| File: | src/usr.sbin/syslogd/privsep.c | 
| Warning: | line 213, column 7 Although the value stored to 'argc' is used in the enclosing expression, the value is never actually read from 'argc' | 
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
| 1 | /* $OpenBSD: privsep.c,v 1.74 2021/10/24 21:24:19 deraadt Exp $ */ | 
| 2 | |
| 3 | /* | 
| 4 | * Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org> | 
| 5 | * Copyright (c) 2016 Alexander Bluhm <bluhm@openbsd.org> | 
| 6 | * | 
| 7 | * Permission to use, copy, modify, and distribute this software for any | 
| 8 | * purpose with or without fee is hereby granted, provided that the above | 
| 9 | * copyright notice and this permission notice appear in all copies. | 
| 10 | * | 
| 11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | 
| 12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | 
| 13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | 
| 14 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | 
| 15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | 
| 16 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 
| 17 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 
| 18 | */ | 
| 19 | |
| 20 | #include <sys/queue.h> | 
| 21 | #include <sys/stat.h> | 
| 22 | #include <sys/wait.h> | 
| 23 | |
| 24 | #include <err.h> | 
| 25 | #include <errno(*__errno()).h> | 
| 26 | #include <fcntl.h> | 
| 27 | #include <limits.h> | 
| 28 | #include <netdb.h> | 
| 29 | #include <paths.h> | 
| 30 | #include <pwd.h> | 
| 31 | #include <signal.h> | 
| 32 | #include <stdio.h> | 
| 33 | #include <stdlib.h> | 
| 34 | #include <string.h> | 
| 35 | #include <unistd.h> | 
| 36 | #include <utmp.h> | 
| 37 | |
| 38 | #include "log.h" | 
| 39 | #include "syslogd.h" | 
| 40 | |
| 41 | /* | 
| 42 | * syslogd can only go forward in these states; each state should represent | 
| 43 | * less privilege. After STATE_INIT, the child is allowed to parse its | 
| 44 | * config file once, and communicate the information regarding what logfiles | 
| 45 | * it needs access to back to the parent. When that is done, it sends a | 
| 46 | * message to the priv parent revoking this access, moving to STATE_RUNNING. | 
| 47 | * In this state, any log-files not in the access list are rejected. | 
| 48 | * | 
| 49 | * This allows a HUP signal to the child to reopen its log files, and | 
| 50 | * the config file to be parsed if it hasn't been changed (this is still | 
| 51 | * useful to force resolution of remote syslog servers again). | 
| 52 | * If the config file has been modified, then the child dies, and | 
| 53 | * the priv parent restarts itself. | 
| 54 | */ | 
| 55 | enum priv_state { | 
| 56 | STATE_INIT, /* just started up */ | 
| 57 | STATE_CONFIG, /* parsing config file for first time */ | 
| 58 | STATE_RUNNING, /* running and accepting network traffic */ | 
| 59 | STATE_QUIT /* shutting down */ | 
| 60 | }; | 
| 61 | |
| 62 | enum cmd_types { | 
| 63 | PRIV_OPEN_TTY, /* open terminal or console device */ | 
| 64 | PRIV_OPEN_LOG, /* open logfile for appending */ | 
| 65 | PRIV_OPEN_PIPE, /* fork & exec child that gets logs on stdin */ | 
| 66 | PRIV_OPEN_UTMP, /* open utmp for reading only */ | 
| 67 | PRIV_OPEN_CONFIG, /* open config file for reading only */ | 
| 68 | PRIV_CONFIG_MODIFIED, /* check if config file has been modified */ | 
| 69 | PRIV_GETADDRINFO, /* resolve host/service names */ | 
| 70 | PRIV_GETNAMEINFO, /* resolve numeric address into hostname */ | 
| 71 | PRIV_DONE_CONFIG_PARSE /* signal that initial config parse is done */ | 
| 72 | }; | 
| 73 | |
| 74 | static int priv_fd = -1; | 
| 75 | static volatile pid_t child_pid = -1; | 
| 76 | static volatile sig_atomic_t cur_state = STATE_INIT; | 
| 77 | |
| 78 | /* Queue for the allowed logfiles */ | 
| 79 | struct logname { | 
| 80 | char path[PATH_MAX1024]; | 
| 81 | TAILQ_ENTRY(logname)struct { struct logname *tqe_next; struct logname **tqe_prev; } next; | 
| 82 | }; | 
| 83 | static TAILQ_HEAD(, logname)struct { struct logname *tqh_first; struct logname **tqh_last ; } lognames; | 
| 84 | |
| 85 | static void check_log_name(char *, size_t); | 
| 86 | static int open_file(char *); | 
| 87 | static int open_pipe(char *); | 
| 88 | static void check_tty_name(char *, size_t); | 
| 89 | static void increase_state(int); | 
| 90 | static void sig_pass_to_chld(int); | 
| 91 | static void sig_got_chld(int); | 
| 92 | static void must_read(int, void *, size_t); | 
| 93 | static void must_write(int, void *, size_t); | 
| 94 | static int may_read(int, void *, size_t); | 
| 95 | |
| 96 | static struct passwd *pw; | 
| 97 | |
| 98 | void | 
| 99 | priv_init(int lockfd, int nullfd, int argc, char *argv[]) | 
| 100 | { | 
| 101 | int i, socks[2]; | 
| 102 | char *execpath, childnum[11], **privargv; | 
| 103 | |
| 104 | /* Create sockets */ | 
| 105 | if (socketpair(AF_LOCAL1, SOCK_STREAM1, PF_UNSPEC0, socks) == -1) | 
| 106 | err(1, "socketpair() failed"); | 
| 107 | |
| 108 | pw = getpwnam("_syslogd"); | 
| 109 | if (pw == NULL((void *)0)) | 
| 110 | errx(1, "unknown user _syslogd"); | 
| 111 | |
| 112 | child_pid = fork(); | 
| 113 | if (child_pid == -1) | 
| 114 | err(1, "fork() failed"); | 
| 115 | |
| 116 | if (!child_pid) { | 
| 117 | /* Child - drop privileges and return */ | 
| 118 | if (chroot(pw->pw_dir) != 0) | 
| 119 | err(1, "chroot %s", pw->pw_dir); | 
| 120 | if (chdir("/") != 0) | 
| 121 | err(1, "chdir %s", pw->pw_dir); | 
| 122 | |
| 123 | if (setgroups(1, &pw->pw_gid) == -1) | 
| 124 | err(1, "setgroups() failed"); | 
| 125 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) | 
| 126 | err(1, "setresgid() failed"); | 
| 127 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) | 
| 128 | err(1, "setresuid() failed"); | 
| 129 | close(socks[0]); | 
| 130 | priv_fd = socks[1]; | 
| 131 | return; | 
| 132 | } | 
| 133 | close(socks[1]); | 
| 134 | |
| 135 | if (strchr(argv[0], '/') == NULL((void *)0)) | 
| 136 | execpath = argv[0]; | 
| 137 | else if ((execpath = realpath(argv[0], NULL((void *)0))) == NULL((void *)0)) | 
| 138 | err(1, "realpath %s", argv[0]); | 
| 139 | if (chdir("/") != 0) | 
| 140 | err(1, "chdir /"); | 
| 141 | |
| 142 | if (!Debug) { | 
| 143 | close(lockfd); | 
| 144 | dup2(nullfd, STDIN_FILENO0); | 
| 145 | dup2(nullfd, STDOUT_FILENO1); | 
| 146 | dup2(nullfd, STDERR_FILENO2); | 
| 147 | } | 
| 148 | if (nullfd > 2) | 
| 149 | close(nullfd); | 
| 150 | |
| 151 | if (dup3(socks[0], 3, 0) == -1) | 
| 152 | err(1, "dup3 priv sock failed"); | 
| 153 | if (closefrom(4) == -1) | 
| 154 | err(1, "closefrom 4 failed"); | 
| 155 | |
| 156 | snprintf(childnum, sizeof(childnum), "%d", child_pid); | 
| 157 | if ((privargv = reallocarray(NULL((void *)0), argc + 3, sizeof(char *))) == NULL((void *)0)) | 
| 158 | err(1, "alloc priv argv failed"); | 
| 159 | privargv[0] = execpath; | 
| 160 | for (i = 1; i < argc; i++) | 
| 161 | privargv[i] = argv[i]; | 
| 162 | privargv[i++] = "-P"; | 
| 163 | privargv[i++] = childnum; | 
| 164 | privargv[i++] = NULL((void *)0); | 
| 165 | execvp(privargv[0], privargv); | 
| 166 | err(1, "exec priv '%s' failed", privargv[0]); | 
| 167 | } | 
| 168 | |
| 169 | __dead__attribute__((__noreturn__)) void | 
| 170 | priv_exec(char *conf, int numeric, int child, int argc, char *argv[]) | 
| 171 | { | 
| 172 | int i, fd, sock, cmd, addr_len, result, restart; | 
| 173 | size_t path_len, protoname_len, hostname_len, servname_len; | 
| 174 | char path[PATH_MAX1024], protoname[5]; | 
| 175 | char hostname[NI_MAXHOST256], servname[NI_MAXSERV32]; | 
| 176 | struct sockaddr_storage addr; | 
| 177 | struct stat cf_info, cf_stat; | 
| 178 | struct addrinfo hints, *res0; | 
| 179 | struct sigaction sa; | 
| 180 | sigset_t sigmask; | 
| 181 | |
| 182 | /* Redo the password lookup after re-exec of the privsep parent. */ | 
| 183 | pw = getpwnam("_syslogd"); | 
| 184 | if (pw == NULL((void *)0)) | 
| 185 | errx(1, "unknown user _syslogd"); | 
| 186 | |
| 187 | if (unveil(conf, "r") == -1) | 
| 188 | err(1, "unveil %s", conf); | 
| 189 | if (unveil(_PATH_UTMP"/var/run/utmp", "r") == -1) | 
| 190 | err(1, "unveil %s", _PATH_UTMP"/var/run/utmp"); | 
| 191 | if (unveil(_PATH_DEV"/dev/", "rw") == -1) | 
| 192 | err(1, "unveil %s", _PATH_DEV"/dev/"); | 
| 193 | if (unveil(_PATH_LOGPID"/var/run/syslog.pid", "c") == -1) | 
| 194 | err(1, "unveil %s", _PATH_LOGPID"/var/run/syslog.pid"); | 
| 195 | |
| 196 | /* for pipes */ | 
| 197 | if (unveil(_PATH_BSHELL"/bin/sh", "x") == -1) | 
| 198 | err(1, "unveil %s", _PATH_BSHELL"/bin/sh"); | 
| 199 | |
| 200 | /* For HUP / re-exec */ | 
| 201 | if (unveil("/usr/sbin/syslogd", "x") == -1) | 
| 202 | err(1, "unveil /usr/sbin/syslogd"); | 
| 203 | if (argv[0][0] == '/') | 
| 204 | if (unveil(argv[0], "x") == -1) | 
| 205 | err(1, "unveil %s", argv[0]); | 
| 206 | |
| 207 | if (pledge("stdio unveil rpath wpath cpath dns sendfd id proc exec", | 
| 208 | NULL((void *)0)) == -1) | 
| 209 | err(1, "pledge priv"); | 
| 210 | |
| 211 | if (argc <= 2 || strcmp("-P", argv[argc - 2]) != 0) | 
| 212 | errx(1, "exec without priv"); | 
| 213 | argv[argc -= 2] = NULL((void *)0); | 
| Although the value stored to 'argc' is used in the enclosing expression, the value is never actually read from 'argc' | |
| 214 | |
| 215 | sock = 3; | 
| 216 | closefrom(4); | 
| 217 | |
| 218 | child_pid = child; | 
| 219 | |
| 220 | memset(&sa, 0, sizeof(sa)); | 
| 221 | sigemptyset(&sa.sa_mask); | 
| 222 | sa.sa_flags = SA_RESTART0x0002; | 
| 223 | sa.sa_handler__sigaction_u.__sa_handler = SIG_DFL(void (*)(int))0; | 
| 224 | for (i = 1; i < _NSIG33; i++) | 
| 225 | sigaction(i, &sa, NULL((void *)0)); | 
| 226 | |
| 227 | /* Pass TERM/HUP/INT/QUIT through to child, and accept CHLD */ | 
| 228 | sa.sa_handler__sigaction_u.__sa_handler = sig_pass_to_chld; | 
| 229 | sigaction(SIGTERM15, &sa, NULL((void *)0)); | 
| 230 | sigaction(SIGHUP1, &sa, NULL((void *)0)); | 
| 231 | sigaction(SIGINT2, &sa, NULL((void *)0)); | 
| 232 | sigaction(SIGQUIT3, &sa, NULL((void *)0)); | 
| 233 | sa.sa_handler__sigaction_u.__sa_handler = sig_got_chld; | 
| 234 | sa.sa_flags |= SA_NOCLDSTOP0x0008; | 
| 235 | sigaction(SIGCHLD20, &sa, NULL((void *)0)); | 
| 236 | |
| 237 | setproctitle("[priv]"); | 
| 238 | log_debug("[priv]: fork+exec done"); | 
| 239 | |
| 240 | sigemptyset(&sigmask); | 
| 241 | if (sigprocmask(SIG_SETMASK3, &sigmask, NULL((void *)0)) == -1) | 
| 242 | err(1, "sigprocmask priv"); | 
| 243 | |
| 244 | if (stat(conf, &cf_info) == -1) | 
| 245 | err(1, "stat config file failed"); | 
| 246 | |
| 247 | TAILQ_INIT(&lognames)do { (&lognames)->tqh_first = ((void *)0); (&lognames )->tqh_last = &(&lognames)->tqh_first; } while ( 0); | 
| 248 | increase_state(STATE_CONFIG); | 
| 249 | restart = 0; | 
| 250 | |
| 251 | while (cur_state < STATE_QUIT) { | 
| 252 | if (may_read(sock, &cmd, sizeof(int))) | 
| 253 | break; | 
| 254 | switch (cmd) { | 
| 255 | case PRIV_OPEN_TTY: | 
| 256 | log_debug("[priv]: msg PRIV_OPEN_TTY received"); | 
| 257 | /* Expecting: length, path */ | 
| 258 | must_read(sock, &path_len, sizeof(size_t)); | 
| 259 | if (path_len == 0 || path_len > sizeof(path)) | 
| 260 | _exit(1); | 
| 261 | must_read(sock, &path, path_len); | 
| 262 | path[path_len - 1] = '\0'; | 
| 263 | check_tty_name(path, sizeof(path)); | 
| 264 | fd = open(path, O_WRONLY0x0001|O_NONBLOCK0x0004); | 
| 265 | send_fd(sock, fd); | 
| 266 | if (fd == -1) | 
| 267 | warnx("priv_open_tty failed"); | 
| 268 | else | 
| 269 | close(fd); | 
| 270 | break; | 
| 271 | |
| 272 | case PRIV_OPEN_LOG: | 
| 273 | case PRIV_OPEN_PIPE: | 
| 274 | log_debug("[priv]: msg PRIV_OPEN_%s received", | 
| 275 | cmd == PRIV_OPEN_PIPE ? "PIPE" : "LOG"); | 
| 276 | /* Expecting: length, path */ | 
| 277 | must_read(sock, &path_len, sizeof(size_t)); | 
| 278 | if (path_len == 0 || path_len > sizeof(path)) | 
| 279 | _exit(1); | 
| 280 | must_read(sock, &path, path_len); | 
| 281 | path[path_len - 1] = '\0'; | 
| 282 | check_log_name(path, sizeof(path)); | 
| 283 | |
| 284 | if (cmd == PRIV_OPEN_LOG) | 
| 285 | fd = open_file(path); | 
| 286 | else if (cmd == PRIV_OPEN_PIPE) | 
| 287 | fd = open_pipe(path); | 
| 288 | else | 
| 289 | errx(1, "invalid cmd"); | 
| 290 | |
| 291 | send_fd(sock, fd); | 
| 292 | if (fd == -1) | 
| 293 | warnx("priv_open_log failed"); | 
| 294 | else | 
| 295 | close(fd); | 
| 296 | break; | 
| 297 | |
| 298 | case PRIV_OPEN_UTMP: | 
| 299 | log_debug("[priv]: msg PRIV_OPEN_UTMP received"); | 
| 300 | fd = open(_PATH_UTMP"/var/run/utmp", O_RDONLY0x0000|O_NONBLOCK0x0004); | 
| 301 | send_fd(sock, fd); | 
| 302 | if (fd == -1) | 
| 303 | warnx("priv_open_utmp failed"); | 
| 304 | else | 
| 305 | close(fd); | 
| 306 | break; | 
| 307 | |
| 308 | case PRIV_OPEN_CONFIG: | 
| 309 | log_debug("[priv]: msg PRIV_OPEN_CONFIG received"); | 
| 310 | stat(conf, &cf_info); | 
| 311 | fd = open(conf, O_RDONLY0x0000|O_NONBLOCK0x0004); | 
| 312 | send_fd(sock, fd); | 
| 313 | if (fd == -1) | 
| 314 | warnx("priv_open_config failed"); | 
| 315 | else | 
| 316 | close(fd); | 
| 317 | break; | 
| 318 | |
| 319 | case PRIV_CONFIG_MODIFIED: | 
| 320 | log_debug("[priv]: msg PRIV_CONFIG_MODIFIED received"); | 
| 321 | if (stat(conf, &cf_stat) == -1 || | 
| 322 | timespeccmp(&cf_info.st_mtimespec,(((&cf_info.st_mtim)->tv_sec == (&cf_stat.st_mtim) ->tv_sec) ? ((&cf_info.st_mtim)->tv_nsec < (& cf_stat.st_mtim)->tv_nsec) : ((&cf_info.st_mtim)->tv_sec < (&cf_stat.st_mtim)->tv_sec)) | 
| 323 | &cf_stat.st_mtimespec, <)(((&cf_info.st_mtim)->tv_sec == (&cf_stat.st_mtim) ->tv_sec) ? ((&cf_info.st_mtim)->tv_nsec < (& cf_stat.st_mtim)->tv_nsec) : ((&cf_info.st_mtim)->tv_sec < (&cf_stat.st_mtim)->tv_sec)) || | 
| 324 | cf_info.st_size != cf_stat.st_size) { | 
| 325 | log_debug("config file modified: restarting"); | 
| 326 | restart = result = 1; | 
| 327 | must_write(sock, &result, sizeof(int)); | 
| 328 | } else { | 
| 329 | result = 0; | 
| 330 | must_write(sock, &result, sizeof(int)); | 
| 331 | } | 
| 332 | break; | 
| 333 | |
| 334 | case PRIV_DONE_CONFIG_PARSE: | 
| 335 | if (pledge("stdio rpath wpath cpath dns sendfd id proc exec", | 
| 336 | NULL((void *)0)) == -1) | 
| 337 | err(1, "pledge done config"); | 
| 338 | log_debug("[priv]: msg PRIV_DONE_CONFIG_PARSE " | 
| 339 | "received"); | 
| 340 | increase_state(STATE_RUNNING); | 
| 341 | break; | 
| 342 | |
| 343 | case PRIV_GETADDRINFO: | 
| 344 | log_debug("[priv]: msg PRIV_GETADDRINFO received"); | 
| 345 | /* Expecting: len, proto, len, host, len, serv */ | 
| 346 | must_read(sock, &protoname_len, sizeof(size_t)); | 
| 347 | if (protoname_len == 0 || | 
| 348 | protoname_len > sizeof(protoname)) | 
| 349 | _exit(1); | 
| 350 | must_read(sock, &protoname, protoname_len); | 
| 351 | protoname[protoname_len - 1] = '\0'; | 
| 352 | |
| 353 | must_read(sock, &hostname_len, sizeof(size_t)); | 
| 354 | if (hostname_len == 0 || | 
| 355 | hostname_len > sizeof(hostname)) | 
| 356 | _exit(1); | 
| 357 | must_read(sock, &hostname, hostname_len); | 
| 358 | hostname[hostname_len - 1] = '\0'; | 
| 359 | |
| 360 | must_read(sock, &servname_len, sizeof(size_t)); | 
| 361 | if (servname_len == 0 || | 
| 362 | servname_len > sizeof(servname)) | 
| 363 | _exit(1); | 
| 364 | must_read(sock, &servname, servname_len); | 
| 365 | servname[servname_len - 1] = '\0'; | 
| 366 | |
| 367 | memset(&hints, 0, sizeof(hints)); | 
| 368 | switch (strlen(protoname)) { | 
| 369 | case 3: | 
| 370 | hints.ai_family = AF_UNSPEC0; | 
| 371 | break; | 
| 372 | case 4: | 
| 373 | switch (protoname[3]) { | 
| 374 | case '4': | 
| 375 | hints.ai_family = AF_INET2; | 
| 376 | break; | 
| 377 | case '6': | 
| 378 | hints.ai_family = AF_INET624; | 
| 379 | break; | 
| 380 | default: | 
| 381 | errx(1, "bad ip version %s", protoname); | 
| 382 | } | 
| 383 | break; | 
| 384 | default: | 
| 385 | errx(1, "bad protocol length %s", protoname); | 
| 386 | } | 
| 387 | if (strncmp(protoname, "udp", 3) == 0) { | 
| 388 | hints.ai_socktype = SOCK_DGRAM2; | 
| 389 | hints.ai_protocol = IPPROTO_UDP17; | 
| 390 | } else if (strncmp(protoname, "tcp", 3) == 0) { | 
| 391 | hints.ai_socktype = SOCK_STREAM1; | 
| 392 | hints.ai_protocol = IPPROTO_TCP6; | 
| 393 | } else { | 
| 394 | errx(1, "unknown protocol %s", protoname); | 
| 395 | } | 
| 396 | i = getaddrinfo(hostname, servname, &hints, &res0); | 
| 397 | if (i != 0 || res0 == NULL((void *)0)) { | 
| 398 | addr_len = 0; | 
| 399 | must_write(sock, &addr_len, sizeof(int)); | 
| 400 | } else { | 
| 401 | /* Just send the first address */ | 
| 402 | i = res0->ai_addrlen; | 
| 403 | must_write(sock, &i, sizeof(int)); | 
| 404 | must_write(sock, res0->ai_addr, i); | 
| 405 | freeaddrinfo(res0); | 
| 406 | } | 
| 407 | break; | 
| 408 | |
| 409 | case PRIV_GETNAMEINFO: | 
| 410 | log_debug("[priv]: msg PRIV_GETNAMEINFO received"); | 
| 411 | if (numeric) | 
| 412 | errx(1, "rejected attempt to getnameinfo"); | 
| 413 | /* Expecting: length, sockaddr */ | 
| 414 | must_read(sock, &addr_len, sizeof(int)); | 
| 415 | if (addr_len <= 0 || (size_t)addr_len > sizeof(addr)) | 
| 416 | _exit(1); | 
| 417 | must_read(sock, &addr, addr_len); | 
| 418 | if (getnameinfo((struct sockaddr *)&addr, addr_len, | 
| 419 | hostname, sizeof(hostname), NULL((void *)0), 0, | 
| 420 | NI_NOFQDN4|NI_NAMEREQD8|NI_DGRAM16) != 0) { | 
| 421 | addr_len = 0; | 
| 422 | must_write(sock, &addr_len, sizeof(int)); | 
| 423 | } else { | 
| 424 | addr_len = strlen(hostname) + 1; | 
| 425 | must_write(sock, &addr_len, sizeof(int)); | 
| 426 | must_write(sock, hostname, addr_len); | 
| 427 | } | 
| 428 | break; | 
| 429 | default: | 
| 430 | errx(1, "unknown command %d", cmd); | 
| 431 | break; | 
| 432 | } | 
| 433 | } | 
| 434 | |
| 435 | close(sock); | 
| 436 | |
| 437 | if (restart) { | 
| 438 | int status; | 
| 439 | |
| 440 | waitpid(child_pid, &status, 0); | 
| 441 | sigemptyset(&sigmask); | 
| 442 | sigaddset(&sigmask, SIGHUP1); | 
| 443 | if (sigprocmask(SIG_SETMASK3, &sigmask, NULL((void *)0)) == -1) | 
| 444 | err(1, "sigprocmask exec"); | 
| 445 | execvp(argv[0], argv); | 
| 446 | err(1, "exec restart '%s' failed", argv[0]); | 
| 447 | } | 
| 448 | unlink(_PATH_LOGPID"/var/run/syslog.pid"); | 
| 449 | exit(0); | 
| 450 | } | 
| 451 | |
| 452 | static int | 
| 453 | open_file(char *path) | 
| 454 | { | 
| 455 | /* must not start with | */ | 
| 456 | if (path[0] == '|') | 
| 457 | return (-1); | 
| 458 | |
| 459 | return (open(path, O_WRONLY0x0001|O_APPEND0x0008|O_NONBLOCK0x0004)); | 
| 460 | } | 
| 461 | |
| 462 | static int | 
| 463 | open_pipe(char *cmd) | 
| 464 | { | 
| 465 | char *argp[] = {"sh", "-c", NULL((void *)0), NULL((void *)0)}; | 
| 466 | int fd[2]; | 
| 467 | int bsize, flags; | 
| 468 | pid_t pid; | 
| 469 | |
| 470 | /* skip over leading | and whitespace */ | 
| 471 | if (cmd[0] != '|') | 
| 472 | return (-1); | 
| 473 | for (cmd++; *cmd && *cmd == ' '; cmd++) | 
| 474 | ; /* nothing */ | 
| 475 | if (!*cmd) | 
| 476 | return (-1); | 
| 477 | |
| 478 | argp[2] = cmd; | 
| 479 | |
| 480 | if (socketpair(AF_UNIX1, SOCK_STREAM1, PF_UNSPEC0, fd) == -1) { | 
| 481 | warnx("open_pipe"); | 
| 482 | return (-1); | 
| 483 | } | 
| 484 | |
| 485 | /* make the fd on syslogd's side nonblocking */ | 
| 486 | if ((flags = fcntl(fd[1], F_GETFL3)) == -1) { | 
| 487 | warnx("fcntl"); | 
| 488 | return (-1); | 
| 489 | } | 
| 490 | flags |= O_NONBLOCK0x0004; | 
| 491 | if ((flags = fcntl(fd[1], F_SETFL4, flags)) == -1) { | 
| 492 | warnx("fcntl"); | 
| 493 | return (-1); | 
| 494 | } | 
| 495 | |
| 496 | switch (pid = fork()) { | 
| 497 | case -1: | 
| 498 | warnx("fork error"); | 
| 499 | return (-1); | 
| 500 | case 0: | 
| 501 | break; | 
| 502 | default: | 
| 503 | close(fd[0]); | 
| 504 | return (fd[1]); | 
| 505 | } | 
| 506 | |
| 507 | close(fd[1]); | 
| 508 | |
| 509 | /* grow receive buffer */ | 
| 510 | bsize = 65535; | 
| 511 | while (bsize > 0 && setsockopt(fd[0], SOL_SOCKET0xffff, SO_RCVBUF0x1002, | 
| 512 | &bsize, sizeof(bsize)) == -1) | 
| 513 | bsize /= 2; | 
| 514 | |
| 515 | if (setgroups(1, &pw->pw_gid) == -1 || | 
| 516 | setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 || | 
| 517 | setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) | 
| 518 | err(1, "failure dropping privs"); | 
| 519 | |
| 520 | if (dup2(fd[0], STDIN_FILENO0) == -1) | 
| 521 | err(1, "dup2 failed"); | 
| 522 | closefrom(STDERR_FILENO2 + 1); | 
| 523 | if (execv("/bin/sh", argp) == -1) | 
| 524 | err(1, "execv %s", cmd); | 
| 525 | /* NOTREACHED */ | 
| 526 | return (-1); | 
| 527 | } | 
| 528 | |
| 529 | /* Check that the terminal device is ok, and if not, rewrite to /dev/null. | 
| 530 | * Either /dev/console or /dev/tty* are allowed. | 
| 531 | */ | 
| 532 | static void | 
| 533 | check_tty_name(char *tty, size_t ttysize) | 
| 534 | { | 
| 535 | const char ttypre[] = "/dev/tty"; | 
| 536 | char *p; | 
| 537 | |
| 538 | /* Any path containing '..' is invalid. */ | 
| 539 | for (p = tty; p + 1 < tty + ttysize && *p; p++) | 
| 540 | if (*p == '.' && *(p + 1) == '.') | 
| 541 | goto bad_path; | 
| 542 | |
| 543 | if (strcmp(_PATH_CONSOLE"/dev/console", tty) && strncmp(tty, ttypre, strlen(ttypre))) | 
| 544 | goto bad_path; | 
| 545 | return; | 
| 546 | |
| 547 | bad_path: | 
| 548 | warnx ("%s: invalid attempt to open %s: rewriting to /dev/null", | 
| 549 | "check_tty_name", tty); | 
| 550 | strlcpy(tty, "/dev/null", ttysize); | 
| 551 | } | 
| 552 | |
| 553 | /* If we are in the initial configuration state, accept a logname and add | 
| 554 | * it to the list of acceptable logfiles. Otherwise, check against this list | 
| 555 | * and rewrite to /dev/null if it's a bad path. | 
| 556 | */ | 
| 557 | static void | 
| 558 | check_log_name(char *lognam, size_t logsize) | 
| 559 | { | 
| 560 | struct logname *lg; | 
| 561 | char *p; | 
| 562 | |
| 563 | /* Any path containing '..' is invalid. */ | 
| 564 | for (p = lognam; p + 1 < lognam + logsize && *p; p++) | 
| 565 | if (*p == '.' && *(p + 1) == '.') | 
| 566 | goto bad_path; | 
| 567 | |
| 568 | switch (cur_state) { | 
| 569 | case STATE_CONFIG: | 
| 570 | lg = malloc(sizeof(struct logname)); | 
| 571 | if (!lg) | 
| 572 | err(1, "check_log_name() malloc"); | 
| 573 | strlcpy(lg->path, lognam, PATH_MAX1024); | 
| 574 | TAILQ_INSERT_TAIL(&lognames, lg, next)do { (lg)->next.tqe_next = ((void *)0); (lg)->next.tqe_prev = (&lognames)->tqh_last; *(&lognames)->tqh_last = (lg); (&lognames)->tqh_last = &(lg)->next.tqe_next ; } while (0); | 
| 575 | if (lognam[0] != '|') { | 
| 576 | if (unveil(lognam, "w") == -1) | 
| 577 | goto bad_path; | 
| 578 | } | 
| 579 | break; | 
| 580 | case STATE_RUNNING: | 
| 581 | TAILQ_FOREACH(lg, &lognames, next)for((lg) = ((&lognames)->tqh_first); (lg) != ((void *) 0); (lg) = ((lg)->next.tqe_next)) | 
| 582 | if (!strcmp(lg->path, lognam)) | 
| 583 | return; | 
| 584 | goto bad_path; | 
| 585 | break; | 
| 586 | default: | 
| 587 | /* Any other state should just refuse the request */ | 
| 588 | goto bad_path; | 
| 589 | break; | 
| 590 | } | 
| 591 | return; | 
| 592 | |
| 593 | bad_path: | 
| 594 | warnx("%s: invalid attempt to open %s: rewriting to /dev/null", | 
| 595 | "check_log_name", lognam); | 
| 596 | strlcpy(lognam, "/dev/null", logsize); | 
| 597 | } | 
| 598 | |
| 599 | /* Crank our state into less permissive modes */ | 
| 600 | static void | 
| 601 | increase_state(int state) | 
| 602 | { | 
| 603 | if (state <= cur_state) | 
| 604 | errx(1, "attempt to decrease or match current state"); | 
| 605 | if (state < STATE_INIT || state > STATE_QUIT) | 
| 606 | errx(1, "attempt to switch to invalid state"); | 
| 607 | cur_state = state; | 
| 608 | } | 
| 609 | |
| 610 | /* Open console or a terminal device for writing */ | 
| 611 | int | 
| 612 | priv_open_tty(const char *tty) | 
| 613 | { | 
| 614 | char path[PATH_MAX1024]; | 
| 615 | int cmd, fd; | 
| 616 | size_t path_len; | 
| 617 | |
| 618 | if (priv_fd < 0) | 
| 619 | errx(1, "%s: called from privileged portion", __func__); | 
| 620 | |
| 621 | if (strlcpy(path, tty, sizeof path) >= sizeof(path)) | 
| 622 | return -1; | 
| 623 | path_len = strlen(path) + 1; | 
| 624 | |
| 625 | cmd = PRIV_OPEN_TTY; | 
| 626 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 627 | must_write(priv_fd, &path_len, sizeof(size_t)); | 
| 628 | must_write(priv_fd, path, path_len); | 
| 629 | fd = receive_fd(priv_fd); | 
| 630 | return fd; | 
| 631 | } | 
| 632 | |
| 633 | /* Open log-file */ | 
| 634 | int | 
| 635 | priv_open_log(const char *lognam) | 
| 636 | { | 
| 637 | char path[PATH_MAX1024]; | 
| 638 | int cmd, fd; | 
| 639 | size_t path_len; | 
| 640 | |
| 641 | if (priv_fd < 0) | 
| 642 | errx(1, "%s: called from privileged child", __func__); | 
| 643 | |
| 644 | if (strlcpy(path, lognam, sizeof path) >= sizeof(path)) | 
| 645 | return -1; | 
| 646 | path_len = strlen(path) + 1; | 
| 647 | |
| 648 | if (lognam[0] == '|') | 
| 649 | cmd = PRIV_OPEN_PIPE; | 
| 650 | else | 
| 651 | cmd = PRIV_OPEN_LOG; | 
| 652 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 653 | must_write(priv_fd, &path_len, sizeof(size_t)); | 
| 654 | must_write(priv_fd, path, path_len); | 
| 655 | fd = receive_fd(priv_fd); | 
| 656 | return fd; | 
| 657 | } | 
| 658 | |
| 659 | /* Open utmp for reading */ | 
| 660 | FILE * | 
| 661 | priv_open_utmp(void) | 
| 662 | { | 
| 663 | int cmd, fd; | 
| 664 | FILE *fp; | 
| 665 | |
| 666 | if (priv_fd < 0) | 
| 667 | errx(1, "%s: called from privileged portion", __func__); | 
| 668 | |
| 669 | cmd = PRIV_OPEN_UTMP; | 
| 670 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 671 | fd = receive_fd(priv_fd); | 
| 672 | if (fd < 0) | 
| 673 | return NULL((void *)0); | 
| 674 | |
| 675 | fp = fdopen(fd, "r"); | 
| 676 | if (!fp) { | 
| 677 | warn("priv_open_utmp: fdopen() failed"); | 
| 678 | close(fd); | 
| 679 | return NULL((void *)0); | 
| 680 | } | 
| 681 | |
| 682 | return fp; | 
| 683 | } | 
| 684 | |
| 685 | /* Open syslog config file for reading */ | 
| 686 | FILE * | 
| 687 | priv_open_config(void) | 
| 688 | { | 
| 689 | int cmd, fd; | 
| 690 | FILE *fp; | 
| 691 | |
| 692 | if (priv_fd < 0) | 
| 693 | errx(1, "%s: called from privileged portion", __func__); | 
| 694 | |
| 695 | cmd = PRIV_OPEN_CONFIG; | 
| 696 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 697 | fd = receive_fd(priv_fd); | 
| 698 | if (fd < 0) | 
| 699 | return NULL((void *)0); | 
| 700 | |
| 701 | fp = fdopen(fd, "r"); | 
| 702 | if (!fp) { | 
| 703 | warn("priv_open_config: fdopen() failed"); | 
| 704 | close(fd); | 
| 705 | return NULL((void *)0); | 
| 706 | } | 
| 707 | |
| 708 | return fp; | 
| 709 | } | 
| 710 | |
| 711 | /* Ask if config file has been modified since last attempt to read it */ | 
| 712 | int | 
| 713 | priv_config_modified(void) | 
| 714 | { | 
| 715 | int cmd, res; | 
| 716 | |
| 717 | if (priv_fd < 0) | 
| 718 | errx(1, "%s: called from privileged portion", __func__); | 
| 719 | |
| 720 | cmd = PRIV_CONFIG_MODIFIED; | 
| 721 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 722 | |
| 723 | /* Expect back integer signalling 1 for modification */ | 
| 724 | must_read(priv_fd, &res, sizeof(int)); | 
| 725 | return res; | 
| 726 | } | 
| 727 | |
| 728 | /* Child can signal that its initial parsing is done, so that parent | 
| 729 | * can revoke further logfile permissions. This call only works once. */ | 
| 730 | void | 
| 731 | priv_config_parse_done(void) | 
| 732 | { | 
| 733 | int cmd; | 
| 734 | |
| 735 | if (priv_fd < 0) | 
| 736 | errx(1, "%s: called from privileged portion", __func__); | 
| 737 | |
| 738 | cmd = PRIV_DONE_CONFIG_PARSE; | 
| 739 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 740 | } | 
| 741 | |
| 742 | /* Name/service to address translation. Response is placed into addr. | 
| 743 | * Return 0 for success or < 0 for error like getaddrinfo(3) */ | 
| 744 | int | 
| 745 | priv_getaddrinfo(char *proto, char *host, char *serv, struct sockaddr *addr, | 
| 746 | size_t addr_len) | 
| 747 | { | 
| 748 | char protocpy[5], hostcpy[NI_MAXHOST256], servcpy[NI_MAXSERV32]; | 
| 749 | int cmd, ret_len; | 
| 750 | size_t protoname_len, hostname_len, servname_len; | 
| 751 | |
| 752 | if (priv_fd < 0) | 
| 753 | errx(1, "%s: called from privileged portion", __func__); | 
| 754 | |
| 755 | if (strlcpy(protocpy, proto, sizeof(protocpy)) >= sizeof(protocpy)) | 
| 756 | errx(1, "%s: overflow attempt in protoname", __func__); | 
| 757 | protoname_len = strlen(protocpy) + 1; | 
| 758 | if (strlcpy(hostcpy, host, sizeof(hostcpy)) >= sizeof(hostcpy)) | 
| 759 | errx(1, "%s: overflow attempt in hostname", __func__); | 
| 760 | hostname_len = strlen(hostcpy) + 1; | 
| 761 | if (strlcpy(servcpy, serv, sizeof(servcpy)) >= sizeof(servcpy)) | 
| 762 | errx(1, "%s: overflow attempt in servname", __func__); | 
| 763 | servname_len = strlen(servcpy) + 1; | 
| 764 | |
| 765 | cmd = PRIV_GETADDRINFO; | 
| 766 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 767 | must_write(priv_fd, &protoname_len, sizeof(size_t)); | 
| 768 | must_write(priv_fd, protocpy, protoname_len); | 
| 769 | must_write(priv_fd, &hostname_len, sizeof(size_t)); | 
| 770 | must_write(priv_fd, hostcpy, hostname_len); | 
| 771 | must_write(priv_fd, &servname_len, sizeof(size_t)); | 
| 772 | must_write(priv_fd, servcpy, servname_len); | 
| 773 | |
| 774 | /* Expect back an integer size, and then a string of that length */ | 
| 775 | must_read(priv_fd, &ret_len, sizeof(int)); | 
| 776 | |
| 777 | /* Check there was no error (indicated by a return of 0) */ | 
| 778 | if (!ret_len) | 
| 779 | return (-1); | 
| 780 | |
| 781 | /* Make sure we aren't overflowing the passed in buffer */ | 
| 782 | if (ret_len < 0 || (size_t)ret_len > addr_len) | 
| 783 | errx(1, "%s: overflow attempt in return", __func__); | 
| 784 | |
| 785 | /* Read the resolved address and make sure we got all of it */ | 
| 786 | memset(addr, '\0', addr_len); | 
| 787 | must_read(priv_fd, addr, ret_len); | 
| 788 | |
| 789 | return (0); | 
| 790 | } | 
| 791 | |
| 792 | /* Reverse address resolution; response is placed into host. | 
| 793 | * Return 0 for success or < 0 for error like getnameinfo(3) */ | 
| 794 | int | 
| 795 | priv_getnameinfo(struct sockaddr *sa, socklen_t salen, char *host, | 
| 796 | size_t hostlen) | 
| 797 | { | 
| 798 | int cmd, ret_len; | 
| 799 | |
| 800 | if (priv_fd < 0) | 
| 801 | errx(1, "%s called from privileged portion", __func__); | 
| 802 | |
| 803 | cmd = PRIV_GETNAMEINFO; | 
| 804 | must_write(priv_fd, &cmd, sizeof(int)); | 
| 805 | must_write(priv_fd, &salen, sizeof(int)); | 
| 806 | must_write(priv_fd, sa, salen); | 
| 807 | |
| 808 | /* Expect back an integer size, and then a string of that length */ | 
| 809 | must_read(priv_fd, &ret_len, sizeof(int)); | 
| 810 | |
| 811 | /* Check there was no error (indicated by a return of 0) */ | 
| 812 | if (!ret_len) | 
| 813 | return (-1); | 
| 814 | |
| 815 | /* Check we don't overflow the passed in buffer */ | 
| 816 | if (ret_len < 0 || (size_t)ret_len > hostlen) | 
| 817 | errx(1, "%s: overflow attempt in return", __func__); | 
| 818 | |
| 819 | /* Read the resolved hostname */ | 
| 820 | must_read(priv_fd, host, ret_len); | 
| 821 | return (0); | 
| 822 | } | 
| 823 | |
| 824 | /* Pass the signal through to child */ | 
| 825 | static void | 
| 826 | sig_pass_to_chld(int sig) | 
| 827 | { | 
| 828 | int save_errno = errno(*__errno()); | 
| 829 | |
| 830 | if (child_pid != -1) | 
| 831 | kill(child_pid, sig); | 
| 832 | errno(*__errno()) = save_errno; | 
| 833 | } | 
| 834 | |
| 835 | /* When child dies, move into the shutdown state */ | 
| 836 | /* ARGSUSED */ | 
| 837 | static void | 
| 838 | sig_got_chld(int sig) | 
| 839 | { | 
| 840 | int save_errno = errno(*__errno()); | 
| 841 | pid_t pid; | 
| 842 | |
| 843 | do { | 
| 844 | pid = waitpid(WAIT_ANY(-1), NULL((void *)0), WNOHANG1); | 
| 845 | if (pid == child_pid && cur_state < STATE_QUIT) | 
| 846 | cur_state = STATE_QUIT; | 
| 847 | } while (pid > 0 || (pid == -1 && errno(*__errno()) == EINTR4)); | 
| 848 | errno(*__errno()) = save_errno; | 
| 849 | } | 
| 850 | |
| 851 | /* Read all data or return 1 for error. */ | 
| 852 | static int | 
| 853 | may_read(int fd, void *buf, size_t n) | 
| 854 | { | 
| 855 | char *s = buf; | 
| 856 | ssize_t res; | 
| 857 | size_t pos = 0; | 
| 858 | |
| 859 | while (n > pos) { | 
| 860 | res = read(fd, s + pos, n - pos); | 
| 861 | switch (res) { | 
| 862 | case -1: | 
| 863 | if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35) | 
| 864 | continue; | 
| 865 | case 0: | 
| 866 | return (1); | 
| 867 | default: | 
| 868 | pos += res; | 
| 869 | } | 
| 870 | } | 
| 871 | return (0); | 
| 872 | } | 
| 873 | |
| 874 | /* Read data with the assertion that it all must come through, or | 
| 875 | * else abort the process. Based on atomicio() from openssh. */ | 
| 876 | static void | 
| 877 | must_read(int fd, void *buf, size_t n) | 
| 878 | { | 
| 879 | char *s = buf; | 
| 880 | ssize_t res; | 
| 881 | size_t pos = 0; | 
| 882 | |
| 883 | while (n > pos) { | 
| 884 | res = read(fd, s + pos, n - pos); | 
| 885 | switch (res) { | 
| 886 | case -1: | 
| 887 | if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35) | 
| 888 | continue; | 
| 889 | case 0: | 
| 890 | _exit(1); | 
| 891 | default: | 
| 892 | pos += res; | 
| 893 | } | 
| 894 | } | 
| 895 | } | 
| 896 | |
| 897 | /* Write data with the assertion that it all has to be written, or | 
| 898 | * else abort the process. Based on atomicio() from openssh. */ | 
| 899 | static void | 
| 900 | must_write(int fd, void *buf, size_t n) | 
| 901 | { | 
| 902 | char *s = buf; | 
| 903 | ssize_t res; | 
| 904 | size_t pos = 0; | 
| 905 | |
| 906 | while (n > pos) { | 
| 907 | res = write(fd, s + pos, n - pos); | 
| 908 | switch (res) { | 
| 909 | case -1: | 
| 910 | if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35) | 
| 911 | continue; | 
| 912 | case 0: | 
| 913 | _exit(1); | 
| 914 | default: | 
| 915 | pos += res; | 
| 916 | } | 
| 917 | } | 
| 918 | } |