xref: /illumos-gate/usr/src/cmd/zlogin/zlogin.c (revision 55d6cb5d63bcf69dfa47b8c41c770a2d34f169b0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2013 DEY Storage Systems, Inc.
24  * Copyright (c) 2014 Gary Mills
25  * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
26  * Copyright 2019 Joyent, Inc.
27  * Copyright 2020 OmniOS Community Edition (OmniOSce) Association.
28  */
29 
30 /*
31  * zlogin provides three types of login which allow users in the global
32  * zone to access non-global zones.
33  *
34  * - "interactive login" is similar to rlogin(1); for example, the user could
35  *   issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'.   The user is
36  *   granted a new pty (which is then shoved into the zone), and an I/O
37  *   loop between parent and child processes takes care of the interactive
38  *   session.  In this mode, login(1) (and its -c option, which means
39  *   "already authenticated") is employed to take care of the initialization
40  *   of the user's session.
41  *
42  * - "non-interactive login" is similar to su(1M); the user could issue
43  *   'zlogin my-zone ls -l' and the command would be run as specified.
44  *   In this mode, zlogin sets up pipes as the communication channel, and
45  *   'su' is used to do the login setup work.
46  *
47  * - "console login" is the equivalent to accessing the tip line for a
48  *   zone.  For example, the user can issue 'zlogin -C my-zone'.
49  *   In this mode, zlogin contacts the zoneadmd process via unix domain
50  *   socket.  If zoneadmd is not running, it starts it.  This allows the
51  *   console to be available anytime the zone is installed, regardless of
52  *   whether it is running.
53  */
54 
55 #include <sys/socket.h>
56 #include <sys/termios.h>
57 #include <sys/utsname.h>
58 #include <sys/stat.h>
59 #include <sys/types.h>
60 #include <sys/contract/process.h>
61 #include <sys/ctfs.h>
62 #include <sys/brand.h>
63 #include <sys/wait.h>
64 #include <alloca.h>
65 #include <assert.h>
66 #include <ctype.h>
67 #include <paths.h>
68 #include <door.h>
69 #include <errno.h>
70 #include <nss_dbdefs.h>
71 #include <poll.h>
72 #include <priv.h>
73 #include <pwd.h>
74 #include <unistd.h>
75 #include <utmpx.h>
76 #include <sac.h>
77 #include <signal.h>
78 #include <stdarg.h>
79 #include <stdio.h>
80 #include <stdlib.h>
81 #include <string.h>
82 #include <strings.h>
83 #include <stropts.h>
84 #include <wait.h>
85 #include <zone.h>
86 #include <fcntl.h>
87 #include <libdevinfo.h>
88 #include <libintl.h>
89 #include <locale.h>
90 #include <libzonecfg.h>
91 #include <libcontract.h>
92 #include <libbrand.h>
93 #include <auth_list.h>
94 #include <auth_attr.h>
95 #include <secdb.h>
96 
97 static int masterfd;
98 static struct termios save_termios;
99 static struct termios effective_termios;
100 static int save_fd;
101 static struct winsize winsize;
102 static volatile int dead;
103 static volatile pid_t child_pid = -1;
104 static int interactive = 0;
105 static priv_set_t *dropprivs;
106 
107 static int nocmdchar = 0;
108 static int failsafe = 0;
109 static int disconnect = 0;
110 static char cmdchar = '~';
111 static int quiet = 0;
112 
113 static int pollerr = 0;
114 
115 static const char *pname;
116 static char *username;
117 
118 /*
119  * When forced_login is true, the user is not prompted
120  * for an authentication password in the target zone.
121  */
122 static boolean_t forced_login = B_FALSE;
123 
124 #if !defined(TEXT_DOMAIN)		/* should be defined by cc -D */
125 #define	TEXT_DOMAIN	"SYS_TEST"	/* Use this only if it wasn't */
126 #endif
127 
128 #define	SUPATH	"/usr/bin/su"
129 #define	FAILSAFESHELL	"/sbin/sh"
130 #define	DEFAULTSHELL	"/sbin/sh"
131 #define	DEF_PATH	"/usr/sbin:/usr/bin"
132 
133 #define	CLUSTER_BRAND_NAME	"cluster"
134 
135 /*
136  * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
137  * out the pipe when the child is exiting.  The ZLOGIN_RDBUFSIZ must be less
138  * than ZLOGIN_BUFSIZ (because we share the buffer in doio).  This value is
139  * also chosen in conjunction with the HI_WATER setting to make sure we
140  * don't fill up the pipe.  We can write FIFOHIWAT (16k) into the pipe before
141  * blocking.  By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
142  * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
143  * is less than HI_WATER data already in the pipe.
144  */
145 #define	ZLOGIN_BUFSIZ	8192
146 #define	ZLOGIN_RDBUFSIZ	1024
147 #define	HI_WATER	8192
148 
149 /*
150  * See canonify() below.  CANONIFY_LEN is the maximum length that a
151  * "canonical" sequence will expand to (backslash, three octal digits, NUL).
152  */
153 #define	CANONIFY_LEN 5
154 
155 static void
156 usage(void)
157 {
158 	(void) fprintf(stderr, gettext("usage: %s [ -dnQCES ] [ -e cmdchar ] "
159 	    "[-l user] zonename [command [args ...] ]\n"), pname);
160 	exit(2);
161 }
162 
163 static const char *
164 getpname(const char *arg0)
165 {
166 	const char *p = strrchr(arg0, '/');
167 
168 	if (p == NULL)
169 		p = arg0;
170 	else
171 		p++;
172 
173 	pname = p;
174 	return (p);
175 }
176 
177 static void
178 zerror(const char *fmt, ...)
179 {
180 	va_list alist;
181 
182 	(void) fprintf(stderr, "%s: ", pname);
183 	va_start(alist, fmt);
184 	(void) vfprintf(stderr, fmt, alist);
185 	va_end(alist);
186 	(void) fprintf(stderr, "\n");
187 }
188 
189 static void
190 zperror(const char *str)
191 {
192 	const char *estr;
193 
194 	if ((estr = strerror(errno)) != NULL)
195 		(void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
196 	else
197 		(void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
198 }
199 
200 /*
201  * The first part of our privilege dropping scheme needs to be called before
202  * fork(), since we must have it for security; we don't want to be surprised
203  * later that we couldn't allocate the privset.
204  */
205 static int
206 prefork_dropprivs()
207 {
208 	if ((dropprivs = priv_allocset()) == NULL)
209 		return (1);
210 
211 	priv_basicset(dropprivs);
212 	(void) priv_delset(dropprivs, PRIV_PROC_INFO);
213 	(void) priv_delset(dropprivs, PRIV_PROC_FORK);
214 	(void) priv_delset(dropprivs, PRIV_PROC_EXEC);
215 	(void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
216 
217 	/*
218 	 * We need to keep the basic privilege PROC_SESSION and all unknown
219 	 * basic privileges as well as the privileges PROC_ZONE and
220 	 * PROC_OWNER in order to query session information and
221 	 * send signals.
222 	 */
223 	if (interactive == 0) {
224 		(void) priv_addset(dropprivs, PRIV_PROC_ZONE);
225 		(void) priv_addset(dropprivs, PRIV_PROC_OWNER);
226 	} else {
227 		(void) priv_delset(dropprivs, PRIV_PROC_SESSION);
228 	}
229 
230 	return (0);
231 }
232 
233 /*
234  * The second part of the privilege drop.  We are paranoid about being attacked
235  * by the zone, so we drop all privileges.  This should prevent a compromise
236  * which gets us to fork(), exec(), symlink(), etc.
237  */
238 static void
239 postfork_dropprivs()
240 {
241 	if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
242 		zperror(gettext("Warning: could not set permitted privileges"));
243 	}
244 	if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
245 		zperror(gettext("Warning: could not set limit privileges"));
246 	}
247 	if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
248 		zperror(gettext("Warning: could not set inheritable "
249 		    "privileges"));
250 	}
251 }
252 
253 /*
254  * Create the unix domain socket and call the zoneadmd server; handshake
255  * with it to determine whether it will allow us to connect.
256  */
257 static int
258 get_console_master(const char *zname)
259 {
260 	int sockfd = -1;
261 	struct sockaddr_un servaddr;
262 	char clientid[MAXPATHLEN];
263 	char handshake[MAXPATHLEN], c;
264 	int msglen;
265 	int i = 0, err = 0;
266 
267 	if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
268 		zperror(gettext("could not create socket"));
269 		return (-1);
270 	}
271 
272 	bzero(&servaddr, sizeof (servaddr));
273 	servaddr.sun_family = AF_UNIX;
274 	(void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
275 	    "%s/%s.console_sock", ZONES_TMPDIR, zname);
276 
277 	if (connect(sockfd, (struct sockaddr *)&servaddr,
278 	    sizeof (servaddr)) == -1) {
279 		zperror(gettext("Could not connect to zone console"));
280 		goto bad;
281 	}
282 	masterfd = sockfd;
283 
284 	msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s %d\n",
285 	    getpid(), setlocale(LC_MESSAGES, NULL), disconnect);
286 
287 	if (msglen >= sizeof (clientid) || msglen < 0) {
288 		zerror("protocol error");
289 		goto bad;
290 	}
291 
292 	if (write(masterfd, clientid, msglen) != msglen) {
293 		zerror("protocol error");
294 		goto bad;
295 	}
296 
297 	bzero(handshake, sizeof (handshake));
298 
299 	/*
300 	 * Take care not to accumulate more than our fill, and leave room for
301 	 * the NUL at the end.
302 	 */
303 	while ((err = read(masterfd, &c, 1)) == 1) {
304 		if (i >= (sizeof (handshake) - 1))
305 			break;
306 		if (c == '\n')
307 			break;
308 		handshake[i] = c;
309 		i++;
310 	}
311 
312 	/*
313 	 * If something went wrong during the handshake we bail; perhaps
314 	 * the server died off.
315 	 */
316 	if (err == -1) {
317 		zperror(gettext("Could not connect to zone console"));
318 		goto bad;
319 	}
320 
321 	if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
322 		return (0);
323 
324 	zerror(gettext("Console is already in use by process ID %s."),
325 	    handshake);
326 bad:
327 	(void) close(sockfd);
328 	masterfd = -1;
329 	return (-1);
330 }
331 
332 
333 /*
334  * Routines to handle pty creation upon zone entry and to shuttle I/O back
335  * and forth between the two terminals.  We also compute and store the
336  * name of the slave terminal associated with the master side.
337  */
338 static int
339 get_master_pty()
340 {
341 	if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
342 		zperror(gettext("failed to obtain a pseudo-tty"));
343 		return (-1);
344 	}
345 	if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
346 		zperror(gettext("failed to get terminal settings from stdin"));
347 		return (-1);
348 	}
349 	(void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
350 
351 	return (0);
352 }
353 
354 /*
355  * This is a bit tricky; normally a pts device will belong to the zone it
356  * is granted to.  But in the case of "entering" a zone, we need to establish
357  * the pty before entering the zone so that we can vector I/O to and from it
358  * from the global zone.
359  *
360  * We use the zonept() call to let the ptm driver know what we are up to;
361  * the only other hairy bit is the setting of zoneslavename (which happens
362  * above, in get_master_pty()).
363  */
364 static int
365 init_slave_pty(zoneid_t zoneid, char *devroot)
366 {
367 	int slavefd = -1;
368 	char *slavename, zoneslavename[MAXPATHLEN];
369 
370 	/*
371 	 * Set slave permissions, zone the pts, then unlock it.
372 	 */
373 	if (grantpt(masterfd) != 0) {
374 		zperror(gettext("grantpt failed"));
375 		return (-1);
376 	}
377 
378 	if (unlockpt(masterfd) != 0) {
379 		zperror(gettext("unlockpt failed"));
380 		return (-1);
381 	}
382 
383 	/*
384 	 * We must open the slave side before zoning this pty; otherwise
385 	 * the kernel would refuse us the open-- zoning a pty makes it
386 	 * inaccessible to the global zone.  Note we are trying to open
387 	 * the device node via the $ZONEROOT/dev path for this pty.
388 	 *
389 	 * Later we'll close the slave out when once we've opened it again
390 	 * from within the target zone.  Blarg.
391 	 */
392 	if ((slavename = ptsname(masterfd)) == NULL) {
393 		zperror(gettext("failed to get name for pseudo-tty"));
394 		return (-1);
395 	}
396 
397 	(void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
398 	    devroot, slavename);
399 
400 	if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
401 		zerror(gettext("failed to open %s: %s"), zoneslavename,
402 		    strerror(errno));
403 		return (-1);
404 	}
405 
406 	/*
407 	 * Push hardware emulation (ptem), line discipline (ldterm),
408 	 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
409 	 */
410 	if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
411 		zperror(gettext("failed to push ptem module"));
412 		if (!failsafe)
413 			goto bad;
414 	}
415 
416 	/*
417 	 * Anchor the stream to prevent malicious I_POPs; we prefer to do
418 	 * this prior to entering the zone so that we can detect any errors
419 	 * early, and so that we can set the anchor from the global zone.
420 	 */
421 	if (ioctl(slavefd, I_ANCHOR) == -1) {
422 		zperror(gettext("failed to set stream anchor"));
423 		if (!failsafe)
424 			goto bad;
425 	}
426 
427 	if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
428 		zperror(gettext("failed to push ldterm module"));
429 		if (!failsafe)
430 			goto bad;
431 	}
432 	if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
433 		zperror(gettext("failed to push ttcompat module"));
434 		if (!failsafe)
435 			goto bad;
436 	}
437 
438 	/*
439 	 * Propagate terminal settings from the external term to the new one.
440 	 */
441 	if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
442 		zperror(gettext("failed to set terminal settings"));
443 		if (!failsafe)
444 			goto bad;
445 	}
446 	(void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
447 
448 	if (zonept(masterfd, zoneid) != 0) {
449 		zperror(gettext("could not set zoneid of pty"));
450 		goto bad;
451 	}
452 
453 	return (slavefd);
454 
455 bad:
456 	(void) close(slavefd);
457 	return (-1);
458 }
459 
460 /*
461  * Place terminal into raw mode.
462  */
463 static int
464 set_tty_rawmode(int fd)
465 {
466 	struct termios term;
467 	if (tcgetattr(fd, &term) < 0) {
468 		zperror(gettext("failed to get user terminal settings"));
469 		return (-1);
470 	}
471 
472 	/* Stash for later, so we can revert back to previous mode */
473 	save_termios = term;
474 	save_fd = fd;
475 
476 	/* disable 8->7 bit strip, start/stop, enable any char to restart */
477 	term.c_iflag &= ~(ISTRIP|IXON|IXANY);
478 	/* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
479 	term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
480 	/* disable output post-processing */
481 	term.c_oflag &= ~OPOST;
482 	/* disable canonical mode, signal chars, echo & extended functions */
483 	term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
484 
485 	term.c_cc[VMIN] = 1;    /* byte-at-a-time */
486 	term.c_cc[VTIME] = 0;
487 
488 	if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
489 		zperror(gettext("failed to set user terminal to raw mode"));
490 		return (-1);
491 	}
492 
493 	/*
494 	 * We need to know the value of VEOF so that we can properly process for
495 	 * client-side ~<EOF>.  But we have obliterated VEOF in term,
496 	 * because VMIN overloads the same array slot in non-canonical mode.
497 	 * Stupid @&^%!
498 	 *
499 	 * So here we construct the "effective" termios from the current
500 	 * terminal settings, and the corrected VEOF and VEOL settings.
501 	 */
502 	if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
503 		zperror(gettext("failed to get user terminal settings"));
504 		return (-1);
505 	}
506 	effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
507 	effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
508 
509 	return (0);
510 }
511 
512 /*
513  * Copy terminal window size from our terminal to the pts.
514  */
515 /*ARGSUSED*/
516 static void
517 sigwinch(int s)
518 {
519 	struct winsize ws;
520 
521 	if (ioctl(0, TIOCGWINSZ, &ws) == 0)
522 		(void) ioctl(masterfd, TIOCSWINSZ, &ws);
523 }
524 
525 static volatile int close_on_sig = -1;
526 
527 static void
528 /*ARGSUSED*/
529 sigcld(int s)
530 {
531 	int status;
532 	pid_t pid;
533 
534 	/*
535 	 * Peek at the exit status.  If this isn't the process we cared
536 	 * about, then just reap it.
537 	 */
538 	if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
539 		if (pid == child_pid &&
540 		    (WIFEXITED(status) || WIFSIGNALED(status))) {
541 			dead = 1;
542 			if (close_on_sig != -1) {
543 				(void) write(close_on_sig, "a", 1);
544 				(void) close(close_on_sig);
545 				close_on_sig = -1;
546 			}
547 		} else {
548 			(void) waitpid(pid, &status, WNOHANG);
549 		}
550 	}
551 }
552 
553 /*
554  * Some signals (currently, SIGINT) must be forwarded on to the process
555  * group of the child process.
556  */
557 static void
558 sig_forward(int s)
559 {
560 	if (child_pid != -1) {
561 		(void) sigsend(P_PGID, child_pid, s);
562 	}
563 }
564 
565 /*
566  * reset terminal settings for global environment
567  */
568 static void
569 reset_tty()
570 {
571 	(void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
572 }
573 
574 /*
575  * Convert character to printable representation, for display with locally
576  * echoed command characters (like when we need to display ~^D)
577  */
578 static void
579 canonify(char c, char *cc)
580 {
581 	if (isprint(c)) {
582 		cc[0] = c;
583 		cc[1] = '\0';
584 	} else if (c >= 0 && c <= 31) {	/* ^@ through ^_ */
585 		cc[0] = '^';
586 		cc[1] = c + '@';
587 		cc[2] = '\0';
588 	} else {
589 		cc[0] = '\\';
590 		cc[1] = ((c >> 6) & 7) + '0';
591 		cc[2] = ((c >> 3) & 7) + '0';
592 		cc[3] = (c & 7) + '0';
593 		cc[4] = '\0';
594 	}
595 }
596 
597 /*
598  * process_user_input watches the input stream for the escape sequence for
599  * 'quit' (by default, tilde-period).  Because we might be fed just one
600  * keystroke at a time, state associated with the user input (are we at the
601  * beginning of the line?  are we locally echoing the next character?) is
602  * maintained by beginning_of_line and local_echo across calls to the routine.
603  * If the write to outfd fails, we'll try to read from infd in an attempt
604  * to prevent deadlock between the two processes.
605  *
606  * This routine returns -1 when the 'quit' escape sequence has been issued,
607  * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
608  */
609 static int
610 process_user_input(int outfd, int infd)
611 {
612 	static boolean_t beginning_of_line = B_TRUE;
613 	static boolean_t local_echo = B_FALSE;
614 	char ibuf[ZLOGIN_BUFSIZ];
615 	int nbytes;
616 	char *buf = ibuf;
617 
618 	nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
619 	if (nbytes == -1 && (errno != EINTR || dead))
620 		return (-1);
621 
622 	if (nbytes == -1)	/* The read was interrupted. */
623 		return (0);
624 
625 	/* 0 read means EOF, close the pipe to the child */
626 	if (nbytes == 0)
627 		return (1);
628 
629 	for (char c = *buf; nbytes > 0; c = *buf, --nbytes) {
630 		buf++;
631 		if (beginning_of_line && !nocmdchar) {
632 			beginning_of_line = B_FALSE;
633 			if (c == cmdchar) {
634 				local_echo = B_TRUE;
635 				continue;
636 			}
637 		} else if (local_echo) {
638 			local_echo = B_FALSE;
639 			if (c == '.' || c == effective_termios.c_cc[VEOF]) {
640 				char cc[CANONIFY_LEN];
641 
642 				canonify(c, cc);
643 				(void) write(STDOUT_FILENO, &cmdchar, 1);
644 				(void) write(STDOUT_FILENO, cc, strlen(cc));
645 				return (-1);
646 			}
647 		}
648 retry:
649 		if (write(outfd, &c, 1) <= 0) {
650 			/*
651 			 * Since the fd we are writing to is opened with
652 			 * O_NONBLOCK it is possible to get EAGAIN if the
653 			 * pipe is full.  One way this could happen is if we
654 			 * are writing a lot of data into the pipe in this loop
655 			 * and the application on the other end is echoing that
656 			 * data back out to its stdout.  The output pipe can
657 			 * fill up since we are stuck here in this loop and not
658 			 * draining the other pipe.  We can try to read some of
659 			 * the data to see if we can drain the pipe so that the
660 			 * application can continue to make progress.  The read
661 			 * is non-blocking so we won't hang here.  We also wait
662 			 * a bit before retrying since there could be other
663 			 * reasons why the pipe is full and we don't want to
664 			 * continuously retry.
665 			 */
666 			if (errno == EAGAIN) {
667 				struct timespec rqtp;
668 				int ln;
669 				char obuf[ZLOGIN_BUFSIZ];
670 
671 				if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
672 					(void) write(STDOUT_FILENO, obuf, ln);
673 
674 				/* sleep for 10 milliseconds */
675 				rqtp.tv_sec = 0;
676 				rqtp.tv_nsec = MSEC2NSEC(10);
677 				(void) nanosleep(&rqtp, NULL);
678 				if (!dead)
679 					goto retry;
680 			}
681 
682 			return (-1);
683 		}
684 		beginning_of_line = (c == '\r' || c == '\n' ||
685 		    c == effective_termios.c_cc[VKILL] ||
686 		    c == effective_termios.c_cc[VEOL] ||
687 		    c == effective_termios.c_cc[VSUSP] ||
688 		    c == effective_termios.c_cc[VINTR]);
689 	}
690 	return (0);
691 }
692 
693 /*
694  * This function prevents deadlock between zlogin and the application in the
695  * zone that it is talking to.  This can happen when we read from zlogin's
696  * stdin and write the data down the pipe to the application.  If the pipe
697  * is full, we'll block in the write.  Because zlogin could be blocked in
698  * the write, it would never read the application's stdout/stderr so the
699  * application can then block on those writes (when the pipe fills up).  If the
700  * the application gets blocked this way, it can never get around to reading
701  * its stdin so that zlogin can unblock from its write.  Once in this state,
702  * the two processes are deadlocked.
703  *
704  * To prevent this, we want to verify that we can write into the pipe before we
705  * read from our stdin.  If the pipe already is pretty full, we bypass the read
706  * for now.  We'll circle back here again after the poll() so that we can
707  * try again.  When this function is called, we already know there is data
708  * ready to read on STDIN_FILENO.  We return -1 if there is a problem, 1 if
709  * stdin is EOF, and 0 if everything is ok (even though we might not have
710  * read/written any data into the pipe on this iteration).
711  */
712 static int
713 process_raw_input(int stdin_fd, int appin_fd)
714 {
715 	int cc;
716 	struct stat64 sb;
717 	char ibuf[ZLOGIN_RDBUFSIZ];
718 
719 	/* Check how much data is already in the pipe */
720 	if (fstat64(appin_fd, &sb) == -1) {
721 		perror("stat failed");
722 		return (-1);
723 	}
724 
725 	if (dead)
726 		return (-1);
727 
728 	/*
729 	 * The pipe already has a lot of data in it,  don't write any more
730 	 * right now.
731 	 */
732 	if (sb.st_size >= HI_WATER)
733 		return (0);
734 
735 	cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
736 	if (cc == -1 && (errno != EINTR || dead))
737 		return (-1);
738 
739 	if (cc == -1)	/* The read was interrupted. */
740 		return (0);
741 
742 	/* 0 read means EOF, close the pipe to the child */
743 	if (cc == 0)
744 		return (1);
745 
746 	/*
747 	 * stdin_fd is stdin of the target; so, the thing we'll write the user
748 	 * data *to*.
749 	 */
750 	if (write(stdin_fd, ibuf, cc) == -1)
751 		return (-1);
752 
753 	return (0);
754 }
755 
756 /*
757  * Write the output from the application running in the zone.  We can get
758  * a signal during the write (usually it would be SIGCHLD when the application
759  * has exited) so we loop to make sure we have written all of the data we read.
760  */
761 static int
762 process_output(int in_fd, int out_fd)
763 {
764 	int wrote = 0;
765 	int cc;
766 	char ibuf[ZLOGIN_BUFSIZ];
767 
768 	cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
769 	if (cc == -1 && (errno != EINTR || dead))
770 		return (-1);
771 	if (cc == 0)
772 		return (-1);	/* EOF */
773 	if (cc == -1)	/* The read was interrupted. */
774 		return (0);
775 
776 	do {
777 		int len;
778 
779 		len = write(out_fd, ibuf + wrote, cc - wrote);
780 		if (len == -1 && errno != EINTR)
781 			return (-1);
782 		if (len != -1)
783 			wrote += len;
784 	} while (wrote < cc);
785 
786 	return (0);
787 }
788 
789 /*
790  * This is the main I/O loop, and is shared across all zlogin modes.
791  * Parameters:
792  *	stdin_fd:  The fd representing 'stdin' for the slave side; input to
793  *		   the zone will be written here.
794  *
795  *	appin_fd:  The fd representing the other end of the 'stdin' pipe (when
796  *		   we're running non-interactive); used in process_raw_input
797  *		   to ensure we don't fill up the application's stdin pipe.
798  *
799  *	stdout_fd: The fd representing 'stdout' for the slave side; output
800  *		   from the zone will arrive here.
801  *
802  *	stderr_fd: The fd representing 'stderr' for the slave side; output
803  *		   from the zone will arrive here.
804  *
805  *	raw_mode:  If TRUE, then no processing (for example, for '~.') will
806  *		   be performed on the input coming from STDIN.
807  *
808  * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
809  * mode supplies a stderr).
810  *
811  */
812 static void
813 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
814     boolean_t raw_mode)
815 {
816 	struct pollfd pollfds[4];
817 	char ibuf[ZLOGIN_BUFSIZ];
818 	int cc, ret;
819 
820 	/* read from stdout of zone and write to stdout of global zone */
821 	pollfds[0].fd = stdout_fd;
822 	pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
823 
824 	/* read from stderr of zone and write to stderr of global zone */
825 	pollfds[1].fd = stderr_fd;
826 	pollfds[1].events = pollfds[0].events;
827 
828 	/* read from stdin of global zone and write to stdin of zone */
829 	pollfds[2].fd = STDIN_FILENO;
830 	pollfds[2].events = pollfds[0].events;
831 
832 	/* read from signalling pipe so we know when child dies */
833 	pollfds[3].fd = sig_fd;
834 	pollfds[3].events = pollfds[0].events;
835 
836 	for (;;) {
837 		pollfds[0].revents = pollfds[1].revents =
838 		    pollfds[2].revents = pollfds[3].revents = 0;
839 
840 		if (dead)
841 			break;
842 
843 		/*
844 		 * There is a race condition here where we can receive the
845 		 * child death signal, set the dead flag, but since we have
846 		 * passed the test above, we would go into poll and hang.
847 		 * To avoid this we use the sig_fd as an additional poll fd.
848 		 * The signal handler writes into the other end of this pipe
849 		 * when the child dies so that the poll will always see that
850 		 * input and proceed.  We just loop around at that point and
851 		 * then notice the dead flag.
852 		 */
853 
854 		ret = poll(pollfds,
855 		    sizeof (pollfds) / sizeof (struct pollfd), -1);
856 
857 		if (ret == -1 && errno != EINTR) {
858 			perror("poll failed");
859 			break;
860 		}
861 
862 		if (errno == EINTR && dead) {
863 			break;
864 		}
865 
866 		/* event from master side stdout */
867 		if (pollfds[0].revents) {
868 			if (pollfds[0].revents &
869 			    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
870 				if (process_output(stdout_fd, STDOUT_FILENO)
871 				    != 0)
872 					break;
873 			} else {
874 				pollerr = pollfds[0].revents;
875 				break;
876 			}
877 		}
878 
879 		/* event from master side stderr */
880 		if (pollfds[1].revents) {
881 			if (pollfds[1].revents &
882 			    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
883 				if (process_output(stderr_fd, STDERR_FILENO)
884 				    != 0)
885 					break;
886 			} else {
887 				pollerr = pollfds[1].revents;
888 				break;
889 			}
890 		}
891 
892 		/* event from user STDIN side */
893 		if (pollfds[2].revents) {
894 			if (pollfds[2].revents &
895 			    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
896 				/*
897 				 * stdin fd is stdin of the target; so,
898 				 * the thing we'll write the user data *to*.
899 				 *
900 				 * Also, unlike on the output side, we
901 				 * close the pipe on a zero-length message.
902 				 */
903 				int res;
904 
905 				if (raw_mode)
906 					res = process_raw_input(stdin_fd,
907 					    appin_fd);
908 				else
909 					res = process_user_input(stdin_fd,
910 					    stdout_fd);
911 
912 				if (res < 0)
913 					break;
914 				if (res > 0) {
915 					/* EOF (close) child's stdin_fd */
916 					pollfds[2].fd = -1;
917 					while ((res = close(stdin_fd)) != 0 &&
918 					    errno == EINTR)
919 						;
920 					if (res != 0)
921 						break;
922 				}
923 
924 			} else if (raw_mode && pollfds[2].revents & POLLHUP) {
925 				/*
926 				 * It's OK to get a POLLHUP on STDIN-- it
927 				 * always happens if you do:
928 				 *
929 				 * echo foo | zlogin <zone> <command>
930 				 *
931 				 * We reset fd to -1 in this case to clear
932 				 * the condition and close the pipe (EOF) to
933 				 * the other side in order to wrap things up.
934 				 */
935 				int res;
936 
937 				pollfds[2].fd = -1;
938 				while ((res = close(stdin_fd)) != 0 &&
939 				    errno == EINTR)
940 					;
941 				if (res != 0)
942 					break;
943 			} else {
944 				pollerr = pollfds[2].revents;
945 				break;
946 			}
947 		}
948 	}
949 
950 	/*
951 	 * We are in the midst of dying, but try to poll with a short
952 	 * timeout to see if we can catch the last bit of I/O from the
953 	 * children.
954 	 */
955 retry:
956 	pollfds[0].revents = pollfds[1].revents = 0;
957 	(void) poll(pollfds, 2, 100);
958 	if (pollfds[0].revents &
959 	    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
960 		if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
961 			(void) write(STDOUT_FILENO, ibuf, cc);
962 			goto retry;
963 		}
964 	}
965 	if (pollfds[1].revents &
966 	    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
967 		if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
968 			(void) write(STDERR_FILENO, ibuf, cc);
969 			goto retry;
970 		}
971 	}
972 }
973 
974 /*
975  * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
976  */
977 static const char *
978 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
979     size_t len)
980 {
981 	bzero(user_cmd, sizeof (user_cmd));
982 	if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
983 		return (NULL);
984 
985 	return (user_cmd);
986 }
987 
988 /* From libc */
989 extern int str2passwd(const char *, int, void *, char *, int);
990 
991 /*
992  * exec() the user_cmd brand hook, and convert the output string to a
993  * struct passwd.  This is to be called after zone_enter().
994  *
995  */
996 static struct passwd *
997 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
998     int pwbuflen)
999 {
1000 	char pwline[NSS_BUFLEN_PASSWD];
1001 	char *cin = NULL;
1002 	FILE *fin;
1003 	int status;
1004 
1005 	assert(getzoneid() != GLOBAL_ZONEID);
1006 
1007 	if ((fin = popen(user_cmd, "r")) == NULL)
1008 		return (NULL);
1009 
1010 	while (cin == NULL && !feof(fin))
1011 		cin = fgets(pwline, sizeof (pwline), fin);
1012 
1013 	if (cin == NULL) {
1014 		(void) pclose(fin);
1015 		return (NULL);
1016 	}
1017 
1018 	status = pclose(fin);
1019 	if (!WIFEXITED(status))
1020 		return (NULL);
1021 	if (WEXITSTATUS(status) != 0)
1022 		return (NULL);
1023 
1024 	if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1025 		return (pwent);
1026 	else
1027 		return (NULL);
1028 }
1029 
1030 static char **
1031 zone_login_cmd(brand_handle_t bh, const char *login)
1032 {
1033 	static char result_buf[ARG_MAX];
1034 	char **new_argv, *ptr, *lasts;
1035 	int n, a;
1036 
1037 	/* Get the login command for the target zone. */
1038 	bzero(result_buf, sizeof (result_buf));
1039 
1040 	if (forced_login) {
1041 		if (brand_get_forcedlogin_cmd(bh, login,
1042 		    result_buf, sizeof (result_buf)) != 0)
1043 			return (NULL);
1044 	} else {
1045 		if (brand_get_login_cmd(bh, login,
1046 		    result_buf, sizeof (result_buf)) != 0)
1047 			return (NULL);
1048 	}
1049 
1050 	/*
1051 	 * We got back a string that we'd like to execute.  But since
1052 	 * we're not doing the execution via a shell we'll need to convert
1053 	 * the exec string to an array of strings.  We'll do that here
1054 	 * but we're going to be very simplistic about it and break stuff
1055 	 * up based on spaces.  We're not even going to support any kind
1056 	 * of quoting or escape characters.  It's truly amazing that
1057 	 * there is no library function in OpenSolaris to do this for us.
1058 	 */
1059 
1060 	/*
1061 	 * Be paranoid.  Since we're deliniating based on spaces make
1062 	 * sure there are no adjacent spaces.
1063 	 */
1064 	if (strstr(result_buf, "  ") != NULL)
1065 		return (NULL);
1066 
1067 	/* Remove any trailing whitespace.  */
1068 	n = strlen(result_buf);
1069 	if (result_buf[n - 1] == ' ')
1070 		result_buf[n - 1] = '\0';
1071 
1072 	/* Count how many elements there are in the exec string. */
1073 	ptr = result_buf;
1074 	for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1075 		;
1076 
1077 	/* Allocate the argv array that we're going to return. */
1078 	if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1079 		return (NULL);
1080 
1081 	/* Tokenize the exec string and return. */
1082 	a = 0;
1083 	new_argv[a++] = result_buf;
1084 	if (n > 2) {
1085 		(void) strtok_r(result_buf, " ", &lasts);
1086 		while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1087 			;
1088 	} else {
1089 		new_argv[a++] = NULL;
1090 	}
1091 	assert(n == a);
1092 	return (new_argv);
1093 }
1094 
1095 /*
1096  * Prepare argv array for exec'd process; if we're passing commands to the
1097  * new process, then use su(1M) to do the invocation.  Otherwise, use
1098  * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1099  * login that we're coming from another zone, and to disregard its CONSOLE
1100  * checks).
1101  */
1102 static char **
1103 prep_args(brand_handle_t bh, const char *login, char **argv)
1104 {
1105 	int argc = 0, a = 0, i, n = -1;
1106 	char **new_argv;
1107 
1108 	if (argv != NULL) {
1109 		size_t subshell_len = 1;
1110 		char *subshell;
1111 
1112 		while (argv[argc] != NULL)
1113 			argc++;
1114 
1115 		for (i = 0; i < argc; i++) {
1116 			subshell_len += strlen(argv[i]) + 1;
1117 		}
1118 		if ((subshell = calloc(1, subshell_len)) == NULL)
1119 			return (NULL);
1120 
1121 		for (i = 0; i < argc; i++) {
1122 			(void) strcat(subshell, argv[i]);
1123 			(void) strcat(subshell, " ");
1124 		}
1125 
1126 		if (failsafe) {
1127 			n = 4;
1128 			if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1129 				return (NULL);
1130 
1131 			new_argv[a++] = FAILSAFESHELL;
1132 		} else {
1133 			n = 5;
1134 			if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1135 				return (NULL);
1136 
1137 			new_argv[a++] = SUPATH;
1138 			if (strcmp(login, "root") != 0) {
1139 				new_argv[a++] = "-";
1140 				n++;
1141 			}
1142 			new_argv[a++] = (char *)login;
1143 		}
1144 		new_argv[a++] = "-c";
1145 		new_argv[a++] = subshell;
1146 		new_argv[a++] = NULL;
1147 		assert(a == n);
1148 	} else {
1149 		if (failsafe) {
1150 			n = 2;
1151 			if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1152 				return (NULL);
1153 			new_argv[a++] = FAILSAFESHELL;
1154 			new_argv[a++] = NULL;
1155 			assert(n == a);
1156 		} else {
1157 			new_argv = zone_login_cmd(bh, login);
1158 		}
1159 	}
1160 
1161 	return (new_argv);
1162 }
1163 
1164 /*
1165  * Helper routine for prep_env below.
1166  */
1167 static char *
1168 add_env(char *name, char *value)
1169 {
1170 	size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1171 	char *str;
1172 
1173 	if ((str = malloc(sz)) == NULL)
1174 		return (NULL);
1175 
1176 	(void) snprintf(str, sz, "%s=%s", name, value);
1177 	return (str);
1178 }
1179 
1180 /*
1181  * Prepare envp array for exec'd process.
1182  */
1183 static char **
1184 prep_env()
1185 {
1186 	int e = 0, size = 1;
1187 	char **new_env, *estr;
1188 	char *term = getenv("TERM");
1189 
1190 	size++;	/* for $PATH */
1191 	if (term != NULL)
1192 		size++;
1193 
1194 	/*
1195 	 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1196 	 * We also set $SHELL, since neither login nor su will be around to do
1197 	 * it.
1198 	 */
1199 	if (failsafe)
1200 		size += 2;
1201 
1202 	if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1203 		return (NULL);
1204 
1205 	if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1206 		return (NULL);
1207 	new_env[e++] = estr;
1208 
1209 	if (term != NULL) {
1210 		if ((estr = add_env("TERM", term)) == NULL)
1211 			return (NULL);
1212 		new_env[e++] = estr;
1213 	}
1214 
1215 	if (failsafe) {
1216 		if ((estr = add_env("HOME", "/")) == NULL)
1217 			return (NULL);
1218 		new_env[e++] = estr;
1219 
1220 		if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1221 			return (NULL);
1222 		new_env[e++] = estr;
1223 	}
1224 
1225 	new_env[e++] = NULL;
1226 
1227 	assert(e == size);
1228 
1229 	return (new_env);
1230 }
1231 
1232 /*
1233  * Finish the preparation of the envp array for exec'd non-interactive
1234  * zlogins.  This is called in the child process *after* we zone_enter(), since
1235  * it derives things we can only know within the zone, such as $HOME, $SHELL,
1236  * etc.  We need only do this in the non-interactive, mode, since otherwise
1237  * login(1) will do it.  We don't do this in failsafe mode, since it presents
1238  * additional ways in which the command could fail, and we'd prefer to avoid
1239  * that.
1240  */
1241 static char **
1242 prep_env_noninteractive(const char *user_cmd, char **env)
1243 {
1244 	size_t size;
1245 	char **new_env;
1246 	int e, i;
1247 	char *estr;
1248 	char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1249 	char pwbuf[NSS_BUFLEN_PASSWD + 1];
1250 	struct passwd pwent;
1251 	struct passwd *pw = NULL;
1252 
1253 	assert(env != NULL);
1254 	assert(failsafe == 0);
1255 
1256 	/*
1257 	 * Exec the "user_cmd" brand hook to get a pwent for the
1258 	 * login user.  If this fails, HOME will be set to "/", SHELL
1259 	 * will be set to $DEFAULTSHELL, and we will continue to exec
1260 	 * SUPATH <login> -c <cmd>.
1261 	 */
1262 	pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1263 
1264 	/*
1265 	 * Get existing envp size.
1266 	 */
1267 	for (size = 0; env[size] != NULL; size++)
1268 		;
1269 
1270 	e = size;
1271 
1272 	/*
1273 	 * Finish filling out the environment; we duplicate the environment
1274 	 * setup described in login(1), for lack of a better precedent.
1275 	 */
1276 	if (pw != NULL)
1277 		size += 3;	/* LOGNAME, HOME, MAIL */
1278 	else
1279 		size += 1;	/* HOME */
1280 
1281 	size++;	/* always fill in SHELL */
1282 	size++; /* terminating NULL */
1283 
1284 	if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1285 		goto malloc_fail;
1286 
1287 	/*
1288 	 * Copy existing elements of env into new_env.
1289 	 */
1290 	for (i = 0; env[i] != NULL; i++) {
1291 		if ((new_env[i] = strdup(env[i])) == NULL)
1292 			goto malloc_fail;
1293 	}
1294 	assert(e == i);
1295 
1296 	if (pw != NULL) {
1297 		if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1298 			goto malloc_fail;
1299 		new_env[e++] = estr;
1300 
1301 		if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1302 			goto malloc_fail;
1303 		new_env[e++] = estr;
1304 
1305 		if (chdir(pw->pw_dir) != 0)
1306 			zerror(gettext("Could not chdir to home directory "
1307 			    "%s: %s"), pw->pw_dir, strerror(errno));
1308 
1309 		(void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1310 		    pw->pw_name);
1311 		if ((estr = add_env("MAIL", varmail)) == NULL)
1312 			goto malloc_fail;
1313 		new_env[e++] = estr;
1314 	} else {
1315 		if ((estr = add_env("HOME", "/")) == NULL)
1316 			goto malloc_fail;
1317 		new_env[e++] = estr;
1318 	}
1319 
1320 	if (pw != NULL && strlen(pw->pw_shell) > 0) {
1321 		if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1322 			goto malloc_fail;
1323 		new_env[e++] = estr;
1324 	} else {
1325 		if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1326 			goto malloc_fail;
1327 		new_env[e++] = estr;
1328 	}
1329 
1330 	new_env[e++] = NULL;	/* add terminating NULL */
1331 
1332 	assert(e == size);
1333 	return (new_env);
1334 
1335 malloc_fail:
1336 	zperror(gettext("failed to allocate memory for process environment"));
1337 	return (NULL);
1338 }
1339 
1340 static int
1341 close_func(void *slavefd, int fd)
1342 {
1343 	if (fd != *(int *)slavefd)
1344 		(void) close(fd);
1345 	return (0);
1346 }
1347 
1348 static void
1349 set_cmdchar(char *cmdcharstr)
1350 {
1351 	char c;
1352 	long lc;
1353 
1354 	if ((c = *cmdcharstr) != '\\') {
1355 		cmdchar = c;
1356 		return;
1357 	}
1358 
1359 	c = cmdcharstr[1];
1360 	if (c == '\0' || c == '\\') {
1361 		cmdchar = '\\';
1362 		return;
1363 	}
1364 
1365 	if (c < '0' || c > '7') {
1366 		zerror(gettext("Unrecognized escape character option %s"),
1367 		    cmdcharstr);
1368 		usage();
1369 	}
1370 
1371 	lc = strtol(cmdcharstr + 1, NULL, 8);
1372 	if (lc < 0 || lc > 255) {
1373 		zerror(gettext("Octal escape character '%s' too large"),
1374 		    cmdcharstr);
1375 		usage();
1376 	}
1377 	cmdchar = (char)lc;
1378 }
1379 
1380 static int
1381 setup_utmpx(char *slavename)
1382 {
1383 	struct utmpx ut;
1384 
1385 	bzero(&ut, sizeof (ut));
1386 	(void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1387 	(void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1388 	ut.ut_pid = getpid();
1389 	ut.ut_id[0] = 'z';
1390 	ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1391 	ut.ut_type = LOGIN_PROCESS;
1392 	(void) time(&ut.ut_tv.tv_sec);
1393 
1394 	if (makeutx(&ut) == NULL) {
1395 		zerror(gettext("makeutx failed"));
1396 		return (-1);
1397 	}
1398 	return (0);
1399 }
1400 
1401 static void
1402 release_lock_file(int lockfd)
1403 {
1404 	(void) close(lockfd);
1405 }
1406 
1407 static int
1408 grab_lock_file(const char *zone_name, int *lockfd)
1409 {
1410 	char pathbuf[PATH_MAX];
1411 	struct flock flock;
1412 
1413 	if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1414 		zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1415 		    strerror(errno));
1416 		return (-1);
1417 	}
1418 	(void) chmod(ZONES_TMPDIR, S_IRWXU);
1419 	(void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1420 	    ZONES_TMPDIR, zone_name);
1421 
1422 	if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1423 		zerror(gettext("could not open %s: %s"), pathbuf,
1424 		    strerror(errno));
1425 		return (-1);
1426 	}
1427 	/*
1428 	 * Lock the file to synchronize with other zoneadmds
1429 	 */
1430 	flock.l_type = F_WRLCK;
1431 	flock.l_whence = SEEK_SET;
1432 	flock.l_start = (off_t)0;
1433 	flock.l_len = (off_t)0;
1434 	if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1435 		zerror(gettext("unable to lock %s: %s"), pathbuf,
1436 		    strerror(errno));
1437 		release_lock_file(*lockfd);
1438 		return (-1);
1439 	}
1440 	return (Z_OK);
1441 }
1442 
1443 static int
1444 start_zoneadmd(const char *zone_name)
1445 {
1446 	pid_t retval;
1447 	int pstatus = 0, error = -1, lockfd, doorfd;
1448 	struct door_info info;
1449 	char doorpath[MAXPATHLEN];
1450 
1451 	(void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1452 
1453 	if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1454 		return (-1);
1455 	/*
1456 	 * We must do the door check with the lock held.  Otherwise, we
1457 	 * might race against another zoneadm/zlogin process and wind
1458 	 * up with two processes trying to start zoneadmd at the same
1459 	 * time.  zoneadmd will detect this, and fail, but we prefer this
1460 	 * to be as seamless as is practical, from a user perspective.
1461 	 */
1462 	if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1463 		if (errno != ENOENT) {
1464 			zerror("failed to open %s: %s", doorpath,
1465 			    strerror(errno));
1466 			goto out;
1467 		}
1468 	} else {
1469 		/*
1470 		 * Seems to be working ok.
1471 		 */
1472 		if (door_info(doorfd, &info) == 0 &&
1473 		    ((info.di_attributes & DOOR_REVOKED) == 0)) {
1474 			error = 0;
1475 			goto out;
1476 		}
1477 	}
1478 
1479 	if ((child_pid = fork()) == -1) {
1480 		zperror(gettext("could not fork"));
1481 		goto out;
1482 	} else if (child_pid == 0) {
1483 		/* child process */
1484 		(void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1485 		    zone_name, NULL);
1486 		zperror(gettext("could not exec zoneadmd"));
1487 		_exit(1);
1488 	}
1489 
1490 	/* parent process */
1491 	do {
1492 		retval = waitpid(child_pid, &pstatus, 0);
1493 	} while (retval != child_pid);
1494 	if (WIFSIGNALED(pstatus) ||
1495 	    (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1496 		zerror(gettext("could not start %s"), "zoneadmd");
1497 		goto out;
1498 	}
1499 	error = 0;
1500 out:
1501 	release_lock_file(lockfd);
1502 	(void) close(doorfd);
1503 	return (error);
1504 }
1505 
1506 static int
1507 init_template(void)
1508 {
1509 	int fd;
1510 	int err = 0;
1511 
1512 	fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1513 	if (fd == -1)
1514 		return (-1);
1515 
1516 	/*
1517 	 * zlogin doesn't do anything with the contract.
1518 	 * Deliver no events, don't inherit, and allow it to be orphaned.
1519 	 */
1520 	err |= ct_tmpl_set_critical(fd, 0);
1521 	err |= ct_tmpl_set_informative(fd, 0);
1522 	err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1523 	err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1524 	if (err || ct_tmpl_activate(fd)) {
1525 		(void) close(fd);
1526 		return (-1);
1527 	}
1528 
1529 	return (fd);
1530 }
1531 
1532 static int
1533 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1534     char **new_args, char **new_env)
1535 {
1536 	pid_t retval;
1537 	int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1538 	int child_status;
1539 	int tmpl_fd;
1540 	sigset_t block_cld;
1541 
1542 	if ((tmpl_fd = init_template()) == -1) {
1543 		reset_tty();
1544 		zperror(gettext("could not create contract"));
1545 		return (1);
1546 	}
1547 
1548 	if (pipe(stdin_pipe) != 0) {
1549 		zperror(gettext("could not create STDIN pipe"));
1550 		return (1);
1551 	}
1552 	/*
1553 	 * When the user types ^D, we get a zero length message on STDIN.
1554 	 * We need to echo that down the pipe to send it to the other side;
1555 	 * but by default, pipes don't propagate zero-length messages.  We
1556 	 * toggle that behavior off using I_SWROPT.  See streamio(7i).
1557 	 */
1558 	if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1559 		zperror(gettext("could not configure STDIN pipe"));
1560 		return (1);
1561 
1562 	}
1563 	if (pipe(stdout_pipe) != 0) {
1564 		zperror(gettext("could not create STDOUT pipe"));
1565 		return (1);
1566 	}
1567 	if (pipe(stderr_pipe) != 0) {
1568 		zperror(gettext("could not create STDERR pipe"));
1569 		return (1);
1570 	}
1571 
1572 	if (pipe(dead_child_pipe) != 0) {
1573 		zperror(gettext("could not create signalling pipe"));
1574 		return (1);
1575 	}
1576 	close_on_sig = dead_child_pipe[0];
1577 
1578 	/*
1579 	 * If any of the pipe FD's winds up being less than STDERR, then we
1580 	 * have a mess on our hands-- and we are lacking some of the I/O
1581 	 * streams we would expect anyway.  So we bail.
1582 	 */
1583 	if (stdin_pipe[0] <= STDERR_FILENO ||
1584 	    stdin_pipe[1] <= STDERR_FILENO ||
1585 	    stdout_pipe[0] <= STDERR_FILENO ||
1586 	    stdout_pipe[1] <= STDERR_FILENO ||
1587 	    stderr_pipe[0] <= STDERR_FILENO ||
1588 	    stderr_pipe[1] <= STDERR_FILENO ||
1589 	    dead_child_pipe[0] <= STDERR_FILENO ||
1590 	    dead_child_pipe[1] <= STDERR_FILENO) {
1591 		zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1592 		return (1);
1593 	}
1594 
1595 	if (prefork_dropprivs() != 0) {
1596 		zperror(gettext("could not allocate privilege set"));
1597 		return (1);
1598 	}
1599 
1600 	(void) sigset(SIGCLD, sigcld);
1601 	(void) sigemptyset(&block_cld);
1602 	(void) sigaddset(&block_cld, SIGCLD);
1603 	(void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1604 
1605 	if ((child_pid = fork()) == -1) {
1606 		(void) ct_tmpl_clear(tmpl_fd);
1607 		(void) close(tmpl_fd);
1608 		zperror(gettext("could not fork"));
1609 		return (1);
1610 	} else if (child_pid == 0) { /* child process */
1611 		(void) ct_tmpl_clear(tmpl_fd);
1612 
1613 		/*
1614 		 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1615 		 */
1616 		(void) close(STDIN_FILENO);
1617 		(void) close(STDOUT_FILENO);
1618 		(void) close(STDERR_FILENO);
1619 		(void) dup2(stdin_pipe[1], STDIN_FILENO);
1620 		(void) dup2(stdout_pipe[1], STDOUT_FILENO);
1621 		(void) dup2(stderr_pipe[1], STDERR_FILENO);
1622 		(void) closefrom(STDERR_FILENO + 1);
1623 
1624 		(void) sigset(SIGCLD, SIG_DFL);
1625 		(void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1626 		/*
1627 		 * In case any of stdin, stdout or stderr are streams,
1628 		 * anchor them to prevent malicious I_POPs.
1629 		 */
1630 		(void) ioctl(STDIN_FILENO, I_ANCHOR);
1631 		(void) ioctl(STDOUT_FILENO, I_ANCHOR);
1632 		(void) ioctl(STDERR_FILENO, I_ANCHOR);
1633 
1634 		if (zone_enter(zoneid) == -1) {
1635 			zerror(gettext("could not enter zone %s: %s"),
1636 			    zonename, strerror(errno));
1637 			_exit(1);
1638 		}
1639 
1640 		/*
1641 		 * For non-native zones, tell libc where it can find locale
1642 		 * specific getttext() messages.
1643 		 */
1644 		if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1645 			(void) bindtextdomain(TEXT_DOMAIN,
1646 			    "/.SUNWnative/usr/lib/locale");
1647 		else if (access("/native/usr/lib/locale", R_OK) == 0)
1648 			(void) bindtextdomain(TEXT_DOMAIN,
1649 			    "/native/usr/lib/locale");
1650 
1651 		if (!failsafe)
1652 			new_env = prep_env_noninteractive(user_cmd, new_env);
1653 
1654 		if (new_env == NULL) {
1655 			_exit(1);
1656 		}
1657 
1658 		/*
1659 		 * Move into a new process group; the zone_enter will have
1660 		 * placed us into zsched's session, and we want to be in
1661 		 * a unique process group.
1662 		 */
1663 		(void) setpgid(getpid(), getpid());
1664 
1665 		/*
1666 		 * The child needs to run as root to
1667 		 * execute the su program.
1668 		 */
1669 		if (setuid(0) == -1) {
1670 			zperror(gettext("insufficient privilege"));
1671 			return (1);
1672 		}
1673 
1674 		(void) execve(new_args[0], new_args, new_env);
1675 		zperror(gettext("exec failure"));
1676 		_exit(1);
1677 	}
1678 	/* parent */
1679 
1680 	/* close pipe sides written by child */
1681 	(void) close(stdout_pipe[1]);
1682 	(void) close(stderr_pipe[1]);
1683 
1684 	(void) sigset(SIGINT, sig_forward);
1685 
1686 	postfork_dropprivs();
1687 
1688 	(void) ct_tmpl_clear(tmpl_fd);
1689 	(void) close(tmpl_fd);
1690 
1691 	(void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1692 	doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1693 	    dead_child_pipe[1], B_TRUE);
1694 	do {
1695 		retval = waitpid(child_pid, &child_status, 0);
1696 		if (retval == -1) {
1697 			child_status = 0;
1698 		}
1699 	} while (retval != child_pid && errno != ECHILD);
1700 
1701 	return (WEXITSTATUS(child_status));
1702 }
1703 
1704 static char *
1705 get_username()
1706 {
1707 	uid_t	uid;
1708 	struct passwd *nptr;
1709 
1710 	/*
1711 	 * Authorizations are checked to restrict access based on the
1712 	 * requested operation and zone name, It is assumed that the
1713 	 * program is running with all privileges, but that the real
1714 	 * user ID is that of the user or role on whose behalf we are
1715 	 * operating. So we start by getting the username that will be
1716 	 * used for subsequent authorization checks.
1717 	 */
1718 
1719 	uid = getuid();
1720 	if ((nptr = getpwuid(uid)) == NULL) {
1721 		zerror(gettext("could not get user name."));
1722 		_exit(1);
1723 	}
1724 	return (nptr->pw_name);
1725 }
1726 
1727 int
1728 main(int argc, char **argv)
1729 {
1730 	int arg, console = 0;
1731 	zoneid_t zoneid;
1732 	zone_state_t st;
1733 	char *login = "root";
1734 	int lflag = 0;
1735 	int nflag = 0;
1736 	char *zonename = NULL;
1737 	char **proc_args = NULL;
1738 	char **new_args, **new_env;
1739 	sigset_t block_cld;
1740 	char devroot[MAXPATHLEN];
1741 	char *slavename, slaveshortname[MAXPATHLEN];
1742 	priv_set_t *privset;
1743 	int tmpl_fd;
1744 	char zonebrand[MAXNAMELEN];
1745 	char default_brand[MAXNAMELEN];
1746 	struct stat sb;
1747 	char kernzone[ZONENAME_MAX];
1748 	brand_handle_t bh;
1749 	char user_cmd[MAXPATHLEN];
1750 	char authname[MAXAUTHS];
1751 
1752 	(void) setlocale(LC_ALL, "");
1753 	(void) textdomain(TEXT_DOMAIN);
1754 
1755 	(void) getpname(argv[0]);
1756 	username = get_username();
1757 
1758 	while ((arg = getopt(argc, argv, "dnECR:Se:l:Q")) != EOF) {
1759 		switch (arg) {
1760 		case 'C':
1761 			console = 1;
1762 			break;
1763 		case 'E':
1764 			nocmdchar = 1;
1765 			break;
1766 		case 'R':	/* undocumented */
1767 			if (*optarg != '/') {
1768 				zerror(gettext("root path must be absolute."));
1769 				exit(2);
1770 			}
1771 			if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1772 				zerror(
1773 				    gettext("root path must be a directory."));
1774 				exit(2);
1775 			}
1776 			zonecfg_set_root(optarg);
1777 			break;
1778 		case 'Q':
1779 			quiet = 1;
1780 			break;
1781 		case 'S':
1782 			failsafe = 1;
1783 			break;
1784 		case 'd':
1785 			disconnect = 1;
1786 			break;
1787 		case 'e':
1788 			set_cmdchar(optarg);
1789 			break;
1790 		case 'l':
1791 			login = optarg;
1792 			lflag = 1;
1793 			break;
1794 		case 'n':
1795 			nflag = 1;
1796 			break;
1797 		default:
1798 			usage();
1799 		}
1800 	}
1801 
1802 	if (console != 0) {
1803 
1804 		if (lflag != 0) {
1805 			zerror(gettext(
1806 			    "-l may not be specified for console login"));
1807 			usage();
1808 		}
1809 
1810 		if (nflag != 0) {
1811 			zerror(gettext(
1812 			    "-n may not be specified for console login"));
1813 			usage();
1814 		}
1815 
1816 		if (failsafe != 0) {
1817 			zerror(gettext(
1818 			    "-S may not be specified for console login"));
1819 			usage();
1820 		}
1821 
1822 		if (zonecfg_in_alt_root()) {
1823 			zerror(gettext(
1824 			    "-R may not be specified for console login"));
1825 			exit(2);
1826 		}
1827 
1828 	}
1829 
1830 	if (failsafe != 0 && lflag != 0) {
1831 		zerror(gettext("-l may not be specified for failsafe login"));
1832 		usage();
1833 	}
1834 
1835 	if (!console && disconnect != 0) {
1836 		zerror(gettext(
1837 		    "-d may only be specified with console login"));
1838 		usage();
1839 	}
1840 
1841 	if (optind == (argc - 1)) {
1842 		/*
1843 		 * zone name, no process name; this should be an interactive
1844 		 * as long as STDIN is really a tty.
1845 		 */
1846 		if (nflag != 0) {
1847 			zerror(gettext(
1848 			    "-n may not be specified for interactive login"));
1849 			usage();
1850 		}
1851 		if (isatty(STDIN_FILENO))
1852 			interactive = 1;
1853 		zonename = argv[optind];
1854 	} else if (optind < (argc - 1)) {
1855 		if (console) {
1856 			zerror(gettext("Commands may not be specified for "
1857 			    "console login."));
1858 			usage();
1859 		}
1860 		/* zone name and process name, and possibly some args */
1861 		zonename = argv[optind];
1862 		proc_args = &argv[optind + 1];
1863 		interactive = 0;
1864 	} else {
1865 		usage();
1866 	}
1867 
1868 	if (getzoneid() != GLOBAL_ZONEID) {
1869 		zerror(gettext("'%s' may only be used from the global zone"),
1870 		    pname);
1871 		return (1);
1872 	}
1873 
1874 	if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1875 		zerror(gettext("'%s' not applicable to the global zone"),
1876 		    pname);
1877 		return (1);
1878 	}
1879 
1880 	if (zone_get_state(zonename, &st) != Z_OK) {
1881 		zerror(gettext("zone '%s' unknown"), zonename);
1882 		return (1);
1883 	}
1884 
1885 	if (st < ZONE_STATE_INSTALLED) {
1886 		zerror(gettext("cannot login to a zone which is '%s'"),
1887 		    zone_state_str(st));
1888 		return (1);
1889 	}
1890 
1891 	/*
1892 	 * In both console and non-console cases, we require all privs.
1893 	 * In the console case, because we may need to startup zoneadmd.
1894 	 * In the non-console case in order to do zone_enter(2), zonept()
1895 	 * and other tasks.
1896 	 */
1897 
1898 	if ((privset = priv_allocset()) == NULL) {
1899 		zperror(gettext("priv_allocset failed"));
1900 		return (1);
1901 	}
1902 
1903 	if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1904 		zperror(gettext("getppriv failed"));
1905 		priv_freeset(privset);
1906 		return (1);
1907 	}
1908 
1909 	if (priv_isfullset(privset) == B_FALSE) {
1910 		zerror(gettext("You lack sufficient privilege to run "
1911 		    "this command (all privs required)"));
1912 		priv_freeset(privset);
1913 		return (1);
1914 	}
1915 	priv_freeset(privset);
1916 
1917 	/*
1918 	 * Check if user is authorized for requested usage of the zone
1919 	 */
1920 
1921 	(void) snprintf(authname, MAXAUTHS, "%s%s%s",
1922 	    ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1923 	if (chkauthattr(authname, username) == 0) {
1924 		if (console) {
1925 			zerror(gettext("%s is not authorized for console "
1926 			    "access to  %s zone."),
1927 			    username, zonename);
1928 			return (1);
1929 		} else {
1930 			(void) snprintf(authname, MAXAUTHS, "%s%s%s",
1931 			    ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1932 			if (failsafe || !interactive) {
1933 				zerror(gettext("%s is not authorized for  "
1934 				    "failsafe or non-interactive login "
1935 				    "to  %s zone."), username, zonename);
1936 				return (1);
1937 			} else if (chkauthattr(authname, username) == 0) {
1938 				zerror(gettext("%s is not authorized "
1939 				    " to login to %s zone."),
1940 				    username, zonename);
1941 				return (1);
1942 			}
1943 		}
1944 	} else {
1945 		forced_login = B_TRUE;
1946 	}
1947 
1948 	/*
1949 	 * The console is a separate case from the rest of the code; handle
1950 	 * it first.
1951 	 */
1952 	if (console) {
1953 		/*
1954 		 * Ensure that zoneadmd for this zone is running.
1955 		 */
1956 		if (start_zoneadmd(zonename) == -1)
1957 			return (1);
1958 
1959 		/*
1960 		 * Make contact with zoneadmd.
1961 		 */
1962 		if (get_console_master(zonename) == -1)
1963 			return (1);
1964 
1965 		if (!quiet)
1966 			(void) printf(
1967 			    gettext("[Connected to zone '%s' console]\n"),
1968 			    zonename);
1969 
1970 		if (set_tty_rawmode(STDIN_FILENO) == -1) {
1971 			reset_tty();
1972 			zperror(gettext("failed to set stdin pty to raw mode"));
1973 			return (1);
1974 		}
1975 
1976 		(void) sigset(SIGWINCH, sigwinch);
1977 		(void) sigwinch(0);
1978 
1979 		/*
1980 		 * Run the I/O loop until we get disconnected.
1981 		 */
1982 		doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1983 		reset_tty();
1984 		if (!quiet)
1985 			(void) printf(
1986 			    gettext("\n[Connection to zone '%s' console "
1987 			    "closed]\n"), zonename);
1988 
1989 		return (0);
1990 	}
1991 
1992 	if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1993 		zerror(gettext("login allowed only to running zones "
1994 		    "(%s is '%s')."), zonename, zone_state_str(st));
1995 		return (1);
1996 	}
1997 
1998 	(void) strlcpy(kernzone, zonename, sizeof (kernzone));
1999 	if (zonecfg_in_alt_root()) {
2000 		FILE *fp = zonecfg_open_scratch("", B_FALSE);
2001 
2002 		if (fp == NULL || zonecfg_find_scratch(fp, zonename,
2003 		    zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
2004 			zerror(gettext("cannot find scratch zone %s"),
2005 			    zonename);
2006 			if (fp != NULL)
2007 				zonecfg_close_scratch(fp);
2008 			return (1);
2009 		}
2010 		zonecfg_close_scratch(fp);
2011 	}
2012 
2013 	if ((zoneid = getzoneidbyname(kernzone)) == -1) {
2014 		zerror(gettext("failed to get zoneid for zone '%s'"),
2015 		    zonename);
2016 		return (1);
2017 	}
2018 
2019 	/*
2020 	 * We need the zone root path only if we are setting up a pty.
2021 	 */
2022 	if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
2023 		zerror(gettext("could not get dev path for zone %s"),
2024 		    zonename);
2025 		return (1);
2026 	}
2027 
2028 	if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
2029 		zerror(gettext("could not get brand for zone %s"), zonename);
2030 		return (1);
2031 	}
2032 	/*
2033 	 * In the alternate root environment, the only supported
2034 	 * operations are mount and unmount.  In this case, just treat
2035 	 * the zone as native if it is cluster.  Cluster zones can be
2036 	 * native for the purpose of LU or upgrade, and the cluster
2037 	 * brand may not exist in the miniroot (such as in net install
2038 	 * upgrade).
2039 	 */
2040 	if (zonecfg_default_brand(default_brand,
2041 	    sizeof (default_brand)) != Z_OK) {
2042 		zerror(gettext("unable to determine default brand"));
2043 		return (1);
2044 	}
2045 	if (zonecfg_in_alt_root() &&
2046 	    strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2047 		(void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2048 	}
2049 
2050 	if ((bh = brand_open(zonebrand)) == NULL) {
2051 		zerror(gettext("could not open brand for zone %s"), zonename);
2052 		return (1);
2053 	}
2054 
2055 	if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2056 		zperror(gettext("could not assemble new arguments"));
2057 		brand_close(bh);
2058 		return (1);
2059 	}
2060 	/*
2061 	 * Get the brand specific user_cmd.  This command is used to get
2062 	 * a passwd(4) entry for login.
2063 	 */
2064 	if (!interactive && !failsafe) {
2065 		if (zone_get_user_cmd(bh, login, user_cmd,
2066 		    sizeof (user_cmd)) == NULL) {
2067 			zerror(gettext("could not get user_cmd for zone %s"),
2068 			    zonename);
2069 			brand_close(bh);
2070 			return (1);
2071 		}
2072 	}
2073 	brand_close(bh);
2074 
2075 	if ((new_env = prep_env()) == NULL) {
2076 		zperror(gettext("could not assemble new environment"));
2077 		return (1);
2078 	}
2079 
2080 	if (!interactive) {
2081 		if (nflag) {
2082 			int nfd;
2083 
2084 			if ((nfd = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
2085 				zperror(gettext("failed to open null device"));
2086 				return (1);
2087 			}
2088 			if (nfd != STDIN_FILENO) {
2089 				if (dup2(nfd, STDIN_FILENO) < 0) {
2090 					zperror(gettext(
2091 					    "failed to dup2 null device"));
2092 					return (1);
2093 				}
2094 				(void) close(nfd);
2095 			}
2096 			/* /dev/null is now standard input */
2097 		}
2098 		return (noninteractive_login(zonename, user_cmd, zoneid,
2099 		    new_args, new_env));
2100 	}
2101 
2102 	if (zonecfg_in_alt_root()) {
2103 		zerror(gettext("cannot use interactive login with scratch "
2104 		    "zone"));
2105 		return (1);
2106 	}
2107 
2108 	/*
2109 	 * Things are more complex in interactive mode; we get the
2110 	 * master side of the pty, then place the user's terminal into
2111 	 * raw mode.
2112 	 */
2113 	if (get_master_pty() == -1) {
2114 		zerror(gettext("could not setup master pty device"));
2115 		return (1);
2116 	}
2117 
2118 	/*
2119 	 * Compute the "short name" of the pts.  /dev/pts/2 --> pts/2
2120 	 */
2121 	if ((slavename = ptsname(masterfd)) == NULL) {
2122 		zperror(gettext("failed to get name for pseudo-tty"));
2123 		return (1);
2124 	}
2125 	if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2126 		(void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2127 		    sizeof (slaveshortname));
2128 	else
2129 		(void) strlcpy(slaveshortname, slavename,
2130 		    sizeof (slaveshortname));
2131 
2132 	if (!quiet)
2133 		(void) printf(gettext("[Connected to zone '%s' %s]\n"),
2134 		    zonename, slaveshortname);
2135 
2136 	if (set_tty_rawmode(STDIN_FILENO) == -1) {
2137 		reset_tty();
2138 		zperror(gettext("failed to set stdin pty to raw mode"));
2139 		return (1);
2140 	}
2141 
2142 	if (prefork_dropprivs() != 0) {
2143 		reset_tty();
2144 		zperror(gettext("could not allocate privilege set"));
2145 		return (1);
2146 	}
2147 
2148 	/*
2149 	 * We must mask SIGCLD until after we have coped with the fork
2150 	 * sufficiently to deal with it; otherwise we can race and receive the
2151 	 * signal before child_pid has been initialized (yes, this really
2152 	 * happens).
2153 	 */
2154 	(void) sigset(SIGCLD, sigcld);
2155 	(void) sigemptyset(&block_cld);
2156 	(void) sigaddset(&block_cld, SIGCLD);
2157 	(void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2158 
2159 	/*
2160 	 * We activate the contract template at the last minute to
2161 	 * avoid intermediate functions that could be using fork(2)
2162 	 * internally.
2163 	 */
2164 	if ((tmpl_fd = init_template()) == -1) {
2165 		reset_tty();
2166 		zperror(gettext("could not create contract"));
2167 		return (1);
2168 	}
2169 
2170 	if ((child_pid = fork()) == -1) {
2171 		(void) ct_tmpl_clear(tmpl_fd);
2172 		reset_tty();
2173 		zperror(gettext("could not fork"));
2174 		return (1);
2175 	} else if (child_pid == 0) { /* child process */
2176 		int slavefd, newslave;
2177 
2178 		(void) ct_tmpl_clear(tmpl_fd);
2179 		(void) close(tmpl_fd);
2180 
2181 		(void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2182 
2183 		if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2184 			return (1);
2185 
2186 		/*
2187 		 * Close all fds except for the slave pty.
2188 		 */
2189 		(void) fdwalk(close_func, &slavefd);
2190 
2191 		/*
2192 		 * Temporarily dup slavefd to stderr; that way if we have
2193 		 * to print out that zone_enter failed, the output will
2194 		 * have somewhere to go.
2195 		 */
2196 		if (slavefd != STDERR_FILENO)
2197 			(void) dup2(slavefd, STDERR_FILENO);
2198 
2199 		if (zone_enter(zoneid) == -1) {
2200 			zerror(gettext("could not enter zone %s: %s"),
2201 			    zonename, strerror(errno));
2202 			return (1);
2203 		}
2204 
2205 		if (slavefd != STDERR_FILENO)
2206 			(void) close(STDERR_FILENO);
2207 
2208 		/*
2209 		 * We take pains to get this process into a new process
2210 		 * group, and subsequently a new session.  In this way,
2211 		 * we'll have a session which doesn't yet have a controlling
2212 		 * terminal.  When we open the slave, it will become the
2213 		 * controlling terminal; no PIDs concerning pgrps or sids
2214 		 * will leak inappropriately into the zone.
2215 		 */
2216 		(void) setpgrp();
2217 
2218 		/*
2219 		 * We need the slave pty to be referenced from the zone's
2220 		 * /dev in order to ensure that the devt's, etc are all
2221 		 * correct.  Otherwise we break ttyname and the like.
2222 		 */
2223 		if ((newslave = open(slavename, O_RDWR)) == -1) {
2224 			(void) close(slavefd);
2225 			return (1);
2226 		}
2227 		(void) close(slavefd);
2228 		slavefd = newslave;
2229 
2230 		/*
2231 		 * dup the slave to the various FDs, so that when the
2232 		 * spawned process does a write/read it maps to the slave
2233 		 * pty.
2234 		 */
2235 		(void) dup2(slavefd, STDIN_FILENO);
2236 		(void) dup2(slavefd, STDOUT_FILENO);
2237 		(void) dup2(slavefd, STDERR_FILENO);
2238 		if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2239 		    slavefd != STDERR_FILENO) {
2240 			(void) close(slavefd);
2241 		}
2242 
2243 		/*
2244 		 * In failsafe mode, we don't use login(1), so don't try
2245 		 * setting up a utmpx entry.
2246 		 */
2247 		if (!failsafe)
2248 			if (setup_utmpx(slaveshortname) == -1)
2249 				return (1);
2250 
2251 		/*
2252 		 * The child needs to run as root to
2253 		 * execute the brand's login program.
2254 		 */
2255 		if (setuid(0) == -1) {
2256 			zperror(gettext("insufficient privilege"));
2257 			return (1);
2258 		}
2259 
2260 		(void) execve(new_args[0], new_args, new_env);
2261 		zperror(gettext("exec failure"));
2262 		return (1);
2263 	}
2264 
2265 	(void) ct_tmpl_clear(tmpl_fd);
2266 	(void) close(tmpl_fd);
2267 
2268 	/*
2269 	 * The rest is only for the parent process.
2270 	 */
2271 	(void) sigset(SIGWINCH, sigwinch);
2272 
2273 	postfork_dropprivs();
2274 
2275 	(void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2276 	doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2277 
2278 	reset_tty();
2279 	if (!quiet)
2280 		(void) fprintf(stderr,
2281 		    gettext("\n[Connection to zone '%s' %s closed]\n"),
2282 		    zonename, slaveshortname);
2283 
2284 	if (pollerr != 0) {
2285 		(void) fprintf(stderr, gettext("Error: connection closed due "
2286 		    "to unexpected pollevents=0x%x.\n"), pollerr);
2287 		return (1);
2288 	}
2289 
2290 	return (0);
2291 }
2292