mhd_init.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include "mhd_local.h"
#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <syslog.h>
#include <netdir.h>
#include <netdb.h>
#include <sys/resource.h>
#include <sys/priocntl.h>
#include <sys/rtpriocntl.h>
#include <sys/utsname.h>
extern void nc_perror(const char *msg);
/* daemon name */
static char *myname = "rpc.metamhd";
/*
* reset and exit daemon
*/
void
mhd_exit(
int eval
)
{
/* log exit */
mhd_eprintf("exiting with %d\n", eval);
/* exit with value */
exit(eval);
}
/*
* signal catchers
*/
static void
mhd_catcher(
int sig
)
{
char buf[128];
char *msg;
/* log signal */
if ((msg = strsignal(sig)) == NULL) {
(void) sprintf(buf, "unknown signal %d", sig);
msg = buf;
}
mhd_eprintf("%s\n", msg);
/* let default handler do it's thing */
(void) sigset(sig, SIG_DFL);
if (kill(getpid(), sig) != 0) {
mhd_perror("kill(getpid())");
mhd_exit(-sig);
}
}
/*
* initialize daemon
*/
static int
mhd_setup(
mhd_error_t *mhep
)
{
struct rlimit rlimit;
pcinfo_t pcinfo;
pcparms_t pcparms;
rtparms_t *rtparmsp = (rtparms_t *)pcparms.pc_clparms;
/* catch common signals */
if ((sigset(SIGHUP, mhd_catcher) == SIG_ERR) ||
(sigset(SIGINT, mhd_catcher) == SIG_ERR) ||
(sigset(SIGABRT, mhd_catcher) == SIG_ERR) ||
(sigset(SIGBUS, mhd_catcher) == SIG_ERR) ||
(sigset(SIGSEGV, mhd_catcher) == SIG_ERR) ||
(sigset(SIGPIPE, mhd_catcher) == SIG_ERR) ||
(sigset(SIGTERM, mhd_catcher) == SIG_ERR)) {
return (mhd_error(mhep, errno, "sigset"));
}
/* ignore SIGHUP (used in mhd_cv_timedwait) */
if (sigset(SIGALRM, SIG_IGN) == SIG_ERR) {
return (mhd_error(mhep, errno, "sigset"));
}
/* increase number of file descriptors */
(void) memset(&rlimit, 0, sizeof (rlimit));
if (getrlimit(RLIMIT_NOFILE, &rlimit) != 0)
return (mhd_error(mhep, errno, "getrlimit(RLIMIT_NOFILE)"));
rlimit.rlim_cur = rlimit.rlim_max = 1024;
if (setrlimit(RLIMIT_NOFILE, &rlimit) != 0)
return (mhd_error(mhep, errno, "setrlimit(RLIMIT_NOFILE)"));
/* set default RT priority */
(void) memset(&pcinfo, 0, sizeof (pcinfo));
(void) strncpy(pcinfo.pc_clname, "RT", sizeof (pcinfo.pc_clname));
if (priocntl(0, 0, PC_GETCID, (caddr_t)&pcinfo) < 0)
return (mhd_error(mhep, errno, "priocntl(PC_GETCID): \"RT\""));
(void) memset(&pcparms, 0, sizeof (pcparms));
pcparms.pc_cid = pcinfo.pc_cid;
rtparmsp->rt_pri = RT_NOCHANGE;
rtparmsp->rt_tqsecs = (ulong_t)RT_NOCHANGE;
rtparmsp->rt_tqnsecs = RT_NOCHANGE;
if (priocntl(P_PID, getpid(), PC_SETPARMS, (caddr_t)&pcparms) != 0)
return (mhd_error(mhep, errno, "priocntl(PC_SETPARMS)"));
/* return success */
return (0);
}
/*
* (re)initalize daemon
*/
static int
mhd_init_daemon(
mhd_error_t *mhep
)
{
static int already = 0;
/* setup */
if (! already) {
if (mhd_setup(mhep) != 0)
return (-1);
openlog(myname, LOG_CONS, LOG_DAEMON);
already = 1;
}
/* return success */
return (0);
}
/*
* get my nodename
*/
static char *
mynodename()
{
static struct utsname myuname;
static int done = 0;
if (! done) {
if (uname(&myuname) == -1) {
mhd_perror("uname");
assert(0);
}
done = 1;
}
return (myuname.nodename);
}
/*
* check for trusted host and user
*/
static int
check_host(
struct svc_req *rqstp /* RPC stuff */
)
{
struct authsys_parms *sys_credp;
SVCXPRT *transp = rqstp->rq_xprt;
struct netconfig *nconfp = NULL;
struct nd_hostservlist *hservlistp = NULL;
int i;
int rval = -1;
/* check for root */
/*LINTED*/
sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
assert(sys_credp != NULL);
if (sys_credp->aup_uid != 0)
goto out;
/* get hostnames */
if (transp->xp_netid == NULL) {
mhd_eprintf("transp->xp_netid == NULL\n");
goto out;
}
if ((nconfp = getnetconfigent(transp->xp_netid)) == NULL) {
#ifdef DEBUG
nc_perror("getnetconfigent(transp->xp_netid)");
#endif
goto out;
}
if ((__netdir_getbyaddr_nosrv(nconfp, &hservlistp, &transp->xp_rtaddr)
!= 0) || (hservlistp == NULL)) {
#ifdef DEBUG
netdir_perror("netdir_getbyaddr(transp->xp_rtaddr)");
#endif
goto out;
}
/* check hostnames */
for (i = 0; (i < hservlistp->h_cnt); ++i) {
struct nd_hostserv *hservp = &hservlistp->h_hostservs[i];
char *hostname = hservp->h_host;
/* localhost is OK */
if (strcmp(hostname, mynodename()) == 0) {
rval = 0;
goto out;
}
/* check for remote root access */
if (ruserok(hostname, 1, "root", "root") == 0) {
rval = 0;
goto out;
}
}
/* cleanup, return success */
out:
if (hservlistp != NULL)
netdir_free(hservlistp, ND_HOSTSERVLIST);
if (nconfp != NULL)
Free(nconfp);
return (rval);
}
/*
* check for user in local group 14
*/
static int
check_gid14(
uid_t uid
)
{
struct passwd *pwp;
struct group *grp;
char **namep;
/* get user info, check default GID */
if ((pwp = getpwuid(uid)) == NULL)
return (-1);
if (pwp->pw_gid == METAMHD_GID)
return (0);
/* check in group */
if ((grp = getgrgid(METAMHD_GID)) == NULL)
return (-1);
for (namep = grp->gr_mem; ((*namep != NULL) && (**namep != '\0'));
++namep) {
if (strcmp(*namep, pwp->pw_name) == 0)
return (0);
}
return (-1);
}
/*
* check AUTH_SYS
*/
static int
check_sys(
struct svc_req *rqstp, /* RPC stuff */
int amode, /* R_OK | W_OK */
mhd_error_t *mhep /* returned status */
)
{
static mutex_t mx = DEFAULTMUTEX;
struct authsys_parms *sys_credp;
/* for read, anything is OK */
if (! (amode & W_OK))
return (0);
/* single thread (not really needed if daemon stays single threaded) */
mutex_lock(&mx);
/* check for remote root or METAMHD_GID */
/*LINTED*/
sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
if ((check_gid14(sys_credp->aup_uid) == 0) ||
(check_host(rqstp) == 0)) {
mutex_unlock(&mx);
return (0);
}
/* return failure */
mutex_unlock(&mx);
return (mhd_error(mhep, EACCES, myname));
}
/*
* setup RPC service
*
* if can't authenticate return < 0
* if any other error return > 0
*/
int
mhd_init(
struct svc_req *rqstp, /* RPC stuff */
int amode, /* R_OK | W_OK */
mhd_error_t *mhep /* returned status */
)
{
SVCXPRT *transp = rqstp->rq_xprt;
/*
* initialize
*/
(void) memset(mhep, 0, sizeof (*mhep));
/*
* check credentials
*/
switch (rqstp->rq_cred.oa_flavor) {
/* UNIX flavor */
case AUTH_SYS:
{
if (check_sys(rqstp, amode, mhep) != 0)
return (1); /* error */
break;
}
/* can't authenticate anything else */
default:
svcerr_weakauth(transp);
return (-1); /* weak authentication */
}
/*
* (re)initialize
*/
if (mhd_init_daemon(mhep) != 0)
return (1); /* error */
/* return success */
return (0);
}