1/* 2 * ntpd.c - main program for the fixed point NTP daemon 3 */ 4 5#ifdef HAVE_CONFIG_H 6# include <config.h> 7#endif 8 9#include "ntp_machine.h" 10#include "ntpd.h" 11#include "ntp_io.h" 12#include "ntp_stdlib.h" 13#include <ntp_random.h> 14 15#include "ntp_config.h" 16#include "ntp_syslog.h" 17#include "ntp_assert.h" 18#include "isc/error.h" 19#include "isc/strerror.h" 20#include "isc/formatcheck.h" 21#include "iosignal.h" 22 23#ifdef SIM 24# include "ntpsim.h" 25#endif 26 27#include "ntp_libopts.h" 28#include "ntpd-opts.h" 29 30/* there's a short treatise below what the thread stuff is for. 31 * [Bug 2954] enable the threading warm-up only for Linux. 32 */ 33#if defined(HAVE_PTHREADS) && HAVE_PTHREADS && !defined(NO_THREADS) 34# ifdef HAVE_PTHREAD_H 35# include <pthread.h> 36# endif 37# if defined(linux) 38# define NEED_PTHREAD_WARMUP 39# endif 40#endif 41 42#ifdef HAVE_UNISTD_H 43# include <unistd.h> 44#endif 45#ifdef HAVE_SYS_STAT_H 46# include <sys/stat.h> 47#endif 48#ifdef HAVE_SYS_WAIT_H 49# include <sys/wait.h> 50#endif 51#include <stdio.h> 52#ifdef HAVE_SYS_PARAM_H 53# include <sys/param.h> 54#endif 55#ifdef HAVE_SYS_SIGNAL_H 56# include <sys/signal.h> 57#else 58# include <signal.h> 59#endif 60#ifdef HAVE_SYS_IOCTL_H 61# include <sys/ioctl.h> 62#endif /* HAVE_SYS_IOCTL_H */ 63#if defined(HAVE_RTPRIO) 64# ifdef HAVE_SYS_LOCK_H 65# include <sys/lock.h> 66# endif 67# include <sys/rtprio.h> 68#else 69# ifdef HAVE_PLOCK 70# ifdef HAVE_SYS_LOCK_H 71# include <sys/lock.h> 72# endif 73# endif 74#endif 75#if defined(HAVE_SCHED_SETSCHEDULER) 76# ifdef HAVE_SCHED_H 77# include <sched.h> 78# else 79# ifdef HAVE_SYS_SCHED_H 80# include <sys/sched.h> 81# endif 82# endif 83#endif 84#if defined(HAVE_SYS_MMAN_H) 85# include <sys/mman.h> 86#endif 87 88#ifdef HAVE_SYSEXITS_H 89# include <sysexits.h> 90#endif 91 92#ifdef HAVE_TERMIOS_H 93# include <termios.h> 94#endif 95 96#ifdef SYS_DOMAINOS 97# include <apollo/base.h> 98#endif /* SYS_DOMAINOS */ 99 100 101#include "recvbuff.h" 102#include "ntp_cmdargs.h" 103 104#if 0 /* HMS: I don't think we need this. 961223 */ 105#ifdef LOCK_PROCESS 106# ifdef SYS_SOLARIS 107# include <sys/mman.h> 108# else 109# include <sys/lock.h> 110# endif 111#endif 112#endif 113 114#ifdef SYS_WINNT 115# include "ntservice.h" 116#endif 117 118#ifdef _AIX 119# include <ulimit.h> 120#endif /* _AIX */ 121 122#ifdef SCO5_CLOCK 123# include <sys/ci/ciioctl.h> 124#endif 125 126#ifdef HAVE_DROPROOT 127# include <ctype.h> 128# include <grp.h> 129# include <pwd.h> 130#ifdef HAVE_LINUX_CAPABILITIES 131# include <sys/capability.h> 132# include <sys/prctl.h> 133#endif /* HAVE_LINUX_CAPABILITIES */ 134#if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) 135# include <priv.h> 136#endif /* HAVE_PRIV_H */ 137#if defined(HAVE_TRUSTEDBSD_MAC) 138# include <sys/mac.h> 139#endif /* HAVE_TRUSTEDBSD_MAC */ 140#endif /* HAVE_DROPROOT */ 141 142#if defined (LIBSECCOMP) && (KERN_SECCOMP) 143/* # include <sys/types.h> */ 144# include <sys/resource.h> 145# include <seccomp.h> 146#endif /* LIBSECCOMP and KERN_SECCOMP */ 147 148#ifdef __FreeBSD__ 149#include <sys/procctl.h> 150#ifndef PROC_STACKGAP_CTL 151/* 152 * Even if we compile on an older system we can still run on a newer one. 153 */ 154#define PROC_STACKGAP_CTL 17 155#define PROC_STACKGAP_DISABLE 0x0002 156#endif 157#endif 158 159#ifdef HAVE_DNSREGISTRATION 160# include <dns_sd.h> 161DNSServiceRef mdns; 162#endif 163 164/* In case 'sysexits.h' is unavailable, define some exit codes here: */ 165#ifndef EX_SOFTWARE 166# define EX_SOFTWARE 70 167#endif 168#ifndef EX_OSERR 169# define EX_OSERR 71 170#endif 171#ifndef EX_IOERR 172# define EX_IOERR 74 173#endif 174#ifndef EX_PROTOCOL 175#define EX_PROTOCOL 76 176#endif 177 178 179#ifdef HAVE_SETPGRP_0 180# define ntp_setpgrp(x, y) setpgrp() 181#else 182# define ntp_setpgrp(x, y) setpgrp(x, y) 183#endif 184 185#ifdef HAVE_SOLARIS_PRIVS 186# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec" 187static priv_set_t *lowprivs = NULL; 188static priv_set_t *highprivs = NULL; 189#endif /* HAVE_SOLARIS_PRIVS */ 190/* 191 * Scheduling priority we run at 192 */ 193#define NTPD_PRIO (-12) 194 195int priority_done = 2; /* 0 - Set priority */ 196 /* 1 - priority is OK where it is */ 197 /* 2 - Don't set priority */ 198 /* 1 and 2 are pretty much the same */ 199 200int listen_to_virtual_ips = TRUE; 201 202/* 203 * No-fork flag. If set, we do not become a background daemon. 204 */ 205int nofork; /* Fork by default */ 206 207#ifdef HAVE_DNSREGISTRATION 208/* 209 * mDNS registration flag. If set, we attempt to register with the mDNS system, but only 210 * after we have synched the first time. If the attempt fails, then try again once per 211 * minute for up to 5 times. After all, we may be starting before mDNS. 212 */ 213int mdnsreg = FALSE; 214int mdnstries = 5; 215#endif /* HAVE_DNSREGISTRATION */ 216 217#ifdef HAVE_LINUX_CAPABILITIES 218int have_caps; /* runtime check whether capabilities work */ 219#endif /* HAVE_LINUX_CAPABILITIES */ 220 221#ifdef HAVE_DROPROOT 222int droproot; 223int root_dropped; 224char *user; /* User to switch to */ 225char *group; /* group to switch to */ 226const char *chrootdir; /* directory to chroot to */ 227uid_t sw_uid; 228gid_t sw_gid; 229struct group *gr; 230struct passwd *pw; 231#endif /* HAVE_DROPROOT */ 232 233#ifdef HAVE_WORKING_FORK 234int daemon_pipe[2] = { -1, -1 }; 235#endif 236 237/* 238 * Version declaration 239 */ 240extern const char *Version; 241 242char const *progname; 243 244int was_alarmed; 245 246#ifdef DECL_SYSCALL 247/* 248 * We put this here, since the argument profile is syscall-specific 249 */ 250extern int syscall (int, ...); 251#endif /* DECL_SYSCALL */ 252 253 254#if !defined(SIM) && defined(SIGDIE1) 255static volatile int signalled = 0; 256static volatile int signo = 0; 257 258/* In an ideal world, 'finish_safe()' would declared as noreturn... */ 259static void finish_safe (int); 260static RETSIGTYPE finish (int); 261#endif 262 263#if !defined(SIM) && defined(HAVE_WORKING_FORK) 264static int wait_child_sync_if (int, unsigned long); 265static int wait_child_exit_if (pid_t, int); 266#endif 267 268#if !defined(SIM) && !defined(SYS_WINNT) 269# ifdef DEBUG 270static RETSIGTYPE moredebug (int); 271static RETSIGTYPE lessdebug (int); 272# else /* !DEBUG follows */ 273static RETSIGTYPE no_debug (int); 274# endif /* !DEBUG */ 275#endif /* !SIM && !SYS_WINNT */ 276 277#ifndef WORK_FORK 278int saved_argc; 279char ** saved_argv; 280#endif 281 282#ifndef SIM 283int ntpdmain (int, char **); 284static void set_process_priority (void); 285static void assertion_failed (const char *, int, 286 isc_assertiontype_t, 287 const char *) 288 __attribute__ ((__noreturn__)); 289static void library_fatal_error (const char *, int, 290 const char *, va_list) 291 ISC_FORMAT_PRINTF(3, 0); 292static void library_unexpected_error(const char *, int, 293 const char *, va_list) 294 ISC_FORMAT_PRINTF(3, 0); 295#endif /* !SIM */ 296 297 298/* Bug2332 unearthed a problem in the interaction of reduced user 299 * privileges, the limits on memory usage and some versions of the 300 * pthread library on Linux systems. The 'pthread_cancel()' function and 301 * likely some others need to track the stack of the thread involved, 302 * and uses a function that comes from GCC (--> libgcc_s.so) to do 303 * this. Unfortunately the developers of glibc decided to load the 304 * library on demand, which speeds up program start but can cause 305 * trouble here: Due to all the things NTPD does to limit its resource 306 * usage, this deferred load of libgcc_s does not always work once the 307 * restrictions are in effect. 308 * 309 * One way out of this was attempting a forced link against libgcc_s 310 * when possible because it makes the library available immediately 311 * without deferred load. (The symbol resolution would still be dynamic 312 * and on demand, but the code would already be in the process image.) 313 * 314 * This is a tricky thing to do, since it's not necessary everywhere, 315 * not possible everywhere, has shown to break the build of other 316 * programs in the NTP suite and is now generally frowned upon. 317 * 318 * So we take a different approach here: We creat a worker thread that does 319 * actually nothing except waiting for cancellation and cancel it. If 320 * this is done before all the limitations are put in place, the 321 * machinery is pre-heated and all the runtime stuff should be in place 322 * and useable when needed. 323 * 324 * This uses only the standard pthread API and should work with all 325 * implementations of pthreads. It is not necessary everywhere, but it's 326 * cheap enough to go on nearly unnoticed. 327 * 328 * Addendum: Bug 2954 showed that the assumption that this should work 329 * with all OS is wrong -- at least FreeBSD bombs heavily. 330 */ 331#ifdef NEED_PTHREAD_WARMUP 332 333/* simple thread function: sleep until cancelled, just to exercise 334 * thread cancellation. 335 */ 336static void* 337my_pthread_warmup_worker( 338 void *thread_args) 339{ 340 (void)thread_args; 341 for (;;) 342 sleep(10); 343 return NULL; 344} 345 346/* pre-heat threading: create a thread and cancel it, just to exercise 347 * thread cancellation. 348 */ 349static void 350my_pthread_warmup(void) 351{ 352 pthread_t thread; 353 pthread_attr_t thr_attr; 354 int rc; 355 356 pthread_attr_init(&thr_attr); 357#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \ 358 defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) && \ 359 defined(PTHREAD_STACK_MIN) 360 { 361 size_t ssmin = 32*1024; /* 32kB should be minimum */ 362 if (ssmin < PTHREAD_STACK_MIN) 363 ssmin = PTHREAD_STACK_MIN; 364 rc = pthread_attr_setstacksize(&thr_attr, ssmin); 365 if (0 != rc) 366 msyslog(LOG_ERR, 367 "my_pthread_warmup: pthread_attr_setstacksize() -> %s", 368 strerror(rc)); 369 } 370#endif 371 rc = pthread_create( 372 &thread, &thr_attr, my_pthread_warmup_worker, NULL); 373 pthread_attr_destroy(&thr_attr); 374 if (0 != rc) { 375 msyslog(LOG_ERR, 376 "my_pthread_warmup: pthread_create() -> %s", 377 strerror(rc)); 378 } else { 379 pthread_cancel(thread); 380 pthread_join(thread, NULL); 381 } 382} 383 384#endif /*defined(NEED_PTHREAD_WARMUP)*/ 385 386#ifdef NEED_EARLY_FORK 387static void 388dummy_callback(void) { return; } 389 390static void 391fork_nonchroot_worker(void) { 392 getaddrinfo_sometime("localhost", "ntp", NULL, INITIAL_DNS_RETRY, 393 (gai_sometime_callback)&dummy_callback, NULL); 394} 395#endif /* NEED_EARLY_FORK */ 396 397void 398parse_cmdline_opts( 399 int * pargc, 400 char ***pargv 401 ) 402{ 403 static int parsed; 404 static int optct; 405 406 if (!parsed) 407 optct = ntpOptionProcess(&ntpdOptions, *pargc, *pargv); 408 409 parsed = 1; 410 411 *pargc -= optct; 412 *pargv += optct; 413} 414 415 416#ifdef SIM 417int 418main( 419 int argc, 420 char *argv[] 421 ) 422{ 423 progname = argv[0]; 424 parse_cmdline_opts(&argc, &argv); 425#ifdef DEBUG 426 debug = OPT_VALUE_SET_DEBUG_LEVEL; 427 DPRINTF(1, ("%s\n", Version)); 428#endif 429 430 return ntpsim(argc, argv); 431} 432#elif defined(NO_MAIN_ALLOWED) 433CALL(ntpd,"ntpd",ntpdmain); 434#elif !defined(SYS_WINNT) 435int 436main( 437 int argc, 438 char *argv[] 439 ) 440{ 441# ifdef __FreeBSD__ 442 { 443 /* 444 * We Must disable ASLR stack gap on FreeBSD to avoid a 445 * segfault. See PR/241421 and PR/241960. 446 */ 447 int aslr_var = PROC_STACKGAP_DISABLE; 448 449 pid_t my_pid = getpid(); 450 procctl(P_PID, my_pid, PROC_STACKGAP_CTL, &aslr_var); 451 } 452# endif 453 return ntpdmain(argc, argv); 454} 455#endif /* !SYS_WINNT */ 456 457#ifdef _AIX 458/* 459 * OK. AIX is different than solaris in how it implements plock(). 460 * If you do NOT adjust the stack limit, you will get the MAXIMUM 461 * stack size allocated and PINNED with you program. To check the 462 * value, use ulimit -a. 463 * 464 * To fix this, we create an automatic variable and set our stack limit 465 * to that PLUS 32KB of extra space (we need some headroom). 466 * 467 * This subroutine gets the stack address. 468 * 469 * Grover Davidson and Matt Ladendorf 470 * 471 */ 472static char * 473get_aix_stack(void) 474{ 475 char ch; 476 return (&ch); 477} 478 479/* 480 * Signal handler for SIGDANGER. 481 */ 482static void 483catch_danger(int signo) 484{ 485 msyslog(LOG_INFO, "ntpd: setpgid(): %m"); 486 /* Make the system believe we'll free something, but don't do it! */ 487 return; 488} 489#endif /* _AIX */ 490 491/* 492 * Set the process priority 493 */ 494#ifndef SIM 495static void 496set_process_priority(void) 497{ 498 499# ifdef DEBUG 500 if (debug > 1) 501 msyslog(LOG_DEBUG, "set_process_priority: %s: priority_done is <%d>", 502 ((priority_done) 503 ? "Leave priority alone" 504 : "Attempt to set priority" 505 ), 506 priority_done); 507# endif /* DEBUG */ 508 509# if defined(HAVE_SCHED_SETSCHEDULER) 510 if (!priority_done) { 511 extern int config_priority_override, config_priority; 512 int pmax, pmin; 513 struct sched_param sched; 514 515 pmax = sched_get_priority_max(SCHED_FIFO); 516 sched.sched_priority = pmax; 517 if ( config_priority_override ) { 518 pmin = sched_get_priority_min(SCHED_FIFO); 519 if ( config_priority > pmax ) 520 sched.sched_priority = pmax; 521 else if ( config_priority < pmin ) 522 sched.sched_priority = pmin; 523 else 524 sched.sched_priority = config_priority; 525 } 526 if ( sched_setscheduler(0, SCHED_FIFO, &sched) == -1 ) 527 msyslog(LOG_ERR, "sched_setscheduler(): %m"); 528 else 529 ++priority_done; 530 } 531# endif /* HAVE_SCHED_SETSCHEDULER */ 532# ifdef HAVE_RTPRIO 533# ifdef RTP_SET 534 if (!priority_done) { 535 struct rtprio srtp; 536 537 srtp.type = RTP_PRIO_REALTIME; /* was: RTP_PRIO_NORMAL */ 538 srtp.prio = 0; /* 0 (hi) -> RTP_PRIO_MAX (31,lo) */ 539 540 if (rtprio(RTP_SET, getpid(), &srtp) < 0) 541 msyslog(LOG_ERR, "rtprio() error: %m"); 542 else 543 ++priority_done; 544 } 545# else /* !RTP_SET follows */ 546 if (!priority_done) { 547 if (rtprio(0, 120) < 0) 548 msyslog(LOG_ERR, "rtprio() error: %m"); 549 else 550 ++priority_done; 551 } 552# endif /* !RTP_SET */ 553# endif /* HAVE_RTPRIO */ 554# if defined(NTPD_PRIO) && NTPD_PRIO != 0 555# ifdef HAVE_ATT_NICE 556 if (!priority_done) { 557 errno = 0; 558 if (-1 == nice (NTPD_PRIO) && errno != 0) 559 msyslog(LOG_ERR, "nice() error: %m"); 560 else 561 ++priority_done; 562 } 563# endif /* HAVE_ATT_NICE */ 564# ifdef HAVE_BSD_NICE 565 if (!priority_done) { 566 if (-1 == setpriority(PRIO_PROCESS, 0, NTPD_PRIO)) 567 msyslog(LOG_ERR, "setpriority() error: %m"); 568 else 569 ++priority_done; 570 } 571# endif /* HAVE_BSD_NICE */ 572# endif /* NTPD_PRIO && NTPD_PRIO != 0 */ 573 if (!priority_done) 574 msyslog(LOG_ERR, "set_process_priority: No way found to improve our priority"); 575} 576#endif /* !SIM */ 577 578#if !defined(SIM) && !defined(SYS_WINNT) 579/* 580 * Detach from terminal (much like daemon()) 581 * Nothe that this function calls exit() 582 */ 583# ifdef HAVE_WORKING_FORK 584static void 585detach_from_terminal( 586 int pipe[2], 587 long wait_sync, 588 const char *logfilename 589 ) 590{ 591 pid_t cpid; 592 int exit_code; 593# if !defined(HAVE_SETSID) && !defined (HAVE_SETPGID) && defined(TIOCNOTTY) 594 int fid; 595# endif 596# ifdef _AIX 597 struct sigaction sa; 598# endif 599 600 cpid = fork(); 601 if (0 != cpid) { 602 /* parent */ 603 if (-1 == cpid) { 604 msyslog(LOG_ERR, "fork: %m"); 605 exit_code = EX_OSERR; 606 } else { 607 close(pipe[1]); 608 pipe[1] = -1; 609 exit_code = wait_child_sync_if( 610 pipe[0], wait_sync); 611 DPRINTF(1, ("sync_if: rc=%d\n", exit_code)); 612 if (exit_code <= 0) { 613 /* probe daemon exit code -- wait for 614 * child process if we have an unexpected 615 * EOF on the monitor pipe. 616 */ 617 exit_code = wait_child_exit_if( 618 cpid, (exit_code < 0)); 619 DPRINTF(1, ("exit_if: rc=%d\n", exit_code)); 620 } 621 } 622 exit(exit_code); 623 } 624 625 /* 626 * child/daemon 627 * close all open files excepting waitsync_fd_to_close. 628 * msyslog() unreliable until after init_logging(). 629 */ 630 closelog(); 631 if (syslog_file != NULL) { 632 fclose(syslog_file); 633 syslog_file = NULL; 634 syslogit = TRUE; 635 } 636 close_all_except(pipe[1]); 637 pipe[0] = -1; 638 INSIST(0 == open("/dev/null", 0) && 1 == dup2(0, 1) \ 639 && 2 == dup2(0, 2)); 640 641 init_logging(progname, 0, TRUE); 642 /* we lost our logfile (if any) daemonizing */ 643 setup_logfile(logfilename); 644 645# ifdef SYS_DOMAINOS 646 { 647 uid_$t puid; 648 status_$t st; 649 650 proc2_$who_am_i(&puid); 651 proc2_$make_server(&puid, &st); 652 } 653# endif /* SYS_DOMAINOS */ 654# ifdef HAVE_SETSID 655 if (setsid() == (pid_t)-1) 656 msyslog(LOG_ERR, "setsid(): %m"); 657# elif defined(HAVE_SETPGID) 658 if (setpgid(0, 0) == -1) 659 msyslog(LOG_ERR, "setpgid(): %m"); 660# else /* !HAVE_SETSID && !HAVE_SETPGID follows */ 661# ifdef TIOCNOTTY 662 fid = open("/dev/tty", 2); 663 if (fid >= 0) { 664 ioctl(fid, (u_long)TIOCNOTTY, NULL); 665 close(fid); 666 } 667# endif /* TIOCNOTTY */ 668 ntp_setpgrp(0, getpid()); 669# endif /* !HAVE_SETSID && !HAVE_SETPGID */ 670# ifdef _AIX 671 /* Don't get killed by low-on-memory signal. */ 672 sa.sa_handler = catch_danger; 673 sigemptyset(&sa.sa_mask); 674 sa.sa_flags = SA_RESTART; 675 sigaction(SIGDANGER, &sa, NULL); 676# endif /* _AIX */ 677 678 return; 679} 680# endif /* HAVE_WORKING_FORK */ 681 682#ifdef HAVE_DROPROOT 683/* 684 * Map user name/number to user ID 685*/ 686static int 687map_user( 688 ) 689{ 690 char *endp; 691 692 if (isdigit((unsigned char)*user)) { 693 sw_uid = (uid_t)strtoul(user, &endp, 0); 694 if (*endp != '\0') 695 goto getuser; 696 697 if ((pw = getpwuid(sw_uid)) != NULL) { 698 free(user); 699 user = estrdup(pw->pw_name); 700 sw_gid = pw->pw_gid; 701 } else { 702 errno = 0; 703 msyslog(LOG_ERR, "Cannot find user ID %s", user); 704 return 0; 705 } 706 707 } else { 708getuser: 709 errno = 0; 710 if ((pw = getpwnam(user)) != NULL) { 711 sw_uid = pw->pw_uid; 712 sw_gid = pw->pw_gid; 713 } else { 714 if (errno) 715 msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user); 716 else 717 msyslog(LOG_ERR, "Cannot find user `%s'", user); 718 return 0; 719 } 720 } 721 722 return 1; 723} 724 725/* 726 * Map group name/number to group ID 727*/ 728static int 729map_group(void) 730{ 731 char *endp; 732 733 if (isdigit((unsigned char)*group)) { 734 sw_gid = (gid_t)strtoul(group, &endp, 0); 735 if (*endp != '\0') 736 goto getgroup; 737 } else { 738getgroup: 739 if ((gr = getgrnam(group)) != NULL) { 740 sw_gid = gr->gr_gid; 741 } else { 742 errno = 0; 743 msyslog(LOG_ERR, "Cannot find group `%s'", group); 744 return 0; 745 } 746 } 747 748 return 1; 749} 750 751static int 752set_group_ids(void) 753{ 754 if (user && initgroups(user, sw_gid)) { 755 msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user); 756 return 0; 757 } 758 if (group && setgid(sw_gid)) { 759 msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); 760 return 0; 761 } 762 if (group && setegid(sw_gid)) { 763 msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); 764 return 0; 765 } 766 if (group) { 767 if (0 != setgroups(1, &sw_gid)) { 768 msyslog(LOG_ERR, "setgroups(1, %d) failed: %m", sw_gid); 769 return 0; 770 } 771 } 772 else if (pw) 773 if (0 != initgroups(pw->pw_name, pw->pw_gid)) { 774 msyslog(LOG_ERR, "initgroups(<%s>, %d) filed: %m", pw->pw_name, pw->pw_gid); 775 return 0; 776 } 777 return 1; 778} 779 780static int 781set_user_ids(void) 782{ 783 if (user && setuid(sw_uid)) { 784 msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); 785 return 0; 786 } 787 if (user && seteuid(sw_uid)) { 788 msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); 789 return 0; 790 } 791 return 1; 792} 793 794/* 795 * Change (effective) user and group IDs, also initialize the supplementary group access list 796 */ 797int set_user_group_ids(void); 798int 799set_user_group_ids(void) 800{ 801 /* If the the user was already mapped, no need to map it again */ 802 if ((NULL != user) && (0 == sw_uid)) { 803 if (0 == map_user()) 804 exit (-1); 805 } 806 /* same applies for the group */ 807 if ((NULL != group) && (0 == sw_gid)) { 808 if (0 == map_group()) 809 exit (-1); 810 } 811 812 if (getegid() != sw_gid && 0 == set_group_ids()) 813 return 0; 814 if (geteuid() != sw_uid && 0 == set_user_ids()) 815 return 0; 816 817 return 1; 818} 819#endif /* HAVE_DROPROOT */ 820#endif /* !SIM */ 821 822/* 823 * Main program. Initialize us, disconnect us from the tty if necessary, 824 * and loop waiting for I/O and/or timer expiries. 825 */ 826#ifndef SIM 827int 828ntpdmain( 829 int argc, 830 char *argv[] 831 ) 832{ 833 l_fp now; 834 struct recvbuf *rbuf; 835 const char * logfilename; 836# ifdef HAVE_UMASK 837 mode_t uv; 838# endif 839# if defined(HAVE_GETUID) && !defined(MPE) /* MPE lacks the concept of root */ 840 uid_t uid; 841# endif 842# if defined(HAVE_WORKING_FORK) 843 long wait_sync = 0; 844# endif /* HAVE_WORKING_FORK*/ 845# ifdef SCO5_CLOCK 846 int fd; 847 int zero; 848# endif 849 850# ifdef NEED_PTHREAD_WARMUP 851 my_pthread_warmup(); 852# endif 853 854# ifdef HAVE_UMASK 855 uv = umask(0); 856 if (uv) 857 umask(uv); 858 else 859 umask(022); 860# endif 861 saved_argc = argc; 862 saved_argv = argv; 863 progname = argv[0]; 864 initializing = TRUE; /* mark that we are initializing */ 865 parse_cmdline_opts(&argc, &argv); 866# ifdef DEBUG 867 debug = OPT_VALUE_SET_DEBUG_LEVEL; 868# ifdef HAVE_SETLINEBUF 869 setlinebuf(stdout); 870# endif 871# endif 872 873 if (HAVE_OPT(NOFORK) || HAVE_OPT(QUIT) 874# ifdef DEBUG 875 || debug 876# endif 877 || HAVE_OPT(SAVECONFIGQUIT)) 878 nofork = TRUE; 879 880 init_logging(progname, NLOG_SYNCMASK, TRUE); 881 /* honor -l/--logfile option to log to a file */ 882 if (HAVE_OPT(LOGFILE)) { 883 logfilename = OPT_ARG(LOGFILE); 884 syslogit = FALSE; 885 change_logfile(logfilename, FALSE); 886 } else { 887 logfilename = NULL; 888 if (nofork) 889 msyslog_term = TRUE; 890 if (HAVE_OPT(SAVECONFIGQUIT)) 891 syslogit = FALSE; 892 } 893 msyslog(LOG_NOTICE, "%s: Starting", Version); 894 895 { 896 int i; 897 char buf[1024]; /* Secret knowledge of msyslog buf length */ 898 char *cp = buf; 899 900 /* Note that every arg has an initial space character */ 901 snprintf(cp, sizeof(buf), "Command line:"); 902 cp += strlen(cp); 903 904 for (i = 0; i < saved_argc ; ++i) { 905 snprintf(cp, sizeof(buf) - (cp - buf), 906 " %s", saved_argv[i]); 907 cp += strlen(cp); 908 } 909 msyslog(LOG_NOTICE, "%s", buf); 910 } 911 912 msyslog(LOG_NOTICE, "----------------------------------------------------"); 913 msyslog(LOG_NOTICE, "ntp-4 is maintained by Network Time Foundation,"); 914 msyslog(LOG_NOTICE, "Inc. (NTF), a non-profit 501(c)(3) public-benefit"); 915 msyslog(LOG_NOTICE, "corporation. Support and training for ntp-4 are"); 916 msyslog(LOG_NOTICE, "available at https://www.nwtime.org/support"); 917 msyslog(LOG_NOTICE, "----------------------------------------------------"); 918 919 /* 920 * Install trap handlers to log errors and assertion failures. 921 * Default handlers print to stderr which doesn't work if detached. 922 */ 923 isc_assertion_setcallback(assertion_failed); 924 isc_error_setfatal(library_fatal_error); 925 isc_error_setunexpected(library_unexpected_error); 926 927 /* MPE lacks the concept of root */ 928# if defined(HAVE_GETUID) && !defined(MPE) 929 uid = getuid(); 930 if (uid && !HAVE_OPT( SAVECONFIGQUIT ) 931# if defined(HAVE_TRUSTEDBSD_MAC) 932 /* We can run as non-root if the mac_ntpd policy is enabled. */ 933 && mac_is_present("ntpd") != 1 934# endif 935 ) { 936 msyslog_term = TRUE; 937 msyslog(LOG_ERR, 938 "must be run as root, not uid %ld", (long)uid); 939 exit(1); 940 } 941# endif 942 943/* 944 * Enable the Multi-Media Timer for Windows? 945 */ 946# ifdef SYS_WINNT 947 if (HAVE_OPT( MODIFYMMTIMER )) 948 set_mm_timer(MM_TIMER_HIRES); 949# endif 950 951#ifdef HAVE_DNSREGISTRATION 952/* 953 * Enable mDNS registrations? 954 */ 955 if (HAVE_OPT( MDNS )) { 956 mdnsreg = TRUE; 957 } 958#endif /* HAVE_DNSREGISTRATION */ 959 960 if (HAVE_OPT( NOVIRTUALIPS )) 961 listen_to_virtual_ips = 0; 962 963 /* 964 * --interface, listen on specified interfaces 965 */ 966 if (HAVE_OPT( INTERFACE )) { 967 int ifacect = STACKCT_OPT( INTERFACE ); 968 const char** ifaces = STACKLST_OPT( INTERFACE ); 969 sockaddr_u addr; 970 971 while (ifacect-- > 0) { 972 add_nic_rule( 973 is_ip_address(*ifaces, AF_UNSPEC, &addr) 974 ? MATCH_IFADDR 975 : MATCH_IFNAME, 976 *ifaces, -1, ACTION_LISTEN); 977 ifaces++; 978 } 979 } 980 981 if (HAVE_OPT( NICE )) 982 priority_done = 0; 983 984# ifdef HAVE_SCHED_SETSCHEDULER 985 if (HAVE_OPT( PRIORITY )) { 986 config_priority = OPT_VALUE_PRIORITY; 987 config_priority_override = 1; 988 priority_done = 0; 989 } 990# endif 991 992# ifdef HAVE_WORKING_FORK 993 /* make sure the FDs are initialised 994 * 995 * note: if WAIT_SYNC is requested, we *have* to fork. This will 996 * overide any '-n' (nofork) or '-d' (debug) option presented on 997 * the command line! 998 */ 999 if (HAVE_OPT(WAIT_SYNC)) { 1000 wait_sync = OPT_VALUE_WAIT_SYNC; 1001 if (wait_sync <= 0) 1002 wait_sync = 0; 1003 else 1004 nofork = FALSE; 1005 } 1006 if ( !nofork && pipe(daemon_pipe)) { 1007 msyslog(LOG_ERR, 1008 "Pipe creation failed for --wait-sync/daemon: %m"); 1009 exit(EX_OSERR); 1010 } 1011# endif /* HAVE_WORKING_FORK */ 1012 1013 init_lib(); 1014# ifdef SYS_WINNT 1015 /* 1016 * Make sure the service is initialized before we do anything else 1017 */ 1018 ntservice_init(); 1019 1020 /* 1021 * Start interpolation thread, must occur before first 1022 * get_systime() 1023 */ 1024 init_winnt_time(); 1025# endif 1026 /* 1027 * Initialize random generator and public key pair 1028 */ 1029 get_systime(&now); 1030 1031 ntp_srandom((int)(now.l_i * now.l_uf)); 1032 1033 /* 1034 * Detach us from the terminal. May need an #ifndef GIZMO. 1035 */ 1036# ifdef HAVE_WORKING_FORK 1037 if (!nofork) { 1038 detach_from_terminal(daemon_pipe, wait_sync, logfilename); 1039 } 1040# endif /* HAVE_WORKING_FORK */ 1041 1042# ifdef SCO5_CLOCK 1043 /* 1044 * SCO OpenServer's system clock offers much more precise timekeeping 1045 * on the base CPU than the other CPUs (for multiprocessor systems), 1046 * so we must lock to the base CPU. 1047 */ 1048 fd = open("/dev/at1", O_RDONLY); 1049 if (fd >= 0) { 1050 zero = 0; 1051 if (ioctl(fd, ACPU_LOCK, &zero) < 0) 1052 msyslog(LOG_ERR, "cannot lock to base CPU: %m"); 1053 close(fd); 1054 } 1055# endif 1056 1057 /* Setup stack size in preparation for locking pages in memory. */ 1058# if defined(HAVE_MLOCKALL) 1059# ifdef HAVE_SETRLIMIT 1060 ntp_rlimit(RLIMIT_STACK, DFLT_RLIMIT_STACK * 4096, 4096, "4k"); 1061# if defined(RLIMIT_MEMLOCK) && defined(DFLT_RLIMIT_MEMLOCK) && DFLT_RLIMIT_MEMLOCK != -1 1062 /* 1063 * The default RLIMIT_MEMLOCK is very low on Linux systems. 1064 * Unless we increase this limit malloc calls are likely to 1065 * fail if we drop root privilege. To be useful the value 1066 * has to be larger than the largest ntpd resident set size. 1067 */ 1068 ntp_rlimit(RLIMIT_MEMLOCK, DFLT_RLIMIT_MEMLOCK * 1024 * 1024, 1024 * 1024, "MB"); 1069# endif /* RLIMIT_MEMLOCK */ 1070# endif /* HAVE_SETRLIMIT */ 1071# else /* !HAVE_MLOCKALL follows */ 1072# ifdef HAVE_PLOCK 1073# ifdef PROCLOCK 1074# ifdef _AIX 1075 /* 1076 * set the stack limit for AIX for plock(). 1077 * see get_aix_stack() for more info. 1078 */ 1079 if (ulimit(SET_STACKLIM, (get_aix_stack() - 8 * 4096)) < 0) 1080 msyslog(LOG_ERR, 1081 "Cannot adjust stack limit for plock: %m"); 1082# endif /* _AIX */ 1083# endif /* PROCLOCK */ 1084# endif /* HAVE_PLOCK */ 1085# endif /* !HAVE_MLOCKALL */ 1086 1087 /* 1088 * Set up signals we pay attention to locally. 1089 */ 1090# ifdef SIGDIE1 1091 signal_no_reset(SIGDIE1, finish); 1092 signal_no_reset(SIGDIE2, finish); 1093 signal_no_reset(SIGDIE3, finish); 1094 signal_no_reset(SIGDIE4, finish); 1095# endif 1096# ifdef SIGBUS 1097 signal_no_reset(SIGBUS, finish); 1098# endif 1099 1100# if !defined(SYS_WINNT) && !defined(VMS) 1101# ifdef DEBUG 1102 (void) signal_no_reset(MOREDEBUGSIG, moredebug); 1103 (void) signal_no_reset(LESSDEBUGSIG, lessdebug); 1104# else 1105 (void) signal_no_reset(MOREDEBUGSIG, no_debug); 1106 (void) signal_no_reset(LESSDEBUGSIG, no_debug); 1107# endif /* DEBUG */ 1108# endif /* !SYS_WINNT && !VMS */ 1109 1110 /* 1111 * Set up signals we should never pay attention to. 1112 */ 1113# ifdef SIGPIPE 1114 signal_no_reset(SIGPIPE, SIG_IGN); 1115# endif 1116 1117 /* 1118 * Call the init_ routines to initialize the data structures. 1119 * 1120 * Exactly what command-line options are we expecting here? 1121 */ 1122 INIT_SSL(); 1123 init_auth(); 1124 init_util(); 1125 init_restrict(); 1126 init_mon(); 1127 init_timer(); 1128 init_request(); 1129 init_control(); 1130 init_peer(); 1131# ifdef REFCLOCK 1132 init_refclock(); 1133# endif 1134 set_process_priority(); 1135 init_proto(); /* Call at high priority */ 1136 init_io(); 1137 init_loopfilter(); 1138 mon_start(MON_ON); /* monitor on by default now */ 1139 /* turn off in config if unwanted */ 1140 1141 /* 1142 * Get the configuration. This is done in a separate module 1143 * since this will definitely be different for the gizmo board. 1144 */ 1145 getconfig(argc, argv); 1146 1147 if (-1 == cur_memlock) { 1148# if defined(HAVE_MLOCKALL) 1149 /* 1150 * lock the process into memory 1151 */ 1152 if ( !HAVE_OPT(SAVECONFIGQUIT) 1153# ifdef RLIMIT_MEMLOCK 1154 && -1 != DFLT_RLIMIT_MEMLOCK 1155# endif 1156 && 0 != mlockall(MCL_CURRENT|MCL_FUTURE)) 1157 msyslog(LOG_ERR, "mlockall(): %m"); 1158# else /* !HAVE_MLOCKALL follows */ 1159# ifdef HAVE_PLOCK 1160# ifdef PROCLOCK 1161 /* 1162 * lock the process into memory 1163 */ 1164 if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(PROCLOCK)) 1165 msyslog(LOG_ERR, "plock(PROCLOCK): %m"); 1166# else /* !PROCLOCK follows */ 1167# ifdef TXTLOCK 1168 /* 1169 * Lock text into ram 1170 */ 1171 if (!HAVE_OPT(SAVECONFIGQUIT) && 0 != plock(TXTLOCK)) 1172 msyslog(LOG_ERR, "plock(TXTLOCK) error: %m"); 1173# else /* !TXTLOCK follows */ 1174 msyslog(LOG_ERR, "plock() - don't know what to lock!"); 1175# endif /* !TXTLOCK */ 1176# endif /* !PROCLOCK */ 1177# endif /* HAVE_PLOCK */ 1178# endif /* !HAVE_MLOCKALL */ 1179 } 1180 1181 loop_config(LOOP_DRIFTINIT, 0); 1182 report_event(EVNT_SYSRESTART, NULL, NULL); 1183 initializing = FALSE; 1184 1185# ifdef HAVE_LINUX_CAPABILITIES 1186 { 1187 /* Check that setting capabilities actually works; we might be 1188 * run on a kernel with disabled capabilities. We must not 1189 * drop privileges in this case. 1190 */ 1191 cap_t caps; 1192 caps = cap_from_text("cap_sys_time,cap_setuid,cap_setgid,cap_sys_chroot,cap_net_bind_service=pe"); 1193 if ( ! caps) { 1194 msyslog( LOG_ERR, "cap_from_text() failed: %m" ); 1195 exit(-1); 1196 } 1197 have_caps = (cap_set_proc(caps) == 0); 1198 cap_free(caps); /* caps not NULL here! */ 1199 } 1200# endif /* HAVE_LINUX_CAPABILITIES */ 1201 1202# ifdef HAVE_DROPROOT 1203# ifdef HAVE_LINUX_CAPABILITIES 1204 if (droproot && have_caps) { 1205# else 1206 if (droproot) { 1207# endif /*HAVE_LINUX_CAPABILITIES*/ 1208 1209# ifdef NEED_EARLY_FORK 1210 fork_nonchroot_worker(); 1211# endif 1212 1213 /* Drop super-user privileges and chroot now if the OS supports this */ 1214 1215# ifdef HAVE_LINUX_CAPABILITIES 1216 /* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */ 1217 if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) { 1218 msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" ); 1219 exit(-1); 1220 } 1221# elif HAVE_SOLARIS_PRIVS 1222 /* Nothing to do here */ 1223# else 1224 /* we need a user to switch to */ 1225 if (user == NULL) { 1226 msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" ); 1227 exit(-1); 1228 } 1229# endif /* HAVE_LINUX_CAPABILITIES || HAVE_SOLARIS_PRIVS */ 1230 1231 if (user != NULL) { 1232 if (0 == map_user()) 1233 exit (-1); 1234 } 1235 if (group != NULL) { 1236 if (0 == map_group()) 1237 exit (-1); 1238 } 1239 1240 if (chrootdir ) { 1241 /* make sure cwd is inside the jail: */ 1242 if (chdir(chrootdir)) { 1243 msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir); 1244 exit (-1); 1245 } 1246 if (chroot(chrootdir)) { 1247 msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir); 1248 exit (-1); 1249 } 1250 if (chdir("/")) { 1251 msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m"); 1252 exit (-1); 1253 } 1254 } 1255# ifdef HAVE_SOLARIS_PRIVS 1256 if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) { 1257 msyslog(LOG_ERR, "priv_str_to_set() failed:%m"); 1258 exit(-1); 1259 } 1260 if ((highprivs = priv_allocset()) == NULL) { 1261 msyslog(LOG_ERR, "priv_allocset() failed:%m"); 1262 exit(-1); 1263 } 1264 (void) getppriv(PRIV_PERMITTED, highprivs); 1265 (void) priv_intersect(highprivs, lowprivs); 1266 if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { 1267 msyslog(LOG_ERR, "setppriv() failed:%m"); 1268 exit(-1); 1269 } 1270# endif /* HAVE_SOLARIS_PRIVS */ 1271 if (0 == set_user_group_ids()) 1272 exit(-1); 1273 1274# if defined(HAVE_TRUSTEDBSD_MAC) 1275 /* 1276 * To manipulate system time and (re-)bind to NTP_PORT as needed 1277 * following interface changes, we must either run as uid 0 or 1278 * the mac_ntpd policy module must be enabled. 1279 */ 1280 if (sw_uid != 0 && mac_is_present("ntpd") != 1) { 1281 msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges"); 1282 exit (-1); 1283 } 1284# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) 1285 /* 1286 * for now assume that the privilege to bind to privileged ports 1287 * is associated with running with uid 0 - should be refined on 1288 * ports that allow binding to NTP_PORT with uid != 0 1289 */ 1290 disable_dynamic_updates |= (sw_uid != 0); /* also notifies routing message listener */ 1291# endif /* !HAVE_LINUX_CAPABILITIES && !HAVE_SOLARIS_PRIVS */ 1292 1293 if (disable_dynamic_updates && interface_interval) { 1294 interface_interval = 0; 1295 msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking"); 1296 } 1297 1298# ifdef HAVE_LINUX_CAPABILITIES 1299 { 1300 /* 1301 * We may be running under non-root uid now, but we still hold full root privileges! 1302 * We drop all of them, except for the crucial one or two: cap_sys_time and 1303 * cap_net_bind_service if doing dynamic interface tracking. 1304 */ 1305 cap_t caps; 1306 char *captext; 1307 1308 captext = (0 != interface_interval) 1309 ? "cap_sys_time,cap_net_bind_service=pe" 1310 : "cap_sys_time=pe"; 1311 caps = cap_from_text(captext); 1312 if (!caps) { 1313 msyslog(LOG_ERR, 1314 "cap_from_text(%s) failed: %m", 1315 captext); 1316 exit(-1); 1317 } 1318 if (-1 == cap_set_proc(caps)) { 1319 msyslog(LOG_ERR, 1320 "cap_set_proc() failed to drop root privs: %m"); 1321 exit(-1); 1322 } 1323 cap_free(caps); 1324 } 1325# endif /* HAVE_LINUX_CAPABILITIES */ 1326# ifdef HAVE_SOLARIS_PRIVS 1327 if (priv_delset(lowprivs, "proc_setid") == -1) { 1328 msyslog(LOG_ERR, "priv_delset() failed:%m"); 1329 exit(-1); 1330 } 1331 if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) { 1332 msyslog(LOG_ERR, "setppriv() failed:%m"); 1333 exit(-1); 1334 } 1335 priv_freeset(lowprivs); 1336 priv_freeset(highprivs); 1337# endif /* HAVE_SOLARIS_PRIVS */ 1338 root_dropped = TRUE; 1339 fork_deferred_worker(); 1340 } /* if (droproot) */ 1341# endif /* HAVE_DROPROOT */ 1342 1343/* libssecomp sandboxing */ 1344#if defined (LIBSECCOMP) && (KERN_SECCOMP) 1345 scmp_filter_ctx ctx; 1346 1347 if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0) 1348 msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__); 1349 else { 1350 msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__); 1351 } 1352 1353#ifdef __x86_64__ 1354int scmp_sc[] = { 1355 SCMP_SYS(adjtimex), 1356 SCMP_SYS(bind), 1357 SCMP_SYS(brk), 1358 SCMP_SYS(chdir), 1359 SCMP_SYS(clock_gettime), 1360 SCMP_SYS(clock_settime), 1361 SCMP_SYS(close), 1362 SCMP_SYS(connect), 1363 SCMP_SYS(exit_group), 1364 SCMP_SYS(fstat), 1365 SCMP_SYS(fsync), 1366 SCMP_SYS(futex), 1367 SCMP_SYS(getitimer), 1368 SCMP_SYS(getsockname), 1369 SCMP_SYS(ioctl), 1370 SCMP_SYS(lseek), 1371 SCMP_SYS(madvise), 1372 SCMP_SYS(mmap), 1373 SCMP_SYS(munmap), 1374 SCMP_SYS(open), 1375 SCMP_SYS(poll), 1376 SCMP_SYS(read), 1377 SCMP_SYS(recvmsg), 1378 SCMP_SYS(rename), 1379 SCMP_SYS(rt_sigaction), 1380 SCMP_SYS(rt_sigprocmask), 1381 SCMP_SYS(rt_sigreturn), 1382 SCMP_SYS(select), 1383 SCMP_SYS(sendto), 1384 SCMP_SYS(setitimer), 1385 SCMP_SYS(setsid), 1386 SCMP_SYS(socket), 1387 SCMP_SYS(stat), 1388 SCMP_SYS(time), 1389 SCMP_SYS(write), 1390}; 1391#endif 1392#ifdef __i386__ 1393int scmp_sc[] = { 1394 SCMP_SYS(_newselect), 1395 SCMP_SYS(adjtimex), 1396 SCMP_SYS(brk), 1397 SCMP_SYS(chdir), 1398 SCMP_SYS(clock_gettime), 1399 SCMP_SYS(clock_settime), 1400 SCMP_SYS(close), 1401 SCMP_SYS(exit_group), 1402 SCMP_SYS(fsync), 1403 SCMP_SYS(futex), 1404 SCMP_SYS(getitimer), 1405 SCMP_SYS(madvise), 1406 SCMP_SYS(mmap), 1407 SCMP_SYS(mmap2), 1408 SCMP_SYS(munmap), 1409 SCMP_SYS(open), 1410 SCMP_SYS(poll), 1411 SCMP_SYS(read), 1412 SCMP_SYS(rename), 1413 SCMP_SYS(rt_sigaction), 1414 SCMP_SYS(rt_sigprocmask), 1415 SCMP_SYS(select), 1416 SCMP_SYS(setitimer), 1417 SCMP_SYS(setsid), 1418 SCMP_SYS(sigprocmask), 1419 SCMP_SYS(sigreturn), 1420 SCMP_SYS(socketcall), 1421 SCMP_SYS(stat64), 1422 SCMP_SYS(time), 1423 SCMP_SYS(write), 1424}; 1425#endif 1426 { 1427 int i; 1428 1429 for (i = 0; i < COUNTOF(scmp_sc); i++) { 1430 if (seccomp_rule_add(ctx, 1431 SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) { 1432 msyslog(LOG_ERR, 1433 "%s: seccomp_rule_add() failed: %m", 1434 __func__); 1435 } 1436 } 1437 } 1438 1439 if (seccomp_load(ctx) < 0) 1440 msyslog(LOG_ERR, "%s: seccomp_load() failed: %m", 1441 __func__); 1442 else { 1443 msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__); 1444 } 1445#endif /* LIBSECCOMP and KERN_SECCOMP */ 1446 1447#if defined(SYS_WINNT) 1448 ntservice_isup(); 1449#elif defined(HAVE_WORKING_FORK) 1450 if (daemon_pipe[1] != -1) { 1451 write(daemon_pipe[1], "R\n", 2); 1452 } 1453#endif /* HAVE_WORKING_FORK */ 1454 1455# ifndef HAVE_IO_COMPLETION_PORT 1456 BLOCK_IO_AND_ALARM(); 1457 was_alarmed = FALSE; 1458# endif 1459 1460 for (;;) { 1461#if !defined(SIM) && defined(SIGDIE1) 1462 if (signalled) 1463 finish_safe(signo); 1464#endif 1465# ifdef HAVE_IO_COMPLETION_PORT 1466 GetReceivedBuffers(); 1467 1468# else /* normal I/O */ 1469 if (alarm_flag) { /* alarmed? */ 1470 was_alarmed = TRUE; 1471 alarm_flag = FALSE; 1472 } 1473 1474 /* collect async name/addr results */ 1475 if (!was_alarmed) 1476 harvest_blocking_responses(); 1477 1478 if (!was_alarmed && !has_full_recv_buffer()) { 1479 /* 1480 * Nothing to do. Wait for something. 1481 */ 1482 io_handler(); 1483 } 1484 1485 if (alarm_flag) { /* alarmed? */ 1486 was_alarmed = TRUE; 1487 alarm_flag = FALSE; 1488 } 1489 1490 if (was_alarmed) { 1491 UNBLOCK_IO_AND_ALARM(); 1492 /* 1493 * Out here, signals are unblocked. Call timer routine 1494 * to process expiry. 1495 */ 1496 timer(); 1497 was_alarmed = FALSE; 1498 BLOCK_IO_AND_ALARM(); 1499 } 1500 1501# endif /* !HAVE_IO_COMPLETION_PORT */ 1502 1503# ifdef DEBUG_TIMING 1504 { 1505 l_fp pts; 1506 l_fp tsa, tsb; 1507 int bufcount = 0; 1508 1509 get_systime(&pts); 1510 tsa = pts; 1511# endif 1512 rbuf = get_full_recv_buffer(); 1513 while (rbuf != NULL) { 1514 if (alarm_flag) { 1515 was_alarmed = TRUE; 1516 alarm_flag = FALSE; 1517 } 1518 UNBLOCK_IO_AND_ALARM(); 1519 1520 if (was_alarmed) { 1521 /* avoid timer starvation during lengthy I/O handling */ 1522 timer(); 1523 was_alarmed = FALSE; 1524 } 1525 1526 /* 1527 * Call the data procedure to handle each received 1528 * packet. 1529 */ 1530 if (rbuf->receiver != NULL) { 1531# ifdef DEBUG_TIMING 1532 l_fp dts = pts; 1533 1534 L_SUB(&dts, &rbuf->recv_time); 1535 DPRINTF(2, ("processing timestamp delta %s (with prec. fuzz)\n", lfptoa(&dts, 9))); 1536 collect_timing(rbuf, "buffer processing delay", 1, &dts); 1537 bufcount++; 1538# endif 1539 (*rbuf->receiver)(rbuf); 1540 } else { 1541 msyslog(LOG_ERR, "fatal: receive buffer callback NULL"); 1542 abort(); 1543 } 1544 1545 BLOCK_IO_AND_ALARM(); 1546 freerecvbuf(rbuf); 1547 rbuf = get_full_recv_buffer(); 1548 } 1549# ifdef DEBUG_TIMING 1550 get_systime(&tsb); 1551 L_SUB(&tsb, &tsa); 1552 if (bufcount) { 1553 collect_timing(NULL, "processing", bufcount, &tsb); 1554 DPRINTF(2, ("processing time for %d buffers %s\n", bufcount, lfptoa(&tsb, 9))); 1555 } 1556 } 1557# endif 1558 1559 /* 1560 * Go around again 1561 */ 1562 1563# ifdef HAVE_DNSREGISTRATION 1564 if (mdnsreg && (current_time - mdnsreg ) > 60 && mdnstries && sys_leap != LEAP_NOTINSYNC) { 1565 mdnsreg = current_time; 1566 msyslog(LOG_INFO, "Attempting to register mDNS"); 1567 if ( DNSServiceRegister (&mdns, 0, 0, NULL, "_ntp._udp", NULL, NULL, 1568 htons(NTP_PORT), 0, NULL, NULL, NULL) != kDNSServiceErr_NoError ) { 1569 if (!--mdnstries) { 1570 msyslog(LOG_ERR, "Unable to register mDNS, giving up."); 1571 } else { 1572 msyslog(LOG_INFO, "Unable to register mDNS, will try later."); 1573 } 1574 } else { 1575 msyslog(LOG_INFO, "mDNS service registered."); 1576 mdnsreg = FALSE; 1577 } 1578 } 1579# endif /* HAVE_DNSREGISTRATION */ 1580 1581 } 1582 UNBLOCK_IO_AND_ALARM(); 1583 return 1; 1584} 1585#endif /* !SIM */ 1586 1587 1588#if !defined(SIM) && defined(SIGDIE1) 1589/* 1590 * finish - exit gracefully 1591 */ 1592static void 1593finish_safe( 1594 int sig 1595 ) 1596{ 1597 const char *sig_desc; 1598 1599 sig_desc = NULL; 1600#ifdef HAVE_STRSIGNAL 1601 sig_desc = strsignal(sig); 1602#endif 1603 if (sig_desc == NULL) 1604 sig_desc = ""; 1605 msyslog(LOG_NOTICE, "%s exiting on signal %d (%s)", progname, 1606 sig, sig_desc); 1607 /* See Bug 2513 and Bug 2522 re the unlink of PIDFILE */ 1608# ifdef HAVE_DNSREGISTRATION 1609 if (mdns != NULL) 1610 DNSServiceRefDeallocate(mdns); 1611# endif 1612 peer_cleanup(); 1613 exit(0); 1614} 1615 1616static RETSIGTYPE 1617finish( 1618 int sig 1619 ) 1620{ 1621 signalled = 1; 1622 signo = sig; 1623} 1624 1625#endif /* !SIM && SIGDIE1 */ 1626 1627 1628#ifndef SIM 1629/* 1630 * wait_child_sync_if - implements parent side of -w/--wait-sync 1631 */ 1632# ifdef HAVE_WORKING_FORK 1633 1634static int 1635wait_child_sync_if( 1636 int pipe_read_fd, 1637 unsigned long wait_sync 1638 ) 1639{ 1640 int rc; 1641 char ch; 1642 time_t wait_end_time; 1643 time_t cur_time; 1644 time_t wait_rem; 1645 fd_set readset; 1646 struct timeval wtimeout; 1647 1648 /* we wait a bit for the child in *any* case, because on failure 1649 * of the child we have to get and inspect the exit code! 1650 */ 1651 wait_end_time = time(NULL); 1652 if (wait_sync) 1653 wait_end_time += wait_sync; 1654 else 1655 wait_end_time += 30; 1656 1657 do { 1658 cur_time = time(NULL); 1659 wait_rem = (wait_end_time > cur_time) 1660 ? (wait_end_time - cur_time) 1661 : 0; 1662 wtimeout.tv_sec = wait_rem; 1663 wtimeout.tv_usec = 0; 1664 FD_ZERO(&readset); 1665 FD_SET(pipe_read_fd, &readset); 1666 rc = select(pipe_read_fd + 1, &readset, NULL, NULL, 1667 &wtimeout); 1668 if (-1 == rc) { 1669 if (EINTR == errno) 1670 continue; 1671 msyslog(LOG_ERR, 1672 "daemon startup: select failed: %m"); 1673 return EX_IOERR; 1674 } 1675 if (0 == rc) { 1676 /* 1677 * select() indicated a timeout, but in case 1678 * its timeouts are affected by a step of the 1679 * system clock, select() again with a zero 1680 * timeout to confirm. 1681 */ 1682 FD_ZERO(&readset); 1683 FD_SET(pipe_read_fd, &readset); 1684 wtimeout.tv_sec = 0; 1685 wtimeout.tv_usec = 0; 1686 rc = select(pipe_read_fd + 1, &readset, NULL, 1687 NULL, &wtimeout); 1688 if (0 == rc) /* select() timeout */ 1689 break; 1690 } 1691 rc = read(pipe_read_fd, &ch, 1); 1692 if (rc == 0) { 1693 DPRINTF(2, ("daemon control: got EOF\n")); 1694 return -1; /* unexpected EOF, check daemon */ 1695 } else if (rc == 1) { 1696 DPRINTF(2, ("daemon control: got '%c'\n", 1697 (ch >= ' ' ? ch : '.'))); 1698 if (ch == 'R' && !wait_sync) 1699 return 0; 1700 if (ch == 'S' && wait_sync) 1701 return 0; 1702 } else { 1703 DPRINTF(2, ("daemon control: read 1 char failed: %s\n", 1704 strerror(errno))); 1705 return EX_IOERR; 1706 } 1707 } while (wait_rem > 0); 1708 1709 if (wait_sync) { 1710 fprintf(stderr, "%s: -w/--wait-sync %ld timed out.\n", 1711 progname, wait_sync); 1712 return EX_PROTOCOL; 1713 } else { 1714 fprintf(stderr, "%s: daemon startup monitoring timed out.\n", 1715 progname); 1716 return 0; 1717 } 1718} 1719 1720 1721static int 1722wait_child_exit_if( 1723 pid_t cpid, 1724 int blocking 1725 ) 1726{ 1727# ifdef HAVE_WAITPID 1728 int rc = 0; 1729 int wstatus; 1730 if (cpid == waitpid(cpid, &wstatus, (blocking ? 0 : WNOHANG))) { 1731 DPRINTF(1, ("child (pid=%d) dead now\n", cpid)); 1732 if (WIFEXITED(wstatus)) { 1733 rc = WEXITSTATUS(wstatus); 1734 msyslog(LOG_ERR, "daemon child exited with code %d", 1735 rc); 1736 } else if (WIFSIGNALED(wstatus)) { 1737 rc = EX_SOFTWARE; 1738 msyslog(LOG_ERR, "daemon child died with signal %d", 1739 WTERMSIG(wstatus)); 1740 } else { 1741 rc = EX_SOFTWARE; 1742 msyslog(LOG_ERR, "daemon child died with unknown cause"); 1743 } 1744 } else { 1745 DPRINTF(1, ("child (pid=%d) still alive\n", cpid)); 1746 } 1747 return rc; 1748# else 1749 UNUSED_ARG(cpid); 1750 return 0; 1751# endif 1752} 1753 1754# endif /* HAVE_WORKING_FORK */ 1755 1756 1757/* 1758 * assertion_failed - Redirect assertion failures to msyslog(). 1759 */ 1760static void 1761assertion_failed( 1762 const char *file, 1763 int line, 1764 isc_assertiontype_t type, 1765 const char *cond 1766 ) 1767{ 1768 isc_assertion_setcallback(NULL); /* Avoid recursion */ 1769 1770 msyslog(LOG_ERR, "%s:%d: %s(%s) failed", 1771 file, line, isc_assertion_typetotext(type), cond); 1772 msyslog(LOG_ERR, "exiting (due to assertion failure)"); 1773 1774#if defined(DEBUG) && defined(SYS_WINNT) 1775 if (debug) 1776 DebugBreak(); 1777#endif 1778 1779 abort(); 1780} 1781 1782 1783/* 1784 * library_fatal_error - Handle fatal errors from our libraries. 1785 */ 1786static void 1787library_fatal_error( 1788 const char *file, 1789 int line, 1790 const char *format, 1791 va_list args 1792 ) 1793{ 1794 char errbuf[256]; 1795 1796 isc_error_setfatal(NULL); /* Avoid recursion */ 1797 1798 msyslog(LOG_ERR, "%s:%d: fatal error:", file, line); 1799 vsnprintf(errbuf, sizeof(errbuf), format, args); 1800 msyslog(LOG_ERR, "%s", errbuf); 1801 msyslog(LOG_ERR, "exiting (due to fatal error in library)"); 1802 1803#if defined(DEBUG) && defined(SYS_WINNT) 1804 if (debug) 1805 DebugBreak(); 1806#endif 1807 1808 abort(); 1809} 1810 1811 1812/* 1813 * library_unexpected_error - Handle non fatal errors from our libraries. 1814 */ 1815# define MAX_UNEXPECTED_ERRORS 100 1816int unexpected_error_cnt = 0; 1817static void 1818library_unexpected_error( 1819 const char *file, 1820 int line, 1821 const char *format, 1822 va_list args 1823 ) 1824{ 1825 char errbuf[256]; 1826 1827 if (unexpected_error_cnt >= MAX_UNEXPECTED_ERRORS) 1828 return; /* avoid clutter in log */ 1829 1830 msyslog(LOG_ERR, "%s:%d: unexpected error:", file, line); 1831 vsnprintf(errbuf, sizeof(errbuf), format, args); 1832 msyslog(LOG_ERR, "%s", errbuf); 1833 1834 if (++unexpected_error_cnt == MAX_UNEXPECTED_ERRORS) 1835 msyslog(LOG_ERR, "Too many errors. Shutting up."); 1836 1837} 1838#endif /* !SIM */ 1839 1840#if !defined(SIM) && !defined(SYS_WINNT) 1841# ifdef DEBUG 1842 1843/* 1844 * moredebug - increase debugging verbosity 1845 */ 1846static RETSIGTYPE 1847moredebug( 1848 int sig 1849 ) 1850{ 1851 int saved_errno = errno; 1852 1853 if (debug < 255) 1854 { 1855 debug++; 1856 msyslog(LOG_DEBUG, "debug raised to %d", debug); 1857 } 1858 errno = saved_errno; 1859} 1860 1861 1862/* 1863 * lessdebug - decrease debugging verbosity 1864 */ 1865static RETSIGTYPE 1866lessdebug( 1867 int sig 1868 ) 1869{ 1870 int saved_errno = errno; 1871 1872 if (debug > 0) 1873 { 1874 debug--; 1875 msyslog(LOG_DEBUG, "debug lowered to %d", debug); 1876 } 1877 errno = saved_errno; 1878} 1879 1880# else /* !DEBUG follows */ 1881 1882 1883/* 1884 * no_debug - We don't do the debug here. 1885 */ 1886static RETSIGTYPE 1887no_debug( 1888 int sig 1889 ) 1890{ 1891 int saved_errno = errno; 1892 1893 msyslog(LOG_DEBUG, "ntpd not compiled for debugging (signal %d)", sig); 1894 errno = saved_errno; 1895} 1896# endif /* !DEBUG */ 1897#endif /* !SIM && !SYS_WINNT */ 1898