2 * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: os.c,v 1.104.38.3 2011/03/02 00:04:01 marka Exp $ */
25 #include <sys/types.h> /* dev_t FreeBSD 2.1 */
31 #include <grp.h> /* Required for initgroups() on IRIX. */
42 #include <isc/buffer.h>
44 #include <isc/print.h>
45 #include <isc/resource.h>
46 #include <isc/result.h>
47 #include <isc/strerror.h>
48 #include <isc/string.h>
50 #include <named/main.h>
53 #include <named/ns_smf_globals.h>
56 static char *pidfile = NULL;
57 static int devnullfd = -1;
60 #define ISC_FACILITY LOG_DAEMON
64 * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
66 #ifndef HAVE_LINUX_CAPABILITY_H
67 #undef HAVE_SYS_PRCTL_H
72 * (T) HAVE_LINUXTHREADS
73 * (C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H)
74 * (P) HAVE_SYS_PRCTL_H
75 * The possible cases are:
76 * none: setuid() normally
78 * C: setuid() normally, drop caps (keep CAP_SETUID)
79 * T+C: no setuid(), drop caps (don't keep CAP_SETUID)
80 * T+C+P: setuid() early, drop caps (keep CAP_SETUID)
81 * C+P: setuid() normally, drop caps (keep CAP_SETUID)
86 * caps = BIND_SERVICE + CHROOT + SETGID
87 * if ((T && C && P) || !T)
92 * if (T && C && P && -u)
99 * if (C && (P || !-u))
100 * caps = BIND_SERVICE
104 * It will be nice when Linux threads work properly with setuid().
107 #ifdef HAVE_LINUXTHREADS
108 static pid_t mainpid = 0;
111 static struct passwd *runas_pw = NULL;
112 static isc_boolean_t done_setuid = ISC_FALSE;
113 static int dfd[2] = { -1, -1 };
115 #ifdef HAVE_LINUX_CAPABILITY_H
117 static isc_boolean_t non_root = ISC_FALSE;
118 static isc_boolean_t non_root_caps = ISC_FALSE;
120 #ifdef HAVE_SYS_CAPABILITY_H
121 #include <sys/capability.h>
124 * We define _LINUX_FS_H to prevent it from being included. We don't need
125 * anything from it, and the files it includes cause warnings with 2.2
126 * kernels, and compilation failures (due to conflicts between <linux/string.h>
127 * and <string.h>) on 2.3 kernels.
130 #include <linux/capability.h>
134 #include <asm/unistd.h> /* Slackware 4.0 needs this. */
135 #endif /* __NR_capset */
136 #define SYS_capset __NR_capset
137 #endif /* SYS_capset */
138 #endif /* HAVE_SYS_CAPABILITY_H */
140 #ifdef HAVE_SYS_PRCTL_H
141 #include <sys/prctl.h> /* Required for prctl(). */
144 * If the value of PR_SET_KEEPCAPS is not in <sys/prctl.h>, define it
145 * here. This allows setuid() to work on systems running a new enough
146 * kernel but with /usr/include/linux pointing to "standard" kernel
149 #ifndef PR_SET_KEEPCAPS
150 #define PR_SET_KEEPCAPS 8
153 #endif /* HAVE_SYS_PRCTL_H */
156 #define SETCAPS_FUNC "cap_set_proc "
158 typedef unsigned int cap_t;
159 #define SETCAPS_FUNC "syscall(capset) "
160 #endif /* HAVE_LIBCAP */
/*
 * linux_setcaps: install `caps` as the capability set of the calling
 * process.  A failure is reported through ns_main_earlyfatal() with the
 * system error text and a hint about the capset kernel module.
 *
 * Two mechanisms appear below: cap_set_proc(caps), and a raw
 * syscall(SYS_capset, ...) fed from a header/data pair whose effective
 * and permitted fields are both set to `caps`.  SETCAPS_FUNC supplies
 * the name of the mechanism for the error message.
 *
 * NOTE(review): the two calls look like alternative build-time paths
 * (libcap versus raw syscall); confirm the preprocessor guards.
 * NOTE(review): the getuid() / non_root_caps / non_root test presumably
 * skips the update when capabilities cannot be changed; confirm the
 * guarded statement.
 */
163 linux_setcaps(cap_t caps) {
165 struct __user_cap_header_struct caphead;
166 struct __user_cap_data_struct cap;
168 char strbuf[ISC_STRERRORSIZE];
170 if ((getuid() != 0 && !non_root_caps) || non_root)
/* Raw syscall arguments: zeroed header carrying the ABI version. */
173 memset(&caphead, 0, sizeof(caphead));
174 caphead.version = _LINUX_CAPABILITY_VERSION;
/* Effective and permitted sets are made identical. */
176 memset(&cap, 0, sizeof(cap));
177 cap.effective = caps;
178 cap.permitted = caps;
182 if (cap_set_proc(caps) < 0) {
184 if (syscall(SYS_capset, &caphead, &cap) < 0) {
186 isc__strerror(errno, strbuf, sizeof(strbuf));
187 ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:"
188 " please ensure that the capset kernel"
189 " module is loaded. see insmod(8)",
/*
 * SET_CAP(flag) / INIT_CAP: build-time selected helpers that assemble
 * the capability set held in a variable named `caps`.
 *
 * libcap flavour: SET_CAP asks cap_get_flag() whether the capability is
 * in the CAP_PERMITTED flag of the current process set (`curcaps`).
 * Only when that lookup succeeds and the flag is set does it mark the
 * capability in both CAP_EFFECTIVE and CAP_PERMITTED of `caps`.  The
 * initialisation part checks `caps` for NULL (reporting that cap_init
 * failed) and loads `curcaps` from cap_get_proc().  Every failure is
 * reported through ns_main_earlyfatal().  The macro text uses the names
 * caps, curcaps, capval, err and strbuf without declaring them, so the
 * expanding function has to provide them.
 *
 * Non-libcap flavour: `caps` is a plain bit mask; SET_CAP ORs in
 * (1 << flag) and INIT_CAP clears the mask.
 *
 * NOTE(review): the messages printed after a cap_set_flag() failure
 * say cap_set_proc failed; check whether that wording is intended.
 */
195 #define SET_CAP(flag) \
198 cap_flag_value_t curval; \
199 err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
200 if (err != -1 && curval) { \
201 err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
203 isc__strerror(errno, strbuf, sizeof(strbuf)); \
204 ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
207 err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
209 isc__strerror(errno, strbuf, sizeof(strbuf)); \
210 ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
217 if (caps == NULL) { \
218 isc__strerror(errno, strbuf, sizeof(strbuf)); \
219 ns_main_earlyfatal("cap_init failed: %s", strbuf); \
221 curcaps = cap_get_proc(); \
222 if (curcaps == NULL) { \
223 isc__strerror(errno, strbuf, sizeof(strbuf)); \
224 ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
233 #define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
234 #define INIT_CAP do { caps = 0; } while (0)
235 #endif /* HAVE_LIBCAP */
/*
 * linux_initialprivs: assemble the capability set wanted during early
 * startup.  The SET_CAP() requests visible below are
 * CAP_NET_BIND_SERVICE (binding privileged ports such as 53),
 * CAP_SYS_CHROOT, CAP_DAC_READ_SEARCH (reading a configuration file
 * that is owned by another user and not world-readable) and
 * CAP_SYS_RESOURCE (raising the resource limits that named.conf
 * options can request).
 *
 * The accompanying remarks also discuss setuid(), initgroups() and
 * ownership of the pid file directory.
 * NOTE(review): confirm which capabilities those remarks add and that
 * the finished set is handed to linux_setcaps().
 *
 * Called from ns_os_init() when HAVE_LINUX_CAPABILITY_H is defined.
 */
238 linux_initialprivs(void) {
243 char strbuf[ISC_STRERRORSIZE];
248 * We don't need most privileges, so we drop them right away.
249 * Later on linux_minprivs() will be called, which will drop our
250 * capabilities to the minimum needed to run the server.
255 * We need to be able to bind() to privileged ports, notably port 53!
257 SET_CAP(CAP_NET_BIND_SERVICE);
260 * We need chroot() initially too.
262 SET_CAP(CAP_SYS_CHROOT);
264 #if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
266 * We can setuid() only if either the kernel supports keeping
267 * capabilities after setuid() (which we don't know until we've
268 * tried) or we're not using threads. If either of these is
269 * true, we want the setuid capability.
275 * Since we call initgroups, we need this.
280 * Without this, we run into problems reading a configuration file
281 * owned by a non-root user and non-world-readable on startup.
283 SET_CAP(CAP_DAC_READ_SEARCH);
286 * XXX We might want to add CAP_SYS_RESOURCE, though it's not
287 * clear it would work right given the way linuxthreads work.
288 * XXXDCL But since we need to be able to set the maximum number
289 * of files, the stack size, data size, and core dump size to
290 * support named.conf options, this is now being added to test.
292 SET_CAP(CAP_SYS_RESOURCE);
295 * We need to be able to set the ownership of the containing
296 * directory of the pid file when we create it.
/*
 * linux_minprivs: assemble the reduced capability set kept once the
 * startup work is done.  Only CAP_NET_BIND_SERVICE and
 * CAP_SYS_RESOURCE are requested in the code visible here.
 * CAP_SYS_CHROOT is deliberately left out, because a retained chroot()
 * ability could be used to escape from the chrooted area.
 *
 * NOTE(review): presumably the set is applied with linux_setcaps();
 * confirm.
 */
308 linux_minprivs(void) {
313 char strbuf[ISC_STRERRORSIZE];
319 * Drop all privileges except the ability to bind() to privileged
322 * It's important that we drop CAP_SYS_CHROOT. If we didn't, it
323 * chroot() could be used to escape from the chrooted area.
326 SET_CAP(CAP_NET_BIND_SERVICE);
329 * XXX We might want to add CAP_SYS_RESOURCE, though it's not
330 * clear it would work right given the way linuxthreads work.
331 * XXXDCL But since we need to be able to set the maximum number
332 * of files, the stack size, data size, and core dump size to
333 * support named.conf options, this is now being added to test.
335 SET_CAP(CAP_SYS_RESOURCE);
344 #ifdef HAVE_SYS_PRCTL_H
/*
 * linux_keepcaps: ask the kernel, via prctl(PR_SET_KEEPCAPS, 1, ...),
 * to let the process keep its capabilities across a later user change.
 *
 * A prctl() failure is fatal (ns_main_earlyfatal) unless errno is
 * EINVAL; EINVAL is tolerated here.
 * The function also sets the file-scope flag non_root_caps, which
 * linux_setcaps() consults.
 *
 * NOTE(review): confirm on which path non_root_caps becomes ISC_TRUE
 * (presumably only when prctl() succeeded).
 */
346 linux_keepcaps(void) {
347 char strbuf[ISC_STRERRORSIZE];
349 * Ask the kernel to allow us to keep our capabilities after we
353 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
354 if (errno != EINVAL) {
355 isc__strerror(errno, strbuf, sizeof(strbuf));
356 ns_main_earlyfatal("prctl() failed: %s", strbuf);
359 non_root_caps = ISC_TRUE;
366 #endif /* HAVE_LINUX_CAPABILITY_H */
/*
 * setup_syslog: open the syslog connection for this process.
 *
 * progname: program path; only its base name (isc_file_basename) is
 *           used as the syslog identity.
 *
 * LOG_NDELAY is ORed into the openlog() options and messages are filed
 * under ISC_FACILITY.
 * NOTE(review): the initial value of `options` and any guard around
 * LOG_NDELAY should be confirmed.
 */
370 setup_syslog(const char *progname) {
375 options |= LOG_NDELAY;
377 openlog(isc_file_basename(progname), options, ISC_FACILITY);
/*
 * ns_os_init: one-time operating system setup for the server.
 *
 * progname: program path, passed on to setup_syslog().
 *
 * Steps visible here, in order: open syslog; when
 * HAVE_LINUX_CAPABILITY_H is defined, apply the initial capability set
 * through linux_initialprivs(); ignore SIGXFSZ so that exceeding a file
 * size limit does not deliver a fatal signal.
 * NOTE(review): the HAVE_LINUXTHREADS section presumably records the
 * main thread pid in `mainpid`; confirm.
 */
381 ns_os_init(const char *progname) {
382 setup_syslog(progname);
383 #ifdef HAVE_LINUX_CAPABILITY_H
384 linux_initialprivs();
386 #ifdef HAVE_LINUXTHREADS
390 signal(SIGXFSZ, SIG_IGN);
/*
 * ns_os_daemonize: detach the server from its controlling terminal.
 *
 * A pipe (file-scope `dfd`) is created first.  One side then blocks in
 * read() on dfd[0], retrying on EINTR, until a byte arrives from
 * ns_os_started() or the pipe is closed.  The other side starts a new
 * session with setsid() and, if /dev/null was opened earlier
 * (devnullfd != -1), redirects stdin, stdout and stderr to it.
 *
 * pipe(), fork() and setsid() failures are fatal through
 * ns_main_earlyfatal(); the dup2() redirections are best effort and
 * their results are deliberately discarded.
 *
 * NOTE(review): the parent exit status handling after read() should be
 * confirmed against the complete function.
 */
395 ns_os_daemonize(void) {
397 char strbuf[ISC_STRERRORSIZE];
/* Channel used by the child to report a successful start. */
399 if (pipe(dfd) == -1) {
400 isc__strerror(errno, strbuf, sizeof(strbuf));
401 ns_main_earlyfatal("pipe(): %s", strbuf);
406 isc__strerror(errno, strbuf, sizeof(strbuf));
407 ns_main_earlyfatal("fork(): %s", strbuf);
412 * Wait for the child to finish loading for the first time.
413 * This would be so much simpler if fork() worked once we
414 * were multi-threaded.
/* Single byte read, restarted whenever a signal interrupts it. */
419 n = read(dfd[0], &buf, 1);
422 } while (n == -1 && errno == EINTR);
431 #ifdef HAVE_LINUXTHREADS
435 if (setsid() == -1) {
436 isc__strerror(errno, strbuf, sizeof(strbuf));
437 ns_main_earlyfatal("setsid(): %s", strbuf);
441 * Try to set stdin, stdout, and stderr to /dev/null, but press
442 * on even if it fails.
444 * XXXMLG The close() calls here are unneeded on all but NetBSD, but
445 * are harmless to include everywhere. dup2() is supposed to close
446 * the FD if it is in use, but unproven-pthreads-0.16 is broken
447 * and will end up closing the wrong FD. This will be fixed eventually,
448 * and these calls will be removed.
/* Each standard descriptor is skipped when it already is devnullfd. */
450 if (devnullfd != -1) {
451 if (devnullfd != STDIN_FILENO) {
452 (void)close(STDIN_FILENO);
453 (void)dup2(devnullfd, STDIN_FILENO);
455 if (devnullfd != STDOUT_FILENO) {
456 (void)close(STDOUT_FILENO);
457 (void)dup2(devnullfd, STDOUT_FILENO);
459 if (devnullfd != STDERR_FILENO) {
460 (void)close(STDERR_FILENO);
461 (void)dup2(devnullfd, STDERR_FILENO);
/*
 * ns_os_started: tell the process waiting in ns_os_daemonize() that
 * startup succeeded.
 *
 * Acts only when both ends of the `dfd` pipe are set (neither is -1).
 * One byte is written to dfd[1]; a short or failed write is fatal
 * through ns_main_earlyfatal().  Both entries of `dfd` are then reset
 * to -1, so a repeated call does nothing.
 * NOTE(review): the descriptors are presumably closed before being
 * reset; confirm.
 */
467 ns_os_started(void) {
471 * Signal to the parent that we started successfully.
473 if (dfd[0] != -1 && dfd[1] != -1) {
474 if (write(dfd[1], &buf, 1) != 1)
475 ns_main_earlyfatal("unable to signal parent that we "
476 "otherwise started successfully.");
478 dfd[0] = dfd[1] = -1;
/*
 * ns_os_opendevnull: open /dev/null read-write and remember the
 * descriptor in the file-scope variable devnullfd.
 *
 * The open() result is not checked here; a failure leaves devnullfd at
 * -1, which ns_os_daemonize() tests before redirecting the standard
 * descriptors.
 */
483 ns_os_opendevnull(void) {
484 devnullfd = open("/dev/null", O_RDWR, 0);
/*
 * ns_os_closedevnull: release the descriptor kept in devnullfd.
 *
 * The guarded action runs only when devnullfd is none of stdin, stdout
 * or stderr, so a standard descriptor is never affected.
 * NOTE(review): the guarded action is presumably close(devnullfd)
 * followed by a reset to -1; confirm.
 */
488 ns_os_closedevnull(void) {
489 if (devnullfd != STDIN_FILENO &&
490 devnullfd != STDOUT_FILENO &&
491 devnullfd != STDERR_FILENO) {
/*
 * all_digits: character test over the string `s` using isdigit().
 * ns_os_inituserinfo() uses the result to decide whether a user
 * argument is a numeric uid or a login name.
 *
 * Each character is masked with 0xff before the isdigit() call, which
 * keeps the argument non-negative even where plain char is signed.
 * NOTE(review): the return values and the handling of an empty string
 * should be confirmed.
 */
498 all_digits(const char *s) {
502 if (!isdigit((*s)&0xff))
/*
 * ns_os_chroot: confine the process to the directory tree at `root`.
 *
 * root: path of the new root directory.
 *
 * chroot(root) is followed by chdir to the new root, so the working
 * directory lies inside the confined tree.  A failure of either call
 * is fatal through ns_main_earlyfatal().  A separate path reports that
 * chroot is disabled.
 * NOTE(review): confirm the build-time condition selecting the
 * disabled path, whether a NULL root skips everything, and where the
 * ns_smf_chroot flag is updated.
 */
510 ns_os_chroot(const char *root) {
511 char strbuf[ISC_STRERRORSIZE];
517 if (chroot(root) < 0) {
518 isc__strerror(errno, strbuf, sizeof(strbuf));
519 ns_main_earlyfatal("chroot(): %s", strbuf);
522 ns_main_earlyfatal("chroot(): disabled");
524 if (chdir("/") < 0) {
525 isc__strerror(errno, strbuf, sizeof(strbuf));
526 ns_main_earlyfatal("chdir(/): %s", strbuf);
529 /* Set ns_smf_chroot flag on successful chroot. */
/*
 * ns_os_inituserinfo: resolve the account the server should run as and
 * store its passwd entry in the file-scope pointer runas_pw.
 *
 * username: login name or numeric uid; NULL is tested first.
 *
 * A value accepted by all_digits() is looked up with getpwuid(),
 * anything else with getpwnam().  An unknown user is fatal.  The
 * supplementary groups of the account are then installed with
 * initgroups(); a failure there is fatal as well.
 *
 * NOTE(review): atoi() offers no range or error detection for the
 * numeric form; strtoul() with checks would be stricter.
 * NOTE(review): confirm that a NULL username simply returns.
 */
536 ns_os_inituserinfo(const char *username) {
537 char strbuf[ISC_STRERRORSIZE];
538 if (username == NULL)
541 if (all_digits(username))
542 runas_pw = getpwuid((uid_t)atoi(username));
544 runas_pw = getpwnam(username);
547 if (runas_pw == NULL)
548 ns_main_earlyfatal("user '%s' unknown", username);
551 if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
552 isc__strerror(errno, strbuf, sizeof(strbuf));
553 ns_main_earlyfatal("initgroups(): %s", strbuf);
/*
 * ns_os_changeuser: switch the process to the account stored in
 * runas_pw by ns_os_inituserinfo().
 *
 * The first test covers the cases where no account was selected or the
 * switch already happened.  done_setuid is set before the identity
 * calls, so a second invocation is caught by that test.
 *
 * The group id is changed before the user id.  Failures of setgid() or
 * setuid() are fatal through ns_main_earlyfatal().  Where
 * PR_SET_DUMPABLE is available, core dumps are re-enabled afterwards;
 * a failure there only produces a warning.
 *
 * Under HAVE_LINUXTHREADS two fatal messages reject the -u option when
 * the needed kernel or capability support is missing.
 * NOTE(review): confirm the conditions guarding those two messages and
 * the action taken in the final capability section.
 */
560 ns_os_changeuser(void) {
561 char strbuf[ISC_STRERRORSIZE];
562 if (runas_pw == NULL || done_setuid)
565 done_setuid = ISC_TRUE;
567 #ifdef HAVE_LINUXTHREADS
568 #ifdef HAVE_LINUX_CAPABILITY_H
570 ns_main_earlyfatal("-u with Linux threads not supported: "
571 "requires kernel support for "
572 "prctl(PR_SET_KEEPCAPS)");
574 ns_main_earlyfatal("-u with Linux threads not supported: "
575 "no capabilities support or capabilities "
576 "disabled at build time");
580 if (setgid(runas_pw->pw_gid) < 0) {
581 isc__strerror(errno, strbuf, sizeof(strbuf));
582 ns_main_earlyfatal("setgid(): %s", strbuf);
585 if (setuid(runas_pw->pw_uid) < 0) {
586 isc__strerror(errno, strbuf, sizeof(strbuf));
587 ns_main_earlyfatal("setuid(): %s", strbuf);
590 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
592 * Restore the ability of named to drop core after the setuid()
593 * call has disabled it.
595 if (prctl(PR_SET_DUMPABLE,1,0,0,0) < 0) {
596 isc__strerror(errno, strbuf, sizeof(strbuf));
597 ns_main_earlywarning("prctl(PR_SET_DUMPABLE) failed: %s",
601 #if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
/*
 * ns_os_adjustnofile: under HAVE_LINUXTHREADS, request an unlimited
 * open-file limit through isc_resource_setlimit() for
 * isc_resource_openfiles.  A result other than ISC_R_SUCCESS produces
 * a warning only; startup continues.
 */
607 ns_os_adjustnofile() {
608 #ifdef HAVE_LINUXTHREADS
610 isc_resourcevalue_t newvalue;
613 * Linux: max number of open files specified by one thread doesn't seem
614 * to apply to other threads on Linux.
616 newvalue = ISC_RESOURCE_UNLIMITED;
618 result = isc_resource_setlimit(isc_resource_openfiles, newvalue);
619 if (result != ISC_R_SUCCESS)
620 ns_main_earlywarning("couldn't adjust limit on open files");
/*
 * ns_os_minprivs: reduce the process to its long-term privileges.
 *
 * With HAVE_LINUXTHREADS the user change is performed here, before any
 * threads are started.
 * NOTE(review): the HAVE_SYS_PRCTL_H section presumably calls
 * linux_keepcaps() and the last section linux_minprivs(); confirm.
 */
625 ns_os_minprivs(void) {
626 #ifdef HAVE_SYS_PRCTL_H
630 #ifdef HAVE_LINUXTHREADS
631 ns_os_changeuser(); /* Call setuid() before threads are started */
634 #if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS)
/*
 * safe_open: open `filename` for writing with creation mode `mode`.
 *
 * filename: path to open.
 * mode:     permission bits passed to open() when the file is created.
 * append:   selects between the two open() forms below.
 *
 * The path is examined with stat() first, and an existing object whose
 * mode lacks the S_IFREG bit is treated specially.  One form opens
 * with O_APPEND; the other unlinks the old name (a missing file is
 * acceptable) and recreates it with O_EXCL, so the open fails instead
 * of following something placed at that name in between.
 *
 * NOTE(review): the S_IFREG test is a bit test, not S_ISREG(); file
 * types sharing that bit (sockets, for instance) would pass it.
 * NOTE(review): confirm the return value and the errno set on the
 * rejection paths.
 */
640 safe_open(const char *filename, mode_t mode, isc_boolean_t append) {
644 if (stat(filename, &sb) == -1) {
647 } else if ((sb.st_mode & S_IFREG) == 0) {
653 fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode);
655 if (unlink(filename) < 0 && errno != ENOENT)
657 fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
/*
 * cleanup_pidfile: dispose of the pid file named by the file-scope
 * pointer `pidfile`, if one is set.
 *
 * A failure whose errno is not ENOENT is reported as a warning; an
 * already missing file is silently accepted.
 * NOTE(review): `n` is presumably the unlink(pidfile) result, and the
 * string is presumably freed and the pointer cleared afterwards;
 * confirm.
 */
663 cleanup_pidfile(void) {
665 if (pidfile != NULL) {
667 if (n == -1 && errno != ENOENT)
668 ns_main_earlywarning("unlink '%s': failed", pidfile);
/*
 * mkdirpath: make sure the directory that contains `filename` exists,
 * creating missing ancestors recursively.
 *
 * filename: writable path; the last slash is located with strrchr().
 * report:   printf-style callback that receives every error message.
 *
 * Nothing is created when the path has no slash or the only slash is
 * the leading one.  Otherwise the parent is examined with stat(); an
 * error other than ENOENT is reported.  A missing parent is created
 * after recursing on its own parent, except when the last component is
 * empty, a single dot or a double dot.  New directories get mode
 * u=rwx,g=rx,o=rx and, when runas_pw is set, are handed to that
 * account with chown().
 *
 * The recursive call is tested against -1, so -1 signals failure.
 * NOTE(review): the buffer is presumably cut at the slash temporarily
 * and restored afterwards; confirm.
 */
675 mkdirpath(char *filename, void (*report)(const char *, ...)) {
676 char *slash = strrchr(filename, '/');
677 char strbuf[ISC_STRERRORSIZE];
680 if (slash != NULL && slash != filename) {
684 if (stat(filename, &sb) == -1) {
685 if (errno != ENOENT) {
686 isc__strerror(errno, strbuf, sizeof(strbuf));
687 (*report)("couldn't stat '%s': %s", filename,
691 if (mkdirpath(filename, report) == -1)
694 * Handle "//", "/./" and "/../" in path.
696 if (!strcmp(slash + 1, "") ||
697 !strcmp(slash + 1, ".") ||
698 !strcmp(slash + 1, "..")) {
702 mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */
703 mode |= S_IRGRP | S_IXGRP; /* g=rx */
704 mode |= S_IROTH | S_IXOTH; /* o=rx */
705 if (mkdir(filename, mode) == -1) {
706 isc__strerror(errno, strbuf, sizeof(strbuf));
707 (*report)("couldn't mkdir '%s': %s", filename,
711 if (runas_pw != NULL &&
712 chown(filename, runas_pw->pw_uid,
713 runas_pw->pw_gid) == -1) {
714 isc__strerror(errno, strbuf, sizeof(strbuf));
715 (*report)("couldn't chown '%s': %s", filename,
/*
 * setperms: set the effective group id and then the effective user id
 * of the process.
 *
 * uid: wanted effective user id.
 * gid: wanted effective group id.
 *
 * For each id, setegid() / seteuid() is used where available and
 * setresgid() / setresuid() otherwise, passing -1 for the real and
 * saved ids so that they stay untouched.  A change is attempted only
 * when the current effective id differs (or, on the setres path, when
 * it cannot be read).  Failures are reported as warnings, not fatal
 * errors.
 *
 * NOTE(review): the setres paths print the ids with %d although the
 * arguments have type gid_t / uid_t; a cast would make the format
 * portable.
 */
729 setperms(uid_t uid, gid_t gid) {
730 char strbuf[ISC_STRERRORSIZE];
731 #if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
734 #if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
737 #if defined(HAVE_SETEGID)
738 if (getegid() != gid && setegid(gid) == -1) {
739 isc__strerror(errno, strbuf, sizeof(strbuf));
740 ns_main_earlywarning("unable to set effective gid to %ld: %s",
743 #elif defined(HAVE_SETRESGID)
744 if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) {
745 if (setresgid(-1, gid, -1) == -1) {
746 isc__strerror(errno, strbuf, sizeof(strbuf));
747 ns_main_earlywarning("unable to set effective "
748 "gid to %d: %s", gid, strbuf);
753 #if defined(HAVE_SETEUID)
754 if (geteuid() != uid && seteuid(uid) == -1) {
755 isc__strerror(errno, strbuf, sizeof(strbuf));
756 ns_main_earlywarning("unable to set effective uid to %ld: %s",
759 #elif defined(HAVE_SETRESUID)
760 if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) {
761 if (setresuid(-1, uid, -1) == -1) {
762 isc__strerror(errno, strbuf, sizeof(strbuf));
763 ns_main_earlywarning("unable to set effective "
764 "uid to %d: %s", uid, strbuf);
/*
 * ns_os_openfile: create or replace `filename` and return a stdio
 * stream opened for writing.
 *
 * filename:    path of the file to open.
 * mode:        permission bits for a newly created file.
 * switch_user: when true and a run-as account is known (runas_pw), the
 *              open is attempted with the effective ids of that
 *              account, set through setperms().
 *
 * The containing directory is created first by running mkdirpath() on
 * a strdup() copy of the path.  The file is opened through safe_open()
 * with append disabled, and the descriptor is wrapped with fdopen() in
 * write mode.  Problems are reported with ns_main_earlywarning();
 * ns_os_writepidfile() treats a NULL result as failure.
 *
 * Without HAVE_LINUXTHREADS the previous ids are restored after the
 * attempt and a second open is made; the warnings distinguish a file
 * that needed root permissions from one that could not be opened.
 * NOTE(review): confirm the exact retry order and that the copy `f`
 * and the descriptor are released on every error path.
 */
771 ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user) {
772 char strbuf[ISC_STRERRORSIZE], *f;
777 * Make the containing directory if it doesn't exist.
779 f = strdup(filename);
781 isc__strerror(errno, strbuf, sizeof(strbuf));
782 ns_main_earlywarning("couldn't strdup() '%s': %s",
786 if (mkdirpath(f, ns_main_earlywarning) == -1) {
792 if (switch_user && runas_pw != NULL) {
793 #ifndef HAVE_LINUXTHREADS
794 gid_t oldgid = getgid();
796 /* Set UID/GID to the one we'll be running with eventually */
797 setperms(runas_pw->pw_uid, runas_pw->pw_gid);
799 fd = safe_open(filename, mode, ISC_FALSE);
801 #ifndef HAVE_LINUXTHREADS
802 /* Restore UID/GID to root */
804 #endif /* HAVE_LINUXTHREADS */
807 #ifndef HAVE_LINUXTHREADS
808 fd = safe_open(filename, mode, ISC_FALSE);
810 ns_main_earlywarning("Required root "
811 "permissions to open "
814 ns_main_earlywarning("Could not open "
817 ns_main_earlywarning("Please check file and "
818 "directory permissions "
819 "or reconfigure the filename.");
820 #else /* HAVE_LINUXTHREADS */
821 ns_main_earlywarning("Could not open "
823 ns_main_earlywarning("Please check file and "
824 "directory permissions "
825 "or reconfigure the filename.");
826 #endif /* HAVE_LINUXTHREADS */
829 fd = safe_open(filename, mode, ISC_FALSE);
833 isc__strerror(errno, strbuf, sizeof(strbuf));
834 ns_main_earlywarning("could not open file '%s': %s",
839 fp = fdopen(fd, "w");
841 isc__strerror(errno, strbuf, sizeof(strbuf));
842 ns_main_earlywarning("could not fdopen() file '%s': %s",
/*
 * ns_os_writepidfile: record the process id of the server in
 * `filename`.
 *
 * filename:   pid file path; NULL is tested before anything is
 *             written.
 * first_time: selects the error reporter.  On the first call errors go
 *             to ns_main_earlyfatal(); on later calls they go to
 *             ns_main_earlywarning().
 *
 * The path is copied into the file-scope `pidfile` with strdup(), the
 * file is opened through ns_os_openfile() with mode 0644 and the pid
 * is written as a decimal number followed by a newline.  fprintf() and
 * fflush() failures are reported and the stream is closed on those
 * paths as well as on success.
 *
 * The caller must ensure any required synchronization.
 * NOTE(review): under HAVE_LINUXTHREADS the pid presumably comes from
 * `mainpid` instead of getpid(); confirm.
 */
850 ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
853 char strbuf[ISC_STRERRORSIZE];
854 void (*report)(const char *, ...);
857 * The caller must ensure any required synchronization.
860 report = first_time ? ns_main_earlyfatal : ns_main_earlywarning;
864 if (filename == NULL)
867 pidfile = strdup(filename);
868 if (pidfile == NULL) {
869 isc__strerror(errno, strbuf, sizeof(strbuf));
870 (*report)("couldn't strdup() '%s': %s", filename, strbuf);
874 lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH,
876 if (lockfile == NULL) {
880 #ifdef HAVE_LINUXTHREADS
885 if (fprintf(lockfile, "%ld\n", (long)pid) < 0) {
886 (*report)("fprintf() to pid file '%s' failed", filename);
887 (void)fclose(lockfile);
891 if (fflush(lockfile) == EOF) {
892 (*report)("fflush() to pid file '%s' failed", filename);
893 (void)fclose(lockfile);
897 (void)fclose(lockfile);
901 ns_os_shutdown(void) {
/*
 * ns_os_gethostname: copy the host name of the machine into `buf`.
 *
 * buf: destination buffer.
 * len: size of `buf` in bytes, passed unchanged to gethostname().
 *
 * Returns ISC_R_SUCCESS when gethostname() returns 0 and ISC_R_FAILURE
 * otherwise.
 */
907 ns_os_gethostname(char *buf, size_t len) {
910 n = gethostname(buf, len);
911 return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
/*
 * next_token: fetch the next non-empty token from *stringp.
 *
 * stringp: cursor advanced by strsep(); the underlying string is
 *          modified in place.
 * delim:   set of delimiter characters.
 *
 * strsep() is called repeatedly while it yields an empty token, so
 * runs of adjacent delimiters are skipped.
 * NOTE(review): the loop presumably stops and yields NULL when
 * strsep() returns NULL; confirm.
 */
915 next_token(char **stringp, const char *delim) {
919 res = strsep(stringp, delim);
922 } while (*res == '\0');
/*
 * ns_os_shutdownmsg: optionally append the server pid to the reply of
 * a shutdown style control command.
 *
 * command: command line; it is tokenised in place on spaces and tabs.
 * text:    reply buffer that receives the message.
 *
 * The first token (the command name) is skipped and the second token
 * is compared with the -p option.  The pid is formatted with
 * snprintf() straight into the unused part of `text`, and the used
 * length of the buffer is advanced only when the formatted text fitted
 * completely, so a truncated message is never sent.
 *
 * NOTE(review): missing tokens and options other than -p presumably
 * end the function without output; confirm.
 */
927 ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
934 /* Skip the command name. */
935 ptr = next_token(&input, " \t");
939 ptr = next_token(&input, " \t");
943 if (strcmp(ptr, "-p") != 0)
946 #ifdef HAVE_LINUXTHREADS
952 n = snprintf((char *)isc_buffer_used(text),
953 isc_buffer_availablelength(text),
954 "pid: %ld", (long)pid);
955 /* Only send a message if it is complete. */
956 if (n > 0 && n < isc_buffer_availablelength(text))
957 isc_buffer_add(text, n);