emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cd859ce8c3
ndhc/nk/exec.c

194 lines
6.8 KiB
C
Raw Normal View History

Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
// Copyright 2003-2022 Nicholas J. Kain <njkain at gmail dot com>
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
// SPDX-License-Identifier: MIT
#include <sys/types.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <pwd.h>
Use stb_snprintf instead of libc snprintf. This gives us consistent behavior and stb_snprintf is async signal safe.
2022-03-08 07:12:00 +05:30
#include "nk/stb_sprintf.h"
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
#include "nk/exec.h"
Use safe_write() in nk/exec.c
2022-02-25 10:35:57 +05:30
#include "nk/io.h"
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
nk/exec: Simplify and remove double null termination. The current code pads with an extra character that is then rewritten into a null character. This isn't necessary with post-C99 implementations of standardized snprintf, so get rid of it. Also add a note warning that nk_generate_env() and nk_execute() are not async signal safe and are thus unsuitable for use in multithreaded processes. nk_execute() could be rewritten to be async signal safe without much trouble, as the only problem point is snprintf() which is not guaranteed to be async signal safe by POSIX. However, nk_generate_env() performs chroot() if a chroot_path is specified, and chroot() is not async signal safe in POSIX. Additionally, malloc() can be called in rare cases where user information fields are very long, and malloc() is obviously not async signal safe. Finally, snprintf() is used here, too, but it could be replaced. Converting to posix_spawn() is a no-go because posix_spawn() has no facility for changing rlimits or chroot on the spawned process. In summary, I don't think the gains are worth it. Multithreaded processes should just not fork().
2022-02-25 15:23:02 +05:30
/*
Use stb_snprintf instead of libc snprintf. This gives us consistent behavior and stb_snprintf is async signal safe.
2022-03-08 07:12:00 +05:30
* Note that nk_generate_env is not async signal safe if chroot_path is not
* NULL, so it should only be called after fork() in a non-multithreaded
* process if chroot_path is ever non-NULL.
nk/exec: Simplify and remove double null termination. The current code pads with an extra character that is then rewritten into a null character. This isn't necessary with post-C99 implementations of standardized snprintf, so get rid of it. Also add a note warning that nk_generate_env() and nk_execute() are not async signal safe and are thus unsuitable for use in multithreaded processes. nk_execute() could be rewritten to be async signal safe without much trouble, as the only problem point is snprintf() which is not guaranteed to be async signal safe by POSIX. However, nk_generate_env() performs chroot() if a chroot_path is specified, and chroot() is not async signal safe in POSIX. Additionally, malloc() can be called in rare cases where user information fields are very long, and malloc() is obviously not async signal safe. Finally, snprintf() is used here, too, but it could be replaced. Converting to posix_spawn() is a no-go because posix_spawn() has no facility for changing rlimits or chroot on the spawned process. In summary, I don't think the gains are worth it. Multithreaded processes should just not fork().
2022-02-25 15:23:02 +05:30
*
* I don't consider this to be a problem in general, since in a multithreaded process
* it would be far better to fork off a subprocess early on before threads are
* created and use a socketpair() to request subprocess creation from the
* single-threaded subprocess from the multithreaded main program.
*/
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
#define DEFAULT_ROOT_PATH "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
#define DEFAULT_PATH "/bin:/usr/bin:/usr/local/bin"
#define MAX_ARGS 256
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
#define MAX_ARGBUF 16384
#define MAX_PWBUF 16384
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
#define NK_GEN_ENV(GEN_STR, ...) do { \
if (env_offset >= envlen) return -3; \
Use stb_snprintf instead of libc snprintf. This gives us consistent behavior and stb_snprintf is async signal safe.
2022-03-08 07:12:00 +05:30
ssize_t snlen = stbsp_snprintf(envbuf, envbuflen, GEN_STR, __VA_ARGS__); \
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
if (snlen < 0 || (size_t)snlen > envbuflen) return -2; \
xe->env[env_offset++] = envbuf; envbuf += snlen; envbuflen -= (size_t)snlen; \
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
} while (0)
/*
nk/exec.c: Update documentation comment
2022-02-25 17:40:07 +05:30
* xe: contains generated env and backing buffer
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
* uid: userid of the user account that the environment will constructed for
* chroot_path: path where the environment will be chrooted or NULL if no chroot
* path_var: value of the PATH variable in the environment or defaults if NULL
*
* returns:
* 0 on success
* -1 if an account for uid does not exist
* -2 if there is not enough space in envbuf for the generated environment
* -3 if there is not enough space in env for the generated environment
* -4 if chdir to homedir or rootdir failed
* -5 if oom or i/o failed
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
* -6 if MAX_PWBUF is too small
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
*/
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
int nk_generate_env(struct nk_exec_env *xe, uid_t uid, const char *chroot_path, const char *path_var)
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
{
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
char pwbuf[MAX_PWBUF];
struct passwd pw_s, *pw;
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
for (;;) {
int r = getpwuid_r(uid, &pw_s, pwbuf, sizeof pwbuf, &pw);
if (!r) {
if (pw == NULL) return -1;
break;
} else {
if (r == EINTR) continue;
if (r == ERANGE) return -6;
return -5;
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
}
}
size_t env_offset = 0;
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
size_t envlen = sizeof xe->env / sizeof xe->env[0];
char *envbuf = xe->envbuf;
size_t envbuflen = sizeof xe->envbuf;
if (envlen-- < 1) return -3; // So we don't have to account for the terminal NULL
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
NK_GEN_ENV("UID=%i", uid);
NK_GEN_ENV("USER=%s", pw->pw_name);
NK_GEN_ENV("USERNAME=%s", pw->pw_name);
NK_GEN_ENV("LOGNAME=%s", pw->pw_name);
NK_GEN_ENV("HOME=%s", pw->pw_dir);
NK_GEN_ENV("SHELL=%s", pw->pw_shell);
NK_GEN_ENV("PATH=%s", path_var ? path_var : (uid > 0 ? DEFAULT_PATH : DEFAULT_ROOT_PATH));
NK_GEN_ENV("PWD=%s", !chroot_path ? pw->pw_dir : "/");
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
if (chroot_path && chroot(chroot_path)) return -4;
if (chdir(chroot_path ? chroot_path : "/")) return -4;
xe->env[env_offset] = 0;
return 0;
}
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
#define ERRSTR0 "exec: failed to generate environment - (?) unknown error\n"
#define ERRSTR1 "exec: failed to generate environment - (-1) account for uid does not exist\n"
#define ERRSTR2 "exec: failed to generate environment - (-2) not enough space in envbuf\n"
#define ERRSTR3 "exec: failed to generate environment - (-3) not enough space in env\n"
#define ERRSTR4 "exec: failed to generate environment - (-4) chdir to homedir or rootdir failed\n"
#define ERRSTR5 "exec: failed to generate environment - (-5) oom or i/o error\n"
#define ERRSTR6 "exec: failed to generate environment - (-6) MAX_PWBUF is too small\n"
void nk_generate_env_print_error(int err)
{
switch (err) {
default: safe_write(STDERR_FILENO, ERRSTR0, sizeof ERRSTR0); break;
case -1: safe_write(STDERR_FILENO, ERRSTR1, sizeof ERRSTR1); break;
case -2: safe_write(STDERR_FILENO, ERRSTR2, sizeof ERRSTR2); break;
case -3: safe_write(STDERR_FILENO, ERRSTR3, sizeof ERRSTR3); break;
case -4: safe_write(STDERR_FILENO, ERRSTR4, sizeof ERRSTR4); break;
case -5: safe_write(STDERR_FILENO, ERRSTR5, sizeof ERRSTR5); break;
case -6: safe_write(STDERR_FILENO, ERRSTR6, sizeof ERRSTR6); break;
}
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
}
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
#undef ERRSTR0
#undef ERRSTR1
#undef ERRSTR2
#undef ERRSTR3
#undef ERRSTR4
#undef ERRSTR5
#undef ERRSTR6
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
#define NK_GEN_ARG(GEN_STR, ...) do { \
Use stb_snprintf instead of libc snprintf. This gives us consistent behavior and stb_snprintf is async signal safe.
2022-03-08 07:12:00 +05:30
ssize_t snlen = stbsp_snprintf(argbuf, argbuflen, GEN_STR, __VA_ARGS__); \
Update to latest nk/exec.c; see ncron repo for changes. Notably, nk_generate_env() no longer calls malloc().
2022-02-25 17:13:42 +05:30
if (snlen < 0 || (size_t)snlen > argbuflen) { \
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
static const char errstr[] = "nk_execute: constructing argument list failed\n"; \
Use safe_write() in nk/exec.c
2022-02-25 10:35:57 +05:30
safe_write(STDERR_FILENO, errstr, sizeof errstr); \
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
_Exit(EXIT_FAILURE); \
} \
nk/exec: Simplify and remove double null termination. The current code pads with an extra character that is then rewritten into a null character. This isn't necessary with post-C99 implementations of standardized snprintf, so get rid of it. Also add a note warning that nk_generate_env() and nk_execute() are not async signal safe and are thus unsuitable for use in multithreaded processes. nk_execute() could be rewritten to be async signal safe without much trouble, as the only problem point is snprintf() which is not guaranteed to be async signal safe by POSIX. However, nk_generate_env() performs chroot() if a chroot_path is specified, and chroot() is not async signal safe in POSIX. Additionally, malloc() can be called in rare cases where user information fields are very long, and malloc() is obviously not async signal safe. Finally, snprintf() is used here, too, but it could be replaced. Converting to posix_spawn() is a no-go because posix_spawn() has no facility for changing rlimits or chroot on the spawned process. In summary, I don't think the gains are worth it. Multithreaded processes should just not fork().
2022-02-25 15:23:02 +05:30
argv[curv] = argbuf; argv[++curv] = NULL; \
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
argbuf += snlen; argbuflen -= (size_t)snlen; \
} while (0)
void __attribute__((noreturn))
nk_execute(const char *command, const char *args, char * const envp[])
{
char *argv[MAX_ARGS];
char argbuf_s[MAX_ARGBUF];
char *argbuf = argbuf_s;
size_t curv = 0;
size_t argbuflen = sizeof argbuf_s;
if (!command)
_Exit(EXIT_SUCCESS);
// strip the path from the command name and set argv[0]
const char *p = strrchr(command, '/');
NK_GEN_ARG("%s", p ? p + 1 : command);
if (args) {
p = args;
const char *q = args;
bool squote = false, dquote = false, atend = false;
for (;; ++p) {
switch (*p) {
default: continue;
case '\0':
atend = true;
goto endarg;
case ' ':
if (!squote && !dquote)
goto endarg;
continue;
case '\'':
if (!dquote)
squote = !squote;
continue;
case '"':
if (!squote)
dquote = !dquote;
continue;
}
endarg:
{
if (p == q) break;
// Push an argument.
if (q > p) {
static const char errstr[] = "nk_execute: argument length too long\n";
Use safe_write() in nk/exec.c
2022-02-25 10:35:57 +05:30
safe_write(STDERR_FILENO, errstr, sizeof errstr);
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
_Exit(EXIT_FAILURE);
}
nk/exec: Simplify and remove double null termination. The current code pads with an extra character that is then rewritten into a null character. This isn't necessary with post-C99 implementations of standardized snprintf, so get rid of it. Also add a note warning that nk_generate_env() and nk_execute() are not async signal safe and are thus unsuitable for use in multithreaded processes. nk_execute() could be rewritten to be async signal safe without much trouble, as the only problem point is snprintf() which is not guaranteed to be async signal safe by POSIX. However, nk_generate_env() performs chroot() if a chroot_path is specified, and chroot() is not async signal safe in POSIX. Additionally, malloc() can be called in rare cases where user information fields are very long, and malloc() is obviously not async signal safe. Finally, snprintf() is used here, too, but it could be replaced. Converting to posix_spawn() is a no-go because posix_spawn() has no facility for changing rlimits or chroot on the spawned process. In summary, I don't think the gains are worth it. Multithreaded processes should just not fork().
2022-02-25 15:23:02 +05:30
NK_GEN_ARG("%.*s", (int)(p - q), q);
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
q = p + 1;
if (atend || curv >= (MAX_ARGS - 1))
break;
}
}
}
execve(command, argv, envp);
{
static const char errstr[] = "nk_execute: execve failed\n";
Use safe_write() in nk/exec.c
2022-02-25 10:35:57 +05:30
safe_write(STDERR_FILENO, errstr, sizeof errstr);
Support running an executable file when a new lease is acquired. If no 'script-file = SCRIPTFILE' is specified in the configuration file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE' command argument is provided, then this functionality is entirely inactive and no associated subprocess is spawned. Otherwise, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired. Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts. The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection. The privsep channel communicates that the script should be run by simply writing a newline; anything else will result in ndhc terminating itself. Before the recommended way to update system state after a change in lease information was to run the fcactus program and watch the associated leasefile for the interface for modification; now no external program is needed for this job.
2022-02-24 11:22:26 +05:30
_Exit(EXIT_FAILURE);
}
}
Reference in New Issue Copy Permalink