1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * zlogin provides three types of login which allow users in the global
27 * zone to access non-global zones.
28 *
29 * - "interactive login" is similar to rlogin(1); for example, the user could
30 * issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
31 * granted a new pty (which is then shoved into the zone), and an I/O
32 * loop between parent and child processes takes care of the interactive
33 * session. In this mode, login(1) (and its -c option, which means
34 * "already authenticated") is employed to take care of the initialization
35 * of the user's session.
36 *
37 * - "non-interactive login" is similar to su(1M); the user could issue
38 * 'zlogin my-zone ls -l' and the command would be run as specified.
39 * In this mode, zlogin sets up pipes as the communication channel, and
40 * 'su' is used to do the login setup work.
41 *
42 * - "console login" is the equivalent to accessing the tip line for a
43 * zone. For example, the user can issue 'zlogin -C my-zone'.
44 * In this mode, zlogin contacts the zoneadmd process via unix domain
45 * socket. If zoneadmd is not running, it starts it. This allows the
46 * console to be available anytime the zone is installed, regardless of
47 * whether it is running.
48 */
49
50 #include <sys/socket.h>
51 #include <sys/termios.h>
52 #include <sys/utsname.h>
53 #include <sys/stat.h>
54 #include <sys/types.h>
55 #include <sys/contract/process.h>
56 #include <sys/ctfs.h>
57 #include <sys/brand.h>
58 #include <sys/wait.h>
59 #include <alloca.h>
60 #include <assert.h>
61 #include <ctype.h>
62 #include <door.h>
63 #include <errno.h>
64 #include <nss_dbdefs.h>
65 #include <poll.h>
66 #include <priv.h>
67 #include <pwd.h>
68 #include <unistd.h>
69 #include <utmpx.h>
70 #include <sac.h>
71 #include <signal.h>
72 #include <stdarg.h>
73 #include <stdio.h>
74 #include <stdlib.h>
75 #include <string.h>
76 #include <strings.h>
77 #include <stropts.h>
78 #include <wait.h>
79 #include <zone.h>
80 #include <fcntl.h>
81 #include <libdevinfo.h>
82 #include <libintl.h>
83 #include <locale.h>
84 #include <libzonecfg.h>
85 #include <libcontract.h>
86 #include <libbrand.h>
87 #include <auth_list.h>
88 #include <auth_attr.h>
89 #include <secdb.h>
90
91 static int masterfd;
92 static struct termios save_termios;
93 static struct termios effective_termios;
94 static int save_fd;
95 static struct winsize winsize;
96 static volatile int dead;
97 static volatile pid_t child_pid = -1;
98 static int interactive = 0;
99 static priv_set_t *dropprivs;
100
101 static int nocmdchar = 0;
102 static int failsafe = 0;
103 static char cmdchar = '~';
104
105 static int pollerr = 0;
106
107 static const char *pname;
108 static char *username;
109
110 /*
111 * When forced_login is true, the user is not prompted
112 * for an authentication password in the target zone.
113 */
114 static boolean_t forced_login = B_FALSE;
115
116 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
117 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
118 #endif
119
120 #define SUPATH "/usr/bin/su"
121 #define FAILSAFESHELL "/sbin/sh"
122 #define DEFAULTSHELL "/sbin/sh"
123 #define DEF_PATH "/usr/sbin:/usr/bin"
124
125 #define CLUSTER_BRAND_NAME "cluster"
126
127 /*
128 * The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
129 * out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
130 * than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
131 * also chosen in conjunction with the HI_WATER setting to make sure we
132 * don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
133 * blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
134 * know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
135 * is less than HI_WATER data already in the pipe.
136 */
137 #define ZLOGIN_BUFSIZ 8192
138 #define ZLOGIN_RDBUFSIZ 1024
139 #define HI_WATER 8192
140
141 /*
142 * See canonify() below. CANONIFY_LEN is the maximum length that a
143 * "canonical" sequence will expand to (backslash, three octal digits, NUL).
144 */
145 #define CANONIFY_LEN 5
146
147 static void
usage(void)148 usage(void)
149 {
150 (void) fprintf(stderr, gettext("usage: %s [ -CES ] [ -e cmdchar ] "
151 "[-l user] zonename [command [args ...] ]\n"), pname);
152 exit(2);
153 }
154
155 static const char *
getpname(const char * arg0)156 getpname(const char *arg0)
157 {
158 const char *p = strrchr(arg0, '/');
159
160 if (p == NULL)
161 p = arg0;
162 else
163 p++;
164
165 pname = p;
166 return (p);
167 }
168
169 static void
zerror(const char * fmt,...)170 zerror(const char *fmt, ...)
171 {
172 va_list alist;
173
174 (void) fprintf(stderr, "%s: ", pname);
175 va_start(alist, fmt);
176 (void) vfprintf(stderr, fmt, alist);
177 va_end(alist);
178 (void) fprintf(stderr, "\n");
179 }
180
181 static void
zperror(const char * str)182 zperror(const char *str)
183 {
184 const char *estr;
185
186 if ((estr = strerror(errno)) != NULL)
187 (void) fprintf(stderr, "%s: %s: %s\n", pname, str, estr);
188 else
189 (void) fprintf(stderr, "%s: %s: errno %d\n", pname, str, errno);
190 }
191
192 /*
193 * The first part of our privilege dropping scheme needs to be called before
194 * fork(), since we must have it for security; we don't want to be surprised
195 * later that we couldn't allocate the privset.
196 */
197 static int
prefork_dropprivs()198 prefork_dropprivs()
199 {
200 if ((dropprivs = priv_allocset()) == NULL)
201 return (1);
202
203 priv_basicset(dropprivs);
204 (void) priv_delset(dropprivs, PRIV_PROC_INFO);
205 (void) priv_delset(dropprivs, PRIV_PROC_FORK);
206 (void) priv_delset(dropprivs, PRIV_PROC_EXEC);
207 (void) priv_delset(dropprivs, PRIV_FILE_LINK_ANY);
208
209 /*
210 * We need to keep the basic privilege PROC_SESSION and all unknown
211 * basic privileges as well as the privileges PROC_ZONE and
212 * PROC_OWNER in order to query session information and
213 * send signals.
214 */
215 if (interactive == 0) {
216 (void) priv_addset(dropprivs, PRIV_PROC_ZONE);
217 (void) priv_addset(dropprivs, PRIV_PROC_OWNER);
218 } else {
219 (void) priv_delset(dropprivs, PRIV_PROC_SESSION);
220 }
221
222 return (0);
223 }
224
225 /*
226 * The second part of the privilege drop. We are paranoid about being attacked
227 * by the zone, so we drop all privileges. This should prevent a compromise
228 * which gets us to fork(), exec(), symlink(), etc.
229 */
230 static void
postfork_dropprivs()231 postfork_dropprivs()
232 {
233 if ((setppriv(PRIV_SET, PRIV_PERMITTED, dropprivs)) == -1) {
234 zperror(gettext("Warning: could not set permitted privileges"));
235 }
236 if ((setppriv(PRIV_SET, PRIV_LIMIT, dropprivs)) == -1) {
237 zperror(gettext("Warning: could not set limit privileges"));
238 }
239 if ((setppriv(PRIV_SET, PRIV_INHERITABLE, dropprivs)) == -1) {
240 zperror(gettext("Warning: could not set inheritable "
241 "privileges"));
242 }
243 }
244
245 /*
246 * Create the unix domain socket and call the zoneadmd server; handshake
247 * with it to determine whether it will allow us to connect.
248 */
249 static int
get_console_master(const char * zname)250 get_console_master(const char *zname)
251 {
252 int sockfd = -1;
253 struct sockaddr_un servaddr;
254 char clientid[MAXPATHLEN];
255 char handshake[MAXPATHLEN], c;
256 int msglen;
257 int i = 0, err = 0;
258
259 if ((sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
260 zperror(gettext("could not create socket"));
261 return (-1);
262 }
263
264 bzero(&servaddr, sizeof (servaddr));
265 servaddr.sun_family = AF_UNIX;
266 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
267 "%s/%s.console_sock", ZONES_TMPDIR, zname);
268
269 if (connect(sockfd, (struct sockaddr *)&servaddr,
270 sizeof (servaddr)) == -1) {
271 zperror(gettext("Could not connect to zone console"));
272 goto bad;
273 }
274 masterfd = sockfd;
275
276 msglen = snprintf(clientid, sizeof (clientid), "IDENT %lu %s\n",
277 getpid(), setlocale(LC_MESSAGES, NULL));
278
279 if (msglen >= sizeof (clientid) || msglen < 0) {
280 zerror("protocol error");
281 goto bad;
282 }
283
284 if (write(masterfd, clientid, msglen) != msglen) {
285 zerror("protocol error");
286 goto bad;
287 }
288
289 bzero(handshake, sizeof (handshake));
290
291 /*
292 * Take care not to accumulate more than our fill, and leave room for
293 * the NUL at the end.
294 */
295 while ((err = read(masterfd, &c, 1)) == 1) {
296 if (i >= (sizeof (handshake) - 1))
297 break;
298 if (c == '\n')
299 break;
300 handshake[i] = c;
301 i++;
302 }
303
304 /*
305 * If something went wrong during the handshake we bail; perhaps
306 * the server died off.
307 */
308 if (err == -1) {
309 zperror(gettext("Could not connect to zone console"));
310 goto bad;
311 }
312
313 if (strncmp(handshake, "OK", sizeof (handshake)) == 0)
314 return (0);
315
316 zerror(gettext("Console is already in use by process ID %s."),
317 handshake);
318 bad:
319 (void) close(sockfd);
320 masterfd = -1;
321 return (-1);
322 }
323
324
325 /*
326 * Routines to handle pty creation upon zone entry and to shuttle I/O back
327 * and forth between the two terminals. We also compute and store the
328 * name of the slave terminal associated with the master side.
329 */
330 static int
get_master_pty()331 get_master_pty()
332 {
333 if ((masterfd = open("/dev/ptmx", O_RDWR|O_NONBLOCK)) < 0) {
334 zperror(gettext("failed to obtain a pseudo-tty"));
335 return (-1);
336 }
337 if (tcgetattr(STDIN_FILENO, &save_termios) == -1) {
338 zperror(gettext("failed to get terminal settings from stdin"));
339 return (-1);
340 }
341 (void) ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&winsize);
342
343 return (0);
344 }
345
346 /*
347 * This is a bit tricky; normally a pts device will belong to the zone it
348 * is granted to. But in the case of "entering" a zone, we need to establish
349 * the pty before entering the zone so that we can vector I/O to and from it
350 * from the global zone.
351 *
352 * We use the zonept() call to let the ptm driver know what we are up to;
353 * the only other hairy bit is the setting of zoneslavename (which happens
354 * above, in get_master_pty()).
355 */
356 static int
init_slave_pty(zoneid_t zoneid,char * devroot)357 init_slave_pty(zoneid_t zoneid, char *devroot)
358 {
359 int slavefd = -1;
360 char *slavename, zoneslavename[MAXPATHLEN];
361
362 /*
363 * Set slave permissions, zone the pts, then unlock it.
364 */
365 if (grantpt(masterfd) != 0) {
366 zperror(gettext("grantpt failed"));
367 return (-1);
368 }
369
370 if (unlockpt(masterfd) != 0) {
371 zperror(gettext("unlockpt failed"));
372 return (-1);
373 }
374
375 /*
376 * We must open the slave side before zoning this pty; otherwise
377 * the kernel would refuse us the open-- zoning a pty makes it
378 * inaccessible to the global zone. Note we are trying to open
379 * the device node via the $ZONEROOT/dev path for this pty.
380 *
381 * Later we'll close the slave out when once we've opened it again
382 * from within the target zone. Blarg.
383 */
384 if ((slavename = ptsname(masterfd)) == NULL) {
385 zperror(gettext("failed to get name for pseudo-tty"));
386 return (-1);
387 }
388
389 (void) snprintf(zoneslavename, sizeof (zoneslavename), "%s%s",
390 devroot, slavename);
391
392 if ((slavefd = open(zoneslavename, O_RDWR)) < 0) {
393 zerror(gettext("failed to open %s: %s"), zoneslavename,
394 strerror(errno));
395 return (-1);
396 }
397
398 /*
399 * Push hardware emulation (ptem), line discipline (ldterm),
400 * and V7/4BSD/Xenix compatibility (ttcompat) modules.
401 */
402 if (ioctl(slavefd, I_PUSH, "ptem") == -1) {
403 zperror(gettext("failed to push ptem module"));
404 if (!failsafe)
405 goto bad;
406 }
407
408 /*
409 * Anchor the stream to prevent malicious I_POPs; we prefer to do
410 * this prior to entering the zone so that we can detect any errors
411 * early, and so that we can set the anchor from the global zone.
412 */
413 if (ioctl(slavefd, I_ANCHOR) == -1) {
414 zperror(gettext("failed to set stream anchor"));
415 if (!failsafe)
416 goto bad;
417 }
418
419 if (ioctl(slavefd, I_PUSH, "ldterm") == -1) {
420 zperror(gettext("failed to push ldterm module"));
421 if (!failsafe)
422 goto bad;
423 }
424 if (ioctl(slavefd, I_PUSH, "ttcompat") == -1) {
425 zperror(gettext("failed to push ttcompat module"));
426 if (!failsafe)
427 goto bad;
428 }
429
430 /*
431 * Propagate terminal settings from the external term to the new one.
432 */
433 if (tcsetattr(slavefd, TCSAFLUSH, &save_termios) == -1) {
434 zperror(gettext("failed to set terminal settings"));
435 if (!failsafe)
436 goto bad;
437 }
438 (void) ioctl(slavefd, TIOCSWINSZ, (char *)&winsize);
439
440 if (zonept(masterfd, zoneid) != 0) {
441 zperror(gettext("could not set zoneid of pty"));
442 goto bad;
443 }
444
445 return (slavefd);
446
447 bad:
448 (void) close(slavefd);
449 return (-1);
450 }
451
452 /*
453 * Place terminal into raw mode.
454 */
455 static int
set_tty_rawmode(int fd)456 set_tty_rawmode(int fd)
457 {
458 struct termios term;
459 if (tcgetattr(fd, &term) < 0) {
460 zperror(gettext("failed to get user terminal settings"));
461 return (-1);
462 }
463
464 /* Stash for later, so we can revert back to previous mode */
465 save_termios = term;
466 save_fd = fd;
467
468 /* disable 8->7 bit strip, start/stop, enable any char to restart */
469 term.c_iflag &= ~(ISTRIP|IXON|IXANY);
470 /* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
471 term.c_iflag &= ~(INLCR|ICRNL|IGNCR|IUCLC);
472 /* disable output post-processing */
473 term.c_oflag &= ~OPOST;
474 /* disable canonical mode, signal chars, echo & extended functions */
475 term.c_lflag &= ~(ICANON|ISIG|ECHO|IEXTEN);
476
477 term.c_cc[VMIN] = 1; /* byte-at-a-time */
478 term.c_cc[VTIME] = 0;
479
480 if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term)) {
481 zperror(gettext("failed to set user terminal to raw mode"));
482 return (-1);
483 }
484
485 /*
486 * We need to know the value of VEOF so that we can properly process for
487 * client-side ~<EOF>. But we have obliterated VEOF in term,
488 * because VMIN overloads the same array slot in non-canonical mode.
489 * Stupid @&^%!
490 *
491 * So here we construct the "effective" termios from the current
492 * terminal settings, and the corrected VEOF and VEOL settings.
493 */
494 if (tcgetattr(STDIN_FILENO, &effective_termios) < 0) {
495 zperror(gettext("failed to get user terminal settings"));
496 return (-1);
497 }
498 effective_termios.c_cc[VEOF] = save_termios.c_cc[VEOF];
499 effective_termios.c_cc[VEOL] = save_termios.c_cc[VEOL];
500
501 return (0);
502 }
503
504 /*
505 * Copy terminal window size from our terminal to the pts.
506 */
507 /*ARGSUSED*/
508 static void
sigwinch(int s)509 sigwinch(int s)
510 {
511 struct winsize ws;
512
513 if (ioctl(0, TIOCGWINSZ, &ws) == 0)
514 (void) ioctl(masterfd, TIOCSWINSZ, &ws);
515 }
516
517 static volatile int close_on_sig = -1;
518
519 static void
520 /*ARGSUSED*/
sigcld(int s)521 sigcld(int s)
522 {
523 int status;
524 pid_t pid;
525
526 /*
527 * Peek at the exit status. If this isn't the process we cared
528 * about, then just reap it.
529 */
530 if ((pid = waitpid(child_pid, &status, WNOHANG|WNOWAIT)) != -1) {
531 if (pid == child_pid &&
532 (WIFEXITED(status) || WIFSIGNALED(status))) {
533 dead = 1;
534 if (close_on_sig != -1) {
535 (void) write(close_on_sig, "a", 1);
536 (void) close(close_on_sig);
537 close_on_sig = -1;
538 }
539 } else {
540 (void) waitpid(pid, &status, WNOHANG);
541 }
542 }
543 }
544
545 /*
546 * Some signals (currently, SIGINT) must be forwarded on to the process
547 * group of the child process.
548 */
549 static void
sig_forward(int s)550 sig_forward(int s)
551 {
552 if (child_pid != -1) {
553 pid_t pgid = getpgid(child_pid);
554 if (pgid != -1)
555 (void) sigsend(P_PGID, pgid, s);
556 }
557 }
558
559 /*
560 * reset terminal settings for global environment
561 */
562 static void
reset_tty()563 reset_tty()
564 {
565 (void) tcsetattr(save_fd, TCSADRAIN, &save_termios);
566 }
567
568 /*
569 * Convert character to printable representation, for display with locally
570 * echoed command characters (like when we need to display ~^D)
571 */
572 static void
canonify(char c,char * cc)573 canonify(char c, char *cc)
574 {
575 if (isprint(c)) {
576 cc[0] = c;
577 cc[1] = '\0';
578 } else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
579 cc[0] = '^';
580 cc[1] = c + '@';
581 cc[2] = '\0';
582 } else {
583 cc[0] = '\\';
584 cc[1] = ((c >> 6) & 7) + '0';
585 cc[2] = ((c >> 3) & 7) + '0';
586 cc[3] = (c & 7) + '0';
587 cc[4] = '\0';
588 }
589 }
590
591 /*
592 * process_user_input watches the input stream for the escape sequence for
593 * 'quit' (by default, tilde-period). Because we might be fed just one
594 * keystroke at a time, state associated with the user input (are we at the
595 * beginning of the line? are we locally echoing the next character?) is
596 * maintained by beginning_of_line and local_echo across calls to the routine.
597 * If the write to outfd fails, we'll try to read from infd in an attempt
598 * to prevent deadlock between the two processes.
599 *
600 * This routine returns -1 when the 'quit' escape sequence has been issued,
601 * or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
602 */
603 static int
process_user_input(int outfd,int infd)604 process_user_input(int outfd, int infd)
605 {
606 static boolean_t beginning_of_line = B_TRUE;
607 static boolean_t local_echo = B_FALSE;
608 char ibuf[ZLOGIN_BUFSIZ];
609 int nbytes;
610 char *buf = ibuf;
611 char c = *buf;
612
613 nbytes = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
614 if (nbytes == -1 && (errno != EINTR || dead))
615 return (-1);
616
617 if (nbytes == -1) /* The read was interrupted. */
618 return (0);
619
620 /* 0 read means EOF, close the pipe to the child */
621 if (nbytes == 0)
622 return (1);
623
624 for (c = *buf; nbytes > 0; c = *buf, --nbytes) {
625 buf++;
626 if (beginning_of_line && !nocmdchar) {
627 beginning_of_line = B_FALSE;
628 if (c == cmdchar) {
629 local_echo = B_TRUE;
630 continue;
631 }
632 } else if (local_echo) {
633 local_echo = B_FALSE;
634 if (c == '.' || c == effective_termios.c_cc[VEOF]) {
635 char cc[CANONIFY_LEN];
636
637 canonify(c, cc);
638 (void) write(STDOUT_FILENO, &cmdchar, 1);
639 (void) write(STDOUT_FILENO, cc, strlen(cc));
640 return (-1);
641 }
642 }
643 retry:
644 if (write(outfd, &c, 1) <= 0) {
645 /*
646 * Since the fd we are writing to is opened with
647 * O_NONBLOCK it is possible to get EAGAIN if the
648 * pipe is full. One way this could happen is if we
649 * are writing a lot of data into the pipe in this loop
650 * and the application on the other end is echoing that
651 * data back out to its stdout. The output pipe can
652 * fill up since we are stuck here in this loop and not
653 * draining the other pipe. We can try to read some of
654 * the data to see if we can drain the pipe so that the
655 * application can continue to make progress. The read
656 * is non-blocking so we won't hang here. We also wait
657 * a bit before retrying since there could be other
658 * reasons why the pipe is full and we don't want to
659 * continuously retry.
660 */
661 if (errno == EAGAIN) {
662 struct timespec rqtp;
663 int ln;
664 char obuf[ZLOGIN_BUFSIZ];
665
666 if ((ln = read(infd, obuf, ZLOGIN_BUFSIZ)) > 0)
667 (void) write(STDOUT_FILENO, obuf, ln);
668
669 /* sleep for 10 milliseconds */
670 rqtp.tv_sec = 0;
671 rqtp.tv_nsec = 10 * (NANOSEC / MILLISEC);
672 (void) nanosleep(&rqtp, NULL);
673 if (!dead)
674 goto retry;
675 }
676
677 return (-1);
678 }
679 beginning_of_line = (c == '\r' || c == '\n' ||
680 c == effective_termios.c_cc[VKILL] ||
681 c == effective_termios.c_cc[VEOL] ||
682 c == effective_termios.c_cc[VSUSP] ||
683 c == effective_termios.c_cc[VINTR]);
684 }
685 return (0);
686 }
687
688 /*
689 * This function prevents deadlock between zlogin and the application in the
690 * zone that it is talking to. This can happen when we read from zlogin's
691 * stdin and write the data down the pipe to the application. If the pipe
692 * is full, we'll block in the write. Because zlogin could be blocked in
693 * the write, it would never read the application's stdout/stderr so the
694 * application can then block on those writes (when the pipe fills up). If the
695 * the application gets blocked this way, it can never get around to reading
696 * its stdin so that zlogin can unblock from its write. Once in this state,
697 * the two processes are deadlocked.
698 *
699 * To prevent this, we want to verify that we can write into the pipe before we
700 * read from our stdin. If the pipe already is pretty full, we bypass the read
701 * for now. We'll circle back here again after the poll() so that we can
702 * try again. When this function is called, we already know there is data
703 * ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
704 * stdin is EOF, and 0 if everything is ok (even though we might not have
705 * read/written any data into the pipe on this iteration).
706 */
707 static int
process_raw_input(int stdin_fd,int appin_fd)708 process_raw_input(int stdin_fd, int appin_fd)
709 {
710 int cc;
711 struct stat64 sb;
712 char ibuf[ZLOGIN_RDBUFSIZ];
713
714 /* Check how much data is already in the pipe */
715 if (fstat64(appin_fd, &sb) == -1) {
716 perror("stat failed");
717 return (-1);
718 }
719
720 if (dead)
721 return (-1);
722
723 /*
724 * The pipe already has a lot of data in it, don't write any more
725 * right now.
726 */
727 if (sb.st_size >= HI_WATER)
728 return (0);
729
730 cc = read(STDIN_FILENO, ibuf, ZLOGIN_RDBUFSIZ);
731 if (cc == -1 && (errno != EINTR || dead))
732 return (-1);
733
734 if (cc == -1) /* The read was interrupted. */
735 return (0);
736
737 /* 0 read means EOF, close the pipe to the child */
738 if (cc == 0)
739 return (1);
740
741 /*
742 * stdin_fd is stdin of the target; so, the thing we'll write the user
743 * data *to*.
744 */
745 if (write(stdin_fd, ibuf, cc) == -1)
746 return (-1);
747
748 return (0);
749 }
750
751 /*
752 * Write the output from the application running in the zone. We can get
753 * a signal during the write (usually it would be SIGCHLD when the application
754 * has exited) so we loop to make sure we have written all of the data we read.
755 */
756 static int
process_output(int in_fd,int out_fd)757 process_output(int in_fd, int out_fd)
758 {
759 int wrote = 0;
760 int cc;
761 char ibuf[ZLOGIN_BUFSIZ];
762
763 cc = read(in_fd, ibuf, ZLOGIN_BUFSIZ);
764 if (cc == -1 && (errno != EINTR || dead))
765 return (-1);
766 if (cc == 0) /* EOF */
767 return (-1);
768 if (cc == -1) /* The read was interrupted. */
769 return (0);
770
771 do {
772 int len;
773
774 len = write(out_fd, ibuf + wrote, cc - wrote);
775 if (len == -1 && errno != EINTR)
776 return (-1);
777 if (len != -1)
778 wrote += len;
779 } while (wrote < cc);
780
781 return (0);
782 }
783
784 /*
785 * This is the main I/O loop, and is shared across all zlogin modes.
786 * Parameters:
787 * stdin_fd: The fd representing 'stdin' for the slave side; input to
788 * the zone will be written here.
789 *
790 * appin_fd: The fd representing the other end of the 'stdin' pipe (when
791 * we're running non-interactive); used in process_raw_input
792 * to ensure we don't fill up the application's stdin pipe.
793 *
794 * stdout_fd: The fd representing 'stdout' for the slave side; output
795 * from the zone will arrive here.
796 *
797 * stderr_fd: The fd representing 'stderr' for the slave side; output
798 * from the zone will arrive here.
799 *
800 * raw_mode: If TRUE, then no processing (for example, for '~.') will
801 * be performed on the input coming from STDIN.
802 *
803 * stderr_fd may be specified as -1 if there is no stderr (only non-interactive
804 * mode supplies a stderr).
805 *
806 */
807 static void
doio(int stdin_fd,int appin_fd,int stdout_fd,int stderr_fd,int sig_fd,boolean_t raw_mode)808 doio(int stdin_fd, int appin_fd, int stdout_fd, int stderr_fd, int sig_fd,
809 boolean_t raw_mode)
810 {
811 struct pollfd pollfds[4];
812 char ibuf[ZLOGIN_BUFSIZ];
813 int cc, ret;
814
815 /* read from stdout of zone and write to stdout of global zone */
816 pollfds[0].fd = stdout_fd;
817 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
818
819 /* read from stderr of zone and write to stderr of global zone */
820 pollfds[1].fd = stderr_fd;
821 pollfds[1].events = pollfds[0].events;
822
823 /* read from stdin of global zone and write to stdin of zone */
824 pollfds[2].fd = STDIN_FILENO;
825 pollfds[2].events = pollfds[0].events;
826
827 /* read from signalling pipe so we know when child dies */
828 pollfds[3].fd = sig_fd;
829 pollfds[3].events = pollfds[0].events;
830
831 for (;;) {
832 pollfds[0].revents = pollfds[1].revents =
833 pollfds[2].revents = pollfds[3].revents = 0;
834
835 if (dead)
836 break;
837
838 /*
839 * There is a race condition here where we can receive the
840 * child death signal, set the dead flag, but since we have
841 * passed the test above, we would go into poll and hang.
842 * To avoid this we use the sig_fd as an additional poll fd.
843 * The signal handler writes into the other end of this pipe
844 * when the child dies so that the poll will always see that
845 * input and proceed. We just loop around at that point and
846 * then notice the dead flag.
847 */
848
849 ret = poll(pollfds,
850 sizeof (pollfds) / sizeof (struct pollfd), -1);
851
852 if (ret == -1 && errno != EINTR) {
853 perror("poll failed");
854 break;
855 }
856
857 if (errno == EINTR && dead) {
858 break;
859 }
860
861 /* event from master side stdout */
862 if (pollfds[0].revents) {
863 if (pollfds[0].revents &
864 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
865 if (process_output(stdout_fd, STDOUT_FILENO)
866 != 0)
867 break;
868 } else {
869 pollerr = pollfds[0].revents;
870 break;
871 }
872 }
873
874 /* event from master side stderr */
875 if (pollfds[1].revents) {
876 if (pollfds[1].revents &
877 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
878 if (process_output(stderr_fd, STDERR_FILENO)
879 != 0)
880 break;
881 } else {
882 pollerr = pollfds[1].revents;
883 break;
884 }
885 }
886
887 /* event from user STDIN side */
888 if (pollfds[2].revents) {
889 if (pollfds[2].revents &
890 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
891 /*
892 * stdin fd is stdin of the target; so,
893 * the thing we'll write the user data *to*.
894 *
895 * Also, unlike on the output side, we
896 * close the pipe on a zero-length message.
897 */
898 int res;
899
900 if (raw_mode)
901 res = process_raw_input(stdin_fd,
902 appin_fd);
903 else
904 res = process_user_input(stdin_fd,
905 stdout_fd);
906
907 if (res < 0)
908 break;
909 if (res > 0) {
910 /* EOF (close) child's stdin_fd */
911 pollfds[2].fd = -1;
912 while ((res = close(stdin_fd)) != 0 &&
913 errno == EINTR)
914 ;
915 if (res != 0)
916 break;
917 }
918
919 } else if (raw_mode && pollfds[2].revents & POLLHUP) {
920 /*
921 * It's OK to get a POLLHUP on STDIN-- it
922 * always happens if you do:
923 *
924 * echo foo | zlogin <zone> <command>
925 *
926 * We reset fd to -1 in this case to clear
927 * the condition and close the pipe (EOF) to
928 * the other side in order to wrap things up.
929 */
930 int res;
931
932 pollfds[2].fd = -1;
933 while ((res = close(stdin_fd)) != 0 &&
934 errno == EINTR)
935 ;
936 if (res != 0)
937 break;
938 } else {
939 pollerr = pollfds[2].revents;
940 break;
941 }
942 }
943 }
944
945 /*
946 * We are in the midst of dying, but try to poll with a short
947 * timeout to see if we can catch the last bit of I/O from the
948 * children.
949 */
950 retry:
951 pollfds[0].revents = pollfds[1].revents = 0;
952 (void) poll(pollfds, 2, 100);
953 if (pollfds[0].revents &
954 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
955 if ((cc = read(stdout_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
956 (void) write(STDOUT_FILENO, ibuf, cc);
957 goto retry;
958 }
959 }
960 if (pollfds[1].revents &
961 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
962 if ((cc = read(stderr_fd, ibuf, ZLOGIN_BUFSIZ)) > 0) {
963 (void) write(STDERR_FILENO, ibuf, cc);
964 goto retry;
965 }
966 }
967 }
968
969 /*
970 * Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
971 */
972 static const char *
zone_get_user_cmd(brand_handle_t bh,const char * login,char * user_cmd,size_t len)973 zone_get_user_cmd(brand_handle_t bh, const char *login, char *user_cmd,
974 size_t len)
975 {
976 bzero(user_cmd, sizeof (user_cmd));
977 if (brand_get_user_cmd(bh, login, user_cmd, len) != 0)
978 return (NULL);
979
980 return (user_cmd);
981 }
982
983 /* From libc */
984 extern int str2passwd(const char *, int, void *, char *, int);
985
986 /*
987 * exec() the user_cmd brand hook, and convert the output string to a
988 * struct passwd. This is to be called after zone_enter().
989 *
990 */
991 static struct passwd *
zone_get_user_pw(const char * user_cmd,struct passwd * pwent,char * pwbuf,int pwbuflen)992 zone_get_user_pw(const char *user_cmd, struct passwd *pwent, char *pwbuf,
993 int pwbuflen)
994 {
995 char pwline[NSS_BUFLEN_PASSWD];
996 char *cin = NULL;
997 FILE *fin;
998 int status;
999
1000 assert(getzoneid() != GLOBAL_ZONEID);
1001
1002 if ((fin = popen(user_cmd, "r")) == NULL)
1003 return (NULL);
1004
1005 while (cin == NULL && !feof(fin))
1006 cin = fgets(pwline, sizeof (pwline), fin);
1007
1008 if (cin == NULL) {
1009 (void) pclose(fin);
1010 return (NULL);
1011 }
1012
1013 status = pclose(fin);
1014 if (!WIFEXITED(status))
1015 return (NULL);
1016 if (WEXITSTATUS(status) != 0)
1017 return (NULL);
1018
1019 if (str2passwd(pwline, sizeof (pwline), pwent, pwbuf, pwbuflen) == 0)
1020 return (pwent);
1021 else
1022 return (NULL);
1023 }
1024
1025 static char **
zone_login_cmd(brand_handle_t bh,const char * login)1026 zone_login_cmd(brand_handle_t bh, const char *login)
1027 {
1028 static char result_buf[ARG_MAX];
1029 char **new_argv, *ptr, *lasts;
1030 int n, a;
1031
1032 /* Get the login command for the target zone. */
1033 bzero(result_buf, sizeof (result_buf));
1034
1035 if (forced_login) {
1036 if (brand_get_forcedlogin_cmd(bh, login,
1037 result_buf, sizeof (result_buf)) != 0)
1038 return (NULL);
1039 } else {
1040 if (brand_get_login_cmd(bh, login,
1041 result_buf, sizeof (result_buf)) != 0)
1042 return (NULL);
1043 }
1044
1045 /*
1046 * We got back a string that we'd like to execute. But since
1047 * we're not doing the execution via a shell we'll need to convert
1048 * the exec string to an array of strings. We'll do that here
1049 * but we're going to be very simplistic about it and break stuff
1050 * up based on spaces. We're not even going to support any kind
1051 * of quoting or escape characters. It's truly amazing that
1052 * there is no library function in OpenSolaris to do this for us.
1053 */
1054
1055 /*
1056 * Be paranoid. Since we're deliniating based on spaces make
1057 * sure there are no adjacent spaces.
1058 */
1059 if (strstr(result_buf, " ") != NULL)
1060 return (NULL);
1061
1062 /* Remove any trailing whitespace. */
1063 n = strlen(result_buf);
1064 if (result_buf[n - 1] == ' ')
1065 result_buf[n - 1] = '\0';
1066
1067 /* Count how many elements there are in the exec string. */
1068 ptr = result_buf;
1069 for (n = 2; ((ptr = strchr(ptr + 1, (int)' ')) != NULL); n++)
1070 ;
1071
1072 /* Allocate the argv array that we're going to return. */
1073 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1074 return (NULL);
1075
1076 /* Tokenize the exec string and return. */
1077 a = 0;
1078 new_argv[a++] = result_buf;
1079 if (n > 2) {
1080 (void) strtok_r(result_buf, " ", &lasts);
1081 while ((new_argv[a++] = strtok_r(NULL, " ", &lasts)) != NULL)
1082 ;
1083 } else {
1084 new_argv[a++] = NULL;
1085 }
1086 assert(n == a);
1087 return (new_argv);
1088 }
1089
1090 /*
1091 * Prepare argv array for exec'd process; if we're passing commands to the
1092 * new process, then use su(1M) to do the invocation. Otherwise, use
1093 * 'login -z <from_zonename> -f' (-z is an undocumented option which tells
1094 * login that we're coming from another zone, and to disregard its CONSOLE
1095 * checks).
1096 */
1097 static char **
prep_args(brand_handle_t bh,const char * login,char ** argv)1098 prep_args(brand_handle_t bh, const char *login, char **argv)
1099 {
1100 int argc = 0, a = 0, i, n = -1;
1101 char **new_argv;
1102
1103 if (argv != NULL) {
1104 size_t subshell_len = 1;
1105 char *subshell;
1106
1107 while (argv[argc] != NULL)
1108 argc++;
1109
1110 for (i = 0; i < argc; i++) {
1111 subshell_len += strlen(argv[i]) + 1;
1112 }
1113 if ((subshell = calloc(1, subshell_len)) == NULL)
1114 return (NULL);
1115
1116 for (i = 0; i < argc; i++) {
1117 (void) strcat(subshell, argv[i]);
1118 (void) strcat(subshell, " ");
1119 }
1120
1121 if (failsafe) {
1122 n = 4;
1123 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1124 return (NULL);
1125
1126 new_argv[a++] = FAILSAFESHELL;
1127 } else {
1128 n = 5;
1129 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1130 return (NULL);
1131
1132 new_argv[a++] = SUPATH;
1133 if (strcmp(login, "root") != 0) {
1134 new_argv[a++] = "-";
1135 n++;
1136 }
1137 new_argv[a++] = (char *)login;
1138 }
1139 new_argv[a++] = "-c";
1140 new_argv[a++] = subshell;
1141 new_argv[a++] = NULL;
1142 assert(a == n);
1143 } else {
1144 if (failsafe) {
1145 n = 2;
1146 if ((new_argv = malloc(sizeof (char *) * n)) == NULL)
1147 return (NULL);
1148 new_argv[a++] = FAILSAFESHELL;
1149 new_argv[a++] = NULL;
1150 assert(n == a);
1151 } else {
1152 new_argv = zone_login_cmd(bh, login);
1153 }
1154 }
1155
1156 return (new_argv);
1157 }
1158
1159 /*
1160 * Helper routine for prep_env below.
1161 */
1162 static char *
add_env(char * name,char * value)1163 add_env(char *name, char *value)
1164 {
1165 size_t sz = strlen(name) + strlen(value) + 2; /* name, =, value, NUL */
1166 char *str;
1167
1168 if ((str = malloc(sz)) == NULL)
1169 return (NULL);
1170
1171 (void) snprintf(str, sz, "%s=%s", name, value);
1172 return (str);
1173 }
1174
1175 /*
1176 * Prepare envp array for exec'd process.
1177 */
1178 static char **
prep_env()1179 prep_env()
1180 {
1181 int e = 0, size = 1;
1182 char **new_env, *estr;
1183 char *term = getenv("TERM");
1184
1185 size++; /* for $PATH */
1186 if (term != NULL)
1187 size++;
1188
1189 /*
1190 * In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
1191 * We also set $SHELL, since neither login nor su will be around to do
1192 * it.
1193 */
1194 if (failsafe)
1195 size += 2;
1196
1197 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1198 return (NULL);
1199
1200 if ((estr = add_env("PATH", DEF_PATH)) == NULL)
1201 return (NULL);
1202 new_env[e++] = estr;
1203
1204 if (term != NULL) {
1205 if ((estr = add_env("TERM", term)) == NULL)
1206 return (NULL);
1207 new_env[e++] = estr;
1208 }
1209
1210 if (failsafe) {
1211 if ((estr = add_env("HOME", "/")) == NULL)
1212 return (NULL);
1213 new_env[e++] = estr;
1214
1215 if ((estr = add_env("SHELL", FAILSAFESHELL)) == NULL)
1216 return (NULL);
1217 new_env[e++] = estr;
1218 }
1219
1220 new_env[e++] = NULL;
1221
1222 assert(e == size);
1223
1224 return (new_env);
1225 }
1226
1227 /*
1228 * Finish the preparation of the envp array for exec'd non-interactive
1229 * zlogins. This is called in the child process *after* we zone_enter(), since
1230 * it derives things we can only know within the zone, such as $HOME, $SHELL,
1231 * etc. We need only do this in the non-interactive, mode, since otherwise
1232 * login(1) will do it. We don't do this in failsafe mode, since it presents
1233 * additional ways in which the command could fail, and we'd prefer to avoid
1234 * that.
1235 */
1236 static char **
prep_env_noninteractive(const char * user_cmd,char ** env)1237 prep_env_noninteractive(const char *user_cmd, char **env)
1238 {
1239 size_t size;
1240 char **new_env;
1241 int e, i;
1242 char *estr;
1243 char varmail[LOGNAME_MAX + 11]; /* strlen(/var/mail/) = 10, NUL */
1244 char pwbuf[NSS_BUFLEN_PASSWD + 1];
1245 struct passwd pwent;
1246 struct passwd *pw = NULL;
1247
1248 assert(env != NULL);
1249 assert(failsafe == 0);
1250
1251 /*
1252 * Exec the "user_cmd" brand hook to get a pwent for the
1253 * login user. If this fails, HOME will be set to "/", SHELL
1254 * will be set to $DEFAULTSHELL, and we will continue to exec
1255 * SUPATH <login> -c <cmd>.
1256 */
1257 pw = zone_get_user_pw(user_cmd, &pwent, pwbuf, sizeof (pwbuf));
1258
1259 /*
1260 * Get existing envp size.
1261 */
1262 for (size = 0; env[size] != NULL; size++)
1263 ;
1264
1265 e = size;
1266
1267 /*
1268 * Finish filling out the environment; we duplicate the environment
1269 * setup described in login(1), for lack of a better precedent.
1270 */
1271 if (pw != NULL)
1272 size += 3; /* LOGNAME, HOME, MAIL */
1273 else
1274 size += 1; /* HOME */
1275
1276 size++; /* always fill in SHELL */
1277 size++; /* terminating NULL */
1278
1279 if ((new_env = malloc(sizeof (char *) * size)) == NULL)
1280 goto malloc_fail;
1281
1282 /*
1283 * Copy existing elements of env into new_env.
1284 */
1285 for (i = 0; env[i] != NULL; i++) {
1286 if ((new_env[i] = strdup(env[i])) == NULL)
1287 goto malloc_fail;
1288 }
1289 assert(e == i);
1290
1291 if (pw != NULL) {
1292 if ((estr = add_env("LOGNAME", pw->pw_name)) == NULL)
1293 goto malloc_fail;
1294 new_env[e++] = estr;
1295
1296 if ((estr = add_env("HOME", pw->pw_dir)) == NULL)
1297 goto malloc_fail;
1298 new_env[e++] = estr;
1299
1300 if (chdir(pw->pw_dir) != 0)
1301 zerror(gettext("Could not chdir to home directory "
1302 "%s: %s"), pw->pw_dir, strerror(errno));
1303
1304 (void) snprintf(varmail, sizeof (varmail), "/var/mail/%s",
1305 pw->pw_name);
1306 if ((estr = add_env("MAIL", varmail)) == NULL)
1307 goto malloc_fail;
1308 new_env[e++] = estr;
1309 } else {
1310 if ((estr = add_env("HOME", "/")) == NULL)
1311 goto malloc_fail;
1312 new_env[e++] = estr;
1313 }
1314
1315 if (pw != NULL && strlen(pw->pw_shell) > 0) {
1316 if ((estr = add_env("SHELL", pw->pw_shell)) == NULL)
1317 goto malloc_fail;
1318 new_env[e++] = estr;
1319 } else {
1320 if ((estr = add_env("SHELL", DEFAULTSHELL)) == NULL)
1321 goto malloc_fail;
1322 new_env[e++] = estr;
1323 }
1324
1325 new_env[e++] = NULL; /* add terminating NULL */
1326
1327 assert(e == size);
1328 return (new_env);
1329
1330 malloc_fail:
1331 zperror(gettext("failed to allocate memory for process environment"));
1332 return (NULL);
1333 }
1334
1335 static int
close_func(void * slavefd,int fd)1336 close_func(void *slavefd, int fd)
1337 {
1338 if (fd != *(int *)slavefd)
1339 (void) close(fd);
1340 return (0);
1341 }
1342
1343 static void
set_cmdchar(char * cmdcharstr)1344 set_cmdchar(char *cmdcharstr)
1345 {
1346 char c;
1347 long lc;
1348
1349 if ((c = *cmdcharstr) != '\\') {
1350 cmdchar = c;
1351 return;
1352 }
1353
1354 c = cmdcharstr[1];
1355 if (c == '\0' || c == '\\') {
1356 cmdchar = '\\';
1357 return;
1358 }
1359
1360 if (c < '0' || c > '7') {
1361 zerror(gettext("Unrecognized escape character option %s"),
1362 cmdcharstr);
1363 usage();
1364 }
1365
1366 lc = strtol(cmdcharstr + 1, NULL, 8);
1367 if (lc < 0 || lc > 255) {
1368 zerror(gettext("Octal escape character '%s' too large"),
1369 cmdcharstr);
1370 usage();
1371 }
1372 cmdchar = (char)lc;
1373 }
1374
1375 static int
setup_utmpx(char * slavename)1376 setup_utmpx(char *slavename)
1377 {
1378 struct utmpx ut;
1379
1380 bzero(&ut, sizeof (ut));
1381 (void) strncpy(ut.ut_user, ".zlogin", sizeof (ut.ut_user));
1382 (void) strncpy(ut.ut_line, slavename, sizeof (ut.ut_line));
1383 ut.ut_pid = getpid();
1384 ut.ut_id[0] = 'z';
1385 ut.ut_id[1] = ut.ut_id[2] = ut.ut_id[3] = (char)SC_WILDC;
1386 ut.ut_type = LOGIN_PROCESS;
1387 (void) time(&ut.ut_tv.tv_sec);
1388
1389 if (makeutx(&ut) == NULL) {
1390 zerror(gettext("makeutx failed"));
1391 return (-1);
1392 }
1393 return (0);
1394 }
1395
1396 static void
release_lock_file(int lockfd)1397 release_lock_file(int lockfd)
1398 {
1399 (void) close(lockfd);
1400 }
1401
1402 static int
grab_lock_file(const char * zone_name,int * lockfd)1403 grab_lock_file(const char *zone_name, int *lockfd)
1404 {
1405 char pathbuf[PATH_MAX];
1406 struct flock flock;
1407
1408 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
1409 zerror(gettext("could not mkdir %s: %s"), ZONES_TMPDIR,
1410 strerror(errno));
1411 return (-1);
1412 }
1413 (void) chmod(ZONES_TMPDIR, S_IRWXU);
1414 (void) snprintf(pathbuf, sizeof (pathbuf), "%s/%s.zoneadm.lock",
1415 ZONES_TMPDIR, zone_name);
1416
1417 if ((*lockfd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR)) < 0) {
1418 zerror(gettext("could not open %s: %s"), pathbuf,
1419 strerror(errno));
1420 return (-1);
1421 }
1422 /*
1423 * Lock the file to synchronize with other zoneadmds
1424 */
1425 flock.l_type = F_WRLCK;
1426 flock.l_whence = SEEK_SET;
1427 flock.l_start = (off_t)0;
1428 flock.l_len = (off_t)0;
1429 if (fcntl(*lockfd, F_SETLKW, &flock) < 0) {
1430 zerror(gettext("unable to lock %s: %s"), pathbuf,
1431 strerror(errno));
1432 release_lock_file(*lockfd);
1433 return (-1);
1434 }
1435 return (Z_OK);
1436 }
1437
1438 static int
start_zoneadmd(const char * zone_name)1439 start_zoneadmd(const char *zone_name)
1440 {
1441 pid_t retval;
1442 int pstatus = 0, error = -1, lockfd, doorfd;
1443 struct door_info info;
1444 char doorpath[MAXPATHLEN];
1445
1446 (void) snprintf(doorpath, sizeof (doorpath), ZONE_DOOR_PATH, zone_name);
1447
1448 if (grab_lock_file(zone_name, &lockfd) != Z_OK)
1449 return (-1);
1450 /*
1451 * We must do the door check with the lock held. Otherwise, we
1452 * might race against another zoneadm/zlogin process and wind
1453 * up with two processes trying to start zoneadmd at the same
1454 * time. zoneadmd will detect this, and fail, but we prefer this
1455 * to be as seamless as is practical, from a user perspective.
1456 */
1457 if ((doorfd = open(doorpath, O_RDONLY)) < 0) {
1458 if (errno != ENOENT) {
1459 zerror("failed to open %s: %s", doorpath,
1460 strerror(errno));
1461 goto out;
1462 }
1463 } else {
1464 /*
1465 * Seems to be working ok.
1466 */
1467 if (door_info(doorfd, &info) == 0 &&
1468 ((info.di_attributes & DOOR_REVOKED) == 0)) {
1469 error = 0;
1470 goto out;
1471 }
1472 }
1473
1474 if ((child_pid = fork()) == -1) {
1475 zperror(gettext("could not fork"));
1476 goto out;
1477 } else if (child_pid == 0) {
1478 /* child process */
1479 (void) execl("/usr/lib/zones/zoneadmd", "zoneadmd", "-z",
1480 zone_name, NULL);
1481 zperror(gettext("could not exec zoneadmd"));
1482 _exit(1);
1483 }
1484
1485 /* parent process */
1486 do {
1487 retval = waitpid(child_pid, &pstatus, 0);
1488 } while (retval != child_pid);
1489 if (WIFSIGNALED(pstatus) ||
1490 (WIFEXITED(pstatus) && WEXITSTATUS(pstatus) != 0)) {
1491 zerror(gettext("could not start %s"), "zoneadmd");
1492 goto out;
1493 }
1494 error = 0;
1495 out:
1496 release_lock_file(lockfd);
1497 (void) close(doorfd);
1498 return (error);
1499 }
1500
1501 static int
init_template(void)1502 init_template(void)
1503 {
1504 int fd;
1505 int err = 0;
1506
1507 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
1508 if (fd == -1)
1509 return (-1);
1510
1511 /*
1512 * zlogin doesn't do anything with the contract.
1513 * Deliver no events, don't inherit, and allow it to be orphaned.
1514 */
1515 err |= ct_tmpl_set_critical(fd, 0);
1516 err |= ct_tmpl_set_informative(fd, 0);
1517 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
1518 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
1519 if (err || ct_tmpl_activate(fd)) {
1520 (void) close(fd);
1521 return (-1);
1522 }
1523
1524 return (fd);
1525 }
1526
1527 static int
noninteractive_login(char * zonename,const char * user_cmd,zoneid_t zoneid,char ** new_args,char ** new_env)1528 noninteractive_login(char *zonename, const char *user_cmd, zoneid_t zoneid,
1529 char **new_args, char **new_env)
1530 {
1531 pid_t retval;
1532 int stdin_pipe[2], stdout_pipe[2], stderr_pipe[2], dead_child_pipe[2];
1533 int child_status;
1534 int tmpl_fd;
1535 sigset_t block_cld;
1536
1537 if ((tmpl_fd = init_template()) == -1) {
1538 reset_tty();
1539 zperror(gettext("could not create contract"));
1540 return (1);
1541 }
1542
1543 if (pipe(stdin_pipe) != 0) {
1544 zperror(gettext("could not create STDIN pipe"));
1545 return (1);
1546 }
1547 /*
1548 * When the user types ^D, we get a zero length message on STDIN.
1549 * We need to echo that down the pipe to send it to the other side;
1550 * but by default, pipes don't propagate zero-length messages. We
1551 * toggle that behavior off using I_SWROPT. See streamio(7i).
1552 */
1553 if (ioctl(stdin_pipe[0], I_SWROPT, SNDZERO) != 0) {
1554 zperror(gettext("could not configure STDIN pipe"));
1555 return (1);
1556
1557 }
1558 if (pipe(stdout_pipe) != 0) {
1559 zperror(gettext("could not create STDOUT pipe"));
1560 return (1);
1561 }
1562 if (pipe(stderr_pipe) != 0) {
1563 zperror(gettext("could not create STDERR pipe"));
1564 return (1);
1565 }
1566
1567 if (pipe(dead_child_pipe) != 0) {
1568 zperror(gettext("could not create signalling pipe"));
1569 return (1);
1570 }
1571 close_on_sig = dead_child_pipe[0];
1572
1573 /*
1574 * If any of the pipe FD's winds up being less than STDERR, then we
1575 * have a mess on our hands-- and we are lacking some of the I/O
1576 * streams we would expect anyway. So we bail.
1577 */
1578 if (stdin_pipe[0] <= STDERR_FILENO ||
1579 stdin_pipe[1] <= STDERR_FILENO ||
1580 stdout_pipe[0] <= STDERR_FILENO ||
1581 stdout_pipe[1] <= STDERR_FILENO ||
1582 stderr_pipe[0] <= STDERR_FILENO ||
1583 stderr_pipe[1] <= STDERR_FILENO ||
1584 dead_child_pipe[0] <= STDERR_FILENO ||
1585 dead_child_pipe[1] <= STDERR_FILENO) {
1586 zperror(gettext("process lacks valid STDIN, STDOUT, STDERR"));
1587 return (1);
1588 }
1589
1590 if (prefork_dropprivs() != 0) {
1591 zperror(gettext("could not allocate privilege set"));
1592 return (1);
1593 }
1594
1595 (void) sigset(SIGCLD, sigcld);
1596 (void) sigemptyset(&block_cld);
1597 (void) sigaddset(&block_cld, SIGCLD);
1598 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
1599
1600 if ((child_pid = fork()) == -1) {
1601 (void) ct_tmpl_clear(tmpl_fd);
1602 (void) close(tmpl_fd);
1603 zperror(gettext("could not fork"));
1604 return (1);
1605 } else if (child_pid == 0) { /* child process */
1606 (void) ct_tmpl_clear(tmpl_fd);
1607
1608 /*
1609 * Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
1610 */
1611 (void) close(STDIN_FILENO);
1612 (void) close(STDOUT_FILENO);
1613 (void) close(STDERR_FILENO);
1614 (void) dup2(stdin_pipe[1], STDIN_FILENO);
1615 (void) dup2(stdout_pipe[1], STDOUT_FILENO);
1616 (void) dup2(stderr_pipe[1], STDERR_FILENO);
1617 (void) closefrom(STDERR_FILENO + 1);
1618
1619 (void) sigset(SIGCLD, SIG_DFL);
1620 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1621 /*
1622 * In case any of stdin, stdout or stderr are streams,
1623 * anchor them to prevent malicious I_POPs.
1624 */
1625 (void) ioctl(STDIN_FILENO, I_ANCHOR);
1626 (void) ioctl(STDOUT_FILENO, I_ANCHOR);
1627 (void) ioctl(STDERR_FILENO, I_ANCHOR);
1628
1629 if (zone_enter(zoneid) == -1) {
1630 zerror(gettext("could not enter zone %s: %s"),
1631 zonename, strerror(errno));
1632 _exit(1);
1633 }
1634
1635 /*
1636 * For non-native zones, tell libc where it can find locale
1637 * specific getttext() messages.
1638 */
1639 if (access("/.SUNWnative/usr/lib/locale", R_OK) == 0)
1640 (void) bindtextdomain(TEXT_DOMAIN,
1641 "/.SUNWnative/usr/lib/locale");
1642 else if (access("/native/usr/lib/locale", R_OK) == 0)
1643 (void) bindtextdomain(TEXT_DOMAIN,
1644 "/native/usr/lib/locale");
1645
1646 if (!failsafe)
1647 new_env = prep_env_noninteractive(user_cmd, new_env);
1648
1649 if (new_env == NULL) {
1650 _exit(1);
1651 }
1652
1653 /*
1654 * Move into a new process group; the zone_enter will have
1655 * placed us into zsched's session, and we want to be in
1656 * a unique process group.
1657 */
1658 (void) setpgid(getpid(), getpid());
1659
1660 /*
1661 * The child needs to run as root to
1662 * execute the su program.
1663 */
1664 if (setuid(0) == -1) {
1665 zperror(gettext("insufficient privilege"));
1666 return (1);
1667 }
1668
1669 (void) execve(new_args[0], new_args, new_env);
1670 zperror(gettext("exec failure"));
1671 _exit(1);
1672 }
1673 /* parent */
1674
1675 /* close pipe sides written by child */
1676 (void) close(stdout_pipe[1]);
1677 (void) close(stderr_pipe[1]);
1678
1679 (void) sigset(SIGINT, sig_forward);
1680
1681 postfork_dropprivs();
1682
1683 (void) ct_tmpl_clear(tmpl_fd);
1684 (void) close(tmpl_fd);
1685
1686 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
1687 doio(stdin_pipe[0], stdin_pipe[1], stdout_pipe[0], stderr_pipe[0],
1688 dead_child_pipe[1], B_TRUE);
1689 do {
1690 retval = waitpid(child_pid, &child_status, 0);
1691 if (retval == -1) {
1692 child_status = 0;
1693 }
1694 } while (retval != child_pid && errno != ECHILD);
1695
1696 return (WEXITSTATUS(child_status));
1697 }
1698
1699 static char *
get_username()1700 get_username()
1701 {
1702 uid_t uid;
1703 struct passwd *nptr;
1704
1705 /*
1706 * Authorizations are checked to restrict access based on the
1707 * requested operation and zone name, It is assumed that the
1708 * program is running with all privileges, but that the real
1709 * user ID is that of the user or role on whose behalf we are
1710 * operating. So we start by getting the username that will be
1711 * used for subsequent authorization checks.
1712 */
1713
1714 uid = getuid();
1715 if ((nptr = getpwuid(uid)) == NULL) {
1716 zerror(gettext("could not get user name."));
1717 _exit(1);
1718 }
1719 return (nptr->pw_name);
1720 }
1721
1722 int
main(int argc,char ** argv)1723 main(int argc, char **argv)
1724 {
1725 int arg, console = 0;
1726 zoneid_t zoneid;
1727 zone_state_t st;
1728 char *login = "root";
1729 int lflag = 0;
1730 char *zonename = NULL;
1731 char **proc_args = NULL;
1732 char **new_args, **new_env;
1733 sigset_t block_cld;
1734 char devroot[MAXPATHLEN];
1735 char *slavename, slaveshortname[MAXPATHLEN];
1736 priv_set_t *privset;
1737 int tmpl_fd;
1738 char zonebrand[MAXNAMELEN];
1739 char default_brand[MAXNAMELEN];
1740 struct stat sb;
1741 char kernzone[ZONENAME_MAX];
1742 brand_handle_t bh;
1743 char user_cmd[MAXPATHLEN];
1744 char authname[MAXAUTHS];
1745
1746 (void) setlocale(LC_ALL, "");
1747 (void) textdomain(TEXT_DOMAIN);
1748
1749 (void) getpname(argv[0]);
1750 username = get_username();
1751
1752 while ((arg = getopt(argc, argv, "ECR:Se:l:")) != EOF) {
1753 switch (arg) {
1754 case 'C':
1755 console = 1;
1756 break;
1757 case 'E':
1758 nocmdchar = 1;
1759 break;
1760 case 'R': /* undocumented */
1761 if (*optarg != '/') {
1762 zerror(gettext("root path must be absolute."));
1763 exit(2);
1764 }
1765 if (stat(optarg, &sb) == -1 || !S_ISDIR(sb.st_mode)) {
1766 zerror(
1767 gettext("root path must be a directory."));
1768 exit(2);
1769 }
1770 zonecfg_set_root(optarg);
1771 break;
1772 case 'S':
1773 failsafe = 1;
1774 break;
1775 case 'e':
1776 set_cmdchar(optarg);
1777 break;
1778 case 'l':
1779 login = optarg;
1780 lflag = 1;
1781 break;
1782 default:
1783 usage();
1784 }
1785 }
1786
1787 if (console != 0 && lflag != 0) {
1788 zerror(gettext("-l may not be specified for console login"));
1789 usage();
1790 }
1791
1792 if (console != 0 && failsafe != 0) {
1793 zerror(gettext("-S may not be specified for console login"));
1794 usage();
1795 }
1796
1797 if (console != 0 && zonecfg_in_alt_root()) {
1798 zerror(gettext("-R may not be specified for console login"));
1799 exit(2);
1800 }
1801
1802 if (failsafe != 0 && lflag != 0) {
1803 zerror(gettext("-l may not be specified for failsafe login"));
1804 usage();
1805 }
1806
1807 if (optind == (argc - 1)) {
1808 /*
1809 * zone name, no process name; this should be an interactive
1810 * as long as STDIN is really a tty.
1811 */
1812 if (isatty(STDIN_FILENO))
1813 interactive = 1;
1814 zonename = argv[optind];
1815 } else if (optind < (argc - 1)) {
1816 if (console) {
1817 zerror(gettext("Commands may not be specified for "
1818 "console login."));
1819 usage();
1820 }
1821 /* zone name and process name, and possibly some args */
1822 zonename = argv[optind];
1823 proc_args = &argv[optind + 1];
1824 interactive = 0;
1825 } else {
1826 usage();
1827 }
1828
1829 if (getzoneid() != GLOBAL_ZONEID) {
1830 zerror(gettext("'%s' may only be used from the global zone"),
1831 pname);
1832 return (1);
1833 }
1834
1835 if (strcmp(zonename, GLOBAL_ZONENAME) == 0) {
1836 zerror(gettext("'%s' not applicable to the global zone"),
1837 pname);
1838 return (1);
1839 }
1840
1841 if (zone_get_state(zonename, &st) != Z_OK) {
1842 zerror(gettext("zone '%s' unknown"), zonename);
1843 return (1);
1844 }
1845
1846 if (st < ZONE_STATE_INSTALLED) {
1847 zerror(gettext("cannot login to a zone which is '%s'"),
1848 zone_state_str(st));
1849 return (1);
1850 }
1851
1852 /*
1853 * In both console and non-console cases, we require all privs.
1854 * In the console case, because we may need to startup zoneadmd.
1855 * In the non-console case in order to do zone_enter(2), zonept()
1856 * and other tasks.
1857 */
1858
1859 if ((privset = priv_allocset()) == NULL) {
1860 zperror(gettext("priv_allocset failed"));
1861 return (1);
1862 }
1863
1864 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1865 zperror(gettext("getppriv failed"));
1866 priv_freeset(privset);
1867 return (1);
1868 }
1869
1870 if (priv_isfullset(privset) == B_FALSE) {
1871 zerror(gettext("You lack sufficient privilege to run "
1872 "this command (all privs required)"));
1873 priv_freeset(privset);
1874 return (1);
1875 }
1876 priv_freeset(privset);
1877
1878 /*
1879 * Check if user is authorized for requested usage of the zone
1880 */
1881
1882 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1883 ZONE_MANAGE_AUTH, KV_OBJECT, zonename);
1884 if (chkauthattr(authname, username) == 0) {
1885 if (console) {
1886 zerror(gettext("%s is not authorized for console "
1887 "access to %s zone."),
1888 username, zonename);
1889 return (1);
1890 } else {
1891 (void) snprintf(authname, MAXAUTHS, "%s%s%s",
1892 ZONE_LOGIN_AUTH, KV_OBJECT, zonename);
1893 if (failsafe || !interactive) {
1894 zerror(gettext("%s is not authorized for "
1895 "failsafe or non-interactive login "
1896 "to %s zone."), username, zonename);
1897 return (1);
1898 } else if (chkauthattr(authname, username) == 0) {
1899 zerror(gettext("%s is not authorized "
1900 " to login to %s zone."),
1901 username, zonename);
1902 return (1);
1903 }
1904 }
1905 } else {
1906 forced_login = B_TRUE;
1907 }
1908
1909 /*
1910 * The console is a separate case from the rest of the code; handle
1911 * it first.
1912 */
1913 if (console) {
1914 /*
1915 * Ensure that zoneadmd for this zone is running.
1916 */
1917 if (start_zoneadmd(zonename) == -1)
1918 return (1);
1919
1920 /*
1921 * Make contact with zoneadmd.
1922 */
1923 if (get_console_master(zonename) == -1)
1924 return (1);
1925
1926 (void) printf(gettext("[Connected to zone '%s' console]\n"),
1927 zonename);
1928
1929 if (set_tty_rawmode(STDIN_FILENO) == -1) {
1930 reset_tty();
1931 zperror(gettext("failed to set stdin pty to raw mode"));
1932 return (1);
1933 }
1934
1935 (void) sigset(SIGWINCH, sigwinch);
1936 (void) sigwinch(0);
1937
1938 /*
1939 * Run the I/O loop until we get disconnected.
1940 */
1941 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
1942 reset_tty();
1943 (void) printf(gettext("\n[Connection to zone '%s' console "
1944 "closed]\n"), zonename);
1945
1946 return (0);
1947 }
1948
1949 if (st != ZONE_STATE_RUNNING && st != ZONE_STATE_MOUNTED) {
1950 zerror(gettext("login allowed only to running zones "
1951 "(%s is '%s')."), zonename, zone_state_str(st));
1952 return (1);
1953 }
1954
1955 (void) strlcpy(kernzone, zonename, sizeof (kernzone));
1956 if (zonecfg_in_alt_root()) {
1957 FILE *fp = zonecfg_open_scratch("", B_FALSE);
1958
1959 if (fp == NULL || zonecfg_find_scratch(fp, zonename,
1960 zonecfg_get_root(), kernzone, sizeof (kernzone)) == -1) {
1961 zerror(gettext("cannot find scratch zone %s"),
1962 zonename);
1963 if (fp != NULL)
1964 zonecfg_close_scratch(fp);
1965 return (1);
1966 }
1967 zonecfg_close_scratch(fp);
1968 }
1969
1970 if ((zoneid = getzoneidbyname(kernzone)) == -1) {
1971 zerror(gettext("failed to get zoneid for zone '%s'"),
1972 zonename);
1973 return (1);
1974 }
1975
1976 /*
1977 * We need the zone root path only if we are setting up a pty.
1978 */
1979 if (zone_get_devroot(zonename, devroot, sizeof (devroot)) == -1) {
1980 zerror(gettext("could not get dev path for zone %s"),
1981 zonename);
1982 return (1);
1983 }
1984
1985 if (zone_get_brand(zonename, zonebrand, sizeof (zonebrand)) != Z_OK) {
1986 zerror(gettext("could not get brand for zone %s"), zonename);
1987 return (1);
1988 }
1989 /*
1990 * In the alternate root environment, the only supported
1991 * operations are mount and unmount. In this case, just treat
1992 * the zone as native if it is cluster. Cluster zones can be
1993 * native for the purpose of LU or upgrade, and the cluster
1994 * brand may not exist in the miniroot (such as in net install
1995 * upgrade).
1996 */
1997 if (zonecfg_default_brand(default_brand,
1998 sizeof (default_brand)) != Z_OK) {
1999 zerror(gettext("unable to determine default brand"));
2000 return (1);
2001 }
2002 if (zonecfg_in_alt_root() &&
2003 strcmp(zonebrand, CLUSTER_BRAND_NAME) == 0) {
2004 (void) strlcpy(zonebrand, default_brand, sizeof (zonebrand));
2005 }
2006
2007 if ((bh = brand_open(zonebrand)) == NULL) {
2008 zerror(gettext("could not open brand for zone %s"), zonename);
2009 return (1);
2010 }
2011
2012 if ((new_args = prep_args(bh, login, proc_args)) == NULL) {
2013 zperror(gettext("could not assemble new arguments"));
2014 brand_close(bh);
2015 return (1);
2016 }
2017 /*
2018 * Get the brand specific user_cmd. This command is used to get
2019 * a passwd(4) entry for login.
2020 */
2021 if (!interactive && !failsafe) {
2022 if (zone_get_user_cmd(bh, login, user_cmd,
2023 sizeof (user_cmd)) == NULL) {
2024 zerror(gettext("could not get user_cmd for zone %s"),
2025 zonename);
2026 brand_close(bh);
2027 return (1);
2028 }
2029 }
2030 brand_close(bh);
2031
2032 if ((new_env = prep_env()) == NULL) {
2033 zperror(gettext("could not assemble new environment"));
2034 return (1);
2035 }
2036
2037 if (!interactive)
2038 return (noninteractive_login(zonename, user_cmd, zoneid,
2039 new_args, new_env));
2040
2041 if (zonecfg_in_alt_root()) {
2042 zerror(gettext("cannot use interactive login with scratch "
2043 "zone"));
2044 return (1);
2045 }
2046
2047 /*
2048 * Things are more complex in interactive mode; we get the
2049 * master side of the pty, then place the user's terminal into
2050 * raw mode.
2051 */
2052 if (get_master_pty() == -1) {
2053 zerror(gettext("could not setup master pty device"));
2054 return (1);
2055 }
2056
2057 /*
2058 * Compute the "short name" of the pts. /dev/pts/2 --> pts/2
2059 */
2060 if ((slavename = ptsname(masterfd)) == NULL) {
2061 zperror(gettext("failed to get name for pseudo-tty"));
2062 return (1);
2063 }
2064 if (strncmp(slavename, "/dev/", strlen("/dev/")) == 0)
2065 (void) strlcpy(slaveshortname, slavename + strlen("/dev/"),
2066 sizeof (slaveshortname));
2067 else
2068 (void) strlcpy(slaveshortname, slavename,
2069 sizeof (slaveshortname));
2070
2071 (void) printf(gettext("[Connected to zone '%s' %s]\n"), zonename,
2072 slaveshortname);
2073
2074 if (set_tty_rawmode(STDIN_FILENO) == -1) {
2075 reset_tty();
2076 zperror(gettext("failed to set stdin pty to raw mode"));
2077 return (1);
2078 }
2079
2080 if (prefork_dropprivs() != 0) {
2081 reset_tty();
2082 zperror(gettext("could not allocate privilege set"));
2083 return (1);
2084 }
2085
2086 /*
2087 * We must mask SIGCLD until after we have coped with the fork
2088 * sufficiently to deal with it; otherwise we can race and receive the
2089 * signal before child_pid has been initialized (yes, this really
2090 * happens).
2091 */
2092 (void) sigset(SIGCLD, sigcld);
2093 (void) sigemptyset(&block_cld);
2094 (void) sigaddset(&block_cld, SIGCLD);
2095 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2096
2097 /*
2098 * We activate the contract template at the last minute to
2099 * avoid intermediate functions that could be using fork(2)
2100 * internally.
2101 */
2102 if ((tmpl_fd = init_template()) == -1) {
2103 reset_tty();
2104 zperror(gettext("could not create contract"));
2105 return (1);
2106 }
2107
2108 if ((child_pid = fork()) == -1) {
2109 (void) ct_tmpl_clear(tmpl_fd);
2110 reset_tty();
2111 zperror(gettext("could not fork"));
2112 return (1);
2113 } else if (child_pid == 0) { /* child process */
2114 int slavefd, newslave;
2115
2116 (void) ct_tmpl_clear(tmpl_fd);
2117 (void) close(tmpl_fd);
2118
2119 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2120
2121 if ((slavefd = init_slave_pty(zoneid, devroot)) == -1)
2122 return (1);
2123
2124 /*
2125 * Close all fds except for the slave pty.
2126 */
2127 (void) fdwalk(close_func, &slavefd);
2128
2129 /*
2130 * Temporarily dup slavefd to stderr; that way if we have
2131 * to print out that zone_enter failed, the output will
2132 * have somewhere to go.
2133 */
2134 if (slavefd != STDERR_FILENO)
2135 (void) dup2(slavefd, STDERR_FILENO);
2136
2137 if (zone_enter(zoneid) == -1) {
2138 zerror(gettext("could not enter zone %s: %s"),
2139 zonename, strerror(errno));
2140 return (1);
2141 }
2142
2143 if (slavefd != STDERR_FILENO)
2144 (void) close(STDERR_FILENO);
2145
2146 /*
2147 * We take pains to get this process into a new process
2148 * group, and subsequently a new session. In this way,
2149 * we'll have a session which doesn't yet have a controlling
2150 * terminal. When we open the slave, it will become the
2151 * controlling terminal; no PIDs concerning pgrps or sids
2152 * will leak inappropriately into the zone.
2153 */
2154 (void) setpgrp();
2155
2156 /*
2157 * We need the slave pty to be referenced from the zone's
2158 * /dev in order to ensure that the devt's, etc are all
2159 * correct. Otherwise we break ttyname and the like.
2160 */
2161 if ((newslave = open(slavename, O_RDWR)) == -1) {
2162 (void) close(slavefd);
2163 return (1);
2164 }
2165 (void) close(slavefd);
2166 slavefd = newslave;
2167
2168 /*
2169 * dup the slave to the various FDs, so that when the
2170 * spawned process does a write/read it maps to the slave
2171 * pty.
2172 */
2173 (void) dup2(slavefd, STDIN_FILENO);
2174 (void) dup2(slavefd, STDOUT_FILENO);
2175 (void) dup2(slavefd, STDERR_FILENO);
2176 if (slavefd != STDIN_FILENO && slavefd != STDOUT_FILENO &&
2177 slavefd != STDERR_FILENO) {
2178 (void) close(slavefd);
2179 }
2180
2181 /*
2182 * In failsafe mode, we don't use login(1), so don't try
2183 * setting up a utmpx entry.
2184 */
2185 if (!failsafe)
2186 if (setup_utmpx(slaveshortname) == -1)
2187 return (1);
2188
2189 /*
2190 * The child needs to run as root to
2191 * execute the brand's login program.
2192 */
2193 if (setuid(0) == -1) {
2194 zperror(gettext("insufficient privilege"));
2195 return (1);
2196 }
2197
2198 (void) execve(new_args[0], new_args, new_env);
2199 zperror(gettext("exec failure"));
2200 return (1);
2201 }
2202
2203 (void) ct_tmpl_clear(tmpl_fd);
2204 (void) close(tmpl_fd);
2205
2206 /*
2207 * The rest is only for the parent process.
2208 */
2209 (void) sigset(SIGWINCH, sigwinch);
2210
2211 postfork_dropprivs();
2212
2213 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2214 doio(masterfd, -1, masterfd, -1, -1, B_FALSE);
2215
2216 reset_tty();
2217 (void) fprintf(stderr,
2218 gettext("\n[Connection to zone '%s' %s closed]\n"), zonename,
2219 slaveshortname);
2220
2221 if (pollerr != 0) {
2222 (void) fprintf(stderr, gettext("Error: connection closed due "
2223 "to unexpected pollevents=0x%x.\n"), pollerr);
2224 return (1);
2225 }
2226
2227 return (0);
2228 }
2229