Commit Graph

1335 Commits

Author SHA1 Message Date
Manuel Rüger
4b2a61f1b8 rc-status: Remove noise from ini-formatted output
Otherwise this would create the following output:

rc-status -f ini
 * Caching service dependencies ...        [ ok ]
[default]
dbus =  started
NetworkManager =  started
syslog-ng =  started
...

This fixes #364.
2020-12-20 16:01:02 -06:00
William Hubbs
da30767353 supervise-daemon: do not spawn a process if we are exiting
This fixes #375 and allows us to not add another level of indentation in
the supervisor loop.
2020-11-29 21:22:43 -06:00
Michael Orlitzky
00ea216608 src/rc/checkpath.c: replace mkdir() with mkdirat().
The do_check() function recently gained some defenses against symlink
replacement attacks that involve the use of *at functions in place of
their vanilla counterparts; openat() instead of open(), for example.
One opportunity to replace mkdir() with mkdirat() was missed, however,
and this commit replaces it.

This fixes #386.
2020-11-27 17:29:26 -06:00
Michael Orlitzky
ac7ca6d901 src/rc/checkpath.c: fix typo "synbolic" -> "symbolic". 2020-11-27 17:25:30 -06:00
Johannes Heimansberg
47819f004c start-stop-daemon, supervise-daemon: fix parsing of usernames passed via --user that start with a number
start-stop-daemon and supervise-daemon parse usernames and group names
passed via the --user argument as numeric UID/GID if they start with a
number (e.g. user "4foo" will be treated as UID 4). This results in the
process that is being started to run under a totally unexpected user if
that UID exists.

Even though the result of the sscanf calls are tested for a result of
exactly 1, which means exactly one value was extracted, because sscanf's
format string only contains only one placeholder, it will never return
a value greater than 1, even if there are still characters left to be
parsed. This causes start-stop-daemon and supervise-daemon to assume
that usernames starting with a number are just that number. Adding a
second placeholder "%1s" to the format string, which matches a string of
length 1, makes sure that sscanf can distinguish between pure numbers
(in which case it will return 1) and strings either starting with a
number (in which case it will return 2) and any other string (in which
case it will return 0).

This fixes #379.
This fixes #380.
2020-11-27 16:40:12 -06:00
Lars Wendler
aa0fdf6d08 start-stop-daemon: Don't segfault if --exec was given a non-existing file name
Starting program: /sbin/start-stop-daemon --start --exec i-dont-exist

  Program received signal SIGSEGV, Segmentation fault.
  0x0000555555559053 in main (argc=1, argv=0x7fffffffdc20)
      at start-stop-daemon.c:631
  631                         *exec_file ? exec_file : exec);

This fixes #385.
2020-11-20 09:22:18 -06:00
William Hubbs
b6fef599bf checkpath: fix CVE-2018-21269
This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.

On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.

This fixes #201.
2020-11-20 09:15:59 -06:00
William Hubbs
2355f1a3f2 supervise-daemon: only log debug logs when verbose mode is active 2020-09-25 16:33:32 -05:00
Sergei Trofimovich
375ef42393 src/rc/rc-logger.h: fix build failure against gcc-10
On gcc-10 (and gcc-9 -fno-common) build fails as:

```
cc  -L../librc -L../libeinfo -O2 -g -std=c99 -Wall -Wextra -Wimplicit -Wshadow \
  -Wformat=2 -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn \
  -Wmissing-format-attribute -Wnested-externs -Winline -Wwrite-strings \
  -Wcast-align -Wcast-qual -Wpointer-arith -Wdeclaration-after-statement \
  -Wsequence-point -Werror=implicit-function-declaration    \
  -Wl,-rpath=/lib   -o openrc rc.o rc-logger.o rc-misc.o rc-plugin.o _usage.o -lutil -lrc -leinfo -Wl,-Bdynamic -ldl
ld: rc-logger.o:/home/slyfox/dev/git/openrc/src/rc/rc-logger.h:16:
  multiple definition of `rc_logger_pid'; rc.o:openrc/src/rc/rc-logger.h:16: first defined here
ld: rc-logger.o:/home/slyfox/dev/git/openrc/src/rc/rc-logger.h:17:
  multiple definition of `rc_logger_tty'; rc.o:openrc/src/rc/rc-logger.h:17: first defined here
```

gcc-10 will change the default from -fcommon to fno-common:
https://gcc.gnu.org/PR85678.

The error also happens if CFLAGS=-fno-common passed explicitly.

This fixes #348.
2020-01-19 16:52:21 -06:00
Wolf
6deda13754 supervise-daemon: Fix segfault when executable does not exist
When executable is provided just by name (and therefore searched in a
path), exec_file is reset to NULL every time. exists() handles it being
NULL just fine, but dereferencing it in eerror does not work.

Fixes #326
Fixes #327
2020-01-11 13:36:33 -06:00
William Hubbs
fd852865e0 openrc-shutdown.c: typo fix 2019-12-05 12:11:08 -06:00
William Hubbs
8e31614c4b fix clang build 2019-08-20 16:06:46 -05:00
William Hubbs
1bc96141e6 fix single user mode 2019-08-19 14:55:54 -05:00
William Hubbs
0dabda6f6f fix sysvinit compatibility
This allows openrc to direct sysvinit to shut down the system by setting
the INIT_HALT environment variable appropriately. Also, we do not try to
communicate with sysvinit if its fifo does not exist.
2019-08-15 12:02:30 -05:00
William Hubbs
cac41092e4 add ability for openrc-shutdown to communicate with sysvinit
This fixes #315.
2019-07-25 14:47:18 -05:00
Martin Wilke
7ddc281ab6 Fix build with Clang
This fixes #313.
2019-07-24 12:32:23 -05:00
William Hubbs
54780a4582 supervise-daemon: allow --respawn-max to be zero 2019-03-29 14:09:08 -05:00
William Hubbs
44f5a72d1a remove hidden-visibility.h
I am removing this on the advice of a member of the Gentoo toolchain
team. It was explained to me that this doesn't offer any significant
benefits to OpenRC.

If anyone ffeels differently, please open a pull request reverting
this and adding an explanation of what it does and how to know which
functions to mark hidden in the future.

This fixes #301.
2019-02-26 17:47:55 -06:00
William Hubbs
0d378974bf openrc-init: fix waitpid checks
The do_openrc() function was not waiting properly for the child process
which started the runlevel to return. We need to repeatedly call
waitpid() until its return value matches the pid of the child process or
the child process does not exist.

This fixes #216.
This fixes #300.
2019-02-25 18:55:13 -06:00
William Hubbs
028da5c2e3 librc: fix potential buffer overflow in pid_is_argv
This fixes #299.
2019-02-23 17:44:07 -06:00
William Hubbs
d8dbb890aa Revert "src/librc/librc-daemon.c: fix buffer overrun in pid_is_argv"
This reverts commit 084877eb52.
The mentioned commit caused some systems to have some services reported
as crashed.

This fixes #297.
This fixes #298.
2019-02-23 16:24:55 -06:00
William Hubbs
52d4e56674 combine test directories
This fixes #295.
2019-02-22 18:08:19 -06:00
William Hubbs
6e6902c28b remove unused test ignore patterns 2019-02-22 16:27:52 -06:00
William Hubbs
084823182a remove unused test data files 2019-02-22 13:25:51 -06:00
Georgy Yakovlev
7478c104fc librc/librc-depend.c: fix NULL pointer dereference
In some cases deptree or depinfo can be NULL, check
before dereferencing.

Fixes https://github.com/OpenRC/openrc/issues/293
Fixes https://github.com/OpenRC/openrc/pulls/294
X-Gentoo-Bug: 659906
X-Gentoo-Bug-URL: https://bugs.gentoo.org/659906
2019-02-21 17:49:54 -06:00
Sergei Trofimovich
b054aca50b src/test/runtests.sh: drop 'readelf'-based tests
The 'readelf'-based tests cover a few situations:
1. undefined symbols in shared libraries
2. unexpected exports in shared libraries

Bug #575958 shows that [2.] implementation is too simplistic
in assuming that presence of relocation equals to export presence.

It is incorrect for PLT stubs and local symbols.
Let's just drop these tests.

If one needs to cover [1.] it is better to use LDFLAGS=-Wl,--no-undefined.

This closes #292.

X-Reported-by: Benda Xu
X-Gentoo-Bug: https://bugs.gentoo.org/575958
X-Gentoo-Bug-URL: https://bugs.gentoo.org/575958
2019-02-19 11:50:11 -06:00
William Hubbs
f9e7a00ba9 rc-status: style fixes 2019-02-15 20:36:46 -06:00
William Hubbs
427a1ce299 rc-status: add -f option to allow formatting output
The -f option can be used when showing the status of services in
runlevels to allow making the output more easily parsable.
Currently, the .ini format is the only one supported.
2019-02-15 14:21:43 -06:00
William Hubbs
f43cec34ca rc-status.c: small style changes 2019-02-14 13:14:31 -06:00
Edan Bedrik
b2b2c57a38 librc: fix realpath() return value check
This fixes #226.
2019-02-12 17:56:17 -06:00
William Hubbs
155b845194 improve shutdown documentation
This fixes #290.
2019-02-12 16:54:12 -06:00
William Hubbs
1ff3a37c60 start-stop-daemon: fix compiler warning 2018-12-28 09:31:38 -06:00
philhofer
3e00fbc9b0 fix leading whitespace
Clean up code indented with mixed tabs and spaces.
No actual code changes.

This fixes #280.
2018-12-27 13:13:09 -06:00
philhofer
846e460075 fix potential out-of-bounds reads
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code

  rc = readlink(path, buf, sizeof(buf));

does not necessarily produce a C string.

The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.

In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.

(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)

This fixes #270.
2018-12-27 11:28:27 -06:00
William Hubbs
a32b14bbb4 Do not use UT_LINESIZE or __UT_LINESIZE
These are not standard.
For more information see issue #279.
This fixes #279.
2018-12-25 12:13:23 -06:00
philhofer
084877eb52 src/librc/librc-daemon.c: fix buffer overrun in pid_is_argv
The contents of /proc/<pid>/cmdline are read into
a stack buffer using

  bytes = read(fd, buffer, sizeof(buffer));

followed by appending a null terminator to the buffer with

  buffer[bytes] = '\0';

If bytes == sizeof(buffer), then this write is out-of-bounds.

Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)

This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes #269.
2018-12-24 11:55:48 -06:00
philhofer
97e74f9734 src/rc/supervise-daemon.c: formatting fixes
Fix misleading indentation and other erroneous whitespace.
This fixes #273.
2018-12-24 10:36:12 -06:00
philhofer
a9fc26ac13 src/rc/supervise-daemon.c: do not pass NULL to strcmp
The following will cause a segfault due to NULL being
passed to strcmp(3)

$ RC_SVCNAME=foo supervise-daemon

Fix the bounds check on argc in main. If argc<=1, then
it is not safe to dereference argv[1].
2018-12-23 21:01:39 -05:00
philhofer
40f7046696 src/rc/openrc-run.c: remove duplicate statement
The statement

  ll = strlen(applet);

appears twice in the same block without any
intervening assignment to the variables
'll' or 'applet'

Remove the second (duplicate) statement.
2018-12-23 20:27:06 -05:00
William Hubbs
ed8b768c4a fix compiler warnings 2018-12-21 12:06:15 -06:00
William Hubbs
825caa14de supervise-daemon: do not use the exec_service() function
In order to run healthcheck() and the unhealthy() function, add an
exec_command call to the supervisor.
Another difference is This function also logs errors instead of
attempting to display them.

This is for #271.
2018-12-20 17:39:31 -06:00
William Hubbs
d5c396cbfc Add debug logging to start-stop-daemon and rc-supervisor
This will make it easier to track down why the supervisor intermittently
hangs after it runs for a long time.
2018-12-18 11:29:26 -06:00
William Hubbs
bebc604438 supervise-daemon: fix busy loop
This fixes #264.
2018-12-06 16:22:15 -06:00
Alexander Zubkov
9dae4f2e38 supervise-daemon: redirect std{in,out,err} to /dev/null after demonizing
This fixes #239.
2018-12-04 16:53:39 -06:00
Austin English
fb4dd351c7 misc: make checks always fatal
This fixes #263.
2018-12-03 15:26:42 -06:00
Austin English
10dc65cc46 src/rc/supervise-daemon.c: fix style issue
This is for #263.
2018-12-03 15:26:20 -06:00
William Hubbs
9a2115f762 rc-status: show status for supervised services instead of a list 2018-12-03 15:16:17 -06:00
William Hubbs
af70862a7a supervise-daemon: use a default pid file if one is not specified
Since the pid file is internal to us, start moving toward deprecating it
by not requiring the user to specify it.
In the next release, I plan on working on code to start phasing out the
use of a pid file if this is possible.
2018-12-03 12:41:29 -06:00
William Hubbs
fa6611b5af rc-status: add --supervised option to show supervised services 2018-12-02 18:33:25 -06:00
William Hubbs
db01442580 rc-status: show failed services as failed 2018-12-02 18:33:25 -06:00