do_command.c revision 296460 
1/* Copyright 1988,1990,1993,1994 by Paul Vixie
2 * All rights reserved
3 *
4 * Distribute freely, except: don't remove my name from the source or
5 * documentation (don't take credit for my work), mark your changes (don't
6 * get me blamed for your possible bugs), don't alter or remove this
7 * notice.  May be sold if buildable source is provided to buyer.  No
8 * warrantee of any kind, express or implied, is included with this
9 * software; use at your own risk, responsibility for damages (if any) to
10 * anyone resulting from the use of this software rests entirely with the
11 * user.
12 *
13 * Send bug reports, bug fixes, enhancements, requests, flames, etc., and
14 * I'll try to keep a version up to date.  I can be reached as follows:
15 * Paul Vixie          <paul@vix.com>          uunet!decwrl!vixie!paul
16 */
17
18#if !defined(lint) && !defined(LINT)
19static const char rcsid[] =
20  "$FreeBSD: stable/10/usr.sbin/cron/cron/do_command.c 296460 2016-03-07 16:12:04Z pfg $";
21#endif
22
23
24#include "cron.h"
25#include <sys/signal.h>
26#if defined(sequent)
27# include <sys/universe.h>
28#endif
29#if defined(SYSLOG)
30# include <syslog.h>
31#endif
32#if defined(LOGIN_CAP)
33# include <login_cap.h>
34#endif
35#ifdef PAM
36# include <security/pam_appl.h>
37# include <security/openpam.h>
38#endif
39
40
41static void		child_process(entry *, user *),
42			do_univ(user *);
43
44
45void
46do_command(e, u)
47	entry	*e;
48	user	*u;
49{
50	Debug(DPROC, ("[%d] do_command(%s, (%s,%d,%d))\n",
51		getpid(), e->cmd, u->name, e->uid, e->gid))
52
53	/* fork to become asynchronous -- parent process is done immediately,
54	 * and continues to run the normal cron code, which means return to
55	 * tick().  the child and grandchild don't leave this function, alive.
56	 *
57	 * vfork() is unsuitable, since we have much to do, and the parent
58	 * needs to be able to run off and fork other processes.
59	 */
60	switch (fork()) {
61	case -1:
62		log_it("CRON",getpid(),"error","can't fork");
63		break;
64	case 0:
65		/* child process */
66		pidfile_close(pfh);
67		child_process(e, u);
68		Debug(DPROC, ("[%d] child process done, exiting\n", getpid()))
69		_exit(OK_EXIT);
70		break;
71	default:
72		/* parent process */
73		break;
74	}
75	Debug(DPROC, ("[%d] main process returning to work\n", getpid()))
76}
77
78
79static void
80child_process(e, u)
81	entry	*e;
82	user	*u;
83{
84	int		stdin_pipe[2], stdout_pipe[2];
85	register char	*input_data;
86	char		*usernm, *mailto;
87	int		children = 0;
88# if defined(LOGIN_CAP)
89	struct passwd	*pwd;
90	login_cap_t *lc;
91# endif
92
93	Debug(DPROC, ("[%d] child_process('%s')\n", getpid(), e->cmd))
94
95	/* mark ourselves as different to PS command watchers by upshifting
96	 * our program name.  This has no effect on some kernels.
97	 */
98	setproctitle("running job");
99
100	/* discover some useful and important environment settings
101	 */
102	usernm = env_get("LOGNAME", e->envp);
103	mailto = env_get("MAILTO", e->envp);
104
105#ifdef PAM
106	/* use PAM to see if the user's account is available,
107	 * i.e., not locked or expired or whatever.  skip this
108	 * for system tasks from /etc/crontab -- they can run
109	 * as any user.
110	 */
111	if (strcmp(u->name, SYS_NAME)) {	/* not equal */
112		pam_handle_t *pamh = NULL;
113		int pam_err;
114		struct pam_conv pamc = {
115			.conv = openpam_nullconv,
116			.appdata_ptr = NULL
117		};
118
119		Debug(DPROC, ("[%d] checking account with PAM\n", getpid()))
120
121		/* u->name keeps crontab owner name while LOGNAME is the name
122		 * of user to run command on behalf of.  they should be the
123		 * same for a task from a per-user crontab.
124		 */
125		if (strcmp(u->name, usernm)) {
126			log_it(usernm, getpid(), "username ambiguity", u->name);
127			exit(ERROR_EXIT);
128		}
129
130		pam_err = pam_start("cron", usernm, &pamc, &pamh);
131		if (pam_err != PAM_SUCCESS) {
132			log_it("CRON", getpid(), "error", "can't start PAM");
133			exit(ERROR_EXIT);
134		}
135
136		pam_err = pam_acct_mgmt(pamh, PAM_SILENT);
137		/* Expired password shouldn't prevent the job from running. */
138		if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) {
139			log_it(usernm, getpid(), "USER", "account unavailable");
140			exit(ERROR_EXIT);
141		}
142
143		pam_end(pamh, pam_err);
144	}
145#endif
146
147#ifdef USE_SIGCHLD
148	/* our parent is watching for our death by catching SIGCHLD.  we
149	 * do not care to watch for our children's deaths this way -- we
150	 * use wait() explicitly.  so we have to disable the signal (which
151	 * was inherited from the parent).
152	 */
153	(void) signal(SIGCHLD, SIG_DFL);
154#else
155	/* on system-V systems, we are ignoring SIGCLD.  we have to stop
156	 * ignoring it now or the wait() in cron_pclose() won't work.
157	 * because of this, we have to wait() for our children here, as well.
158	 */
159	(void) signal(SIGCLD, SIG_DFL);
160#endif /*BSD*/
161
162	/* create some pipes to talk to our future child
163	 */
164	if (pipe(stdin_pipe) != 0 || pipe(stdout_pipe) != 0) {
165		log_it("CRON", getpid(), "error", "can't pipe");
166		exit(ERROR_EXIT);
167	}
168
169	/* since we are a forked process, we can diddle the command string
170	 * we were passed -- nobody else is going to use it again, right?
171	 *
172	 * if a % is present in the command, previous characters are the
173	 * command, and subsequent characters are the additional input to
174	 * the command.  Subsequent %'s will be transformed into newlines,
175	 * but that happens later.
176	 *
177	 * If there are escaped %'s, remove the escape character.
178	 */
179	/*local*/{
180		register int escaped = FALSE;
181		register int ch;
182		register char *p;
183
184		for (input_data = p = e->cmd; (ch = *input_data);
185		     input_data++, p++) {
186			if (p != input_data)
187			    *p = ch;
188			if (escaped) {
189				if (ch == '%' || ch == '\\')
190					*--p = ch;
191				escaped = FALSE;
192				continue;
193			}
194			if (ch == '\\') {
195				escaped = TRUE;
196				continue;
197			}
198			if (ch == '%') {
199				*input_data++ = '\0';
200				break;
201			}
202		}
203		*p = '\0';
204	}
205
206	/* fork again, this time so we can exec the user's command.
207	 */
208	switch (vfork()) {
209	case -1:
210		log_it("CRON",getpid(),"error","can't vfork");
211		exit(ERROR_EXIT);
212		/*NOTREACHED*/
213	case 0:
214		Debug(DPROC, ("[%d] grandchild process Vfork()'ed\n",
215			      getpid()))
216
217		if (e->uid == ROOT_UID)
218			Jitter = RootJitter;
219		if (Jitter != 0) {
220			srandom(getpid());
221			sleep(random() % Jitter);
222		}
223
224		/* write a log message.  we've waited this long to do it
225		 * because it was not until now that we knew the PID that
226		 * the actual user command shell was going to get and the
227		 * PID is part of the log message.
228		 */
229		/*local*/{
230			char *x = mkprints((u_char *)e->cmd, strlen(e->cmd));
231
232			log_it(usernm, getpid(), "CMD", x);
233			free(x);
234		}
235
236		/* that's the last thing we'll log.  close the log files.
237		 */
238#ifdef SYSLOG
239		closelog();
240#endif
241
242		/* get new pgrp, void tty, etc.
243		 */
244		(void) setsid();
245
246		/* close the pipe ends that we won't use.  this doesn't affect
247		 * the parent, who has to read and write them; it keeps the
248		 * kernel from recording us as a potential client TWICE --
249		 * which would keep it from sending SIGPIPE in otherwise
250		 * appropriate circumstances.
251		 */
252		close(stdin_pipe[WRITE_PIPE]);
253		close(stdout_pipe[READ_PIPE]);
254
255		/* grandchild process.  make std{in,out} be the ends of
256		 * pipes opened by our daddy; make stderr go to stdout.
257		 */
258		close(STDIN);	dup2(stdin_pipe[READ_PIPE], STDIN);
259		close(STDOUT);	dup2(stdout_pipe[WRITE_PIPE], STDOUT);
260		close(STDERR);	dup2(STDOUT, STDERR);
261
262		/* close the pipes we just dup'ed.  The resources will remain.
263		 */
264		close(stdin_pipe[READ_PIPE]);
265		close(stdout_pipe[WRITE_PIPE]);
266
267		/* set our login universe.  Do this in the grandchild
268		 * so that the child can invoke /usr/lib/sendmail
269		 * without surprises.
270		 */
271		do_univ(u);
272
273# if defined(LOGIN_CAP)
274		/* Set user's entire context, but skip the environment
275		 * as cron provides a separate interface for this
276		 */
277		if ((pwd = getpwnam(usernm)) == NULL)
278			pwd = getpwuid(e->uid);
279		lc = NULL;
280		if (pwd != NULL) {
281			pwd->pw_gid = e->gid;
282			if (e->class != NULL)
283				lc = login_getclass(e->class);
284		}
285		if (pwd &&
286		    setusercontext(lc, pwd, e->uid,
287			    LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
288			(void) endpwent();
289		else {
290			/* fall back to the old method */
291			(void) endpwent();
292# endif
293			/* set our directory, uid and gid.  Set gid first,
294			 * since once we set uid, we've lost root privileges.
295			 */
296			if (setgid(e->gid) != 0) {
297				log_it(usernm, getpid(),
298				    "error", "setgid failed");
299				exit(ERROR_EXIT);
300			}
301# if defined(BSD)
302			if (initgroups(usernm, e->gid) != 0) {
303				log_it(usernm, getpid(),
304				    "error", "initgroups failed");
305				exit(ERROR_EXIT);
306			}
307# endif
308			if (setlogin(usernm) != 0) {
309				log_it(usernm, getpid(),
310				    "error", "setlogin failed");
311				exit(ERROR_EXIT);
312			}
313			if (setuid(e->uid) != 0) {
314				log_it(usernm, getpid(),
315				    "error", "setuid failed");
316				exit(ERROR_EXIT);
317			}
318			/* we aren't root after this..*/
319#if defined(LOGIN_CAP)
320		}
321		if (lc != NULL)
322			login_close(lc);
323#endif
324		chdir(env_get("HOME", e->envp));
325
326		/* exec the command.
327		 */
328		{
329			char	*shell = env_get("SHELL", e->envp);
330
331# if DEBUGGING
332			if (DebugFlags & DTEST) {
333				fprintf(stderr,
334				"debug DTEST is on, not exec'ing command.\n");
335				fprintf(stderr,
336				"\tcmd='%s' shell='%s'\n", e->cmd, shell);
337				_exit(OK_EXIT);
338			}
339# endif /*DEBUGGING*/
340			execle(shell, shell, "-c", e->cmd, (char *)NULL,
341			    e->envp);
342			warn("execle: couldn't exec `%s'", shell);
343			_exit(ERROR_EXIT);
344		}
345		break;
346	default:
347		/* parent process */
348		break;
349	}
350
351	children++;
352
353	/* middle process, child of original cron, parent of process running
354	 * the user's command.
355	 */
356
357	Debug(DPROC, ("[%d] child continues, closing pipes\n", getpid()))
358
359	/* close the ends of the pipe that will only be referenced in the
360	 * grandchild process...
361	 */
362	close(stdin_pipe[READ_PIPE]);
363	close(stdout_pipe[WRITE_PIPE]);
364
365	/*
366	 * write, to the pipe connected to child's stdin, any input specified
367	 * after a % in the crontab entry.  while we copy, convert any
368	 * additional %'s to newlines.  when done, if some characters were
369	 * written and the last one wasn't a newline, write a newline.
370	 *
371	 * Note that if the input data won't fit into one pipe buffer (2K
372	 * or 4K on most BSD systems), and the child doesn't read its stdin,
373	 * we would block here.  thus we must fork again.
374	 */
375
376	if (*input_data && fork() == 0) {
377		register FILE	*out = fdopen(stdin_pipe[WRITE_PIPE], "w");
378		register int	need_newline = FALSE;
379		register int	escaped = FALSE;
380		register int	ch;
381
382		if (out == NULL) {
383			warn("fdopen failed in child2");
384			_exit(ERROR_EXIT);
385		}
386
387		Debug(DPROC, ("[%d] child2 sending data to grandchild\n", getpid()))
388
389		/* close the pipe we don't use, since we inherited it and
390		 * are part of its reference count now.
391		 */
392		close(stdout_pipe[READ_PIPE]);
393
394		/* translation:
395		 *	\% -> %
396		 *	%  -> \n
397		 *	\x -> \x	for all x != %
398		 */
399		while ((ch = *input_data++)) {
400			if (escaped) {
401				if (ch != '%')
402					putc('\\', out);
403			} else {
404				if (ch == '%')
405					ch = '\n';
406			}
407
408			if (!(escaped = (ch == '\\'))) {
409				putc(ch, out);
410				need_newline = (ch != '\n');
411			}
412		}
413		if (escaped)
414			putc('\\', out);
415		if (need_newline)
416			putc('\n', out);
417
418		/* close the pipe, causing an EOF condition.  fclose causes
419		 * stdin_pipe[WRITE_PIPE] to be closed, too.
420		 */
421		fclose(out);
422
423		Debug(DPROC, ("[%d] child2 done sending to grandchild\n", getpid()))
424		exit(0);
425	}
426
427	/* close the pipe to the grandkiddie's stdin, since its wicked uncle
428	 * ernie back there has it open and will close it when he's done.
429	 */
430	close(stdin_pipe[WRITE_PIPE]);
431
432	children++;
433
434	/*
435	 * read output from the grandchild.  it's stderr has been redirected to
436	 * it's stdout, which has been redirected to our pipe.  if there is any
437	 * output, we'll be mailing it to the user whose crontab this is...
438	 * when the grandchild exits, we'll get EOF.
439	 */
440
441	Debug(DPROC, ("[%d] child reading output from grandchild\n", getpid()))
442
443	/*local*/{
444		register FILE	*in = fdopen(stdout_pipe[READ_PIPE], "r");
445		register int	ch;
446
447		if (in == NULL) {
448			warn("fdopen failed in child");
449			_exit(ERROR_EXIT);
450		}
451
452		ch = getc(in);
453		if (ch != EOF) {
454			register FILE	*mail;
455			register int	bytes = 1;
456			int		status = 0;
457
458			Debug(DPROC|DEXT,
459				("[%d] got data (%x:%c) from grandchild\n",
460					getpid(), ch, ch))
461
462			/* get name of recipient.  this is MAILTO if set to a
463			 * valid local username; USER otherwise.
464			 */
465			if (mailto == NULL) {
466				/* MAILTO not present, set to USER,
467				 * unless globally overriden.
468				 */
469				if (defmailto)
470					mailto = defmailto;
471				else
472					mailto = usernm;
473			}
474			if (mailto && *mailto == '\0')
475				mailto = NULL;
476
477			/* if we are supposed to be mailing, MAILTO will
478			 * be non-NULL.  only in this case should we set
479			 * up the mail command and subjects and stuff...
480			 */
481
482			if (mailto) {
483				register char	**env;
484				auto char	mailcmd[MAX_COMMAND];
485				auto char	hostname[MAXHOSTNAMELEN];
486
487				(void) gethostname(hostname, MAXHOSTNAMELEN);
488				(void) snprintf(mailcmd, sizeof(mailcmd),
489					       MAILARGS, MAILCMD);
490				if (!(mail = cron_popen(mailcmd, "w", e))) {
491					warn("%s", MAILCMD);
492					(void) _exit(ERROR_EXIT);
493				}
494				fprintf(mail, "From: %s (Cron Daemon)\n", usernm);
495				fprintf(mail, "To: %s\n", mailto);
496				fprintf(mail, "Subject: Cron <%s@%s> %s\n",
497					usernm, first_word(hostname, "."),
498					e->cmd);
499# if defined(MAIL_DATE)
500				fprintf(mail, "Date: %s\n",
501					arpadate(&TargetTime));
502# endif /* MAIL_DATE */
503				for (env = e->envp;  *env;  env++)
504					fprintf(mail, "X-Cron-Env: <%s>\n",
505						*env);
506				fprintf(mail, "\n");
507
508				/* this was the first char from the pipe
509				 */
510				putc(ch, mail);
511			}
512
513			/* we have to read the input pipe no matter whether
514			 * we mail or not, but obviously we only write to
515			 * mail pipe if we ARE mailing.
516			 */
517
518			while (EOF != (ch = getc(in))) {
519				bytes++;
520				if (mailto)
521					putc(ch, mail);
522			}
523
524			/* only close pipe if we opened it -- i.e., we're
525			 * mailing...
526			 */
527
528			if (mailto) {
529				Debug(DPROC, ("[%d] closing pipe to mail\n",
530					getpid()))
531				/* Note: the pclose will probably see
532				 * the termination of the grandchild
533				 * in addition to the mail process, since
534				 * it (the grandchild) is likely to exit
535				 * after closing its stdout.
536				 */
537				status = cron_pclose(mail);
538			}
539
540			/* if there was output and we could not mail it,
541			 * log the facts so the poor user can figure out
542			 * what's going on.
543			 */
544			if (mailto && status) {
545				char buf[MAX_TEMPSTR];
546
547				snprintf(buf, sizeof(buf),
548			"mailed %d byte%s of output but got status 0x%04x\n",
549					bytes, (bytes==1)?"":"s",
550					status);
551				log_it(usernm, getpid(), "MAIL", buf);
552			}
553
554		} /*if data from grandchild*/
555
556		Debug(DPROC, ("[%d] got EOF from grandchild\n", getpid()))
557
558		fclose(in);	/* also closes stdout_pipe[READ_PIPE] */
559	}
560
561	/* wait for children to die.
562	 */
563	for (;  children > 0;  children--)
564	{
565		WAIT_T		waiter;
566		PID_T		pid;
567
568		Debug(DPROC, ("[%d] waiting for grandchild #%d to finish\n",
569			getpid(), children))
570		pid = wait(&waiter);
571		if (pid < OK) {
572			Debug(DPROC, ("[%d] no more grandchildren--mail written?\n",
573				getpid()))
574			break;
575		}
576		Debug(DPROC, ("[%d] grandchild #%d finished, status=%04x",
577			getpid(), pid, WEXITSTATUS(waiter)))
578		if (WIFSIGNALED(waiter) && WCOREDUMP(waiter))
579			Debug(DPROC, (", dumped core"))
580		Debug(DPROC, ("\n"))
581	}
582}
583
584
585static void
586do_univ(u)
587	user	*u;
588{
589#if defined(sequent)
590/* Dynix (Sequent) hack to put the user associated with
591 * the passed user structure into the ATT universe if
592 * necessary.  We have to dig the gecos info out of
593 * the user's password entry to see if the magic
594 * "universe(att)" string is present.
595 */
596
597	struct	passwd	*p;
598	char	*s;
599	int	i;
600
601	p = getpwuid(u->uid);
602	(void) endpwent();
603
604	if (p == NULL)
605		return;
606
607	s = p->pw_gecos;
608
609	for (i = 0; i < 4; i++)
610	{
611		if ((s = strchr(s, ',')) == NULL)
612			return;
613		s++;
614	}
615	if (strcmp(s, "universe(att)"))
616		return;
617
618	(void) universe(U_ATT);
619#endif
620}
621