1 /* $NetBSD: master.c,v 1.2 2017/02/14 01:16:45 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* master 8 6 /* SUMMARY 7 /* Postfix master process 8 /* SYNOPSIS 9 /* \fBmaster\fR [\fB-Ddtvw\fR] [\fB-c \fIconfig_dir\fR] [\fB-e \fIexit_time\fR] 10 /* DESCRIPTION 11 /* The \fBmaster\fR(8) daemon is the resident process that runs Postfix 12 /* daemons on demand: daemons to send or receive messages via the 13 /* network, daemons to deliver mail locally, etc. These daemons are 14 /* created on demand up to a configurable maximum number per service. 15 /* 16 /* Postfix daemons terminate voluntarily, either after being idle for 17 /* a configurable amount of time, or after having serviced a 18 /* configurable number of requests. Exceptions to this rule are the 19 /* resident queue manager, address verification server, and the TLS 20 /* session cache and pseudo-random number server. 21 /* 22 /* The behavior of the \fBmaster\fR(8) daemon is controlled by the 23 /* \fBmaster.cf\fR configuration file, as described in \fBmaster\fR(5). 24 /* 25 /* Options: 26 /* .IP "\fB-c \fIconfig_dir\fR" 27 /* Read the \fBmain.cf\fR and \fBmaster.cf\fR configuration files in 28 /* the named directory instead of the default configuration directory. 29 /* This also overrides the configuration files for other Postfix 30 /* daemon processes. 31 /* .IP \fB-D\fR 32 /* After initialization, run a debugger on the master process. The 33 /* debugging command is specified with the \fBdebugger_command\fR in 34 /* the \fBmain.cf\fR global configuration file. 35 /* .IP \fB-d\fR 36 /* Do not redirect stdin, stdout or stderr to /dev/null, and 37 /* do not discard the controlling terminal. This must be used 38 /* for debugging only. 39 /* .IP "\fB-e \fIexit_time\fR" 40 /* Terminate the master process after \fIexit_time\fR seconds. Child 41 /* processes terminate at their convenience. 42 /* .IP \fB-t\fR 43 /* Test mode. 
Return a zero exit status when the \fBmaster.pid\fR lock 44 /* file does not exist or when that file is not locked. This is evidence 45 /* that the \fBmaster\fR(8) daemon is not running. 46 /* .IP \fB-v\fR 47 /* Enable verbose logging for debugging purposes. This option 48 /* is passed on to child processes. Multiple \fB-v\fR options 49 /* make the software increasingly verbose. 50 /* .IP \fB-w\fR 51 /* Wait in a dummy foreground process, while the real master 52 /* daemon initializes in a background process. The dummy 53 /* foreground process returns a zero exit status only if the 54 /* master daemon initialization is successful, and if it 55 /* completes in a reasonable amount of time. 56 /* .sp 57 /* This feature is available in Postfix 2.10 and later. 58 /* .PP 59 /* Signals: 60 /* .IP \fBSIGHUP\fR 61 /* Upon receipt of a \fBHUP\fR signal (e.g., after "\fBpostfix reload\fR"), 62 /* the master process re-reads its configuration files. If a service has 63 /* been removed from the \fBmaster.cf\fR file, its running processes 64 /* are terminated immediately. 65 /* Otherwise, running processes are allowed to terminate as soon 66 /* as is convenient, so that changes in configuration settings 67 /* affect only new service requests. 68 /* .IP \fBSIGTERM\fR 69 /* Upon receipt of a \fBTERM\fR signal (e.g., after "\fBpostfix abort\fR"), 70 /* the master process passes the signal on to its child processes and 71 /* terminates. 72 /* This is useful for an emergency shutdown. Normally one would 73 /* terminate only the master ("\fBpostfix stop\fR") and allow running 74 /* processes to finish what they are doing. 75 /* DIAGNOSTICS 76 /* Problems are reported to \fBsyslogd\fR(8). The exit status 77 /* is non-zero in case of problems, including problems while 78 /* initializing as a master daemon process in the background. 
79 /* ENVIRONMENT 80 /* .ad 81 /* .fi 82 /* .IP \fBMAIL_DEBUG\fR 83 /* After initialization, start a debugger as specified with the 84 /* \fBdebugger_command\fR configuration parameter in the \fBmain.cf\fR 85 /* configuration file. 86 /* .IP \fBMAIL_CONFIG\fR 87 /* Directory with Postfix configuration files. 88 /* CONFIGURATION PARAMETERS 89 /* .ad 90 /* .fi 91 /* Unlike most Postfix daemon processes, the \fBmaster\fR(8) server does 92 /* not automatically pick up changes to \fBmain.cf\fR. Changes 93 /* to \fBmaster.cf\fR are never picked up automatically. 94 /* Use the "\fBpostfix reload\fR" command after a configuration change. 95 /* RESOURCE AND RATE CONTROLS 96 /* .ad 97 /* .fi 98 /* .IP "\fBdefault_process_limit (100)\fR" 99 /* The default maximal number of Postfix child processes that provide 100 /* a given service. 101 /* .IP "\fBmax_idle (100s)\fR" 102 /* The maximum amount of time that an idle Postfix daemon process waits 103 /* for an incoming connection before terminating voluntarily. 104 /* .IP "\fBmax_use (100)\fR" 105 /* The maximal number of incoming connections that a Postfix daemon 106 /* process will service before terminating voluntarily. 107 /* .IP "\fBservice_throttle_time (60s)\fR" 108 /* How long the Postfix \fBmaster\fR(8) waits before forking a server that 109 /* appears to be malfunctioning. 110 /* .PP 111 /* Available in Postfix version 2.6 and later: 112 /* .IP "\fBmaster_service_disable (empty)\fR" 113 /* Selectively disable \fBmaster\fR(8) listener ports by service type 114 /* or by service name and type. 115 /* MISCELLANEOUS CONTROLS 116 /* .ad 117 /* .fi 118 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 119 /* The default location of the Postfix main.cf and master.cf 120 /* configuration files. 121 /* .IP "\fBdaemon_directory (see 'postconf -d' output)\fR" 122 /* The directory with Postfix support programs and daemon programs. 
123 /* .IP "\fBdebugger_command (empty)\fR" 124 /* The external command to execute when a Postfix daemon program is 125 /* invoked with the -D option. 126 /* .IP "\fBinet_interfaces (all)\fR" 127 /* The network interface addresses that this mail system receives 128 /* mail on. 129 /* .IP "\fBinet_protocols (all)\fR" 130 /* The Internet protocols Postfix will attempt to use when making 131 /* or accepting connections. 132 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR" 133 /* The list of environment parameters that a Postfix process will 134 /* import from a non-Postfix parent process. 135 /* .IP "\fBmail_owner (postfix)\fR" 136 /* The UNIX system account that owns the Postfix queue and most Postfix 137 /* daemon processes. 138 /* .IP "\fBprocess_id (read-only)\fR" 139 /* The process ID of a Postfix command or daemon process. 140 /* .IP "\fBprocess_name (read-only)\fR" 141 /* The process name of a Postfix command or daemon process. 142 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 143 /* The location of the Postfix top-level queue directory. 144 /* .IP "\fBsyslog_facility (mail)\fR" 145 /* The syslog facility of Postfix logging. 146 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 147 /* The mail system name that is prepended to the process name in syslog 148 /* records, so that "smtpd" becomes, for example, "postfix/smtpd". 149 /* FILES 150 /* .ad 151 /* .fi 152 /* To expand the directory names below into their actual values, 153 /* use the command "\fBpostconf config_directory\fR" etc. 154 /* .na 155 /* .nf 156 /* 157 /* $config_directory/main.cf, global configuration file. 158 /* $config_directory/master.cf, master server configuration file. 159 /* $queue_directory/pid/master.pid, master lock file. 160 /* $data_directory/master.lock, master lock file. 
161 /* SEE ALSO 162 /* qmgr(8), queue manager 163 /* verify(8), address verification 164 /* master(5), master.cf configuration file syntax 165 /* postconf(5), main.cf configuration file syntax 166 /* syslogd(8), system logging 167 /* LICENSE 168 /* .ad 169 /* .fi 170 /* The Secure Mailer license must be distributed with this software. 171 /* AUTHOR(S) 172 /* Wietse Venema 173 /* IBM T.J. Watson Research 174 /* P.O. Box 704 175 /* Yorktown Heights, NY 10598, USA 176 /* 177 /* Wietse Venema 178 /* Google, Inc. 179 /* 111 8th Avenue 180 /* New York, NY 10011, USA 181 /*--*/ 182 183 /* System libraries. */ 184 185 #include <sys_defs.h> 186 #include <sys/stat.h> 187 #include <syslog.h> 188 #include <signal.h> 189 #include <stdlib.h> 190 #include <unistd.h> 191 #include <string.h> 192 #include <fcntl.h> 193 #include <limits.h> 194 195 /* Utility library. */ 196 197 #include <events.h> 198 #include <msg.h> 199 #include <msg_syslog.h> 200 #include <vstring.h> 201 #include <mymalloc.h> 202 #include <iostuff.h> 203 #include <vstream.h> 204 #include <stringops.h> 205 #include <myflock.h> 206 #include <watchdog.h> 207 #include <clean_env.h> 208 #include <argv.h> 209 #include <safe.h> 210 #include <set_eugid.h> 211 #include <set_ugid.h> 212 213 /* Global library. */ 214 215 #include <mail_params.h> 216 #include <mail_version.h> 217 #include <debug_process.h> 218 #include <mail_task.h> 219 #include <mail_conf.h> 220 #include <open_lock.h> 221 #include <inet_proto.h> 222 #include <mail_parm_split.h> 223 224 /* Application-specific. 
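*/

#include "master.h"

 /*
  * Cleared by the -d option: keep the controlling terminal and the inherited
  * stdin/stdout/stderr. Debugging only; the manual page above says so.
  */
int master_detach = 1;

/* master_exit_event - exit for memory leak testing purposes */

static void master_exit_event(int unused_event, void *unused_context)
{
    msg_info("master exit time has arrived");
    exit(0);
}

/* usage - show hint and terminate */

static NORETURN usage(const char *me)
{
    msg_fatal("usage: %s [-c config_dir] [-D (debug)] [-d (don't detach from terminal)] [-e exit_time] [-t (test)] [-v] [-w (wait for initialization)]", me);
}

/* parse_exit_time - validate the -e exit_time argument */

static int parse_exit_time(const char *str)
{
    char   *end;
    long    val;

    /*
     * atoi() silently turns "abc" into 0 and "-5" into a negative timer
     * delay. Insist on a non-empty, all-digit, non-negative value that fits
     * the int that event_request_timer() expects; anything else is a fatal
     * usage error, like every other bad command-line argument here.
     */
    val = strtol(str, &end, 10);
    if (*str == 0 || *end != 0 || val < 0 || val > INT_MAX)
	msg_fatal("bad -e exit_time value: \"%s\"", str);
    return ((int) val);
}

MAIL_VERSION_STAMP_DECLARE;

/* main - main program */

/*
 * Privileged entry point of the Postfix master daemon. Everything below
 * runs as root: the process refuses to start for any other user and
 * refuses to run set-uid. The order of the initialization steps matters
 * (descriptor hygiene before logging, option parsing before reading
 * main.cf, lock files before the event loop); do not reorder casually.
 *
 * Exit status is non-zero on any initialization failure (msg_fatal), and
 * in -t mode it reports whether the master.pid lock is held.
 */

int     main(int argc, char **argv)
{
    static VSTREAM *lock_fp;
    static VSTREAM *data_lock_fp;
    VSTRING *lock_path;
    VSTRING *data_lock_path;
    off_t   inherited_limit;
    int     debug_me = 0;
    int     ch;
    int     fd;
    int     n;
    int     test_lock = 0;
    VSTRING *why;
    WATCHDOG *watchdog;
    ARGV   *import_env;
    int     wait_flag = 0;
    int     monitor_fd = -1;

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Initialize. With this umask, nothing created by this process is
     * group- or world-accessible; note that the 0644 modes requested for
     * the lock files below are clipped to 0600 on creation (assuming
     * open_lock() does not reset the umask - TODO confirm).
     */
    umask(077);					/* never fails! */

    /*
     * Process environment options as early as we can.
     */
    if (getenv(CONF_ENV_VERB))
	msg_verbose = 1;
    if (getenv(CONF_ENV_DEBUG))
	debug_me = 1;

    /*
     * Don't die when a process goes away unexpectedly.
     */
    signal(SIGPIPE, SIG_IGN);

    /*
     * Strip and save the process name for diagnostics etc.
     */
    var_procname = mystrdup(basename(argv[0]));

    /*
     * When running a child process, don't leak any open files that were
     * leaked to us by our own (privileged) parent process. Descriptors 0-2
     * are taken care of after we have initialized error logging.
     * 
     * Some systems such as AIX have a huge per-process open file limit. In
     * those cases, limit the search for potential file descriptor leaks to
     * just the first couple hundred.
     * 
     * The Debian post-installation script passes an open file descriptor into
     * the master process and waits forever for someone to close it. Because
     * of this we have to close descriptors > 2, and pray that doing so does
     * not break things.
     */
    closefrom(3);

    /*
     * Initialize logging and exit handler.
     */
    msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);

    /*
     * Check the Postfix library version as soon as we enable logging.
     */
    MAIL_VERSION_CHECK;

    /*
     * The mail system must be run by the superuser so it can revoke
     * privileges for selected operations. That's right - it takes privileges
     * to toss privileges.
     * 
     * These two checks come before option parsing on purpose: -c exports a
     * configuration directory to every child process, and that must only
     * ever be chosen by the superuser running this command directly.
     */
    if (getuid() != 0)
	msg_fatal("the master command is reserved for the superuser");
    if (unsafe() != 0)
	msg_fatal("the master command must not run as a set-uid process");

    /*
     * Process JCL.
     */
    while ((ch = GETOPT(argc, argv, "c:Dde:tvw")) > 0) {
	switch (ch) {
	case 'c':
	    /* Inherited by child processes through the environment. */
	    if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
		msg_fatal("out of memory");
	    break;
	case 'd':
	    master_detach = 0;
	    break;
	case 'e':
	    event_request_timer(master_exit_event, (void *) 0,
				parse_exit_time(optarg));
	    break;
	case 'D':
	    debug_me = 1;
	    break;
	case 't':
	    test_lock = 1;
	    break;
	case 'v':
	    msg_verbose++;
	    break;
	case 'w':
	    wait_flag = 1;
	    break;
	default:
	    usage(argv[0]);
	    /* NOTREACHED */
	}
    }

    /*
     * This program takes no other arguments.
     */
    if (argc > optind)
	usage(argv[0]);

    /*
     * Sanity check.
     */
    if (test_lock && wait_flag)
	msg_fatal("the -t and -w options cannot be used together");

    /*
     * Run a foreground monitor process that returns an exit status of 0 when
     * the child background process reports successful initialization as a
     * daemon process. We use a generous limit in case main/master.cf specify
     * symbolic hosts/ports and the naming service is slow.
     */
#define MASTER_INIT_TIMEOUT	100		/* keep this limit generous */

    if (wait_flag)
	monitor_fd = master_monitor(MASTER_INIT_TIMEOUT);

    /*
     * If started from a terminal, get rid of any tty association. This also
     * means that all errors and warnings must go to the syslog daemon.
     */
    if (master_detach)
	for (fd = 0; fd < 3; fd++) {
	    (void) close(fd);
	    if (open("/dev/null", O_RDWR, 0) != fd)
		msg_fatal("open /dev/null: %m");
	}

    /*
     * Run in a separate process group, so that "postfix stop" can terminate
     * all MTA processes cleanly. Give up if we can't separate from our
     * parent process. We're not supposed to blow away the parent.
     */
    if (debug_me == 0 && master_detach != 0 && setsid() == -1 && getsid(0) != getpid())
	msg_fatal("unable to set session and process group ID: %m");

    /*
     * Make some room for plumbing with file descriptors. XXX This breaks
     * when a service listens on many ports. In order to do this right we
     * must change the master-child interface so that descriptors do not need
     * to have fixed numbers.
     * 
     * In a child we need two descriptors for the flow control pipe, one for
     * child->master status updates and at least one for listening.
     * 
     * The placeholders are close-on-exec so that they never leak into a
     * child process as real descriptors.
     */
    for (n = 0; n < 5; n++) {
	if (close_on_exec(dup(0), CLOSE_ON_EXEC) < 0)
	    msg_fatal("dup(0): %m");
    }

    /*
     * Final initializations. Unfortunately, we must read the global Postfix
     * configuration file after doing command-line processing, so that we get
     * consistent results when we SIGHUP the server to reload configuration
     * files.
     */
    master_vars_init();

    /*
     * In case of multi-protocol support. This needs to be done because
     * master does not invoke mail_params_init() (it was written before that
     * code existed).
     */
    (void) inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols);

    /*
     * Environment import filter, to enforce consistent behavior whether
     * Postfix is started by hand, or at system boot time. Only the names in
     * import_environment survive into this process and its children.
     */
    import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
    clean_env(import_env->argv);
    argv_free(import_env);

    /*
     * Normalize the inherited file size limit (presumably a negative value
     * means "unlimited" - see get_file_limit()).
     */
    if ((inherited_limit = get_file_limit()) < 0)
	set_file_limit(OFF_T_MAX);

    if (chdir(var_queue_dir))
	msg_fatal("chdir %s: %m", var_queue_dir);

    /*
     * Lock down the master.pid file. In test mode, no file means that it
     * isn't locked, and we report only whether the exclusive lock could be
     * taken: exit 0 means "no master running", exit 1 means "locked".
     */
    lock_path = vstring_alloc(10);
    data_lock_path = vstring_alloc(10);
    why = vstring_alloc(10);

    vstring_sprintf(lock_path, "%s/%s.pid", DEF_PID_DIR, var_procname);
    if (test_lock && access(vstring_str(lock_path), F_OK) < 0)
	exit(0);
    lock_fp = open_lock(vstring_str(lock_path), O_RDWR | O_CREAT, 0644, why);
    if (test_lock)
	exit(lock_fp ? 0 : 1);
    if (lock_fp == 0)
	msg_fatal("open lock file %s: %s",
		  vstring_str(lock_path), vstring_str(why));
    vstream_fprintf(lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
		    (unsigned long) var_pid);
    if (vstream_fflush(lock_fp))
	msg_fatal("cannot update lock file %s: %m", vstring_str(lock_path));
    close_on_exec(vstream_fileno(lock_fp), CLOSE_ON_EXEC);

    /*
     * Lock down the Postfix-writable data directory. The lock file is
     * created while running with the mail_owner effective uid/gid, so that
     * a file created in the postfix-owned data directory is not owned by
     * root; privileges are restored right after the open.
     */
    vstring_sprintf(data_lock_path, "%s/%s.lock", var_data_dir, var_procname);
    set_eugid(var_owner_uid, var_owner_gid);
    data_lock_fp =
	open_lock(vstring_str(data_lock_path), O_RDWR | O_CREAT, 0644, why);
    set_ugid(getuid(), getgid());
    if (data_lock_fp == 0)
	msg_fatal("open lock file %s: %s",
		  vstring_str(data_lock_path), vstring_str(why));
    vstream_fprintf(data_lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
		    (unsigned long) var_pid);
    if (vstream_fflush(data_lock_fp))
	msg_fatal("cannot update lock file %s: %m", vstring_str(data_lock_path));
    close_on_exec(vstream_fileno(data_lock_fp), CLOSE_ON_EXEC);

    /*
     * Clean up.
     */
    vstring_free(why);
    vstring_free(lock_path);
    vstring_free(data_lock_path);

    /*
     * Optionally start the debugger on ourself. This executes the
     * debugger_command from main.cf, still as root.
     */
    if (debug_me)
	debug_process();

    /*
     * Finish initialization, last part. We must process configuration files
     * after processing command-line parameters, so that we get consistent
     * results when we SIGHUP the server to reload configuration files.
     */
    master_config();
    master_sigsetup();
    master_flow_init();
    msg_info("daemon started -- version %s, configuration %s",
	     var_mail_version, var_config_dir);

    /*
     * Report successful initialization to the foreground monitor process.
     * The master itself is fine at this point, so a failure to deliver the
     * one-byte "ready" token (e.g. the monitor went away; SIGPIPE is
     * ignored, so we see EPIPE instead of dying) is worth a warning but is
     * not a reason to abort.
     */
    if (monitor_fd >= 0) {
	if (write(monitor_fd, "", 1) != 1)
	    msg_warn("cannot notify foreground monitor process: %m");
	(void) close(monitor_fd);
    }

    /*
     * Process events. The event handler will execute the read/write/timer
     * action routines. Whenever something has happened, see if we received
     * any signal in the mean time. Although the master process appears to do
     * multiple things at the same time, it really is all a single thread, so
     * that there are no concurrency conflicts within the master process.
     * 
     * Signal handlers only set the master_gotsighup/master_gotsigchld flags;
     * the real work happens here, in the main loop, after event_loop()
     * returns. The flags are cleared before the work is done so that a
     * signal arriving in the mean time is not lost.
     */
#define MASTER_WATCHDOG_TIME	1000

    watchdog = watchdog_create(MASTER_WATCHDOG_TIME, (WATCHDOG_FN) 0, (void *) 0);
    for (;;) {
#ifdef HAS_VOLATILE_LOCKS
	if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
		    MYFLOCK_OP_EXCLUSIVE) < 0)
	    msg_fatal("refresh exclusive lock: %m");
	if (myflock(vstream_fileno(data_lock_fp), INTERNAL_LOCK,
		    MYFLOCK_OP_EXCLUSIVE) < 0)
	    msg_fatal("refresh exclusive lock: %m");
#endif
	watchdog_start(watchdog);		/* same as trigger servers */
	event_loop(MASTER_WATCHDOG_TIME / 2);
	if (master_gotsighup) {
	    msg_info("reload -- version %s, configuration %s",
		     var_mail_version, var_config_dir);
	    master_gotsighup = 0;		/* this first */
	    master_vars_init();			/* then this */
	    master_refresh();			/* then this */
	}
	if (master_gotsigchld) {
	    if (msg_verbose)
		msg_info("got sigchld");
	    master_gotsigchld = 0;		/* this first */
	    master_reap_child();		/* then this */
	}
    }
}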