1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
|
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
/* Copyright (c) The Exim Maintainers 2020 - 2022 */
/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
#include "exim.h"
static void (*oldsignal)(int);
/*************************************************
* Ensure an fd has a given value *
*************************************************/
/* This function is called when we want to ensure that a certain fd has a
specific value (one of 0, 1, 2). If it hasn't got it already, close the value
we want, duplicate the fd, then close the old one.
Arguments:
oldfd original fd
newfd the fd we want
Returns: nothing
*/
void
force_fd(int oldfd, int newfd)
{
if (oldfd == newfd) return;
(void)close(newfd);
(void)dup2(oldfd, newfd);
(void)close(oldfd);
}
#ifndef STAND_ALONE
/*************************************************
* Build argv list and optionally re-exec Exim *
*************************************************/
/* This function is called when Exim wants to re-exec (overlay) itself in the
current process. This is different to child_open_exim(), which runs another
Exim process in parallel (but it then calls this function). The function's
basic job is to build the argv list according to the values of current options
settings. There is a basic list that all calls require, and an additional list
that some do not require. Further additions can be given as additional
arguments. An option specifies whether the exec() is actually to happen, and if
so, what is to be done if it fails.
Arguments:
exec_type CEE_RETURN_ARGV => don't exec; return the argv list
CEE_EXEC_EXIT => just exit() on exec failure
CEE_EXEC_PANIC => panic-die on exec failure
kill_v if TRUE, don't pass on the D_v flag
pcount if not NULL, points to extra size of argv required, and if
CEE_RETURN_ARGV is specified, it is updated to give the
number of slots used
minimal TRUE if only minimal argv is required
acount number of additional arguments
... further values to add to argv
Returns: if CEE_RETURN_ARGV is given, returns a pointer to argv;
otherwise, does not return
*/
uschar **
child_exec_exim(int exec_type, BOOL kill_v, int *pcount, BOOL minimal,
int acount, ...)
{
int first_special = -1;
int n = 0;
int extra = pcount ? *pcount : 0;
uschar **argv;
argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTAINTED);
/* In all case, the list starts out with the path, any macros, and a changed
config file. */
argv[n++] = exim_path; /* assume untainted */
if (clmacro_count > 0)
{
memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
n += clmacro_count;
}
if (f.config_changed)
{ argv[n++] = US"-C"; argv[n++] = config_main_filename; }
/* These values are added only for non-minimal cases. If debug_selector is
precisely D_v, we have to assume this was started by a non-admin user, and
we suppress the flag when requested. (This happens when passing on an SMTP
connection, and after ETRN.) If there's more debugging going on, an admin user
was involved, so we do pass it on. */
if (!minimal)
{
if (debug_selector == D_v)
{
if (!kill_v) argv[n++] = US"-v";
}
else
{
if (debug_selector != 0)
{
argv[n++] = string_sprintf("-d=0x%x", debug_selector);
if (debug_fd > 2)
{
int flags = fcntl(debug_fd, F_GETFD);
if (flags != -1) (void)fcntl(debug_fd, F_SETFD, flags & ~FD_CLOEXEC);
close(2);
dup2(debug_fd, 2);
close(debug_fd);
}
}
}
if (debug_pretrigger_buf)
{ argv[n++] = US"-dp"; argv[n++] = string_sprintf("0x%x", debug_pretrigger_bsize); }
if (dtrigger_selector != 0)
argv[n++] = string_sprintf("-dt=0x%x", dtrigger_selector);
DEBUG(D_any)
{
argv[n++] = US"-MCd";
argv[n++] = US process_purpose;
}
if (!f.testsuite_delays) argv[n++] = US"-odd";
if (f.dont_deliver) argv[n++] = US"-N";
if (f.queue_smtp) argv[n++] = US"-odqs";
if (f.synchronous_delivery) argv[n++] = US"-odi";
if (connection_max_messages >= 0)
argv[n++] = string_sprintf("-oB%d", connection_max_messages);
if (*queue_name)
{ argv[n++] = US"-MCG"; argv[n++] = queue_name; }
}
/* Now add in any others that are in the call. Remember which they were,
for more helpful diagnosis on failure. */
if (acount > 0)
{
va_list ap;
va_start(ap, acount);
first_special = n;
while (acount-- > 0)
argv[n++] = va_arg(ap, uschar *);
va_end(ap);
}
/* Terminate the list, and return it, if that is what is wanted. */
argv[n] = NULL;
if (exec_type == CEE_RETURN_ARGV)
{
if (pcount) *pcount = n;
return argv;
}
/* Otherwise, do the exec() here, and handle the consequences of an unexpected
failure. We know that there will always be at least one extra option in the
call when exec() is done here, so it can be used to add to the panic data. */
DEBUG(D_exec) debug_print_argv(CUSS argv);
exim_nullstd(); /* Make sure std{in,out,err} exist */
execv(CS argv[0], (char *const *)argv);
log_write(0,
LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
"re-exec of exim (%s) with %s failed: %s", exim_path, argv[first_special],
strerror(errno));
/* Get here if exec_type == CEE_EXEC_EXIT.
Note: this must be _exit(), not exit(). */
_exit(EX_EXECFAILED);
return NULL; /* To keep compilers happy */
}
/*************************************************
* Create a child Exim process *
*************************************************/
/* This function is called when Exim wants to run a parallel instance of itself
in order to inject a message via the standard input. The function creates a
child process and runs Exim in it. It sets up a pipe to the standard input of
the new process, and returns that to the caller via fdptr. The function returns
the pid of the new process, or -1 if things go wrong. If debug_fd is
non-negative, it is passed as stderr.
This interface is now a just wrapper for the more complicated function
child_open_exim2(), which has additional arguments. The wrapper must continue
to exist, even if all calls from within Exim are changed, because it is
documented for use from local_scan().
Argument: fdptr pointer to int for the stdin fd
purpose of the child process, for debug
Returns: pid of the created process or -1 if anything has gone wrong
*/
pid_t
child_open_exim_function(int * fdptr, const uschar * purpose)
{
return child_open_exim2_function(fdptr, US"<>", bounce_sender_authentication,
purpose);
}
/* This is a more complicated function for creating a child Exim process, with
more arguments.
Arguments:
fdptr pointer to int for the stdin fd
sender for a sender address (data for -f)
sender_authentication authenticated sender address or NULL
purpose of the child process, for debug
Returns: pid of the created process or -1 if anything has gone wrong
*/
pid_t
child_open_exim2_function(int * fdptr, uschar * sender,
uschar * sender_authentication, const uschar * purpose)
{
int pfd[2];
int save_errno;
pid_t pid;
/* Create the pipe and fork the process. Ensure that SIGCHLD is set to
SIG_DFL before forking, so that the child process can be waited for. We
sometimes get here with it set otherwise. Save the old state for resetting
on the wait. */
if (pipe(pfd) != 0) return (pid_t)(-1);
oldsignal = signal(SIGCHLD, SIG_DFL);
pid = exim_fork(purpose);
/* Child process: make the reading end of the pipe into the standard input and
close the writing end. If debugging, pass debug_fd as stderr. Then re-exec
Exim with appropriate options. In the test harness, use -odi unless queue_only
is set, so that the bounce is fully delivered before returning. Failure is
signalled with EX_EXECFAILED (specified by CEE_EXEC_EXIT), but this shouldn't
occur. */
if (pid == 0)
{
force_fd(pfd[pipe_read], 0);
(void)close(pfd[pipe_write]);
if (debug_fd > 0) force_fd(debug_fd, 2);
if (f.running_in_test_harness && !queue_only)
{
if (sender_authentication)
child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9,
US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
sender_authentication, message_id_option);
else
child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 7,
US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender,
message_id_option);
/* Control does not return here. */
}
else /* Not test harness */
{
if (sender_authentication)
child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
sender_authentication, message_id_option);
else
child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
US"-t", US"-oem", US"-oi", US"-f", sender, message_id_option);
/* Control does not return here. */
}
}
testharness_pause_ms(100); /* let child work even longer, for exec */
/* Parent process. Save fork() errno and close the reading end of the stdin
pipe. */
save_errno = errno;
(void)close(pfd[pipe_read]);
/* Fork succeeded */
if (pid > 0)
{
*fdptr = pfd[pipe_write]; /* return writing end of stdin pipe */
return pid; /* and pid of new process */
}
/* Fork failed */
(void)close(pfd[pipe_write]);
errno = save_errno;
return (pid_t)(-1);
}
#endif /* STAND_ALONE */
/*************************************************
* Create a non-Exim child process *
*************************************************/
/* This function creates a child process and runs the given command in it. It
sets up pipes to the standard input and output of the new process, and returns
them to the caller. The standard error is cloned to the output. If there are
any file descriptors "in the way" in the new process, they are closed. A new
umask is supplied for the process, and an optional new uid and gid are also
available. These are used by the queryprogram router to set an unprivileged id.
SIGUSR1 is always disabled in the new process, as it is not going to be running
Exim (the function child_open_exim() is provided for that). This function
returns the pid of the new process, or -1 if things go wrong.
Arguments:
argv the argv for exec in the new process
envp the envp for exec in the new process
newumask umask to set in the new process
newuid point to uid for the new process or NULL for no change
newgid point to gid for the new process or NULL for no change
infdptr pointer to int into which the fd of the stdin of the new process
is placed
outfdptr pointer to int into which the fd of the stdout/stderr of the new
process is placed
wd if not NULL, a path to be handed to chdir() in the new process
make_leader if TRUE, make the new process a process group leader
purpose for debug: reason for running the task
Returns: the pid of the created process or -1 if anything has gone wrong
*/
pid_t
child_open_uid(const uschar **argv, const uschar **envp, int newumask,
uid_t *newuid, gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd,
BOOL make_leader, const uschar * purpose)
{
int save_errno;
int inpfd[2], outpfd[2];
pid_t pid;
if (is_tainted(argv[0]))
{
log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]);
errno = EPERM;
return (pid_t)(-1);
}
/* Create the pipes. */
if (pipe(inpfd) != 0) return (pid_t)(-1);
if (pipe(outpfd) != 0)
{
(void)close(inpfd[pipe_read]);
(void)close(inpfd[pipe_write]);
return (pid_t)(-1);
}
/* Fork the process. Ensure that SIGCHLD is set to SIG_DFL before forking, so
that the child process can be waited for. We sometimes get here with it set
otherwise. Save the old state for resetting on the wait. */
oldsignal = signal(SIGCHLD, SIG_DFL);
pid = exim_fork(purpose);
/* Handle the child process. First, set the required environment. We must do
this before messing with the pipes, in order to be able to write debugging
output when things go wrong. */
if (pid == 0)
{
signal(SIGUSR1, SIG_IGN);
signal(SIGPIPE, SIG_DFL);
if (newgid && setgid(*newgid) < 0)
{
DEBUG(D_any) debug_printf("failed to set gid=%ld in subprocess: %s\n",
(long int)(*newgid), strerror(errno));
goto CHILD_FAILED;
}
if (newuid && setuid(*newuid) < 0)
{
DEBUG(D_any) debug_printf("failed to set uid=%ld in subprocess: %s\n",
(long int)(*newuid), strerror(errno));
goto CHILD_FAILED;
}
(void)umask(newumask);
if (wd && Uchdir(wd) < 0)
{
DEBUG(D_any) debug_printf("failed to chdir to %s: %s\n", wd,
strerror(errno));
goto CHILD_FAILED;
}
/* Becomes a process group leader if requested, and then organize the pipes.
Any unexpected failure is signalled with EX_EXECFAILED; these are all "should
never occur" failures, except for exec failing because the command doesn't
exist. */
if (make_leader && setpgid(0,0) < 0)
{
DEBUG(D_any) debug_printf("failed to set group leader in subprocess: %s\n",
strerror(errno));
goto CHILD_FAILED;
}
(void)close(inpfd[pipe_write]);
force_fd(inpfd[pipe_read], 0);
(void)close(outpfd[pipe_read]);
force_fd(outpfd[pipe_write], 1);
(void)close(2);
(void)dup2(1, 2);
/* Now do the exec */
if (envp) execve(CS argv[0], (char *const *)argv, (char *const *)envp);
else execv(CS argv[0], (char *const *)argv);
/* Failed to execv. Signal this failure using EX_EXECFAILED. We are
losing the actual errno we got back, because there is no way to return
this information. */
CHILD_FAILED:
_exit(EX_EXECFAILED); /* Note: must be _exit(), NOT exit() */
}
/* Parent process. Save any fork failure code, and close the reading end of the
stdin pipe, and the writing end of the stdout pipe. */
save_errno = errno;
(void)close(inpfd[pipe_read]);
(void)close(outpfd[pipe_write]);
/* Fork succeeded; return the input/output pipes and the pid */
if (pid > 0)
{
*infdptr = inpfd[pipe_write];
*outfdptr = outpfd[pipe_read];
return pid;
}
/* Fork failed; reset fork errno before returning */
(void)close(inpfd[pipe_write]);
(void)close(outpfd[pipe_read]);
errno = save_errno;
return (pid_t)(-1);
}
/*************************************************
* Create child process without uid change *
*************************************************/
/* This function is a wrapper for child_open_uid() that doesn't have the uid,
gid and working directory changing arguments. The function is provided so as to
have a clean interface for use from local_scan(), but also saves writing NULL
arguments several calls that would otherwise use child_open_uid().
Arguments:
argv the argv for exec in the new process
envp the envp for exec in the new process
newumask umask to set in the new process
infdptr pointer to int into which the fd of the stdin of the new process
is placed
outfdptr pointer to int into which the fd of the stdout/stderr of the new
process is placed
make_leader if TRUE, make the new process a process group leader
purpose for debug: reason for running the task
Returns: the pid of the created process or -1 if anything has gone wrong
*/
pid_t
child_open_function(uschar **argv, uschar **envp, int newumask, int *infdptr,
int *outfdptr, BOOL make_leader, const uschar * purpose)
{
return child_open_uid(CUSS argv, CUSS envp, newumask, NULL, NULL,
infdptr, outfdptr, NULL, make_leader, purpose);
}
/*************************************************
* Close down child process *
*************************************************/
/* Wait for the given process to finish, with optional timeout.
Arguments
pid: the pid to wait for
timeout: maximum time to wait; 0 means for as long as it takes
Returns: >= 0 process terminated by exiting; value is process
ending status; if an execve() failed, the value
is typically 127 (defined as EX_EXECFAILED)
< 0 & > -256 process was terminated by a signal; value is the
negation of the signal number
-256 timed out
-257 other error in wait(); errno still set
*/
int
child_close(pid_t pid, int timeout)
{
int yield;
if (timeout > 0)
{
sigalrm_seen = FALSE;
ALARM(timeout);
}
for(;;)
{
int status;
pid_t rc = waitpid(pid, &status, 0);
if (rc == pid)
{
int lowbyte = status & 255;
yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte;
break;
}
if (rc < 0)
{
/* This "shouldn't happen" test does happen on MacOS: for some reason
I do not understand we seems to get an alarm signal despite not having
an active alarm set. There seems to be only one, so just go round again. */
if (errno == EINTR && sigalrm_seen && timeout <= 0) continue;
yield = (errno == EINTR && sigalrm_seen) ? -256 : -257;
break;
}
}
if (timeout > 0) ALARM_CLR(0);
signal(SIGCHLD, oldsignal); /* restore */
return yield;
}
/* End of child.c */
|
