2 * Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: os.c,v 1.107 2011/03/02 00:02:54 marka Exp $ */
25 #include <sys/types.h> /* dev_t FreeBSD 2.1 */
31 #include <grp.h> /* Required for initgroups() on IRIX. */
42 #include <isc/buffer.h>
44 #include <isc/print.h>
45 #include <isc/resource.h>
46 #include <isc/result.h>
47 #include <isc/strerror.h>
48 #include <isc/string.h>
50 #include <named/main.h>
53 #include <named/ns_smf_globals.h>
/*
 * pidfile: heap copy of the pid file name; assigned from strdup() in
 * ns_os_writepidfile() and tested against NULL in cleanup_pidfile().
 * devnullfd: descriptor for /dev/null; assigned by ns_os_opendevnull()
 * and dup2()ed onto stdin, stdout and stderr in ns_os_daemonize().
 * The value -1 is treated as "not open" there.
 */
56 static char *pidfile = NULL;
57 static int devnullfd = -1;
60 #define ISC_FACILITY LOG_DAEMON
64 * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
66 #ifndef HAVE_LINUX_CAPABILITY_H
67 #undef HAVE_SYS_PRCTL_H
72 * (T) HAVE_LINUXTHREADS
73 * (C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H)
74 * (P) HAVE_SYS_PRCTL_H
75 * The possible cases are:
76 * none: setuid() normally
78 * C: setuid() normally, drop caps (keep CAP_SETUID)
79 * T+C: no setuid(), drop caps (don't keep CAP_SETUID)
80 * T+C+P: setuid() early, drop caps (keep CAP_SETUID)
81 * C+P: setuid() normally, drop caps (keep CAP_SETUID)
86 * caps = BIND_SERVICE + CHROOT + SETGID
87 * if ((T && C && P) || !T)
92 * if (T && C && P && -u)
99 * if (C && (P || !-u))
100 * caps = BIND_SERVICE
104 * It will be nice when Linux threads work properly with setuid().
107 #ifdef HAVE_LINUXTHREADS
108 static pid_t mainpid = 0;
/*
 * runas_pw: passwd entry of the user to run as; filled in by
 * ns_os_inituserinfo() and initially NULL.
 * done_setuid: tested at the top of ns_os_changeuser() and set to
 * ISC_TRUE there.
 * dfd: pipe created in ns_os_daemonize(); ns_os_started() writes one
 * byte to dfd[1] and then resets both entries to -1.
 */
111 static struct passwd *runas_pw = NULL;
112 static isc_boolean_t done_setuid = ISC_FALSE;
113 static int dfd[2] = { -1, -1 };
115 #ifdef HAVE_LINUX_CAPABILITY_H
117 static isc_boolean_t non_root = ISC_FALSE;
118 static isc_boolean_t non_root_caps = ISC_FALSE;
120 #ifdef HAVE_SYS_CAPABILITY_H
121 #include <sys/capability.h>
123 #ifdef HAVE_LINUX_TYPES_H
124 #include <linux/types.h>
127 * We define _LINUX_FS_H to prevent it from being included. We don't need
128 * anything from it, and the files it includes cause warnings with 2.2
129 * kernels, and compilation failures (due to conflicts between <linux/string.h>
130 * and <string.h>) on 2.3 kernels.
133 #include <linux/capability.h>
137 #include <asm/unistd.h> /* Slackware 4.0 needs this. */
138 #endif /* __NR_capset */
139 #define SYS_capset __NR_capset
140 #endif /* SYS_capset */
141 #endif /* HAVE_SYS_CAPABILITY_H */
143 #ifdef HAVE_SYS_PRCTL_H
144 #include <sys/prctl.h> /* Required for prctl(). */
147 * If the value of PR_SET_KEEPCAPS is not in <sys/prctl.h>, define it
148 * here. This allows setuid() to work on systems running a new enough
149 * kernel but with /usr/include/linux pointing to "standard" kernel
152 #ifndef PR_SET_KEEPCAPS
153 #define PR_SET_KEEPCAPS 8
156 #endif /* HAVE_SYS_PRCTL_H */
159 #define SETCAPS_FUNC "cap_set_proc "
161 typedef unsigned int cap_t;
162 #define SETCAPS_FUNC "syscall(capset) "
163 #endif /* HAVE_LIBCAP */
/*
 * Apply the capability set `caps` to the current process.
 *
 * Two variants are interleaved here by preprocessor conditionals that this
 * listing does not show: one calls cap_set_proc(caps), the other fills a
 * __user_cap_header_struct / __user_cap_data_struct pair (effective and
 * permitted both set to caps) and invokes syscall(SYS_capset, ...).
 * A failure of either call is reported through ns_main_earlyfatal() using
 * the isc__strerror() text for errno.
 *
 * The test on getuid(), non_root_caps and non_root comes first.
 * NOTE(review): the statement it controls is not visible in this listing,
 * presumably an early return -- confirm against the full file.
 */
166 linux_setcaps(cap_t caps) {
168 struct __user_cap_header_struct caphead;
169 struct __user_cap_data_struct cap;
171 char strbuf[ISC_STRERRORSIZE];
173 if ((getuid() != 0 && !non_root_caps) || non_root)
176 memset(&caphead, 0, sizeof(caphead));
177 caphead.version = _LINUX_CAPABILITY_VERSION;
179 memset(&cap, 0, sizeof(cap));
180 cap.effective = caps;
181 cap.permitted = caps;
185 if (cap_set_proc(caps) < 0) {
187 if (syscall(SYS_capset, &caphead, &cap) < 0) {
189 isc__strerror(errno, strbuf, sizeof(strbuf));
190 ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:"
191 " please ensure that the capset kernel"
192 " module is loaded. see insmod(8)",
/*
 * Capability helper macros, in two flavours.  The preprocessor lines that
 * select between them and several macro lines are missing from this
 * listing.
 *
 * libcap flavour: SET_CAP queries the current process set (curcaps) with
 * cap_get_flag() and, when the capability is currently permitted, sets it
 * in both the effective and the permitted set of `caps` with
 * cap_set_flag().  The setup code checks `caps` (error text "cap_init
 * failed") and the cap_get_proc() result for NULL.  Every failure goes to
 * ns_main_earlyfatal().
 * NOTE(review): the two cap_set_flag() failure messages say "cap_set_proc
 * failed"; that looks like a copy/paste slip -- confirm before changing.
 *
 * Plain flavour: `caps` is an integer bit mask; SET_CAP ORs in
 * (1 << flag) and INIT_CAP resets the mask to 0.
 */
198 #define SET_CAP(flag) \
201 cap_flag_value_t curval; \
202 err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
203 if (err != -1 && curval) { \
204 err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
206 isc__strerror(errno, strbuf, sizeof(strbuf)); \
207 ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
210 err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
212 isc__strerror(errno, strbuf, sizeof(strbuf)); \
213 ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
220 if (caps == NULL) { \
221 isc__strerror(errno, strbuf, sizeof(strbuf)); \
222 ns_main_earlyfatal("cap_init failed: %s", strbuf); \
224 curcaps = cap_get_proc(); \
225 if (curcaps == NULL) { \
226 isc__strerror(errno, strbuf, sizeof(strbuf)); \
227 ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
236 #define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
237 #define INIT_CAP do { caps = 0; } while (0)
238 #endif /* HAVE_LIBCAP */
/*
 * Reduce the process to the capabilities needed during start-up.
 *
 * Visible SET_CAP() calls request CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT,
 * CAP_DAC_READ_SEARCH and CAP_SYS_RESOURCE.  The surviving comment text
 * also mentions the setuid capability (only when HAVE_SYS_PRCTL_H is
 * defined or HAVE_LINUXTHREADS is not), a capability needed because
 * initgroups is called, and one for setting the ownership of the pid file
 * directory.
 * NOTE(review): the SET_CAP() lines for those three capabilities and the
 * final call that applies the set are not visible in this listing --
 * confirm against the full file.
 */
241 linux_initialprivs(void) {
246 char strbuf[ISC_STRERRORSIZE];
251 * We don't need most privileges, so we drop them right away.
252 * Later on linux_minprivs() will be called, which will drop our
253 * capabilities to the minimum needed to run the server.
258 * We need to be able to bind() to privileged ports, notably port 53!
260 SET_CAP(CAP_NET_BIND_SERVICE);
263 * We need chroot() initially too.
265 SET_CAP(CAP_SYS_CHROOT);
267 #if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
269 * We can setuid() only if either the kernel supports keeping
270 * capabilities after setuid() (which we don't know until we've
271 * tried) or we're not using threads. If either of these is
272 * true, we want the setuid capability.
278 * Since we call initgroups, we need this.
283 * Without this, we run into problems reading a configuration file
284 * owned by a non-root user and non-world-readable on startup.
286 SET_CAP(CAP_DAC_READ_SEARCH);
289 * XXX We might want to add CAP_SYS_RESOURCE, though it's not
290 * clear it would work right given the way linuxthreads work.
291 * XXXDCL But since we need to be able to set the maximum number
292 * of files, the stack size, data size, and core dump size to
293 * support named.conf options, this is now being added to test.
295 SET_CAP(CAP_SYS_RESOURCE);
298 * We need to be able to set the ownership of the containing
299 * directory of the pid file when we create it.
/*
 * Drop to the minimal capability set kept while the server runs.
 *
 * Visible SET_CAP() calls keep CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE.
 * Per the comment text below, CAP_SYS_CHROOT is deliberately dropped so
 * that chroot() cannot be used to escape from the chrooted area.
 * NOTE(review): the phrase "it chroot() could be used" below contains a
 * stray "it".  The lines that initialise and apply the set are not
 * visible in this listing.
 */
311 linux_minprivs(void) {
316 char strbuf[ISC_STRERRORSIZE];
322 * Drop all privileges except the ability to bind() to privileged
325 * It's important that we drop CAP_SYS_CHROOT. If we didn't, it
326 * chroot() could be used to escape from the chrooted area.
329 SET_CAP(CAP_NET_BIND_SERVICE);
332 * XXX We might want to add CAP_SYS_RESOURCE, though it's not
333 * clear it would work right given the way linuxthreads work.
334 * XXXDCL But since we need to be able to set the maximum number
335 * of files, the stack size, data size, and core dump size to
336 * support named.conf options, this is now being added to test.
338 SET_CAP(CAP_SYS_RESOURCE);
347 #ifdef HAVE_SYS_PRCTL_H
/*
 * Ask the kernel, via prctl(PR_SET_KEEPCAPS, 1, ...), to let the process
 * keep its capabilities (the surviving comment text breaks off after
 * "after we").
 *
 * A prctl() failure with an errno other than EINVAL is fatal
 * (ns_main_earlyfatal()).  non_root_caps is set to ISC_TRUE further down.
 * NOTE(review): the branch structure around that assignment is not fully
 * visible in this listing -- presumably it is the success path; confirm.
 */
349 linux_keepcaps(void) {
350 char strbuf[ISC_STRERRORSIZE];
352 * Ask the kernel to allow us to keep our capabilities after we
356 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
357 if (errno != EINVAL) {
358 isc__strerror(errno, strbuf, sizeof(strbuf));
359 ns_main_earlyfatal("prctl() failed: %s", strbuf);
362 non_root_caps = ISC_TRUE;
369 #endif /* HAVE_LINUX_CAPABILITY_H */
/*
 * Open the syslog connection for this process: openlog() is called with
 * the basename of `progname` (isc_file_basename()), the accumulated
 * `options` flags and the ISC_FACILITY facility.  LOG_NDELAY is ORed into
 * the options; other option lines are not visible in this listing.
 */
373 setup_syslog(const char *progname) {
378 options |= LOG_NDELAY;
380 openlog(isc_file_basename(progname), options, ISC_FACILITY);
/*
 * Early operating-system setup for the server.
 *
 * Visible steps: set up syslog for `progname`, call linux_initialprivs()
 * when HAVE_LINUX_CAPABILITY_H is defined, and ignore SIGXFSZ.
 * NOTE(review): the body of the HAVE_LINUXTHREADS section is not visible
 * in this listing.
 */
384 ns_os_init(const char *progname) {
385 setup_syslog(progname);
386 #ifdef HAVE_LINUX_CAPABILITY_H
387 linux_initialprivs();
389 #ifdef HAVE_LINUXTHREADS
393 signal(SIGXFSZ, SIG_IGN);
/*
 * Detach from the controlling terminal and continue as a daemon.
 *
 * Visible steps:
 *  - create the dfd pipe; pipe(), fork() and setsid() failures are fatal
 *    (ns_main_earlyfatal());
 *  - one branch reads a single byte from dfd[0], retrying while read()
 *    fails with EINTR; per the comment text this waits for the child to
 *    finish loading for the first time (see ns_os_started());
 *  - start a new session with setsid();
 *  - when devnullfd is not -1, point stdin, stdout and stderr at it with
 *    close() + dup2(), ignoring errors.
 *
 * NOTE(review): the fork() call itself, the branch boundaries and the exit
 * path of the waiting process are not visible in this listing.
 */
398 ns_os_daemonize(void) {
400 char strbuf[ISC_STRERRORSIZE];
402 if (pipe(dfd) == -1) {
403 isc__strerror(errno, strbuf, sizeof(strbuf));
404 ns_main_earlyfatal("pipe(): %s", strbuf);
409 isc__strerror(errno, strbuf, sizeof(strbuf));
410 ns_main_earlyfatal("fork(): %s", strbuf);
415 * Wait for the child to finish loading for the first time.
416 * This would be so much simpler if fork() worked once we
417 * were multi-threaded.
422 n = read(dfd[0], &buf, 1);
425 } while (n == -1 && errno == EINTR);
434 #ifdef HAVE_LINUXTHREADS
438 if (setsid() == -1) {
439 isc__strerror(errno, strbuf, sizeof(strbuf));
440 ns_main_earlyfatal("setsid(): %s", strbuf);
444 * Try to set stdin, stdout, and stderr to /dev/null, but press
445 * on even if it fails.
447 * XXXMLG The close() calls here are unneeded on all but NetBSD, but
448 * are harmless to include everywhere. dup2() is supposed to close
449 * the FD if it is in use, but unproven-pthreads-0.16 is broken
450 * and will end up closing the wrong FD. This will be fixed eventually,
451 * and these calls will be removed.
453 if (devnullfd != -1) {
454 if (devnullfd != STDIN_FILENO) {
455 (void)close(STDIN_FILENO);
456 (void)dup2(devnullfd, STDIN_FILENO);
458 if (devnullfd != STDOUT_FILENO) {
459 (void)close(STDOUT_FILENO);
460 (void)dup2(devnullfd, STDOUT_FILENO);
462 if (devnullfd != STDERR_FILENO) {
463 (void)close(STDERR_FILENO);
464 (void)dup2(devnullfd, STDERR_FILENO);
/*
 * Signal the parent, through the dfd pipe, that start-up succeeded.
 *
 * When both dfd entries are set, one byte is written to dfd[1]; a write
 * that does not return 1 is fatal.  Both dfd entries are reset to -1.
 * NOTE(review): any close() calls on the pipe ends are not visible in
 * this listing.
 */
470 ns_os_started(void) {
474 * Signal to the parent that we started successfully.
476 if (dfd[0] != -1 && dfd[1] != -1) {
477 if (write(dfd[1], &buf, 1) != 1)
478 ns_main_earlyfatal("unable to signal parent that we "
479 "otherwise started successfully.");
481 dfd[0] = dfd[1] = -1;
/*
 * Open /dev/null read-write and remember the descriptor in devnullfd.
 * The open() result is stored without a check, so devnullfd holds -1
 * when the open fails.
 */
486 ns_os_opendevnull(void) {
487 devnullfd = open("/dev/null", O_RDWR, 0);
/*
 * Act on devnullfd only when it is not one of the standard descriptors
 * (stdin, stdout, stderr).
 * NOTE(review): the guarded statement is not visible in this listing --
 * presumably close(devnullfd); confirm against the full file.
 */
491 ns_os_closedevnull(void) {
492 if (devnullfd != STDIN_FILENO &&
493 devnullfd != STDOUT_FILENO &&
494 devnullfd != STDERR_FILENO) {
/*
 * Check the characters of the string `s` with isdigit().
 *
 * Each character is masked with 0xff before being handed to isdigit(), so
 * a negative char value is never passed to it.
 * NOTE(review): the loop, the empty-string handling and the return
 * statements are not visible in this listing.
 */
501 all_digits(const char *s) {
505 if (!isdigit((*s)&0xff))
/*
 * Confine the process to `root` with chroot() and then chdir("/").
 *
 * A failure of either call is fatal (ns_main_earlyfatal()).  An
 * alternative branch reports "chroot(): disabled" instead.
 * NOTE(review): the preprocessor lines that choose between the branches,
 * any NULL check on `root`, and the code that sets the ns_smf_chroot flag
 * are not visible in this listing.
 */
513 ns_os_chroot(const char *root) {
514 char strbuf[ISC_STRERRORSIZE];
520 if (chroot(root) < 0) {
521 isc__strerror(errno, strbuf, sizeof(strbuf));
522 ns_main_earlyfatal("chroot(): %s", strbuf);
525 ns_main_earlyfatal("chroot(): disabled");
527 if (chdir("/") < 0) {
528 isc__strerror(errno, strbuf, sizeof(strbuf));
529 ns_main_earlyfatal("chdir(/): %s", strbuf);
532 /* Set ns_smf_chroot flag on successful chroot. */
/*
 * Look up the account named by `username` and store it in runas_pw.
 *
 * An all-digit name is treated as a numeric uid and looked up with
 * getpwuid(); the other branch uses getpwnam().  An unknown user is fatal.
 * initgroups() is then called with the entry name and gid, and its failure
 * is fatal as well.
 * NOTE(review): the statement controlled by the username == NULL test and
 * any condition around the initgroups() call are not visible in this
 * listing.  The uid is parsed with atoi(), which reports neither overflow
 * nor errors; strtoul() with a range check would be stricter.
 */
539 ns_os_inituserinfo(const char *username) {
540 char strbuf[ISC_STRERRORSIZE];
541 if (username == NULL)
544 if (all_digits(username))
545 runas_pw = getpwuid((uid_t)atoi(username));
547 runas_pw = getpwnam(username);
550 if (runas_pw == NULL)
551 ns_main_earlyfatal("user '%s' unknown", username);
554 if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
555 isc__strerror(errno, strbuf, sizeof(strbuf));
556 ns_main_earlyfatal("initgroups(): %s", strbuf);
/*
 * Switch the process to the user stored in runas_pw.
 *
 * The function first tests runas_pw and done_setuid (the controlled
 * statement is not visible, presumably an early return).  Visible steps
 * after that: set done_setuid, setgid() to the user gid, then setuid() to
 * the user uid (either failure is fatal), and -- when HAVE_SYS_PRCTL_H and
 * PR_SET_DUMPABLE are defined -- re-enable core dumps with prctl(), which
 * per the comment text the setuid() call disabled; that failure is only a
 * warning.
 *
 * With HAVE_LINUXTHREADS, two fatal "-u with Linux threads not supported"
 * messages exist.
 * NOTE(review): their conditions, and the code inside the final
 * HAVE_LINUX_CAPABILITY_H && !HAVE_LINUXTHREADS section, are not visible
 * in this listing.
 */
563 ns_os_changeuser(void) {
564 char strbuf[ISC_STRERRORSIZE];
565 if (runas_pw == NULL || done_setuid)
568 done_setuid = ISC_TRUE;
570 #ifdef HAVE_LINUXTHREADS
571 #ifdef HAVE_LINUX_CAPABILITY_H
573 ns_main_earlyfatal("-u with Linux threads not supported: "
574 "requires kernel support for "
575 "prctl(PR_SET_KEEPCAPS)");
577 ns_main_earlyfatal("-u with Linux threads not supported: "
578 "no capabilities support or capabilities "
579 "disabled at build time");
583 if (setgid(runas_pw->pw_gid) < 0) {
584 isc__strerror(errno, strbuf, sizeof(strbuf));
585 ns_main_earlyfatal("setgid(): %s", strbuf);
588 if (setuid(runas_pw->pw_uid) < 0) {
589 isc__strerror(errno, strbuf, sizeof(strbuf));
590 ns_main_earlyfatal("setuid(): %s", strbuf);
593 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
595 * Restore the ability of named to drop core after the setuid()
596 * call has disabled it.
598 if (prctl(PR_SET_DUMPABLE,1,0,0,0) < 0) {
599 isc__strerror(errno, strbuf, sizeof(strbuf));
600 ns_main_earlywarning("prctl(PR_SET_DUMPABLE) failed: %s",
604 #if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
/*
 * With HAVE_LINUXTHREADS, set the open-file limit to
 * ISC_RESOURCE_UNLIMITED through isc_resource_setlimit(); a failure only
 * produces a warning.  Per the comment text, a limit specified by one
 * thread does not seem to apply to other threads on Linux.
 * NOTE(review): the empty parameter list "()" is an old-style declarator;
 * "(void)" would match the other functions in this file.
 */
610 ns_os_adjustnofile() {
611 #ifdef HAVE_LINUXTHREADS
613 isc_resourcevalue_t newvalue;
616 * Linux: max number of open files specified by one thread doesn't seem
617 * to apply to other threads on Linux.
619 newvalue = ISC_RESOURCE_UNLIMITED;
621 result = isc_resource_setlimit(isc_resource_openfiles, newvalue);
622 if (result != ISC_R_SUCCESS)
623 ns_main_earlywarning("couldn't adjust limit on open files");
/*
 * Reduce privileges for normal operation.
 *
 * Visible: under HAVE_LINUXTHREADS, ns_os_changeuser() is called here so
 * that setuid() happens before threads are started.
 * NOTE(review): the statements inside the HAVE_SYS_PRCTL_H section and the
 * HAVE_LINUX_CAPABILITY_H && HAVE_LINUXTHREADS section are not visible in
 * this listing -- presumably linux_keepcaps() and linux_minprivs();
 * confirm against the full file.
 */
628 ns_os_minprivs(void) {
629 #ifdef HAVE_SYS_PRCTL_H
633 #ifdef HAVE_LINUXTHREADS
634 ns_os_changeuser(); /* Call setuid() before threads are started */
637 #if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS)
/*
 * Open `filename` for writing with creation mode `mode`.
 *
 * The file is stat()ed first; a separate branch handles the case
 * (sb.st_mode & S_IFREG) == 0, i.e. an existing entry without the
 * regular-file bit (its body is not visible in this listing).
 * Two open() variants are visible: O_WRONLY|O_CREAT|O_APPEND, and
 * unlink() followed by O_WRONLY|O_CREAT|O_EXCL, where an unlink() failure
 * other than ENOENT is handled separately.
 * NOTE(review): the test choosing between the two variants is not visible
 * -- presumably the `append` flag.  The S_IFREG bit test is not the same
 * as S_ISREG(); confirm it rejects every non-regular type intended.
 */
643 safe_open(const char *filename, mode_t mode, isc_boolean_t append) {
647 if (stat(filename, &sb) == -1) {
650 } else if ((sb.st_mode & S_IFREG) == 0) {
656 fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode);
658 if (unlink(filename) < 0 && errno != ENOENT)
660 fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
/*
 * Clean up the pid file recorded in pidfile, when one is set.  A result
 * of -1 with an errno other than ENOENT is reported as a warning.
 * NOTE(review): the call that assigns `n` is not visible in this listing,
 * presumably unlink(pidfile); any release of pidfile is not visible
 * either.
 */
666 cleanup_pidfile(void) {
668 if (pidfile != NULL) {
670 if (n == -1 && errno != ENOENT)
671 ns_main_earlywarning("unlink '%s': failed", pidfile);
/*
 * Ensure the directory containing `filename` exists, creating missing
 * path components recursively.
 *
 * The last '/' in `filename` is located; the main body runs only when a
 * slash exists and is not the first character.  When stat() fails with
 * ENOENT the function recurses (a result of -1 from the recursion is
 * checked), gives special treatment to a final component that is empty,
 * "." or "..", and mkdir()s the directory with mode u=rwx, g=rx, o=rx.
 * When runas_pw is set, chown() is called with that uid and gid.
 * Problems are passed to `report` with the isc__strerror() text.
 *
 * NOTE(review): the lines that split and restore `filename` at the slash
 * (the parameter is a non-const char *, presumably modified in place), the
 * action taken for "", "." and "..", and the return statements are not
 * visible in this listing.
 */
678 mkdirpath(char *filename, void (*report)(const char *, ...)) {
679 char *slash = strrchr(filename, '/');
680 char strbuf[ISC_STRERRORSIZE];
683 if (slash != NULL && slash != filename) {
687 if (stat(filename, &sb) == -1) {
688 if (errno != ENOENT) {
689 isc__strerror(errno, strbuf, sizeof(strbuf));
690 (*report)("couldn't stat '%s': %s", filename,
694 if (mkdirpath(filename, report) == -1)
697 * Handle "//", "/./" and "/../" in path.
699 if (!strcmp(slash + 1, "") ||
700 !strcmp(slash + 1, ".") ||
701 !strcmp(slash + 1, "..")) {
705 mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */
706 mode |= S_IRGRP | S_IXGRP; /* g=rx */
707 mode |= S_IROTH | S_IXOTH; /* o=rx */
708 if (mkdir(filename, mode) == -1) {
709 isc__strerror(errno, strbuf, sizeof(strbuf));
710 (*report)("couldn't mkdir '%s': %s", filename,
714 if (runas_pw != NULL &&
715 chown(filename, runas_pw->pw_uid,
716 runas_pw->pw_gid) == -1) {
717 isc__strerror(errno, strbuf, sizeof(strbuf));
718 (*report)("couldn't chown '%s': %s", filename,
/*
 * Set the effective group and user ids of the process to `gid` / `uid`.
 *
 * With HAVE_SETEGID / HAVE_SETEUID, setegid() / seteuid() are called, and
 * only when the current effective id differs.  Otherwise, with
 * HAVE_SETRESGID / HAVE_SETRESUID, the current effective id is read with
 * getresgid() / getresuid() and only the effective id is changed (-1 is
 * passed for the real and saved ids).  Failures produce warnings only.
 * NOTE(review): the "%d" conversions are given gid / uid without a cast;
 * the arguments for the "%ld" conversions are not visible in this listing.
 * Confirm that the argument types match the conversions.
 */
732 setperms(uid_t uid, gid_t gid) {
733 char strbuf[ISC_STRERRORSIZE];
734 #if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
737 #if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
740 #if defined(HAVE_SETEGID)
741 if (getegid() != gid && setegid(gid) == -1) {
742 isc__strerror(errno, strbuf, sizeof(strbuf));
743 ns_main_earlywarning("unable to set effective gid to %ld: %s",
746 #elif defined(HAVE_SETRESGID)
747 if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) {
748 if (setresgid(-1, gid, -1) == -1) {
749 isc__strerror(errno, strbuf, sizeof(strbuf));
750 ns_main_earlywarning("unable to set effective "
751 "gid to %d: %s", gid, strbuf);
756 #if defined(HAVE_SETEUID)
757 if (geteuid() != uid && seteuid(uid) == -1) {
758 isc__strerror(errno, strbuf, sizeof(strbuf));
759 ns_main_earlywarning("unable to set effective uid to %ld: %s",
762 #elif defined(HAVE_SETRESUID)
763 if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) {
764 if (setresuid(-1, uid, -1) == -1) {
765 isc__strerror(errno, strbuf, sizeof(strbuf));
766 ns_main_earlywarning("unable to set effective "
767 "uid to %d: %s", uid, strbuf);
/*
 * Open `filename` for writing and wrap the descriptor in a stdio stream.
 *
 * Visible steps: duplicate the name with strdup() and create the
 * containing directory with mkdirpath(); when `switch_user` is set and
 * runas_pw is known, switch the effective ids to that user with
 * setperms() before calling safe_open(); otherwise call safe_open()
 * directly; finally call fdopen(fd, "w").  Every failure is reported
 * through ns_main_earlywarning().
 *
 * Without HAVE_LINUXTHREADS the original gid is saved first (per the
 * comment text, UID/GID are restored to root afterwards) and a second
 * safe_open() attempt exists together with the "Required root
 * permissions" warning.
 * NOTE(review): the conditions around that retry, the release of the
 * duplicated name and the return statements are not visible in this
 * listing.
 */
774 ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user) {
775 char strbuf[ISC_STRERRORSIZE], *f;
780 * Make the containing directory if it doesn't exist.
782 f = strdup(filename);
784 isc__strerror(errno, strbuf, sizeof(strbuf));
785 ns_main_earlywarning("couldn't strdup() '%s': %s",
789 if (mkdirpath(f, ns_main_earlywarning) == -1) {
795 if (switch_user && runas_pw != NULL) {
796 #ifndef HAVE_LINUXTHREADS
797 gid_t oldgid = getgid();
799 /* Set UID/GID to the one we'll be running with eventually */
800 setperms(runas_pw->pw_uid, runas_pw->pw_gid);
802 fd = safe_open(filename, mode, ISC_FALSE);
804 #ifndef HAVE_LINUXTHREADS
805 /* Restore UID/GID to root */
807 #endif /* HAVE_LINUXTHREADS */
810 #ifndef HAVE_LINUXTHREADS
811 fd = safe_open(filename, mode, ISC_FALSE);
813 ns_main_earlywarning("Required root "
814 "permissions to open "
817 ns_main_earlywarning("Could not open "
820 ns_main_earlywarning("Please check file and "
821 "directory permissions "
822 "or reconfigure the filename.");
823 #else /* HAVE_LINUXTHREADS */
824 ns_main_earlywarning("Could not open "
826 ns_main_earlywarning("Please check file and "
827 "directory permissions "
828 "or reconfigure the filename.");
829 #endif /* HAVE_LINUXTHREADS */
832 fd = safe_open(filename, mode, ISC_FALSE);
836 isc__strerror(errno, strbuf, sizeof(strbuf));
837 ns_main_earlywarning("could not open file '%s': %s",
842 fp = fdopen(fd, "w");
844 isc__strerror(errno, strbuf, sizeof(strbuf));
845 ns_main_earlywarning("could not fdopen() file '%s': %s",
/*
 * Record the process id in the pid file `filename`.
 *
 * Problems are reported with ns_main_earlyfatal() when `first_time` is
 * true and with ns_main_earlywarning() otherwise.  Visible steps: test
 * `filename` for NULL, keep a strdup() copy in pidfile, open the file via
 * ns_os_openfile() with mode rw-r--r--, write the pid as "%ld\n", then
 * fflush() and fclose() the stream.  The stream is also closed after a
 * failed fprintf() or fflush().  Per the comment text the caller must
 * ensure any required synchronization.
 * NOTE(review): the statement controlled by the NULL test, the handling
 * of a previously recorded pid file, how `pid` is obtained and the
 * failure cleanup are not visible in this listing.
 */
853 ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
856 char strbuf[ISC_STRERRORSIZE];
857 void (*report)(const char *, ...);
860 * The caller must ensure any required synchronization.
863 report = first_time ? ns_main_earlyfatal : ns_main_earlywarning;
867 if (filename == NULL)
870 pidfile = strdup(filename);
871 if (pidfile == NULL) {
872 isc__strerror(errno, strbuf, sizeof(strbuf));
873 (*report)("couldn't strdup() '%s': %s", filename, strbuf);
877 lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH,
879 if (lockfile == NULL) {
883 #ifdef HAVE_LINUXTHREADS
888 if (fprintf(lockfile, "%ld\n", (long)pid) < 0) {
889 (*report)("fprintf() to pid file '%s' failed", filename);
890 (void)fclose(lockfile);
894 if (fflush(lockfile) == EOF) {
895 (*report)("fflush() to pid file '%s' failed", filename);
896 (void)fclose(lockfile);
900 (void)fclose(lockfile);
/*
 * NOTE(review): only the header line of this function is visible in this
 * listing; presumably it performs the shutdown-time cleanup of this
 * module -- see the full file before relying on that.
 */
904 ns_os_shutdown(void) {
/*
 * Store the host name in `buf` (capacity `len`) using gethostname().
 * Returns ISC_R_SUCCESS when gethostname() returns 0 and ISC_R_FAILURE
 * otherwise.
 */
910 ns_os_gethostname(char *buf, size_t len) {
913 n = gethostname(buf, len);
914 return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
/*
 * Fetch a token from *stringp with strsep(), splitting on any character
 * in `delim`; the loop repeats while the token is the empty string, so
 * runs of delimiters are skipped.
 * NOTE(review): the handling of a NULL strsep() result and the return
 * statement are not visible in this listing.
 */
918 next_token(char **stringp, const char *delim) {
922 res = strsep(stringp, delim);
925 } while (*res == '\0');
/*
 * Produce the "pid: <pid>" text for a command that carries "-p".
 *
 * The input is tokenised on spaces and tabs with next_token(): the first
 * token (the command name) is skipped and the next one is compared with
 * "-p".  The text is formatted with snprintf() into the unused part of
 * `text` and committed with isc_buffer_add() only when it fits completely.
 * NOTE(review): how `input` is derived from `command`, the statements
 * controlled by the token checks and how `pid` is obtained are not visible
 * in this listing.  n is compared with isc_buffer_availablelength(text);
 * if n is a signed int this is a signed/unsigned comparison, kept safe
 * only by the preceding n > 0 test.
 */
930 ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
937 /* Skip the command name. */
938 ptr = next_token(&input, " \t");
942 ptr = next_token(&input, " \t");
946 if (strcmp(ptr, "-p") != 0)
949 #ifdef HAVE_LINUXTHREADS
955 n = snprintf((char *)isc_buffer_used(text),
956 isc_buffer_availablelength(text),
957 "pid: %ld", (long)pid);
958 /* Only send a message if it is complete. */
959 if (n > 0 && n < isc_buffer_availablelength(text))
960 isc_buffer_add(text, n);