_status)); 1701 } 1702 1703 static char * 1704 get_username() 1705 { 1706 uid_t uid; 1707 struct passwd *nptr; 1708 1709 /* 1710 * Authorizations are checked to restrict access based on the 1711 * requested operation and zone name, It is assumed that the 1712 * program is running with all privileges, but that the real 1713 * user ID is that of the user or role on whose behalf we are 1714 * operating. So we start by getting the username that will be 1715 * used for subsequent authorization checks. 1716 */ 1717 1718 uid = getuid(); 1719 if ((nptr = getpwuid(uid)) == NULL) { 1720 zerror(gettext("could not get user name.")); 1721 _exit(1); 1722 } 1723 return (nptr->pw_name); 1724 } 1725 1726 int 1727 main(int argc, char **argv) 1728 { 1729 int arg, console = 0; 1730 zoneid_t zoneid; 1731 zone_state_t st; 1732 char *login = "root"; 1733 int lflag = 0; 1734 int nflag = 0; 1735 char *zonename = NULL; 1736 char **proc_args = NULL; 1737 char **new_args, **new_env; 1738 sigset_t block_cld; 1739 char devroot[MAXPATHLEN]; 1740 char *slavename, slaveshortname[MAXPATHLEN]; 1741 priv_set_t *privset; 1742 int tmpl_fd; 1743 char zonebrand[MAXNAMELEN]; 1744 char default_brand[MAXNAMELEN]; 1745 struct stat sb; 1746 char kernzone[ZONENAME_MAX]; 1747 brand_handle_t bh; 1748 char user_cmd[MAXPATHLEN]; 1749 char authname[MAXAUTHS]; 1750 1751 (void) setlocale(LC_ALL, ""); 1752 (void) textdomain(TEXT_DOMAIN); 1753 1754 (void) getpname(argv[0]); 1755 username = get_username(); 1756 1757 while ((arg = getopt(argc, argv, "dnECR:Se:l:Q")) != EOF) { 1758 switch (arg) { 1759 case 'C': 1760 console = 1; 1761 break; 1762 case 'E': 1763 nocmdchar = 1; 1764 break; 1765 case 'R': /* undocumented */ 1766 if (*optarg != '/') { 1767 zerror(gettext("root path must be absolute.")); 1768 exit(2); 1769 } 1770 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) { 1771 zerror( 1772 gettext("root path must be a directory.")); 1773 exit(2); 1774 } 1775 zonecfg_set_root(optarg); 1776 break; 1777 case 'Q': 1778 quiet = 1; 1779 break; 1780 case 'S': 1781 failsafe = 1; 1782 break; 1783 case 'd': 1784 disconnect = 1; 1785 break; 1786 case 'e': 1787 set_cmdchar(optarg); 1788 break; 1789 case 'l': 1790 login = optarg; 1791 lflag = 1; 1792 break; 1793 case 'n': 1794 nflag = 1; 1795 break; 1796 default: 1797 usage(); 1798 } 1799 } 1800 1801 if (console != 0) { 1802 1803 if (lflag != 0) { 1804 zerror(gettext( 1805 "-l may not be specified for console login")); 1806 usage(); 1807 } 1808 1809 if (nflag != 0) { 1810 zerror(gettext( 1811 "-n may not be specified for console login")); 1812 usage(); 1813 } 1814 1815 if (failsafe != 0) { 1816 zerror(gettext( 1817 "-S may not be specified for console login")); 1818 usage(); 1819 } 1820 1821 if (zonecfg_in_alt_root()) { 1822 zerror(gettext( 1823 "-R may not be specified for console login")); 1824 exit(2); 1825 } 1826 1827 } 1828 1829 if (failsafe != 0 && lflag != 0) { 1830 zerror(gettext("-l may not be specified for failsafe login")); 1831 usage(); 1832 } 1833 1834 if (!console && disconnect != 0) { 1835 zerror(gettext( 1836 "-d may only be specified with console login")); 1837 usage(); 1838 } 1839 1840 if (optind == (argc - 1)) { 1841 /* 1842 * zone name, no process name; this should be an interactive 1843 * as long as STDIN is really a tty. 1844 */ 1845 if (nflag != 0) { 1846 zerror(gettext( 1847 "-n may not be specified for interactive login")); 1848 usage(); 1849 } 1850 if (isatty(STDIN_FILENO)) 1851 interactive = 1; 1852 zonename = argv[optind]; 1853 } else if (optind < (argc - 1)) { 1854 if (console) { 1855 zerror(gettext("Commands may not be specified for " 1856 "console login.")); 1857 usage(); 1858 } 1859 /* zone name and process name, and possibly some args */ 1860 zonename = argv[optind]; 1861 proc_args = &argv[optind + 1]; 1862 interactive = 0; 1863 } else { 1864 usage(); 1865 } 1866 1867 if (getzoneid() != GLOBAL_ZONEID) { 1868 zerror(gettext("'%s' may only be used from the global zone"), 1869 pname); 1870 return (1); 1871 } 1872 1873 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) { 1874 zerror(gettext("'%s' not applicable to the global zone"), 1875 pname); 1876 return (1); 1877 } 1878 1879 if (zone_get_state(zonename, &st) != Z_OK) { 1880 zerror(gettext("zone '%s' unknown"), zonename); 1881 return (1); 1882 } 1883 1884 if (st < ZONE_STATE_INSTALLED) { 1885 zerror(gettext("cannot login to a zone which is '%s'"), 1886 zone_state_str(st)); 1887 return (1); 1888 } 1889 1890 /* 1891 * In both console and non-console cases, we require all privs. 1892 * In the console case, because we may need to startup zoneadmd. 1893 * In the non-console case in order to do zone_enter(2), zonept() 1894 * and other tasks. 1895 */ 1896 1897 if ((privset = priv_allocset()) == NULL) { 1898 zperror(gettext("priv_allocset failed")); 1899 return (1); 1900 } 1901 1902 if (getppriv(PRIV_EFFECTIVE, privset) != 0) { 1903 zperror(gettext("getppriv failed")); 1904 priv_freeset(privset); 1905 return (1); 1906 } 1907 1908 if (priv_isfullset(privset) == B_FALSE) { 1909 zerror(gettext("You lack sufficient privilege to run " 1910 "this command (all privs required)")); 1911 priv_freeset(privset); 1912 return (1); 1913 } 1914 priv_freeset(privset); 1915 1916 /* 1917 * Check if user is authorized for requested usage of the zone 1918 */ 1919 1920 (void) snprintf(authname, MAXAUTHS, "%s%s%s", 1921 ZONE_MANAGE_AUTH, KV_OBJECT, zonename); 1922 if (chkauthattr(authname, username) == 0) { 1923 if (console) { 1924 zerror(gettext("%s is not authorized for console " 1925 "access to %s zone."), 1926 username, zonename); 1927 return (1); 1928 } else { 1929 (void) snprintf(authname, MAXAUTHS, "%s%s%s", 1930 ZONE_LOGIN_AUTH, KV_OBJECT, zonename); 1931 if (failsafe || !interactive) { 1932 zerror(gettext("%s is not authorized for " 1933 "failsafe or non-interactive login " 1934 "to %s zone."), username, zonename); 1935 return (1); 1936 } else if (chkauthattr(authname, username) == 0) { 1937 zerror(gettext("%s is not authorized " 1938 " to login to %s zone."), 1939 username, zonename); 1940 return (1); 1941 } 1942 } 1943 } else { 1944 forced_login = B_TRUE; 1945 } 1946 1947 /* 1948 * The console is a separate case from the rest of the code; handle 1949 * it first. 1950 */ 1951 if (console) { 1952 /* 1953 * Ensure that zoneadmd for this zone is running. 1954 */ 1955 if (start_zoneadmd(zonename) == -1) 1956 return (1); 1957 1958 /* 1959 * Make contact with zoneadmd. 1960 */ 1961 if (get_console_master(zonename) == -1) 1962 return (1); 1963 1964 if (!quiet) 1965 (void) printf( 1966 gettext("[Connected to zone '%s' console]\n"), 1967 zonename); 1968 1969 if (set_tty_rawmode(STDIN_FILENO) == -1) { 1970 reset_tty(); 1971 zperror(gettext("failed to set stdin pty to raw mode")); 1972 return (1); 1973 } 1974 1975 (void) sigset(SIGWINCH, sigwinch); 1976 (void) sigwinch(0); 1977 1978 /* 1979 * Run the I/O loop until we get disconnected. 1980 */ 1981 doio(masterfd, -1, masterfd, -1, -1, B_FALSE); 1982 reset_tty(); 1983 if (!quiet) 1984 (void) printf( 1985 gettext("\n[Connection to zone '%s' console " 1986 "closed]\n"), zonename); 1987 1988 return (0); 1989 } 1990 1991 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) { 1992 zerror(gettext("login allowed only to running zones " 1993 "(%s is '%s')."), zonename, zone_state_str(st)); 1994 return (1); 1995 } 1996 1997 (void) strlcpy(kernzone, zonename, sizeof (kernzone)); 1998 if (zonecfg_in_alt_root()) { 1999 FILE *fp = zonecfg_open_scratch("", B_FALSE); 2000 2001 if (fp == NULL || zonecfg_find_scratch(fp, zonename, 2002 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) { 2003 zerror(gettext("cannot find scratch zone %s"), 2004 zonename); 2005 if (fp != NULL) 2006 zonecfg_close_scratch(fp); 2007 return (1); 2008 } 2009 zonecfg_close_scratch(fp); 2010 } 2011 2012 if ((zoneid = getzoneidbyname(kernzone)) == -1) { 2013 zerror(gettext("failed to get zoneid for zone '%s'"), 2014 zonename); 2015 return (1); 2016 } 2017 2018 /* 2019 * We need the zone root path only if we are setting up a pty. 2020 */ 2021 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) { 2022 zerror(gettext("could not get dev path for zone %s"), 2023 zonename); 2024 return (1); 2025 } 2026 2027 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) { 2028 zerror(gettext("could not get brand for zone %s"), zonename); 2029 return (1); 2030 } 2031 /* 2032 * In the alternate root environment, the only supported 2033 * operations are mount and unmount. In this case, just treat 2034 * the zone as native if it is cluster. Cluster zones can be 2035 * native for the purpose of LU or upgrade, and the cluster 2036 * brand may not exist in the miniroot (such as in net install 2037 * upgrade). 2038 */ 2039 if (zonecfg_default_brand(default_brand, 2040 sizeof (default_brand)) != Z_OK) { 2041 zerror(gettext("unable to determine default brand")); 2042 return (1); 2043 } 2044 if (zonecfg_in_alt_root() && 2045 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) { 2046 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand)); 2047 } 2048 2049 if ((bh = brand_open(zonebrand)) == NULL) { 2050 zerror(gettext("could not open brand for zone %s"), zonename); 2051 return (1); 2052 } 2053 2054 if ((new_args = prep_args(bh, login, proc_args)) == NULL) { 2055 zperror(gettext("could not assemble new arguments")); 2056 brand_close(bh); 2057 return (1); 2058 } 2059 /* 2060 * Get the brand specific user_cmd. This command is used to get 2061 * a passwd(4) entry for login. 2062 */ 2063 if (!interactive && !failsafe) { 2064 if (zone_get_user_cmd(bh, login, user_cmd, 2065 sizeof (user_cmd)) == NULL) { 2066 zerror(gettext("could not get user_cmd for zone %s"), 2067 zonename); 2068 brand_close(bh); 2069 return (1); 2070 } 2071 } 2072 brand_close(bh); 2073 2074 if ((new_env = prep_env()) == NULL) { 2075 zperror(gettext("could not assemble new environment")); 2076 return (1); 2077 } 2078 2079 if (!interactive) { 2080 if (nflag) { 2081 int nfd; 2082 2083 if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) { 2084 zperror(gettext("failed to open null device")); 2085 return (1); 2086 } 2087 if (nfd != STDIN_FILENO) { 2088 if (dup2(nfd, STDIN_FILENO) < 0) { 2089 zperror(gettext( 2090 "failed to dup2 null device")); 2091 return (1); 2092 } 2093 (void) close(nfd); 2094 } 2095 /* /dev/null is now standard input */ 2096 } 2097 return (noninteractive_login(zonename, user_cmd, zoneid, 2098 new_args, new_env)); 2099 } 2100 2101 if (zonecfg_in_alt_root()) { 2102 zerror(gettext("cannot use interactive login with scratch " 2103 "zone")); 2104 return (1); 2105 } 2106 2107 /* 2108 * Things are more complex in interactive mode; we get the 2109 * master side of the pty, then place the user's terminal into 2110 * raw mode. 2111 */ 2112 if (get_master_pty() == -1) { 2113 zerror(gettext("could not setup master pty device")); 2114 return (1); 2115 } 2116 2117 /* 2118 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2 2119 */ 2120 if ((slavename = ptsname(masterfd)) == NULL) { 2121 zperror(gettext("failed to get name for pseudo-tty")); 2122 return (1); 2123 } 2124 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0) 2125 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"), 2126 sizeof (slaveshortname)); 2127 else 2128 (void) strlcpy(slaveshortname, slavename, 2129 sizeof (slaveshortname)); 2130 2131 if (!quiet) 2132 (void) printf(gettext("[Connected to zone '%s' %s]\n"), 2133 zonename, slaveshortname); 2134 2135 if (set_tty_rawmode(STDIN_FILENO) == -1) { 2136 reset_tty(); 2137 zperror(gettext("failed to set stdin pty to raw mode")); 2138 return (1); 2139 } 2140 2141 if (prefork_dropprivs() != 0) { 2142 reset_tty(); 2143 zperror(gettext("could not allocate privilege set")); 2144 return (1); 2145 } 2146 2147 /* 2148 * We must mask SIGCLD until after we have coped with the fork 2149 * sufficiently to deal with it; otherwise we can race and receive the 2150 * signal before child_pid has been initialized (yes, this really 2151 * happens). 2152 */ 2153 (void) sigset(SIGCLD, sigcld); 2154 (void) sigemptyset(&block_cld); 2155 (void) sigaddset(&block_cld, SIGCLD); 2156 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL); 2157 2158 /* 2159 * We activate the contract template at the last minute to 2160 * avoid intermediate functions that could be using fork(2) 2161 * internally. 2162 */ 2163 if ((tmpl_fd = init_template()) == -1) { 2164 reset_tty(); 2165 zperror(gettext("could not create contract")); 2166 return (1); 2167 } 2168 2169 if ((child_pid = fork()) == -1) { 2170 (void) ct_tmpl_clear(tmpl_fd); 2171 reset_tty(); 2172 zperror(gettext("could not fork")); 2173 return (1); 2174 } else if (child_pid == 0) { /* child process */ 2175 int slavefd, newslave; 2176 2177 (void) ct_tmpl_clear(tmpl_fd); 2178 (void) close(tmpl_fd); 2179 2180 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 2181 2182 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1) 2183 return (1); 2184 2185 /* 2186 * Close all fds except for the slave pty. 2187 */ 2188 (void) fdwalk(close_func, &slavefd); 2189 2190 /* 2191 * Temporarily dup slavefd to stderr; that way if we have 2192 * to print out that zone_enter failed, the output will 2193 * have somewhere to go. 2194 */ 2195 if (slavefd != STDERR_FILENO) 2196 (void) dup2(slavefd, STDERR_FILENO); 2197 2198 if (zone_enter(zoneid) == -1) { 2199 zerror(gettext("could not enter zone %s: %s"), 2200 zonename, strerror(errno)); 2201 return (1); 2202 } 2203 2204 if (slavefd != STDERR_FILENO) 2205 (void) close(STDERR_FILENO); 2206 2207 /* 2208 * We take pains to get this process into a new process 2209 * group, and subsequently a new session. In this way, 2210 * we'll have a session which doesn't yet have a controlling 2211 * terminal. When we open the slave, it will become the 2212 * controlling terminal; no PIDs concerning pgrps or sids 2213 * will leak inappropriately into the zone. 2214 */ 2215 (void) setpgrp(); 2216 2217 /* 2218 * We need the slave pty to be referenced from the zone's 2219 * /dev in order to ensure that the devt's, etc are all 2220 * correct. Otherwise we break ttyname and the like. 2221 */ 2222 if ((newslave = open(slavename, O_RDWR)) == -1) { 2223 (void) close(slavefd); 2224 return (1); 2225 } 2226 (void) close(slavefd); 2227 slavefd = newslave; 2228 2229 /* 2230 * dup the slave to the various FDs, so that when the 2231 * spawned process does a write/read it maps to the slave 2232 * pty. 2233 */ 2234 (void) dup2(slavefd, STDIN_FILENO); 2235 (void) dup2(slavefd, STDOUT_FILENO); 2236 (void) dup2(slavefd, STDERR_FILENO); 2237 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO && 2238 slavefd != STDERR_FILENO) { 2239 (void) close(slavefd); 2240 } 2241 2242 /* 2243 * In failsafe mode, we don't use login(1), so don't try 2244 * setting up a utmpx entry. 2245 */ 2246 if (!failsafe) 2247 if (setup_utmpx(slaveshortname) == -1) 2248 return (1); 2249 2250 /* 2251 * The child needs to run as root to 2252 * execute the brand's login program. 2253 */ 2254 if (setuid(0) == -1) { 2255 zperror(gettext("insufficient privilege")); 2256 return (1); 2257 } 2258 2259 (void) execve(new_args[0], new_args, new_env); 2260 zperror(gettext("exec failure")); 2261 return (1); 2262 } 2263 2264 (void) ct_tmpl_clear(tmpl_fd); 2265 (void) close(tmpl_fd); 2266 2267 /* 2268 * The rest is only for the parent process. 2269 */ 2270 (void) sigset(SIGWINCH, sigwinch); 2271 2272 postfork_dropprivs(); 2273 2274 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 2275 doio(masterfd, -1, masterfd, -1, -1, B_FALSE); 2276 2277 reset_tty(); 2278 if (!quiet) 2279 (void) fprintf(stderr, 2280 gettext("\n[Connection to zone '%s' %s closed]\n"), 2281 zonename, slaveshortname); 2282 2283 if (pollerr != 0) { 2284 (void) fprintf(stderr, gettext("Error: connection closed due " 2285 "to unexpected pollevents=0x%x.\n"), pollerr); 2286 return (1); 2287 } 2288 2289 return (0); 2290 } 2291