/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2013 DEY Storage Systems, Inc.
* Copyright (c) 2014 Gary Mills
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
/*
* zlogin provides three types of login which allow users in the global
* zone to access non-global zones.
*
* - "interactive login" is similar to rlogin(1); for example, the user could
* issue 'zlogin my-zone' or 'zlogin -e ^ -l me my-zone'. The user is
* granted a new pty (which is then shoved into the zone), and an I/O
* loop between parent and child processes takes care of the interactive
* session. In this mode, login(1) (and its -c option, which means
* "already authenticated") is employed to take care of the initialization
* of the user's session.
*
* - "non-interactive login" is similar to su(1M); the user could issue
* 'zlogin my-zone ls -l' and the command would be run as specified.
* In this mode, zlogin sets up pipes as the communication channel, and
* 'su' is used to do the login setup work.
*
* - "console login" is the equivalent to accessing the tip line for a
* zone. For example, the user can issue 'zlogin -C my-zone'.
* In this mode, zlogin contacts the zoneadmd process via unix domain
* socket. If zoneadmd is not running, it starts it. This allows the
* console to be available anytime the zone is installed, regardless of
* whether it is running.
*/
#include <alloca.h>
#include <assert.h>
#include <ctype.h>
#include <paths.h>
#include <door.h>
#include <errno.h>
#include <nss_dbdefs.h>
#include <poll.h>
#include <priv.h>
#include <pwd.h>
#include <unistd.h>
#include <utmpx.h>
#include <sac.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <stropts.h>
#include <wait.h>
#include <zone.h>
#include <fcntl.h>
#include <libdevinfo.h>
#include <libintl.h>
#include <locale.h>
#include <libzonecfg.h>
#include <libcontract.h>
#include <libbrand.h>
#include <auth_list.h>
#include <auth_attr.h>
#include <secdb.h>
static int masterfd;
static int save_fd;
static volatile int dead;
static int interactive = 0;
static int nocmdchar = 0;
static int failsafe = 0;
static int disconnect = 0;
static int quiet = 0;
static int pollerr = 0;
static const char *pname;
static char *username;
/*
* When forced_login is true, the user is not prompted
* for an authentication password in the target zone.
*/
#if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
#endif
/*
* The ZLOGIN_BUFSIZ is larger than PIPE_BUF so we can be sure we're clearing
* out the pipe when the child is exiting. The ZLOGIN_RDBUFSIZ must be less
* than ZLOGIN_BUFSIZ (because we share the buffer in doio). This value is
* also chosen in conjunction with the HI_WATER setting to make sure we
* don't fill up the pipe. We can write FIFOHIWAT (16k) into the pipe before
* blocking. By having ZLOGIN_RDBUFSIZ set to 1k and HI_WATER set to 8k, we
* know we can always write a ZLOGIN_RDBUFSIZ chunk into the pipe when there
* is less than HI_WATER data already in the pipe.
*/
/*
* See canonify() below. CANONIFY_LEN is the maximum length that a
* "canonical" sequence will expand to (backslash, three octal digits, NUL).
*/
static void
usage(void)
{
"[-l user] zonename [command [args ...] ]\n"), pname);
exit(2);
}
static const char *
{
if (p == NULL)
p = arg0;
else
p++;
pname = p;
return (p);
}
static void
{
}
static void
{
const char *estr;
else
}
/*
* The first part of our privilege dropping scheme needs to be called before
* fork(), since we must have it for security; we don't want to be surprised
* later that we couldn't allocate the privset.
*/
static int
{
return (1);
/*
* We need to keep the basic privilege PROC_SESSION and all unknown
* basic privileges as well as the privileges PROC_ZONE and
* PROC_OWNER in order to query session information and
* send signals.
*/
if (interactive == 0) {
} else {
}
return (0);
}
/*
* The second part of the privilege drop. We are paranoid about being attacked
* by the zone, so we drop all privileges. This should prevent a compromise
* which gets us to fork(), exec(), symlink(), etc.
*/
static void
{
}
}
"privileges"));
}
}
/*
* Create the unix domain socket and call the zoneadmd server; handshake
* with it to determine whether it will allow us to connect.
*/
static int
{
int msglen;
int i = 0, err = 0;
return (-1);
}
sizeof (servaddr)) == -1) {
goto bad;
}
zerror("protocol error");
goto bad;
}
zerror("protocol error");
goto bad;
}
/*
* Take care not to accumulate more than our fill, and leave room for
* the NUL at the end.
*/
if (i >= (sizeof (handshake) - 1))
break;
if (c == '\n')
break;
handshake[i] = c;
i++;
}
/*
* If something went wrong during the handshake we bail; perhaps
* the server died off.
*/
if (err == -1) {
goto bad;
}
return (0);
bad:
masterfd = -1;
return (-1);
}
/*
* Routines to handle pty creation upon zone entry and to shuttle I/O back
* and forth between the two terminals. We also compute and store the
* name of the slave terminal associated with the master side.
*/
static int
{
return (-1);
}
return (-1);
}
return (0);
}
/*
* This is a bit tricky; normally a pts device will belong to the zone it
* is granted to. But in the case of "entering" a zone, we need to establish
* the pty before entering the zone so that we can vector I/O to and from it
* from the global zone.
*
* We use the zonept() call to let the ptm driver know what we are up to;
* the only other hairy bit is the setting of zoneslavename (which happens
* above, in get_master_pty()).
*/
static int
{
/*
* Set slave permissions, zone the pts, then unlock it.
*/
return (-1);
}
return (-1);
}
/*
* We must open the slave side before zoning this pty; otherwise
* the kernel would refuse us the open-- zoning a pty makes it
* inaccessible to the global zone. Note we are trying to open
*
* Later we'll close the slave out when once we've opened it again
* from within the target zone. Blarg.
*/
return (-1);
}
return (-1);
}
/*
* Push hardware emulation (ptem), line discipline (ldterm),
*/
if (!failsafe)
goto bad;
}
/*
* Anchor the stream to prevent malicious I_POPs; we prefer to do
* this prior to entering the zone so that we can detect any errors
* early, and so that we can set the anchor from the global zone.
*/
if (!failsafe)
goto bad;
}
if (!failsafe)
goto bad;
}
if (!failsafe)
goto bad;
}
/*
* Propagate terminal settings from the external term to the new one.
*/
if (!failsafe)
goto bad;
}
goto bad;
}
return (slavefd);
bad:
return (-1);
}
/*
* Place terminal into raw mode.
*/
static int
{
return (-1);
}
/* Stash for later, so we can revert back to previous mode */
save_termios = term;
/* disable NL->CR, CR->NL, ignore CR, UPPER->lower */
/* disable output post-processing */
/* disable canonical mode, signal chars, echo & extended functions */
return (-1);
}
/*
* We need to know the value of VEOF so that we can properly process for
* client-side ~<EOF>. But we have obliterated VEOF in term,
* because VMIN overloads the same array slot in non-canonical mode.
* Stupid @&^%!
*
* So here we construct the "effective" termios from the current
* terminal settings, and the corrected VEOF and VEOL settings.
*/
return (-1);
}
return (0);
}
/*
* Copy terminal window size from our terminal to the pts.
*/
/*ARGSUSED*/
static void
sigwinch(int s)
{
}
static void
/*ARGSUSED*/
sigcld(int s)
{
int status;
/*
* Peek at the exit status. If this isn't the process we cared
* about, then just reap it.
*/
dead = 1;
if (close_on_sig != -1) {
(void) close(close_on_sig);
close_on_sig = -1;
}
} else {
}
}
}
/*
* Some signals (currently, SIGINT) must be forwarded on to the process
* group of the child process.
*/
static void
sig_forward(int s)
{
if (child_pid != -1) {
}
}
/*
* reset terminal settings for global environment
*/
static void
{
}
/*
* Convert character to printable representation, for display with locally
* echoed command characters (like when we need to display ~^D)
*/
static void
{
if (isprint(c)) {
cc[0] = c;
} else if (c >= 0 && c <= 31) { /* ^@ through ^_ */
cc[0] = '^';
} else {
cc[0] = '\\';
}
}
/*
* process_user_input watches the input stream for the escape sequence for
* 'quit' (by default, tilde-period). Because we might be fed just one
* keystroke at a time, state associated with the user input (are we at the
* beginning of the line? are we locally echoing the next character?) is
* maintained by beginning_of_line and local_echo across calls to the routine.
* If the write to outfd fails, we'll try to read from infd in an attempt
* to prevent deadlock between the two processes.
*
* This routine returns -1 when the 'quit' escape sequence has been issued,
* or an error is encountered, 1 if stdin is EOF, and 0 otherwise.
*/
static int
{
int nbytes;
char c = *buf;
return (-1);
return (0);
/* 0 read means EOF, close the pipe to the child */
if (nbytes == 0)
return (1);
buf++;
if (beginning_of_line && !nocmdchar) {
if (c == cmdchar) {
local_echo = B_TRUE;
continue;
}
} else if (local_echo) {
return (-1);
}
}
/*
* Since the fd we are writing to is opened with
* O_NONBLOCK it is possible to get EAGAIN if the
* pipe is full. One way this could happen is if we
* are writing a lot of data into the pipe in this loop
* and the application on the other end is echoing that
* data back out to its stdout. The output pipe can
* fill up since we are stuck here in this loop and not
* draining the other pipe. We can try to read some of
* the data to see if we can drain the pipe so that the
* application can continue to make progress. The read
* is non-blocking so we won't hang here. We also wait
* a bit before retrying since there could be other
* reasons why the pipe is full and we don't want to
* continuously retry.
*/
int ln;
/* sleep for 10 milliseconds */
if (!dead)
goto retry;
}
return (-1);
}
}
return (0);
}
/*
* This function prevents deadlock between zlogin and the application in the
* zone that it is talking to. This can happen when we read from zlogin's
* stdin and write the data down the pipe to the application. If the pipe
* is full, we'll block in the write. Because zlogin could be blocked in
* application can then block on those writes (when the pipe fills up). If the
* the application gets blocked this way, it can never get around to reading
* its stdin so that zlogin can unblock from its write. Once in this state,
* the two processes are deadlocked.
*
* To prevent this, we want to verify that we can write into the pipe before we
* read from our stdin. If the pipe already is pretty full, we bypass the read
* for now. We'll circle back here again after the poll() so that we can
* try again. When this function is called, we already know there is data
* ready to read on STDIN_FILENO. We return -1 if there is a problem, 1 if
* stdin is EOF, and 0 if everything is ok (even though we might not have
*/
static int
{
int cc;
/* Check how much data is already in the pipe */
perror("stat failed");
return (-1);
}
if (dead)
return (-1);
/*
* The pipe already has a lot of data in it, don't write any more
* right now.
*/
return (0);
return (-1);
return (0);
/* 0 read means EOF, close the pipe to the child */
if (cc == 0)
return (1);
/*
* stdin_fd is stdin of the target; so, the thing we'll write the user
* data *to*.
*/
return (-1);
return (0);
}
/*
* Write the output from the application running in the zone. We can get
* a signal during the write (usually it would be SIGCHLD when the application
* has exited) so we loop to make sure we have written all of the data we read.
*/
static int
{
int wrote = 0;
int cc;
return (-1);
if (cc == 0) /* EOF */
return (-1);
return (0);
do {
int len;
return (-1);
if (len != -1)
return (0);
}
/*
* This is the main I/O loop, and is shared across all zlogin modes.
* Parameters:
* stdin_fd: The fd representing 'stdin' for the slave side; input to
* the zone will be written here.
*
* appin_fd: The fd representing the other end of the 'stdin' pipe (when
* we're running non-interactive); used in process_raw_input
* to ensure we don't fill up the application's stdin pipe.
*
* stdout_fd: The fd representing 'stdout' for the slave side; output
* from the zone will arrive here.
*
* stderr_fd: The fd representing 'stderr' for the slave side; output
* from the zone will arrive here.
*
* raw_mode: If TRUE, then no processing (for example, for '~.') will
* be performed on the input coming from STDIN.
*
* stderr_fd may be specified as -1 if there is no stderr (only non-interactive
* mode supplies a stderr).
*
*/
static void
{
/* read from stdout of zone and write to stdout of global zone */
/* read from stderr of zone and write to stderr of global zone */
/* read from stdin of global zone and write to stdin of zone */
/* read from signalling pipe so we know when child dies */
for (;;) {
if (dead)
break;
/*
* There is a race condition here where we can receive the
* child death signal, set the dead flag, but since we have
* passed the test above, we would go into poll and hang.
* To avoid this we use the sig_fd as an additional poll fd.
* The signal handler writes into the other end of this pipe
* when the child dies so that the poll will always see that
* input and proceed. We just loop around at that point and
* then notice the dead flag.
*/
perror("poll failed");
break;
}
break;
}
/* event from master side stdout */
!= 0)
break;
} else {
break;
}
}
/* event from master side stderr */
!= 0)
break;
} else {
break;
}
}
/* event from user STDIN side */
/*
* stdin fd is stdin of the target; so,
* the thing we'll write the user data *to*.
*
* Also, unlike on the output side, we
* close the pipe on a zero-length message.
*/
int res;
if (raw_mode)
appin_fd);
else
if (res < 0)
break;
if (res > 0) {
/* EOF (close) child's stdin_fd */
;
if (res != 0)
break;
}
/*
* It's OK to get a POLLHUP on STDIN-- it
* always happens if you do:
*
* echo foo | zlogin <zone> <command>
*
* We reset fd to -1 in this case to clear
* the condition and close the pipe (EOF) to
* the other side in order to wrap things up.
*/
int res;
;
if (res != 0)
break;
} else {
break;
}
}
}
/*
* We are in the midst of dying, but try to poll with a short
* timeout to see if we can catch the last bit of I/O from the
* children.
*/
goto retry;
}
}
goto retry;
}
}
}
/*
* Fetch the user_cmd brand hook for getting a user's passwd(4) entry.
*/
static const char *
{
return (NULL);
return (user_cmd);
}
/* From libc */
extern int str2passwd(const char *, int, void *, char *, int);
/*
* exec() the user_cmd brand hook, and convert the output string to a
* struct passwd. This is to be called after zone_enter().
*
*/
static struct passwd *
int pwbuflen)
{
int status;
return (NULL);
return (NULL);
}
return (NULL);
if (WEXITSTATUS(status) != 0)
return (NULL);
return (pwent);
else
return (NULL);
}
static char **
{
int n, a;
/* Get the login command for the target zone. */
if (forced_login) {
result_buf, sizeof (result_buf)) != 0)
return (NULL);
} else {
result_buf, sizeof (result_buf)) != 0)
return (NULL);
}
/*
* We got back a string that we'd like to execute. But since
* we're not doing the execution via a shell we'll need to convert
* the exec string to an array of strings. We'll do that here
* but we're going to be very simplistic about it and break stuff
* up based on spaces. We're not even going to support any kind
* of quoting or escape characters. It's truly amazing that
* there is no library function in OpenSolaris to do this for us.
*/
/*
* Be paranoid. Since we're deliniating based on spaces make
* sure there are no adjacent spaces.
*/
return (NULL);
/* Remove any trailing whitespace. */
n = strlen(result_buf);
/* Count how many elements there are in the exec string. */
ptr = result_buf;
;
/* Allocate the argv array that we're going to return. */
return (NULL);
/* Tokenize the exec string and return. */
a = 0;
new_argv[a++] = result_buf;
if (n > 2) {
;
} else {
}
assert(n == a);
return (new_argv);
}
/*
* Prepare argv array for exec'd process; if we're passing commands to the
* new process, then use su(1M) to do the invocation. Otherwise, use
* 'login -z <from_zonename> -f' (-z is an undocumented option which tells
* login that we're coming from another zone, and to disregard its CONSOLE
* checks).
*/
static char **
{
char **new_argv;
char *subshell;
argc++;
for (i = 0; i < argc; i++) {
}
return (NULL);
for (i = 0; i < argc; i++) {
}
if (failsafe) {
n = 4;
return (NULL);
new_argv[a++] = FAILSAFESHELL;
} else {
n = 5;
return (NULL);
new_argv[a++] = "-";
n++;
}
}
new_argv[a++] = "-c";
assert(a == n);
} else {
if (failsafe) {
n = 2;
return (NULL);
new_argv[a++] = FAILSAFESHELL;
assert(n == a);
} else {
}
}
return (new_argv);
}
/*
* Helper routine for prep_env below.
*/
static char *
{
char *str;
return (NULL);
return (str);
}
/*
* Prepare envp array for exec'd process.
*/
static char **
prep_env()
{
size++; /* for $PATH */
size++;
/*
* In failsafe mode we set $HOME, since '-l' isn't valid in this mode.
* We also set $SHELL, since neither login nor su will be around to do
* it.
*/
if (failsafe)
size += 2;
return (NULL);
return (NULL);
return (NULL);
}
if (failsafe) {
return (NULL);
return (NULL);
}
return (new_env);
}
/*
* Finish the preparation of the envp array for exec'd non-interactive
* zlogins. This is called in the child process *after* we zone_enter(), since
* it derives things we can only know within the zone, such as $HOME, $SHELL,
* etc. We need only do this in the non-interactive, mode, since otherwise
* login(1) will do it. We don't do this in failsafe mode, since it presents
* additional ways in which the command could fail, and we'd prefer to avoid
* that.
*/
static char **
{
char **new_env;
int e, i;
char *estr;
/*
* Exec the "user_cmd" brand hook to get a pwent for the
* login user. If this fails, HOME will be set to "/", SHELL
* will be set to $DEFAULTSHELL, and we will continue to exec
* SUPATH <login> -c <cmd>.
*/
/*
* Get existing envp size.
*/
;
e = size;
/*
* Finish filling out the environment; we duplicate the environment
* setup described in login(1), for lack of a better precedent.
*/
else
size++; /* always fill in SHELL */
size++; /* terminating NULL */
goto malloc_fail;
/*
* Copy existing elements of env into new_env.
*/
goto malloc_fail;
}
assert(e == i);
goto malloc_fail;
goto malloc_fail;
goto malloc_fail;
} else {
goto malloc_fail;
}
goto malloc_fail;
} else {
goto malloc_fail;
}
return (new_env);
return (NULL);
}
static int
{
return (0);
}
static void
{
char c;
long lc;
if ((c = *cmdcharstr) != '\\') {
cmdchar = c;
return;
}
c = cmdcharstr[1];
if (c == '\0' || c == '\\') {
cmdchar = '\\';
return;
}
if (c < '0' || c > '7') {
usage();
}
usage();
}
}
static int
{
return (-1);
}
return (0);
}
static void
{
}
static int
{
return (-1);
}
return (-1);
}
/*
* Lock the file to synchronize with other zoneadmds
*/
return (-1);
}
return (Z_OK);
}
static int
{
return (-1);
/*
* We must do the door check with the lock held. Otherwise, we
* up with two processes trying to start zoneadmd at the same
* time. zoneadmd will detect this, and fail, but we prefer this
* to be as seamless as is practical, from a user perspective.
*/
goto out;
}
} else {
/*
* Seems to be working ok.
*/
error = 0;
goto out;
}
}
goto out;
} else if (child_pid == 0) {
/* child process */
_exit(1);
}
/* parent process */
do {
if (WIFSIGNALED(pstatus) ||
goto out;
}
error = 0;
out:
return (error);
}
static int
init_template(void)
{
int fd;
int err = 0;
if (fd == -1)
return (-1);
/*
* zlogin doesn't do anything with the contract.
* Deliver no events, don't inherit, and allow it to be orphaned.
*/
return (-1);
}
return (fd);
}
static int
{
int child_status;
int tmpl_fd;
reset_tty();
return (1);
}
if (pipe(stdin_pipe) != 0) {
return (1);
}
/*
* When the user types ^D, we get a zero length message on STDIN.
* We need to echo that down the pipe to send it to the other side;
* but by default, pipes don't propagate zero-length messages. We
* toggle that behavior off using I_SWROPT. See streamio(7i).
*/
return (1);
}
if (pipe(stdout_pipe) != 0) {
return (1);
}
if (pipe(stderr_pipe) != 0) {
return (1);
}
if (pipe(dead_child_pipe) != 0) {
return (1);
}
close_on_sig = dead_child_pipe[0];
/*
* If any of the pipe FD's winds up being less than STDERR, then we
* have a mess on our hands-- and we are lacking some of the I/O
* streams we would expect anyway. So we bail.
*/
if (stdin_pipe[0] <= STDERR_FILENO ||
stdout_pipe[0] <= STDERR_FILENO ||
stderr_pipe[0] <= STDERR_FILENO ||
dead_child_pipe[0] <= STDERR_FILENO ||
return (1);
}
if (prefork_dropprivs() != 0) {
return (1);
}
(void) sigemptyset(&block_cld);
(void) ct_tmpl_clear(tmpl_fd);
return (1);
} else if (child_pid == 0) { /* child process */
(void) ct_tmpl_clear(tmpl_fd);
/*
* Do a dance to get the pipes hooked up as FD's 0, 1 and 2.
*/
(void) close(STDIN_FILENO);
(void) close(STDOUT_FILENO);
(void) close(STDERR_FILENO);
/*
* In case any of stdin, stdout or stderr are streams,
* anchor them to prevent malicious I_POPs.
*/
_exit(1);
}
/*
* For non-native zones, tell libc where it can find locale
* specific getttext() messages.
*/
(void) bindtextdomain(TEXT_DOMAIN,
"/.SUNWnative/usr/lib/locale");
(void) bindtextdomain(TEXT_DOMAIN,
if (!failsafe)
_exit(1);
}
/*
* Move into a new process group; the zone_enter will have
* placed us into zsched's session, and we want to be in
* a unique process group.
*/
/*
* The child needs to run as root to
* execute the su program.
*/
if (setuid(0) == -1) {
return (1);
}
_exit(1);
}
/* parent */
/* close pipe sides written by child */
(void) ct_tmpl_clear(tmpl_fd);
do {
if (retval == -1) {
child_status = 0;
}
return (WEXITSTATUS(child_status));
}
static char *
{
/*
* Authorizations are checked to restrict access based on the
* requested operation and zone name, It is assumed that the
* program is running with all privileges, but that the real
* user ID is that of the user or role on whose behalf we are
* operating. So we start by getting the username that will be
* used for subsequent authorization checks.
*/
_exit(1);
}
}
int
{
int lflag = 0;
int nflag = 0;
int tmpl_fd;
(void) textdomain(TEXT_DOMAIN);
username = get_username();
switch (arg) {
case 'C':
console = 1;
break;
case 'E':
nocmdchar = 1;
break;
case 'R': /* undocumented */
if (*optarg != '/') {
exit(2);
}
gettext("root path must be a directory."));
exit(2);
}
break;
case 'Q':
quiet = 1;
break;
case 'S':
failsafe = 1;
break;
case 'd':
disconnect = 1;
break;
case 'e':
break;
case 'l':
lflag = 1;
break;
case 'n':
nflag = 1;
break;
default:
usage();
}
}
if (console != 0) {
if (lflag != 0) {
"-l may not be specified for console login"));
usage();
}
if (nflag != 0) {
"-n may not be specified for console login"));
usage();
}
if (failsafe != 0) {
"-S may not be specified for console login"));
usage();
}
if (zonecfg_in_alt_root()) {
"-R may not be specified for console login"));
exit(2);
}
}
usage();
}
if (!console && disconnect != 0) {
"-d may only be specified with console login"));
usage();
}
/*
* zone name, no process name; this should be an interactive
* as long as STDIN is really a tty.
*/
if (nflag != 0) {
"-n may not be specified for interactive login"));
usage();
}
if (isatty(STDIN_FILENO))
interactive = 1;
if (console) {
"console login."));
usage();
}
/* zone name and process name, and possibly some args */
interactive = 0;
} else {
usage();
}
if (getzoneid() != GLOBAL_ZONEID) {
pname);
return (1);
}
pname);
return (1);
}
return (1);
}
if (st < ZONE_STATE_INSTALLED) {
zone_state_str(st));
return (1);
}
/*
* In both console and non-console cases, we require all privs.
* In the console case, because we may need to startup zoneadmd.
* In the non-console case in order to do zone_enter(2), zonept()
* and other tasks.
*/
return (1);
}
return (1);
}
"this command (all privs required)"));
return (1);
}
/*
* Check if user is authorized for requested usage of the zone
*/
if (console) {
"access to %s zone."),
return (1);
} else {
if (failsafe || !interactive) {
"failsafe or non-interactive login "
return (1);
" to login to %s zone."),
return (1);
}
}
} else {
}
/*
* The console is a separate case from the rest of the code; handle
* it first.
*/
if (console) {
/*
* Ensure that zoneadmd for this zone is running.
*/
return (1);
/*
* Make contact with zoneadmd.
*/
return (1);
if (!quiet)
(void) printf(
gettext("[Connected to zone '%s' console]\n"),
zonename);
reset_tty();
return (1);
}
(void) sigwinch(0);
/*
* Run the I/O loop until we get disconnected.
*/
reset_tty();
if (!quiet)
(void) printf(
gettext("\n[Connection to zone '%s' console "
"closed]\n"), zonename);
return (0);
}
return (1);
}
if (zonecfg_in_alt_root()) {
zonename);
return (1);
}
}
zonename);
return (1);
}
/*
* We need the zone root path only if we are setting up a pty.
*/
zonename);
return (1);
}
return (1);
}
/*
* In the alternate root environment, the only supported
* operations are mount and unmount. In this case, just treat
* the zone as native if it is cluster. Cluster zones can be
* native for the purpose of LU or upgrade, and the cluster
* brand may not exist in the miniroot (such as in net install
* upgrade).
*/
sizeof (default_brand)) != Z_OK) {
return (1);
}
if (zonecfg_in_alt_root() &&
}
return (1);
}
return (1);
}
/*
* Get the brand specific user_cmd. This command is used to get
* a passwd(4) entry for login.
*/
if (!interactive && !failsafe) {
zonename);
return (1);
}
}
return (1);
}
if (!interactive) {
if (nflag) {
int nfd;
return (1);
}
if (nfd != STDIN_FILENO) {
"failed to dup2 null device"));
return (1);
}
}
}
}
if (zonecfg_in_alt_root()) {
"zone"));
return (1);
}
/*
* Things are more complex in interactive mode; we get the
* master side of the pty, then place the user's terminal into
* raw mode.
*/
if (get_master_pty() == -1) {
return (1);
}
/*
*/
return (1);
}
sizeof (slaveshortname));
else
sizeof (slaveshortname));
if (!quiet)
reset_tty();
return (1);
}
if (prefork_dropprivs() != 0) {
reset_tty();
return (1);
}
/*
* We must mask SIGCLD until after we have coped with the fork
* sufficiently to deal with it; otherwise we can race and receive the
* signal before child_pid has been initialized (yes, this really
* happens).
*/
(void) sigemptyset(&block_cld);
/*
* We activate the contract template at the last minute to
* avoid intermediate functions that could be using fork(2)
* internally.
*/
reset_tty();
return (1);
}
(void) ct_tmpl_clear(tmpl_fd);
reset_tty();
return (1);
} else if (child_pid == 0) { /* child process */
(void) ct_tmpl_clear(tmpl_fd);
return (1);
/*
* Close all fds except for the slave pty.
*/
/*
* Temporarily dup slavefd to stderr; that way if we have
* to print out that zone_enter failed, the output will
* have somewhere to go.
*/
if (slavefd != STDERR_FILENO)
return (1);
}
if (slavefd != STDERR_FILENO)
(void) close(STDERR_FILENO);
/*
* We take pains to get this process into a new process
* group, and subsequently a new session. In this way,
* we'll have a session which doesn't yet have a controlling
* terminal. When we open the slave, it will become the
* controlling terminal; no PIDs concerning pgrps or sids
* will leak inappropriately into the zone.
*/
(void) setpgrp();
/*
* We need the slave pty to be referenced from the zone's
* /dev in order to ensure that the devt's, etc are all
* correct. Otherwise we break ttyname and the like.
*/
return (1);
}
/*
* dup the slave to the various FDs, so that when the
* pty.
*/
slavefd != STDERR_FILENO) {
}
/*
* In failsafe mode, we don't use login(1), so don't try
* setting up a utmpx entry.
*/
if (!failsafe)
return (1);
/*
* The child needs to run as root to
* execute the brand's login program.
*/
if (setuid(0) == -1) {
return (1);
}
return (1);
}
(void) ct_tmpl_clear(tmpl_fd);
/*
* The rest is only for the parent process.
*/
reset_tty();
if (!quiet)
gettext("\n[Connection to zone '%s' %s closed]\n"),
if (pollerr != 0) {
"to unexpected pollevents=0x%x.\n"), pollerr);
return (1);
}
return (0);
}