kadmin/kadm_conn.c

   1 /*
   2  * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kadmin_locl.h"
  35 #ifdef HAVE_SYS_WAIT_H
  36 #include <sys/wait.h>
  37 #endif
  38
  39 extern int daemon_child;
  40
  41 struct kadm_port {
  42     char *port;
  43     unsigned short def_port;
  44     struct kadm_port *next;
  45 } *kadm_ports;
  46
  47 static void
  48 add_kadm_port(krb5_context contextp, const char *service, unsigned int port)
  49 {
  50     struct kadm_port *p;
  51     p = malloc(sizeof(*p));
  52     if(p == NULL) {
  53         krb5_warnx(contextp, "failed to allocate %lu bytes\n",
  54                    (unsigned long)sizeof(*p));
  55         return;
  56     }
  57
  58     p->port = strdup(service);
  59     p->def_port = port;
  60
  61     p->next = kadm_ports;
  62     kadm_ports = p;
  63 }
  64
  65 static void
  66 add_standard_ports (krb5_context contextp)
  67 {
  68     if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
  69             NULL))
  70         add_kadm_port(contextp, "749", 749);
  71     else
  72         add_kadm_port(contextp, "kerberos-adm", 749);
  73 }
  74
  75 /*
  76  * parse the set of space-delimited ports in `str' and add them.
  77  * "+" => all the standard ones
  78  * otherwise it's port|service[/protocol]
  79  */
  80
  81 void
  82 parse_ports(krb5_context contextp, const char *str)
  83 {
  84     char p[128];
  85
  86     while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) {
  87         if(strcmp(p, "+") == 0)
  88             add_standard_ports(contextp);
  89         else
  90             add_kadm_port(contextp, p, 0);
  91     }
  92 }
  93
  94 static pid_t pgrp;
  95 sig_atomic_t term_flag, doing_useful_work;
  96
  97 static RETSIGTYPE
  98 sigchld(int sig)
  99 {
 100     int status;
 101     /*
 102      * waitpid() is async safe. will return -1 or 0 on no more zombie
 103      * children
 104      */
 105     while ((waitpid(-1, &status, WNOHANG)) > 0)
 106         ;
 107     SIGRETURN(0);
 108 }
 109
 110 static RETSIGTYPE
 111 terminate(int sig)
 112 {
 113     if(getpid() == pgrp) {
 114         /* parent */
 115         term_flag = 1;
 116         signal(sig, SIG_IGN);
 117         killpg(pgrp, sig);
 118     } else {
 119         /* child */
 120         if(doing_useful_work)
 121             term_flag = 1;
 122         else
 123             exit(0);
 124     }
 125     SIGRETURN(0);
 126 }
 127
 128 static int
 129 spawn_child(krb5_context contextp, int *socks,
 130             unsigned int num_socks, int this_sock)
 131 {
 132     int e;
 133     size_t i;
 134     struct sockaddr_storage __ss;
 135     struct sockaddr *sa = (struct sockaddr *)&__ss;
 136     socklen_t sa_size = sizeof(__ss);
 137     krb5_socket_t s;
 138     pid_t pid;
 139     krb5_address addr;
 140     char buf[128];
 141     size_t buf_len;
 142
 143     s = accept(socks[this_sock], sa, &sa_size);
 144     if(rk_IS_BAD_SOCKET(s)) {
 145         krb5_warn(contextp, rk_SOCK_ERRNO, "accept");
 146         return 1;
 147     }
 148     e = krb5_sockaddr2address(contextp, sa, &addr);
 149     if(e)
 150         krb5_warn(contextp, e, "krb5_sockaddr2address");
 151     else {
 152         e = krb5_print_address (&addr, buf, sizeof(buf),
 153                                 &buf_len);
 154         if(e)
 155             krb5_warn(contextp, e, "krb5_print_address");
 156         else
 157             krb5_warnx(contextp, "connection from %s", buf);
 158         krb5_free_address(contextp, &addr);
 159     }
 160
 161     pid = fork();
 162     if(pid == 0) {
 163         for(i = 0; i < num_socks; i++)
 164             rk_closesocket(socks[i]);
 165         dup2(s, STDIN_FILENO);
 166         dup2(s, STDOUT_FILENO);
 167         if(s != STDIN_FILENO && s != STDOUT_FILENO)
 168             rk_closesocket(s);
 169         return 0;
 170     } else {
 171         rk_closesocket(s);
 172     }
 173     return 1;
 174 }
 175
 176 static void
 177 wait_for_connection(krb5_context contextp,
 178                     krb5_socket_t *socks, unsigned int num_socks)
 179 {
 180     unsigned int i;
 181     int e;
 182     fd_set orig_read_set, read_set;
 183     int status, max_fd = -1;
 184
 185     FD_ZERO(&orig_read_set);
 186
 187     for(i = 0; i < num_socks; i++) {
 188 #ifdef FD_SETSIZE
 189         if (socks[i] >= FD_SETSIZE)
 190             errx (1, "fd too large");
 191 #endif
 192         FD_SET(socks[i], &orig_read_set);
 193         max_fd = max(max_fd, socks[i]);
 194     }
 195
 196     pgrp = getpid();
 197
 198     /* systemd may cause setpgid to fail with EPERM */
 199     if(setpgid(0, pgrp) < 0 && errno != EPERM)
 200         err(1, "setpgid");
 201
 202     signal(SIGTERM, terminate);
 203     signal(SIGINT, terminate);
 204     signal(SIGCHLD, sigchld);
 205
 206     while (term_flag == 0) {
 207         read_set = orig_read_set;
 208         e = select(max_fd + 1, &read_set, NULL, NULL, NULL);
 209         if(rk_IS_SOCKET_ERROR(e)) {
 210             if(rk_SOCK_ERRNO != EINTR)
 211                 krb5_warn(contextp, rk_SOCK_ERRNO, "select");
 212         } else if(e == 0)
 213             krb5_warnx(contextp, "select returned 0");
 214         else {
 215             for(i = 0; i < num_socks; i++) {
 216                 if(FD_ISSET(socks[i], &read_set))
 217                     if(spawn_child(contextp, socks, num_socks, i) == 0)
 218                         return;
 219             }
 220         }
 221     }
 222     signal(SIGCHLD, SIG_IGN);
 223
 224     while ((waitpid(-1, &status, WNOHANG)) > 0)
 225         ;
 226
 227     exit(0);
 228 }
 229
 230
 231 void
 232 start_server(krb5_context contextp, const char *port_str)
 233 {
 234     int e;
 235     struct kadm_port *p;
 236
 237     krb5_socket_t *socks = NULL, *tmp;
 238     unsigned int num_socks = 0;
 239     int i;
 240
 241     if (port_str == NULL)
 242         port_str = "+";
 243
 244     parse_ports(contextp, port_str);
 245
 246     for(p = kadm_ports; p; p = p->next) {
 247         struct addrinfo hints, *ai, *ap;
 248         char portstr[32];
 249         memset (&hints, 0, sizeof(hints));
 250         hints.ai_flags    = AI_PASSIVE;
 251         hints.ai_socktype = SOCK_STREAM;
 252
 253         if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
 254                 NULL)) {
 255             hints.ai_flags &= ~AI_CANONNAME;
 256             hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
 257         }
 258         e = getaddrinfo(NULL, p->port, &hints, &ai);
 259         if(e) {
 260             snprintf(portstr, sizeof(portstr), "%u", p->def_port);
 261             e = getaddrinfo(NULL, portstr, &hints, &ai);
 262         }
 263
 264         if(e) {
 265             krb5_warn(contextp, krb5_eai_to_heim_errno(e, errno),
 266                       "%s", portstr);
 267             continue;
 268         }
 269         i = 0;
 270         for(ap = ai; ap; ap = ap->ai_next)
 271             i++;
 272         tmp = realloc(socks, (num_socks + i) * sizeof(*socks));
 273         if(tmp == NULL)
 274             krb5_err(contextp, 1, errno, "failed to reallocate %lu bytes",
 275                      (unsigned long)(num_socks + i) * sizeof(*socks));
 276         socks = tmp;
 277         for(ap = ai; ap; ap = ap->ai_next) {
 278             krb5_socket_t s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
 279             if(rk_IS_BAD_SOCKET(s)) {
 280                 krb5_warn(contextp, rk_SOCK_ERRNO, "socket");
 281                 continue;
 282             }
 283
 284             socket_set_reuseaddr(s, 1);
 285             socket_set_ipv6only(s, 1);
 286
 287             if (rk_IS_SOCKET_ERROR(bind (s, ap->ai_addr, ap->ai_addrlen))) {
 288                 krb5_warn(contextp, rk_SOCK_ERRNO, "bind");
 289                 rk_closesocket(s);
 290                 continue;
 291             }
 292             if (rk_IS_SOCKET_ERROR(listen (s, SOMAXCONN))) {
 293                 krb5_warn(contextp, rk_SOCK_ERRNO, "listen");
 294                 rk_closesocket(s);
 295                 continue;
 296             }
 297
 298             socket_set_keepalive(s, 1);
 299             socks[num_socks++] = s;
 300         }
 301         freeaddrinfo (ai);
 302     }
 303     if(num_socks == 0)
 304         krb5_errx(contextp, 1, "no sockets to listen to - exiting");
 305
 306     roken_detach_finish(NULL, daemon_child);
 307
 308     wait_for_connection(contextp, socks, num_socks);
 309     free(socks);
 310 }