do_command.c revision 1.60 
1/*	$OpenBSD: do_command.c,v 1.60 2019/06/28 13:32:47 deraadt Exp $	*/
2
3/* Copyright 1988,1990,1993,1994 by Paul Vixie
4 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
5 * Copyright (c) 1997,2000 by Internet Software Consortium, Inc.
6 * Copyright (c) 2018 Job Snijders <job@openbsd.org>
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
18 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
20
21#include <sys/types.h>
22#include <sys/wait.h>
23
24#include <bitstring.h>		/* for structs.h */
25#include <bsd_auth.h>
26#include <ctype.h>
27#include <err.h>
28#include <errno.h>
29#include <fcntl.h>
30#include <limits.h>
31#include <login_cap.h>
32#include <pwd.h>
33#include <signal.h>
34#include <stdio.h>
35#include <stdlib.h>
36#include <string.h>
37#include <syslog.h>
38#include <time.h>		/* for structs.h */
39#include <unistd.h>
40#include <vis.h>
41
42#include "config.h"
43#include "pathnames.h"
44#include "macros.h"
45#include "structs.h"
46#include "funcs.h"
47
48static void		child_process(entry *, user *);
49
50void
51do_command(entry *e, user *u)
52{
53
54	/* fork to become asynchronous -- parent process is done immediately,
55	 * and continues to run the normal cron code, which means return to
56	 * tick().  the child and grandchild don't leave this function, alive.
57	 *
58	 * vfork() is unsuitable, since we have much to do, and the parent
59	 * needs to be able to run off and fork other processes.
60	 */
61	switch (fork()) {
62	case -1:
63		syslog(LOG_ERR, "(CRON) CAN'T FORK (%m)");
64		break;
65	case 0:
66		/* child process */
67		child_process(e, u);
68		_exit(EXIT_SUCCESS);
69		break;
70	default:
71		/* parent process */
72		break;
73	}
74}
75
76static void
77child_process(entry *e, user *u)
78{
79	FILE *in;
80	int stdin_pipe[2], stdout_pipe[2];
81	char **p, *input_data, *usernm;
82	auth_session_t *as;
83	login_cap_t *lc;
84	extern char **environ;
85
86	/* mark ourselves as different to PS command watchers */
87	setproctitle("running job");
88
89	/* close sockets from parent (i.e. cronSock) */
90	closefrom(3);
91
92	/* discover some useful and important environment settings
93	 */
94	usernm = e->pwd->pw_name;
95
96	/* our parent is watching for our death by catching SIGCHLD.  we
97	 * do not care to watch for our children's deaths this way -- we
98	 * use wait() explicitly.  so we have to reset the signal (which
99	 * was inherited from the parent).
100	 */
101	(void) signal(SIGCHLD, SIG_DFL);
102
103	/* create some pipes to talk to our future child
104	 */
105	if (pipe(stdin_pipe) != 0 || pipe(stdout_pipe) != 0) {
106		syslog(LOG_ERR, "(CRON) PIPE (%m)");
107		_exit(EXIT_FAILURE);
108	}
109
110	/* since we are a forked process, we can diddle the command string
111	 * we were passed -- nobody else is going to use it again, right?
112	 *
113	 * if a % is present in the command, previous characters are the
114	 * command, and subsequent characters are the additional input to
115	 * the command.  An escaped % will have the escape character stripped
116	 * from it.  Subsequent %'s will be transformed into newlines,
117	 * but that happens later.
118	 */
119	/*local*/{
120		int escaped = FALSE;
121		int ch;
122		char *p;
123
124		for (input_data = p = e->cmd;
125		     (ch = *input_data) != '\0';
126		     input_data++, p++) {
127			if (p != input_data)
128				*p = ch;
129			if (escaped) {
130				if (ch == '%')
131					*--p = ch;
132				escaped = FALSE;
133				continue;
134			}
135			if (ch == '\\') {
136				escaped = TRUE;
137				continue;
138			}
139			if (ch == '%') {
140				*input_data++ = '\0';
141				break;
142			}
143		}
144		*p = '\0';
145	}
146
147	/* fork again, this time so we can exec the user's command.
148	 */
149
150	pid_t	jobpid;
151	switch (jobpid = fork()) {
152	case -1:
153		syslog(LOG_ERR, "(CRON) CAN'T FORK (%m)");
154		_exit(EXIT_FAILURE);
155		/*NOTREACHED*/
156	case 0:
157		/* write a log message.  we've waited this long to do it
158		 * because it was not until now that we knew the PID that
159		 * the actual user command shell was going to get and the
160		 * PID is part of the log message.
161		 */
162		if ((e->flags & DONT_LOG) == 0) {
163			char *x;
164			if (stravis(&x, e->cmd, 0) != -1) {
165				syslog(LOG_INFO, "(%s) CMD (%s)", usernm, x);
166				free(x);
167			}
168		}
169
170		/* get new pgrp, void tty, etc.
171		 */
172		(void) setsid();
173
174		/* close the pipe ends that we won't use.  this doesn't affect
175		 * the parent, who has to read and write them; it keeps the
176		 * kernel from recording us as a potential client TWICE --
177		 * which would keep it from sending SIGPIPE in otherwise
178		 * appropriate circumstances.
179		 */
180		close(stdin_pipe[WRITE_PIPE]);
181		close(stdout_pipe[READ_PIPE]);
182
183		/* grandchild process.  make std{in,out} be the ends of
184		 * pipes opened by our daddy; make stderr go to stdout.
185		 */
186		if (stdin_pipe[READ_PIPE] != STDIN_FILENO) {
187			dup2(stdin_pipe[READ_PIPE], STDIN_FILENO);
188			close(stdin_pipe[READ_PIPE]);
189		}
190		if (stdout_pipe[WRITE_PIPE] != STDOUT_FILENO) {
191			dup2(stdout_pipe[WRITE_PIPE], STDOUT_FILENO);
192			close(stdout_pipe[WRITE_PIPE]);
193		}
194		dup2(STDOUT_FILENO, STDERR_FILENO);
195
196		/*
197		 * From this point on, anything written to stderr will be
198		 * mailed to the user as output.
199		 */
200
201		/* XXX - should just pass in a login_cap_t * */
202		if ((lc = login_getclass(e->pwd->pw_class)) == NULL) {
203			warnx("unable to get login class for %s",
204			    e->pwd->pw_name);
205			syslog(LOG_ERR, "(CRON) CAN'T GET LOGIN CLASS (%s)",
206			    e->pwd->pw_name);
207			_exit(EXIT_FAILURE);
208		}
209		if (setusercontext(lc, e->pwd, e->pwd->pw_uid, LOGIN_SETALL) == -1) {
210			warn("setusercontext failed for %s", e->pwd->pw_name);
211			syslog(LOG_ERR, "(%s) SETUSERCONTEXT FAILED (%m)",
212			    e->pwd->pw_name);
213			_exit(EXIT_FAILURE);
214		}
215		as = auth_open();
216		if (as == NULL || auth_setpwd(as, e->pwd) != 0) {
217			warn("auth_setpwd");
218			syslog(LOG_ERR, "(%s) AUTH_SETPWD FAILED (%m)",
219			    e->pwd->pw_name);
220			_exit(EXIT_FAILURE);
221		}
222		if (auth_approval(as, lc, usernm, "cron") <= 0) {
223			warnx("approval failed for %s", e->pwd->pw_name);
224			syslog(LOG_ERR, "(%s) APPROVAL FAILED (cron)",
225			    e->pwd->pw_name);
226			_exit(EXIT_FAILURE);
227		}
228		auth_close(as);
229		login_close(lc);
230
231		/* If no PATH specified in crontab file but
232		 * we just added one via login.conf, add it to
233		 * the crontab environment.
234		 */
235		if (env_get("PATH", e->envp) == NULL && environ != NULL) {
236			for (p = environ; *p; p++) {
237				if (strncmp(*p, "PATH=", 5) == 0) {
238					e->envp = env_set(e->envp, *p);
239					break;
240				}
241			}
242		}
243		chdir(env_get("HOME", e->envp));
244
245		(void) signal(SIGPIPE, SIG_DFL);
246
247		/*
248		 * Exec the command.
249		 */
250		{
251			char	*shell = env_get("SHELL", e->envp);
252
253			execle(shell, shell, "-c", e->cmd, (char *)NULL, e->envp);
254			warn("unable to execute %s", shell);
255			syslog(LOG_ERR, "(%s) CAN'T EXEC (%s: %m)",
256			    e->pwd->pw_name, shell);
257			_exit(EXIT_FAILURE);
258		}
259		break;
260	default:
261		/* parent process */
262		break;
263	}
264
265	/* middle process, child of original cron, parent of process running
266	 * the user's command.
267	 */
268
269	/* close the ends of the pipe that will only be referenced in the
270	 * grandchild process...
271	 */
272	close(stdin_pipe[READ_PIPE]);
273	close(stdout_pipe[WRITE_PIPE]);
274
275	/*
276	 * write, to the pipe connected to child's stdin, any input specified
277	 * after a % in the crontab entry.  while we copy, convert any
278	 * additional %'s to newlines.  when done, if some characters were
279	 * written and the last one wasn't a newline, write a newline.
280	 *
281	 * Note that if the input data won't fit into one pipe buffer (2K
282	 * or 4K on most BSD systems), and the child doesn't read its stdin,
283	 * we would block here.  thus we must fork again.
284	 */
285
286	pid_t	stdinjob;
287	if (*input_data && (stdinjob = fork()) == 0) {
288		FILE *out = fdopen(stdin_pipe[WRITE_PIPE], "w");
289		int need_newline = FALSE;
290		int escaped = FALSE;
291		int ch;
292
293		/* close the pipe we don't use, since we inherited it and
294		 * are part of its reference count now.
295		 */
296		close(stdout_pipe[READ_PIPE]);
297
298		/* translation:
299		 *	\% -> %
300		 *	%  -> \n
301		 *	\x -> \x	for all x != %
302		 */
303		while ((ch = *input_data++) != '\0') {
304			if (escaped) {
305				if (ch != '%')
306					putc('\\', out);
307			} else {
308				if (ch == '%')
309					ch = '\n';
310			}
311
312			if (!(escaped = (ch == '\\'))) {
313				putc(ch, out);
314				need_newline = (ch != '\n');
315			}
316		}
317		if (escaped)
318			putc('\\', out);
319		if (need_newline)
320			putc('\n', out);
321
322		/* close the pipe, causing an EOF condition.  fclose causes
323		 * stdin_pipe[WRITE_PIPE] to be closed, too.
324		 */
325		fclose(out);
326
327		_exit(EXIT_SUCCESS);
328	}
329
330	/* close the pipe to the grandkiddie's stdin, since its wicked uncle
331	 * ernie back there has it open and will close it when he's done.
332	 */
333	close(stdin_pipe[WRITE_PIPE]);
334
335	/*
336	 * read output from the grandchild.  it's stderr has been redirected to
337	 * it's stdout, which has been redirected to our pipe.  if there is any
338	 * output, we'll be mailing it to the user whose crontab this is...
339	 * when the grandchild exits, we'll get EOF.
340	 */
341
342	(void) signal(SIGPIPE, SIG_IGN);
343	in = fdopen(stdout_pipe[READ_PIPE], "r");
344
345	char	*mailto;
346	FILE	*mail = NULL;
347	int	status = 0;
348	pid_t	mailpid;
349	size_t	bytes = 1;
350
351	if (in != NULL) {
352		int	ch = getc(in);
353
354		if (ch != EOF) {
355
356			/* get name of recipient.  this is MAILTO if set to a
357			 * valid local username; USER otherwise.
358			 */
359			mailto = env_get("MAILTO", e->envp);
360			if (!mailto) {
361				/* MAILTO not present, set to USER.
362				 */
363				mailto = usernm;
364			} else if (!*mailto || !safe_p(usernm, mailto)) {
365				mailto = NULL;
366			}
367
368			/* if we are supposed to be mailing, MAILTO will
369			 * be non-NULL.  only in this case should we set
370			 * up the mail command and subjects and stuff...
371			 */
372
373			if (mailto) {
374				char	**env;
375				char	mailcmd[MAX_COMMAND];
376				char	hostname[HOST_NAME_MAX + 1];
377
378				gethostname(hostname, sizeof(hostname));
379				if (snprintf(mailcmd, sizeof mailcmd,  MAILFMT,
380				    MAILARG) >= sizeof mailcmd) {
381					syslog(LOG_ERR,
382					    "(%s) ERROR (mailcmd too long)",
383					    e->pwd->pw_name);
384					(void) _exit(EXIT_FAILURE);
385				}
386				if (!(mail = cron_popen(mailcmd, "w", e->pwd,
387				    &mailpid))) {
388					syslog(LOG_ERR, "(%s) POPEN (%s)",
389					    e->pwd->pw_name, mailcmd);
390					(void) _exit(EXIT_FAILURE);
391				}
392				fprintf(mail, "From: root (Cron Daemon)\n");
393				fprintf(mail, "To: %s\n", mailto);
394				fprintf(mail, "Subject: Cron <%s@%s> %s\n",
395					usernm, first_word(hostname, "."),
396					e->cmd);
397				fprintf(mail, "Auto-Submitted: auto-generated\n");
398				for (env = e->envp;  *env;  env++)
399					fprintf(mail, "X-Cron-Env: <%s>\n",
400						*env);
401				fprintf(mail, "\n");
402
403				/* this was the first char from the pipe
404				 */
405				fputc(ch, mail);
406			}
407
408			/* we have to read the input pipe no matter whether
409			 * we mail or not, but obviously we only write to
410			 * mail pipe if we ARE mailing.
411			 */
412
413			while (EOF != (ch = getc(in))) {
414				bytes++;
415				if (mail)
416					fputc(ch, mail);
417			}
418
419		} /*if data from grandchild*/
420
421		fclose(in);	/* also closes stdout_pipe[READ_PIPE] */
422	}
423
424	/* wait for children to die.
425	 */
426	int waiter;
427	if (jobpid > 0) {
428		while (waitpid(jobpid, &waiter, 0) == -1 && errno == EINTR)
429			;
430
431		/* If everything went well, and -n was set, _and_ we have mail,
432		 * we won't be mailing... so shoot the messenger!
433		 */
434		if (WIFEXITED(waiter) && WEXITSTATUS(waiter) == 0
435		    && (e->flags & MAIL_WHEN_ERR) == MAIL_WHEN_ERR
436		    && mail) {
437			kill(mailpid, SIGKILL);
438			(void)fclose(mail);
439			mail = NULL;
440		}
441
442		/* only close pipe if we opened it -- i.e., we're mailing... */
443		if (mail) {
444			/*
445			 * Note: the pclose will probably see the termination
446			 * of the grandchild in addition to the mail process,
447			 * since it (the grandchild) is likely to exit after
448			 * closing its stdout.
449			 */
450			status = cron_pclose(mail, mailpid);
451		}
452
453		/* if there was output and we could not mail it,
454		 * log the facts so the poor user can figure out
455		 * what's going on.
456		 */
457		if (mail && status) {
458			syslog(LOG_NOTICE, "(%s) MAIL (mailed %zu byte"
459			    "%s of output but got status 0x%04x)", usernm,
460			    bytes, (bytes == 1) ? "" : "s", status);
461		}
462	}
463
464	if (stdinjob > 0)
465		while (waitpid(stdinjob, &waiter, 0) == -1 && errno == EINTR)
466			;
467}
468
469int
470safe_p(const char *usernm, const char *s)
471{
472	static const char safe_delim[] = "@!:%+-.,";     /* conservative! */
473	const char *t;
474	int ch, first;
475
476	for (t = s, first = 1; (ch = (unsigned char)*t++) != '\0'; first = 0) {
477		if (isascii(ch) && isprint(ch) &&
478		    (isalnum(ch) || ch == '_' ||
479		    (!first && strchr(safe_delim, ch))))
480			continue;
481		syslog(LOG_WARNING, "(%s) UNSAFE (%s)", usernm, s);
482		return (FALSE);
483	}
484	return (TRUE);
485}
486