From owner-svn-src-all@FreeBSD.ORG Sun Feb 5 21:27:16 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ACBBB106566B; Sun, 5 Feb 2012 21:27:16 +0000 (UTC) (envelope-from to.my.trociny@gmail.com) Received: from mail-bk0-f54.google.com (mail-bk0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 5E51B8FC18; Sun, 5 Feb 2012 21:27:15 +0000 (UTC) Received: by bkbzx1 with SMTP id zx1so5877497bkb.13 for ; Sun, 05 Feb 2012 13:27:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:cc:subject:references:x-comment-to:sender:date:in-reply-to :message-id:user-agent:mime-version:content-type; bh=yyvWPrW2AY2nBUBHxvGc02Sw0GBokmc1Eux2SiP6Rrc=; b=hyz8sO2K72oJiCm/OAtJ2tYoSzcLwpkj88aNAriyol75oj0Bb0nmAEQX9ChCkrSaoN z3rUvBEZdwbktsx+Po7th/pbSJXY5415qAtxmxvYrQcdOH8w8fKKJXenVTw9d9m+Lw0d stdxB4UR2IUhDgxB/A+kQwM5ScxNQjoJMiBg0= Received: by 10.204.129.200 with SMTP id p8mr7322015bks.114.1328477234411; Sun, 05 Feb 2012 13:27:14 -0800 (PST) Received: from localhost ([95.69.173.122]) by mx.google.com with ESMTPS id t17sm38600935bke.6.2012.02.05.13.27.12 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 05 Feb 2012 13:27:13 -0800 (PST) From: Mikolaj Golub To: Pawel Jakub Dawidek References: <201202011641.q11Gf0j6095461@svn.freebsd.org> <20120204074201.GA1694@garage.freebsd.pl> <4F2CEB1D.10607@zonov.org> <27A0A960-F767-4D2C-BF3E-31F73FBF4E28@palisadesystems.com> <86zkcy5ur9.fsf@kopusha.home.net> <20120205093938.GC30033@garage.freebsd.pl> X-Comment-To: Pawel Jakub Dawidek Sender: Mikolaj Golub Date: Sun, 05 Feb 2012 23:27:10 +0200 In-Reply-To: <20120205093938.GC30033@garage.freebsd.pl> (Pawel Jakub Dawidek's message of "Sun, 5 Feb 2012 10:39:38 +0100") Message-ID: <86lioh7yz5.fsf@kopusha.home.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Cc: svn-src-head@FreeBSD.org, Guy Helmer , svn-src-all@FreeBSD.org, Andrey Zonov , src-committers@FreeBSD.org Subject: Re: svn commit: r230869 - head/usr.sbin/daemon X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Feb 2012 21:27:16 -0000 --=-=-= On Sun, 5 Feb 2012 10:39:38 +0100 Pawel Jakub Dawidek wrote: PJD> On Sat, Feb 04, 2012 at 08:16:42PM +0200, Mikolaj Golub wrote: >> ref8-amd64:/home/trociny% uname -r >> 8.2-STABLE >> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10 >> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10 >> daemon: process already running, pid: 19799 >> >> kopusha:~% uname -r >> 10.0-CURRENT >> kopusha:~% daemon -p /tmp/sleep.pid sleep 10 >> kopusha:~% daemon -p /tmp/sleep.pid sleep 10 >> kopusha:~% PJD> Mikolaj, eventhough what we had in 8.2-STABLE looks correct, it also PJD> isn't correct. PJD> Passing open descriptor to a process that doesn't expect that is bad PJD> behaviour. If you pass, eg. open descriptor to a directory and the PJD> process is using chroot(2) or jail(2) to sandbox itself it will be able PJD> to escape from that sandbox. Passing descriptor to a file has smaller PJD> security implication, but it is still wrong. For example hastd, as you PJD> probably know, asserts, before sandboxing, that he knows about all open PJD> descriptors - if there are some unknown descriptors open it won't run. PJD> Also, daemon was passing open descriptor to a pidfile that the child PJD> process cannot clean up, because he doesn't know its name. This leaves PJD> pidfile with stale PID in it once the process exits, which is also bad. PJD> In my opinion, to make daemon(8) work with pidfiles, it cannot exit PJD> after executing the given command. It should stay around with pidfile PJD> open and just wait for the child to exit. Once the child exits, it PJD> should remove the pidfile and also exit. Ok, using hastd code as a reference :-) here is my implementation. -- Mikolaj Golub --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=daemon.c.patch Index: usr.sbin/daemon/daemon.c =================================================================== --- usr.sbin/daemon/daemon.c (revision 231014) +++ usr.sbin/daemon/daemon.c (working copy) @@ -32,26 +32,31 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include -#include #include #include +#include +#include #include #include #include static void restrict_process(const char *); +static void wait_child(pid_t, sigset_t *); +static void dummy_sighandler(int); static void usage(void); int main(int argc, char *argv[]) { struct pidfh *pfh = NULL; - int ch, nochdir, noclose, errcode; + sigset_t mask, oldmask; + int ch, nochdir, noclose; const char *pidfile, *user; - pid_t otherpid; + pid_t otherpid, pid; nochdir = noclose = 1; pidfile = user = NULL; @@ -82,40 +87,96 @@ main(int argc, char *argv[]) if (user != NULL) restrict_process(user); + if (pidfile == NULL) { + /* + * This is a simple case. Daemonize and exec. + */ + if (daemon(nochdir, noclose) == -1) + err(1, NULL); + + execvp(argv[0], argv); + + /* + * execvp() failed -- report the error. The child is + * now running, so the exit status doesn't matter. + */ + err(1, "%s", argv[0]); + } + /* * Try to open the pidfile before calling daemon(3), - * to be able to report the error intelligently + * to be able to report the error intelligently. */ - if (pidfile) { - pfh = pidfile_open(pidfile, 0600, &otherpid); - if (pfh == NULL) { - if (errno == EEXIST) { - errx(3, "process already running, pid: %d", - otherpid); - } - err(2, "pidfile ``%s''", pidfile); + pfh = pidfile_open(pidfile, 0600, &otherpid); + if (pfh == NULL) { + if (errno == EEXIST) { + errx(3, "process already running, pid: %d", + otherpid); } + err(2, "pidfile ``%s''", pidfile); } - if (daemon(nochdir, noclose) == -1) err(1, NULL); + /* + * We want to keep pidfile open while the command is running + * and remove it on exit. So we execute the command in a + * forked process and wait for the child to exit. We don't + * want the waiting daemon to be killed leaving the running + * process and the stale pidfile, so we pass received SIGHUP, + * SIGINT and SIGTERM to the children expecting to get SIGCHLD + * eventually. + */ - /* Now that we are the child, write out the pid */ - if (pidfile) - pidfile_write(pfh); - - execvp(argv[0], argv); - /* - * execvp() failed -- unlink pidfile if any, and - * report the error + * Restore default actions for interesting signals in case + * the parent process decided to ignore some of them. */ - errcode = errno; /* Preserve errcode -- unlink may reset it */ - if (pidfile) + if (signal(SIGHUP, SIG_DFL) == SIG_ERR) + err(1, "signal"); + if (signal(SIGINT, SIG_DFL) == SIG_ERR) + err(1, "signal"); + if (signal(SIGTERM, SIG_DFL) == SIG_ERR) + err(1, "signal"); + /* + * Because SIGCHLD is ignored by default, setup dummy handler + * for it, so we can mask it. + */ + if (signal(SIGCHLD, dummy_sighandler) == SIG_ERR) + err(1, "signal"); + /* + * Block interesting signals. + */ + sigemptyset(&mask); + sigaddset(&mask, SIGHUP); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGTERM); + sigaddset(&mask, SIGCHLD); + if (sigprocmask(SIG_SETMASK, &mask, &oldmask) == -1) + err(1, "sigprocmask"); + /* + * Fork a child to exec and wait until it exits to remove the + * pidfile. + */ + pid = fork(); + if (pid == -1) { pidfile_remove(pfh); + err(1, "fork"); + } + if (pid == 0) { + /* Restore old sigmask in the child. */ + if (sigprocmask(SIG_SETMASK, &oldmask, NULL) == -1) + err(1, "sigprocmask"); + /* Now that we are the child, write out the pid. */ + pidfile_write(pfh); - /* The child is now running, so the exit status doesn't matter. */ - errc(1, errcode, "%s", argv[0]); + execvp(argv[0], argv); + + /* execvp() failed. */ + err(1, "%s", argv[0]); + } + wait_child(pid, &mask); + pidfile_remove(pfh); + exit(0); } static void @@ -132,6 +193,30 @@ restrict_process(const char *user) } static void +wait_child(pid_t pid, sigset_t *mask) +{ + int signo; + + while ((signo = sigwaitinfo(mask, NULL)) != -1) { + switch (signo) { + case SIGCHLD: + return; + default: + if (kill(pid, signo) == -1) { + warn("kill"); + return; + } + } + } +} + +static void +dummy_sighandler(int sig __unused) +{ + /* Nothing to do. */ +} + +static void usage(void) { (void)fprintf(stderr, --=-=-=--