Commit Graph

10 Commits

Author SHA1 Message Date
Nicholas J. Kain
484a9c516b Use stb_snprintf instead of libc snprintf.
This gives us consistent behavior and stb_snprintf is async signal
safe.
2022-03-07 20:42:00 -05:00
Nicholas J. Kain
f6dfd9a58a nk/exec.c: Update documentation comment 2022-02-25 07:10:07 -05:00
Nicholas J. Kain
9cd65f35d9 Get rid of nk/copy_cmdarg.h 2022-02-25 07:01:55 -05:00
Nicholas J. Kain
12631c59bb Update to latest nk/exec.c; see ncron repo for changes.
Notably, nk_generate_env() no longer calls malloc().
2022-02-25 06:43:42 -05:00
Nicholas J. Kain
7572e2eb8b snprintf() truncation checks were one byte too conservative. 2022-02-25 06:18:08 -05:00
Nicholas J. Kain
ba8f674e15 nk/exec: Simplify and remove double null termination.
The current code pads with an extra character that is then rewritten
into a null character.  This isn't necessary with post-C99
implementations of standardized snprintf, so get rid of it.

Also add a note warning that nk_generate_env() and nk_execute()
are not async signal safe and are thus unsuitable for use in
multithreaded processes.

nk_execute() could be rewritten to be async signal safe without much
trouble, as the only problem point is snprintf() which is not guaranteed
to be async signal safe by POSIX.

However, nk_generate_env() performs chroot() if a chroot_path is
specified, and chroot() is not async signal safe in POSIX.
Additionally, malloc() can be called in rare cases where user
information fields are very long, and malloc() is obviously not async
signal safe.  Finally, snprintf() is used here, too, but it could be
replaced.

Converting to posix_spawn() is a no-go because posix_spawn() has no
facility for changing rlimits or chroot on the spawned process.

In summary, I don't think the gains are worth it.  Multithreaded
processes should just not fork().
2022-02-25 04:53:02 -05:00
Nicholas J. Kain
62aef529f4 Use safe_write() in nk/exec.c 2022-02-25 00:05:57 -05:00
Nicholas J. Kain
a9874d4959 Support running an executable file when a new lease is acquired.
If no 'script-file = SCRIPTFILE' is specified in the configuration
file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE'
command argument is provided, then this functionality is entirely
inactive and no associated subprocess is spawned.

Otherwise, ndhc will spawn a subprocess that runs as root that has the
sole job of forking off a subprocess that exec's the specified script in
a sanitized and fixed-state environment whenever a new DHCPv4 lease is
acquired.

Note that this script is provided no information about ndhc or the
DHCP state in the environment or in any argument fields; it is the
responsibility of this script to gather whatever information it needs
from either the filesystem or syscalls.  This design is intended to
avoid the historical problems that are associated with dhcp clients
invoking scripts.

The path of the scriptfile cannot be changed after ndhc is initially
run; ndhc forks off the privsep script subprocess that executes scripts
after it has read the configuration file and command arguments, but
before it begins processing network data; thus, it is impossible for the
network-handling process to modify or influence the script assuming
proper OS memory protection.

The privsep channel communicates that the script should be run by simply
writing a newline; anything else will result in ndhc terminating itself.

Before the recommended way to update system state after a change in
lease information was to run the fcactus program and watch the
associated leasefile for the interface for modification; now no external
program is needed for this job.
2022-02-24 03:58:37 -05:00
Nicholas J. Kain
1732bccccc Relicense as MIT.
It's a lot more common than BSD 2-clause it is both compatible
and nearly identical in effect.
2022-02-06 20:05:29 -05:00
Nicholas J. Kain
8db8c5589d Replace CMake with GNU Make.
There was previously support for both build systems, but ndhc is
undemanding and there is no point in maintaining a complex
CMake build.
2022-01-22 18:39:41 -05:00