The previous fix excludes PIDs of processes running in a different namespace
regardless of whether the PID has been explicitly stored in a PID file mentioned
in the --pidfile parameter. The correct behavior is to only exclude the pid if
it is not stored in a pidfile.
X-Gentoo-Bug: 776010
X-Gentoo-Bug-URL: https://bugs.gentoo.org/776010
Otherwise this would create the following output:
rc-status -f ini
* Caching service dependencies ... [ ok ]
[default]
dbus = started
NetworkManager = started
syslog-ng = started
...
This fixes#364.
The do_check() function recently gained some defenses against symlink
replacement attacks that involve the use of *at functions in place of
their vanilla counterparts; openat() instead of open(), for example.
One opportunity to replace mkdir() with mkdirat() was missed, however,
and this commit replaces it.
This fixes#386.
start-stop-daemon and supervise-daemon parse usernames and group names
passed via the --user argument as numeric UID/GID if they start with a
number (e.g. user "4foo" will be treated as UID 4). This results in the
process that is being started to run under a totally unexpected user if
that UID exists.
Even though the result of the sscanf calls are tested for a result of
exactly 1, which means exactly one value was extracted, because sscanf's
format string only contains only one placeholder, it will never return
a value greater than 1, even if there are still characters left to be
parsed. This causes start-stop-daemon and supervise-daemon to assume
that usernames starting with a number are just that number. Adding a
second placeholder "%1s" to the format string, which matches a string of
length 1, makes sure that sscanf can distinguish between pure numbers
(in which case it will return 1) and strings either starting with a
number (in which case it will return 2) and any other string (in which
case it will return 0).
This fixes#379.
This fixes#380.
Starting program: /sbin/start-stop-daemon --start --exec i-dont-exist
Program received signal SIGSEGV, Segmentation fault.
0x0000555555559053 in main (argc=1, argv=0x7fffffffdc20)
at start-stop-daemon.c:631
631 *exec_file ? exec_file : exec);
This fixes#385.
This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.
On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.
This fixes#201.
When executable is provided just by name (and therefore searched in a
path), exec_file is reset to NULL every time. exists() handles it being
NULL just fine, but dereferencing it in eerror does not work.
Fixes#326Fixes#327
This allows openrc to direct sysvinit to shut down the system by setting
the INIT_HALT environment variable appropriately. Also, we do not try to
communicate with sysvinit if its fifo does not exist.
I am removing this on the advice of a member of the Gentoo toolchain
team. It was explained to me that this doesn't offer any significant
benefits to OpenRC.
If anyone ffeels differently, please open a pull request reverting
this and adding an explanation of what it does and how to know which
functions to mark hidden in the future.
This fixes#301.
The do_openrc() function was not waiting properly for the child process
which started the runlevel to return. We need to repeatedly call
waitpid() until its return value matches the pid of the child process or
the child process does not exist.
This fixes#216.
This fixes#300.
The 'readelf'-based tests cover a few situations:
1. undefined symbols in shared libraries
2. unexpected exports in shared libraries
Bug #575958 shows that [2.] implementation is too simplistic
in assuming that presence of relocation equals to export presence.
It is incorrect for PLT stubs and local symbols.
Let's just drop these tests.
If one needs to cover [1.] it is better to use LDFLAGS=-Wl,--no-undefined.
This closes#292.
X-Reported-by: Benda Xu
X-Gentoo-Bug: https://bugs.gentoo.org/575958
X-Gentoo-Bug-URL: https://bugs.gentoo.org/575958
The -f option can be used when showing the status of services in
runlevels to allow making the output more easily parsable.
Currently, the .ini format is the only one supported.
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
rc = readlink(path, buf, sizeof(buf));
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes#270.
The contents of /proc/<pid>/cmdline are read into
a stack buffer using
bytes = read(fd, buffer, sizeof(buffer));
followed by appending a null terminator to the buffer with
buffer[bytes] = '\0';
If bytes == sizeof(buffer), then this write is out-of-bounds.
Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)
This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes#269.
The following will cause a segfault due to NULL being
passed to strcmp(3)
$ RC_SVCNAME=foo supervise-daemon
Fix the bounds check on argc in main. If argc<=1, then
it is not safe to dereference argv[1].
The statement
ll = strlen(applet);
appears twice in the same block without any
intervening assignment to the variables
'll' or 'applet'
Remove the second (duplicate) statement.
In order to run healthcheck() and the unhealthy() function, add an
exec_command call to the supervisor.
Another difference is This function also logs errors instead of
attempting to display them.
This is for #271.
Since the pid file is internal to us, start moving toward deprecating it
by not requiring the user to specify it.
In the next release, I plan on working on code to start phasing out the
use of a pid file if this is possible.
This is needed in preparation for adding support for a fifo to allow us
to communicate with the supervisor to ask it to signal the child it is
supervising.
This reverts commit 2af0cedd59.
After speaking with Luis Ressel on the Gentoo selinux team, I am reverting
this commit for the following reasons:
- Luis told me that he feels this is not the solution we need to address
the concern with checkpath; I will be working with him on another
solution.
- There are concerns about the way the path variable was handled
and the assert() call.
The path variable should be dynamically allocated using xasprintf
instead of defining a length at compile time. This would eliminate the
need for the assert() call.
- It introduces the definition of _GNU_SOURCE which makes it
easier to introduce portability concerns in the future (see #262).
The pidfile of the supervisor doesn't need to be adjustable by the
service script. It is only used so the supervisor can stop itself when
the --stop option is used.
In start-stop-daemon and rc-schedules, we were printing out a warning if
the nanosleep call was interrupted by a signal, but we did not treat
this as an error situation other than displaying the message, so there
is no need for the message.
Health checks are a way to monitor a service and make sure it stays
healthy.
If a service is not healthy, it will be automatically restarted after
running the unhealthy() function to clean up.
You can now schedule a shutdown for a certain time or a cpecific number
of minutes into the future.
When a shutdown is running, you can now cancel it with ^c from the
keyboard or by running "openrc-shutdown -c" from another shell.
Fix the comparison between respawn_count and respawn_max so that
respawn_max = 1 will allow for one respawn. Since respawn_count is
incremented before the comparison, use a 'greater than' comparison
so that respawn will be triggered when respawn_count is equal to
respawn_max.
Fixes: https://github.com/OpenRC/openrc/issues/247
Fixes: https://github.com/OpenRC/openrc/issues/248
Use errno != EACCES to fix false-positive for non-root users
with grsecurity kernels.
Fixes: 37e2944272 ("librc: Add check for crashed state")
This fixes#237
This test to find if we could see pid 1 was being used inconsistently in
rc-status and mark_service_crashed to decide whether we could test to
see if the daemon for the service was crashed, and it was not part of
the librc library.
I am removing it from the executables because of inconsistent usage. I
will add it to the library if it is needed there.
If pidfile does not exist when we are stopping the daemon, assume it is
already stopped, and report success.
hostapd is an example of a daemon which removes its pidfile when it is
exiting. If this daemon terminates prematurely, that is, without s-s-d
involvement, then openrc fails to restart it, because s-s-d "stop"
command fails when pidfile is missing.
X-Gentoo-Bug: 646274
X-Gentoo-Bug-URL: https://bugs.gentoo.org/646274
This is our own version of asprintf(). This original code was written by
Mike Frysinger, and I was able to modify it to use our memory helper
functions.
We need a version of this code because it is not available on glibc at
least without defining _GNU_SOURCE, and I would rather not do that.
This is the first step in improving string handling in OpenRC for #207.
This is related to #195.
This is an attempt to shorten the window for the first two issues
discussed by using a file descriptor which does not follow symbolic
links and using the fchmod and fchown calls instead of chown and chmod.
with.
rc_deptree_update_needed would return early as soon as it found
any file newer than the existing dependency cache. Unfortunately,
the first file found may not be the newest one there; so the
clock skew workaround in rc-misc:_rc_deptree_load would be given
a timestamp that was still too old.
This fix forces a full scan of all relevant files, so as to
ensure that we return a timestamp that will allow the clock skew
fix to operate. The runtime cost is no worse than the case where
the cache is up to date (ie. we must check every possible file).
This fixes#161.
Ignore namespaces if there are errors reading either the pid namespace
for the current process or the process we aare testing.
This fixes https://github.com/openrc/openrc/issues/180.
- Harden against dying by handling all signals that would terminate the
program and adding --reexec support
- factor the supervisor into its own function
- fix test for whether we are already running
Prior to this change, we were logging unexpected terminations of daemons
we were supervising at the info level. This change moves the logs to
warnings.
The service binary was just a synonym for rc-service, so use rc-service
instead of service. If you want a "service" binary, it should be
something that can determine which service manager you are running and
run the appropriate service manager commands.
rc-selinux.c: In function ‘selinux_setup’:
rc-selinux.c:361:9: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
curr_t = context_type_get(curr_con);
^
The --retry option for supervise-daemon defines how the supervisor will
attempt to stop the child process it is monitoring. It is defined when
the supervisor is started since stopping the supervisor just sends a
signal to the active supervisor.
This fixes#160.
How to reproduce 1-byte overflow:
```
$ FEATURES=-test CFLAGS="-fsanitize=address -O0 -ggdb3" emerge -1 openrc
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0efd8710
at pc 0x000000402076 bp 0x7fff0efd7d50 sp 0x7fff0efd7d40
WRITE of size 1 at 0x7fff0efd8710 thread T0
#0 0x402075 (/sbin/openrc-init+0x402075)
#1 0x3cf6e2070f in __libc_start_main (/lib64/libc.so.6+0x3cf6e2070f)
#2 0x4013b8 (/sbin/openrc-init+0x4013b8)
Address 0x7fff0efd8710 is located in stack of thread T0 at offset 2432 in frame
#0 0x401cfb (/sbin/openrc-init+0x401cfb)
This frame has 3 object(s):
[32, 160) 'signals'
[192, 344) 'sa'
[384, 2432) 'buf' <== Memory access at offset 2432 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
```
The problem here is in the code handling reads from 'init.ctl':
```
int main(int argc, char **argv) {
...
char buf[2048];
for (;;) {
/* This will block until a command is sent down the pipe... */
fifo = fopen(RC_INIT_FIFO, "r");
count = fread(buf, 1, 2048, fifo);
buf[count] = 0;
...
}
```
`buf[count] = 0;` writes outside the buffer when `fread()` returns non-truncated read.
This fixes#138.
Only close the log if we successfully opened it.
Reported-by: Brian Evans <grknight@gentoo.org>
Tested-by: Brian Evans <grknight@gentoo.org>
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>