search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Unleashed v1.4
[unleashed.git] / usr / src / cmd / vt / vtdaemon.c
blobeb479fa6e70ad4bc0cf721032985d4122362477d
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * vtdaemon is responsible for the session secure switch via hotkeys.
28 *
29 * vtdaemon itself, like ttymon(8), is also running on a virtual
30 * console device (/dev/vt/1), and provides a text console session
31 * for password input and authentication. The /dev/vt/1 special text
32 * console is reserved and end users cannot switch to it via hotkeys.
33 *
34 *
35 * The hotkey event request can come from either kernel or Xserver,
36 * and a door server is setup to handle the request:
37 *
38 * 1) All text console hotkeys (e.g. "Alt + F#") are intercepted by
39 * the kernel console driver which sends a door upcall to the
40 * vtdaemon via door_upcall (target_vt).
41 *
42 * 2) All Xserver hotkeys ("Alt + Ctrl + F#") are intercepted by
43 * Xserver which sends a door call to the vtdaemon via
44 * door_call (target_vt).
45 *
46 *
47 * server_for_door receives and handles any door server requests:
48 *
49 * Firstly, check source session:
50 *
51 * . If it's from kernel for a text console source session,
52 * then directly go to check the target session.
53 *
54 * . If it's from Xserver for a graphical source session and the vt
55 * associated with the Xserver is currently active:
56 * check if a user has logged in, if true, issue an internal
57 * VT_EV_LOCK event to the main thread to request lock for
58 * the graphical source session; else, directly go to check
59 * the target session.
60 *
61 * . otherwise, discard this request.
62 *
63 *
64 * Secondly, check the target session
65 *
66 * . if the target session is a text one that no one has logged in
67 * or a graphical one, issue an internal VT_EV_ACTIVATE event to
68 * the main thread to request the actual VT switch.
69 *
70 * . otherwise, the target session is a text one that someone has
71 * logged in, issue an internal VT_EV_AUTH event to the main
72 * thread to request authentication for the target session.
73 *
74 *
75 * The main thread of vtdaemon is a loop waiting for internal events
76 * which come from door call threads:
77 *
78 * 1) VT_EV_AUTH to authenticate for target session:
79 *
80 * firstly switch to the vtdaemon special text console;
81 * then prompt for password (target_owner on target_vt),
82 * e.g. "User Bob's password on vt/#: ".
83 *
84 * if the password is correct (authentication succeeds),
85 * then actually issue the VT switch; otherwise, ignore
86 * the request.
87 *
88 * 2) VT_EV_LOCK to lock the graphical source session:
89 *
90 * activate screenlock for this graphical session.
91 * vtdaemon just invokes existing front-end command line
92 * tools (e.g. xscreensaver-command -lock for JDS) to
93 * lock the display.
94 *
95 * 3) VT_EV_ACTIVATE to directly switch to the target session
96 *
97 *
98 * There is a system/vtdaemon:default SMF service for vtdaemon.
99 *
100 * There's a "hotkeys" property (BOOLEAN) in the
101 * system/vtdaemon:default SMF service, which allows authorized
102 * users to dynamically enable or disable VT switch via hotkeys.
103 * Its default value is TRUE (enabled).
104 *
105 * There's a "secure" property (BOOLEAN) in the
106 * system/vtdaemon:default SMF service, which allows authorized
107 * users to dynamically enable or disable hotkeys are secure.
108 * If disabled, the user can freely switch to any session without
109 * authentication. Its default value is TRUE (enabled).
110 *
111 *
112 * By default, there's only 16 virtual console device nodes (from
113 * /dev/vt/0 to /dev/vt/15). There's a property "nodecount"
114 * (default value is 16) in the system/vtdaemon:default SMF
115 * service, so authorized users can configure it to have more
116 * or less virtual console device nodes.
117 *
118 * Xserver needs to switch back to previous active vt via VT_EV_X_EXIT
119 * door event request when it's exiting, so vtdaemon always needs to
120 * be there even if the hotkeys switch is disabled, otherwise the screen
121 * will be just blank when Xserver exits.
122 */
123
124 #include <sys/param.h>
125 #include <sys/mman.h>
126 #include <sys/types.h>
127 #include <sys/wait.h>
128 #include <sys/stat.h>
129 #include <sys/sysmacros.h>
130 #include <syslog.h>
131 #include <deflt.h>
132
133 #include <alloca.h>
134 #include <assert.h>
135 #include <errno.h>
136 #include <door.h>
137 #include <fcntl.h>
138 #include <signal.h>
139 #include <stdarg.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <strings.h>
144 #include <synch.h>
145 #include <thread.h>
146 #include <unistd.h>
147 #include <wait.h>
148 #include <limits.h>
149 #include <zone.h>
150 #include <priv.h>
151 #include <pwd.h>
152 #include <utmpx.h>
153 #include <procfs.h>
154 #include <poll.h>
155 #include <termio.h>
156 #include <security/pam_appl.h>
157 #include <time.h>
158 #include <sys/console.h>
159 #include <assert.h>
160 #include <syslog.h>
161
162 #include <sys/vt.h>
163 #include <sys/vtdaemon.h>
164
165 /*
166 * The door file /var/run/vt/vtdaemon_door
167 */
168 #define VT_TMPDIR "/var/run/vt"
169
170 #define VT_DAEMON_ARG 0
171 #define VT_DAEMON_CONSOLE_FILE "/dev/vt/1"
172
173 #define VT_IS_SYSTEM_CONSOLE(vtno) ((vtno) == 1)
174
175 /* Defaults for updating expired passwords */
176 #define DEF_ATTEMPTS 3
177
178 int daemonfd;
179
180 static boolean_t vt_hotkeys = B_TRUE; /* '-k' option to disable */
181 static boolean_t vt_secure = B_TRUE; /* '-s' option to disable */
182
183 static char vt_door_path[MAXPATHLEN];
184 static int vt_door = -1;
185
186 /* protecting vt_hotkeys_pending and vt_auth_doing */
187 static mutex_t vt_mutex = DEFAULTMUTEX;
188
189 static boolean_t vt_hotkeys_pending = B_FALSE;
190 static boolean_t vt_auth_doing = B_FALSE;
191
192 static int vtnodecount = 0;
193
194 static int
195 vt_setup_signal(int signo, int mask)
196 {
197 sigset_t set;
198
199 (void) sigemptyset(&set);
200 (void) sigaddset(&set, signo);
201
202 if (mask)
203 return (sigprocmask(SIG_BLOCK, &set, NULL));
204 else
205 return (sigprocmask(SIG_UNBLOCK, &set, NULL));
206 }
207
208 static void
209 do_activate_screenlock(int display_num)
210 {
211 char dpy[16];
212
213 (void) snprintf(dpy, sizeof (dpy), "%d", display_num);
214 (void) execl("/usr/lib/vtxlock", "vtxlock", dpy, NULL);
215 }
216
217 static void
218 vt_activate_screenlock(int display)
219 {
220 pid_t pid;
221
222 if ((pid = fork()) == -1)
223 return;
224
225 if (pid == 0) { /* child */
226 do_activate_screenlock(display);
227 exit(0);
228 }
229
230 /* parent */
231 while (waitpid(pid, (int *)0, 0) != pid)
232 continue;
233 }
234
235 /*
236 * Find the login process and user logged in on the target vt.
237 */
238 static void
239 vt_read_utx(int target_vt, pid_t *pid, char name[])
240 {
241 struct utmpx *u;
242 char ttyntail[sizeof (u->ut_line)];
243
244 *pid = (pid_t)-1;
245
246 if (VT_IS_SYSTEM_CONSOLE(target_vt)) /* system console */
247 (void) snprintf(ttyntail, sizeof (ttyntail),
248 "%s", "console");
249 else
250 (void) snprintf(ttyntail, sizeof (ttyntail),
251 "%s%d", "vt/", target_vt);
252
253 setutxent();
254 while ((u = getutxent()) != NULL)
255 /* see if this is the entry we want */
256 if ((u->ut_type == USER_PROCESS) &&
257 (!nonuserx(*u)) &&
258 (u->ut_host[0] == '\0') &&
259 (strncmp(u->ut_line, ttyntail, sizeof (u->ut_line)) == 0)) {
260
261 *pid = u->ut_pid;
262 if (name != NULL) {
263 (void) strncpy(name, u->ut_user,
264 sizeof (u->ut_user));
265 name[sizeof (u->ut_user)] = '\0';
266 }
267 break;
268 }
269
270 endutxent();
271 }
272
273 static boolean_t
274 vt_is_tipline(void)
275 {
276 static int is_tipline = 0;
277 int fd;
278 static char termbuf[MAX_TERM_TYPE_LEN];
279 static struct cons_getterm cons_term = { sizeof (termbuf), termbuf};
280
281 if (is_tipline != 0)
282 return (is_tipline == 1);
283
284 if ((fd = open("/dev/console", O_RDONLY)) < 0)
285 return (B_FALSE);
286
287 if (ioctl(fd, CONS_GETTERM, &cons_term) != 0 &&
288 errno == ENODEV) {
289 is_tipline = 1;
290 } else {
291 is_tipline = -1;
292 }
293
294 (void) close(fd);
295 return (is_tipline == 1);
296 }
297
298 static int
299 validate_target_vt(int target_vt)
300 {
301 int fd;
302 struct vt_stat state;
303
304 if (target_vt < 1)
305 return (-1);
306
307 if ((fd = open(VT_DAEMON_CONSOLE_FILE, O_WRONLY)) < 0)
308 return (-1);
309
310 if (ioctl(fd, VT_GETSTATE, &state) != 0) {
311 (void) close(fd);
312 return (-1);
313 }
314
315 (void) close(fd);
316
317 if (state.v_active == target_vt) {
318 return (1); /* it's current active vt */
319 }
320
321 if (target_vt == 1) {
322 /*
323 * In tipline case, the system console is always
324 * available, so ignore this request.
325 */
326 if (vt_is_tipline())
327 return (-1);
328
329 target_vt = 0;
330 }
331
332 /*
333 * The hotkey request and corresponding target_vt number can come
334 * from either kernel or Xserver (or other user applications).
335 * In kernel we've validated the hotkey request, but Xserver (or
336 * other user applications) cannot do it, so here we still try
337 * to validate it.
338 *
339 * VT_GETSTATE is only valid for first 16 VTs for historical reasons.
340 * Fortunately, in practice, Xserver can only send the hotkey
341 * request of target_vt number from 1 to 12 (Ctrl + Alt + F1 to F2).
342 */
343 if (target_vt < 8 * sizeof (state.v_state)) {
344 if ((state.v_state & (1 << target_vt)) != 0) {
345 return (0);
346 } else {
347 return (-1);
348 }
349 }
350
351 return (0);
352 }
353
354 static void
355 vt_do_activate(int target_vt)
356 {
357 (void) ioctl(daemonfd, VT_ACTIVATE, target_vt);
358 (void) mutex_lock(&vt_mutex);
359 vt_hotkeys_pending = B_FALSE;
360 (void) mutex_unlock(&vt_mutex);
361 }
362
363 /* events written to fd 0 and read from fd 1 */
364 #define VT_EV_AUTH 1
365 #define VT_EV_LOCK 2
366 #define VT_EV_ACTIVATE 3
367
368 /* events written to fd 1 and read from fd 0 */
369 #define VT_EV_TERMINATE_AUTH 4
370
371 typedef struct vt_evt {
372 int ve_cmd;
373 int ve_info; /* vtno or display num */
374 } vt_evt_t;
375
376 static int eventstream[2];
377
378 boolean_t
379 eventstream_init(void)
380 {
381 if (pipe(eventstream) == -1)
382 return (B_FALSE);
383 return (B_TRUE);
384 }
385
386 void
387 eventstream_write(int channel, vt_evt_t *pevt)
388 {
389 (void) write(eventstream[channel], pevt, sizeof (vt_evt_t));
390 }
391
392 static boolean_t
393 eventstream_read(int channel, vt_evt_t *pevt)
394 {
395 ssize_t rval;
396
397 rval = read(eventstream[channel], pevt, sizeof (vt_evt_t));
398 return (rval > 0);
399 }
400
401 static void
402 vt_ev_request(int cmd, int info)
403 {
404 int channel;
405 vt_evt_t ve;
406
407 ve.ve_cmd = cmd;
408 ve.ve_info = info;
409
410 channel = (cmd == VT_EV_TERMINATE_AUTH) ? 1 : 0;
411 eventstream_write(channel, &ve);
412 }
413
414 static void
415 vt_clear_events(void)
416 {
417 int rval = 0;
418 struct stat buf;
419 vt_evt_t evt;
420
421 while (rval == 0) {
422 rval = fstat(eventstream[0], &buf);
423 if (rval != -1 && buf.st_size > 0)
424 (void) eventstream_read(0, &evt);
425 else
426 break;
427 }
428 }
429
430 static int vt_conv(int, struct pam_message **,
431 struct pam_response **, void *);
432
433 /*ARGSUSED*/
434 static void
435 catch(int x)
436 {
437 (void) signal(SIGINT, catch);
438 }
439
440 /*
441 * The SIGINT (ctl_c) will restart the authentication, and re-prompt
442 * the end user to input the password.
443 */
444 static int
445 vt_poll()
446 {
447 struct pollfd pollfds[2];
448 vt_evt_t ve;
449 int ret;
450
451 pollfds[0].fd = eventstream[0];
452 pollfds[1].fd = daemonfd;
453 pollfds[0].events = pollfds[1].events =
454 POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
455
456 for (;;) {
457 pollfds[0].revents = pollfds[1].revents = 0;
458
459 ret = poll(pollfds,
460 sizeof (pollfds) / sizeof (struct pollfd), -1);
461 if (ret == -1 && errno != EINTR) {
462 continue;
463 }
464
465 if (ret == -1 && errno == EINTR)
466 return (-1);
467
468 if (pollfds[0].revents) {
469 (void) eventstream_read(0, &ve);
470 return (0);
471 }
472
473 if (pollfds[1].revents)
474 return (1);
475
476 return (0);
477
478 }
479 }
480
481 static char
482 vt_getchar(int fd)
483 {
484 char c;
485 int cnt;
486
487 cnt = read(fd, &c, 1);
488 if (cnt > 0) {
489 return (c);
490 }
491
492 return (EOF);
493 }
494
495 static char *
496 vt_getinput(int noecho)
497 {
498 int c;
499 int i = 0;
500 struct termio tty;
501 tcflag_t tty_flags;
502 char input[PAM_MAX_RESP_SIZE];
503
504 if (noecho) {
505 (void) ioctl(daemonfd, TCGETA, &tty);
506 tty_flags = tty.c_lflag;
507 tty.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
508 (void) ioctl(daemonfd, TCSETAF, &tty);
509 }
510
511 while ((vt_poll()) == 1) {
512 if ((c = vt_getchar(daemonfd)) != '\n' && c != '\r' &&
513 c != EOF && (i < PAM_MAX_RESP_SIZE - 1))
514 input[i++] = (char)c;
515 else
516 break;
517 }
518
519 input[i] = '\0';
520
521 if (noecho) {
522 tty.c_lflag = tty_flags;
523 (void) ioctl(daemonfd, TCSETAW, &tty);
524 (void) fputc('\n', stdout);
525 }
526
527 return (strdup(input));
528 }
529
530 /*
531 * vt_conv: vtdaemon PAM conversation function.
532 * SIGINT/EINTR is handled in vt_getinput()/vt_poll().
533 */
534
535 /*ARGSUSED*/
536 static int
537 vt_conv(int num_msg, struct pam_message **msg,
538 struct pam_response **response, void *appdata_ptr)
539 {
540 struct pam_message *m;
541 struct pam_response *r;
542 int i, k;
543
544 if (num_msg >= PAM_MAX_NUM_MSG) {
545 syslog(LOG_ERR, "too many messages %d >= %d",
546 num_msg, PAM_MAX_NUM_MSG);
547 *response = NULL;
548 return (PAM_CONV_ERR);
549 }
550
551 *response = calloc(num_msg, sizeof (struct pam_response));
552 if (*response == NULL)
553 return (PAM_BUF_ERR);
554
555 m = *msg;
556 r = *response;
557 for (i = 0; i < num_msg; i++) {
558 int echo_off = 0;
559
560 /* Bad message */
561 if (m->msg == NULL) {
562 syslog(LOG_ERR, "message[%d]: %d/NULL\n",
563 i, m->msg_style);
564 goto err;
565 }
566
567 /*
568 * Fix up final newline:
569 * remove from prompts, add back for messages.
570 */
571 if (m->msg[strlen(m->msg)] == '\n')
572 m->msg[strlen(m->msg)] = '\0';
573
574 r->resp = NULL;
575 r->resp_retcode = 0;
576
577 switch (m->msg_style) {
578
579 case PAM_PROMPT_ECHO_OFF:
580 echo_off = 1;
581 /* FALLTHROUGH */
582
583 case PAM_PROMPT_ECHO_ON:
584 (void) fputs(m->msg, stdout);
585
586 r->resp = vt_getinput(echo_off);
587 break;
588
589 case PAM_ERROR_MSG:
590 /* the user may want to see this */
591 (void) fputs(m->msg, stdout);
592 (void) fputs("\n", stdout);
593 break;
594
595 case PAM_TEXT_INFO:
596 (void) fputs(m->msg, stdout);
597 (void) fputs("\n", stdout);
598 break;
599
600 default:
601 syslog(LOG_ERR, "message[%d]: unknown type"
602 "%d/val=\"%s\"", i, m->msg_style, m->msg);
603
604 /* error, service module won't clean up */
605 goto err;
606 }
607
608 /* Next message/response */
609 m++;
610 r++;
611
612 }
613 return (PAM_SUCCESS);
614
615 err:
616 /*
617 * Service modules don't clean up responses if an error is returned.
618 * Free responses here.
619 */
620 r = *response;
621 for (k = 0; k < i; k++, r++) {
622 if (r->resp) {
623 /* Clear before freeing -- maybe a password */
624 bzero(r->resp, strlen(r->resp));
625 free(r->resp);
626 r->resp = NULL;
627 }
628 }
629
630 free(*response);
631 *response = NULL;
632 return (PAM_CONV_ERR);
633 }
634
635 #define DEF_FILE "/etc/default/login"
636
637 /* Get PASSREQ from default file */
638 static boolean_t
639 vt_default(void)
640 {
641 int flags;
642 char *ptr;
643 boolean_t retval = B_FALSE;
644
645 if ((defopen(DEF_FILE)) == 0) {
646 /* ignore case */
647 flags = defcntl(DC_GETFLAGS, 0);
648 TURNOFF(flags, DC_CASE);
649 (void) defcntl(DC_SETFLAGS, flags);
650
651 if ((ptr = defread("PASSREQ=")) != NULL &&
652 strcasecmp("YES", ptr) == 0)
653 retval = B_TRUE;
654
655 (void) defopen(NULL);
656 }
657
658 return (retval);
659 }
660
661 /*
662 * VT_CLEAR_SCREEN_STR is the console terminal escape sequence used to
663 * clear the current screen. The vt special console (/dev/vt/1) is
664 * just reserved for vtdaemon, and the TERM/termcap of it is always
665 * the local sun-color, which is always supported by our kernel terminal
666 * emulator.
667 */
668 #define VT_CLEAR_SCREEN_STR "\033[2J\033[1;1H"
669
670 static void
671 vt_do_auth(int target_vt)
672 {
673 char user_name[sizeof (((struct utmpx *)0)->ut_line) + 1] = {'\0'};
674 pam_handle_t *vt_pamh;
675 int err;
676 int pam_flag = 0;
677 int chpasswd_tries;
678 struct pam_conv pam_conv = {vt_conv, NULL};
679 pid_t pid;
680
681 vt_read_utx(target_vt, &pid, user_name);
682
683 if (pid == (pid_t)-1 || user_name[0] == '\0')
684 return;
685
686 if ((err = pam_start("vtdaemon", user_name, &pam_conv,
687 &vt_pamh)) != PAM_SUCCESS)
688 return;
689
690 /*
691 * firstly switch to the vtdaemon special console
692 * and clear the current screen
693 */
694 (void) ioctl(daemonfd, VT_ACTIVATE, VT_DAEMON_ARG);
695 (void) write(daemonfd, VT_CLEAR_SCREEN_STR,
696 strlen(VT_CLEAR_SCREEN_STR));
697 (void) ioctl(daemonfd, VT_SET_TARGET, target_vt);
698
699 (void) mutex_lock(&vt_mutex);
700 vt_auth_doing = B_TRUE;
701 vt_hotkeys_pending = B_FALSE;
702 (void) mutex_unlock(&vt_mutex);
703
704 if (vt_default())
705 pam_flag = PAM_DISALLOW_NULL_AUTHTOK;
706
707 do {
708 if (VT_IS_SYSTEM_CONSOLE(target_vt))
709 (void) fprintf(stdout,
710 "\nUnlock user %s on the system console\n",
711 user_name);
712 else
713 (void) fprintf(stdout,
714 "\nUnlock user %s on vt/%d\n", user_name,
715 target_vt);
716
717 err = pam_authenticate(vt_pamh, pam_flag);
718
719 (void) mutex_lock(&vt_mutex);
720 if (vt_hotkeys_pending) {
721 (void) mutex_unlock(&vt_mutex);
722 break;
723 }
724 (void) mutex_unlock(&vt_mutex);
725
726 if (err == PAM_SUCCESS) {
727 err = pam_acct_mgmt(vt_pamh, pam_flag);
728
729 (void) mutex_lock(&vt_mutex);
730 if (vt_hotkeys_pending) {
731 (void) mutex_unlock(&vt_mutex);
732 break;
733 }
734 (void) mutex_unlock(&vt_mutex);
735
736 if (err == PAM_NEW_AUTHTOK_REQD) {
737 chpasswd_tries = 0;
738
739 do {
740 err = pam_chauthtok(vt_pamh,
741 PAM_CHANGE_EXPIRED_AUTHTOK);
742 chpasswd_tries++;
743
744 (void) mutex_lock(&vt_mutex);
745 if (vt_hotkeys_pending) {
746 (void) mutex_unlock(&vt_mutex);
747 break;
748 }
749 (void) mutex_unlock(&vt_mutex);
750
751 } while ((err == PAM_AUTHTOK_ERR ||
752 err == PAM_TRY_AGAIN) &&
753 chpasswd_tries < DEF_ATTEMPTS);
754
755 (void) mutex_lock(&vt_mutex);
756 if (vt_hotkeys_pending) {
757 (void) mutex_unlock(&vt_mutex);
758 break;
759 }
760 (void) mutex_unlock(&vt_mutex);
761 }
762 }
763
764 if (err != PAM_SUCCESS) {
765 (void) fprintf(stdout, "%s",
766 pam_strerror(vt_pamh, err));
767 }
768
769 (void) mutex_lock(&vt_mutex);
770 if (vt_hotkeys_pending) {
771 (void) mutex_unlock(&vt_mutex);
772 break;
773 }
774 (void) mutex_unlock(&vt_mutex);
775
776 } while (err != PAM_SUCCESS);
777
778 (void) mutex_lock(&vt_mutex);
779 if (!vt_hotkeys_pending) {
780 /*
781 * Should be PAM_SUCCESS to reach here.
782 */
783 (void) ioctl(daemonfd, VT_ACTIVATE, target_vt);
784 }
785 (void) mutex_unlock(&vt_mutex);
786
787 (void) pam_end(vt_pamh, err);
788
789 (void) mutex_lock(&vt_mutex);
790 vt_auth_doing = B_FALSE;
791 vt_clear_events();
792 (void) mutex_unlock(&vt_mutex);
793 }
794
795 /* main thread (lock and auth) */
796 static void __NORETURN
797 vt_serve_events(void)
798 {
799 struct pollfd pollfds[1];
800 int ret;
801 vt_evt_t ve;
802
803 pollfds[0].fd = eventstream[1];
804 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI;
805
806 for (;;) {
807 pollfds[0].revents = 0;
808 ret = poll(pollfds,
809 sizeof (pollfds) / sizeof (struct pollfd), -1);
810 if (ret == -1 && errno == EINTR) {
811 continue;
812 }
813
814 if (pollfds[0].revents && eventstream_read(1, &ve)) {
815 /* new request */
816 switch (ve.ve_cmd) {
817 case VT_EV_AUTH:
818 vt_do_auth(ve.ve_info);
819 break;
820
821 case VT_EV_LOCK:
822 vt_activate_screenlock(ve.ve_info);
823 break;
824
825 case VT_EV_ACTIVATE:
826 /* directly activate target vt */
827 vt_do_activate(ve.ve_info);
828 break;
829 }
830 }
831 }
832 }
833
834 static void
835 vt_check_target_session(uint32_t target_vt)
836 {
837 pid_t pid = (pid_t)-1;
838
839 if (!vt_secure) {
840 vt_ev_request(VT_EV_ACTIVATE, target_vt);
841 return;
842 }
843
844 /* check the target session */
845 vt_read_utx(target_vt, &pid, NULL);
846 if (pid == (pid_t)-1) {
847 vt_ev_request(VT_EV_ACTIVATE, target_vt);
848 return;
849 }
850
851 vt_ev_request(VT_EV_AUTH, target_vt);
852 }
853
854 static boolean_t
855 vt_get_active_disp_info(struct vt_dispinfo *vd)
856 {
857 int fd;
858 struct vt_stat state;
859 char vtname[16];
860
861 if ((fd = open(VT_DAEMON_CONSOLE_FILE, O_RDONLY)) < 0)
862 return (B_FALSE);
863
864 if (ioctl(fd, VT_GETSTATE, &state) != 0) {
865 (void) close(fd);
866 return (B_FALSE);
867 }
868 (void) close(fd);
869
870 (void) snprintf(vtname, sizeof (vtname), "/dev/vt/%d", state.v_active);
871 if ((fd = open(vtname, O_RDONLY)) < 0)
872 return (B_FALSE);
873
874 if (ioctl(fd, VT_GETDISPINFO, vd) != 0) {
875 (void) close(fd);
876 return (B_FALSE);
877 }
878
879 (void) close(fd);
880 return (B_TRUE);
881 }
882
883 /*
884 * Xserver registers its pid into kernel to associate it with
885 * its vt upon startup for each graphical display. So here we can
886 * check if the pid is of the Xserver for the current active
887 * display when we receive a special VT_EV_X_EXIT request from
888 * a process. If the request does not come from the current
889 * active Xserver, it is discarded.
890 */
891 static boolean_t
892 vt_check_disp_active(pid_t x_pid)
893 {
894 struct vt_dispinfo vd;
895
896 if (vt_get_active_disp_info(&vd) &&
897 vd.v_pid == x_pid)
898 return (B_TRUE);
899
900 return (B_FALSE);
901 }
902
903 /*
904 * check if the pid is of the Xserver for the current active display,
905 * return true when it is, and then also return other associated
906 * information with the Xserver.
907 */
908 static boolean_t
909 vt_get_disp_info(pid_t x_pid, int *logged_in, int *display_num)
910 {
911 struct vt_dispinfo vd;
912
913 if (!vt_get_active_disp_info(&vd) ||
914 vd.v_pid != x_pid)
915 return (B_FALSE);
916
917 *logged_in = vd.v_login;
918 *display_num = vd.v_dispnum;
919 return (B_TRUE);
920 }
921
922 static void
923 vt_terminate_auth(void)
924 {
925 struct timespec sleeptime;
926
927 sleeptime.tv_sec = 0;
928 sleeptime.tv_nsec = 1000000; /* 1ms */
929
930 (void) mutex_lock(&vt_mutex);
931 while (vt_auth_doing) {
932 vt_ev_request(VT_EV_TERMINATE_AUTH, 0);
933
934 if (vt_auth_doing) {
935 (void) mutex_unlock(&vt_mutex);
936 (void) nanosleep(&sleeptime, NULL);
937 sleeptime.tv_nsec *= 2;
938 (void) mutex_lock(&vt_mutex);
939 }
940 }
941 (void) mutex_unlock(&vt_mutex);
942 }
943
944 static void
945 vt_do_hotkeys(pid_t pid, uint32_t target_vt)
946 {
947 int logged_in;
948 int display_num;
949
950 if (validate_target_vt(target_vt) != 0)
951 return;
952
953 /*
954 * Maybe last switch action is being taken and the lock is ongoing,
955 * here we must reject the newly request.
956 */
957 (void) mutex_lock(&vt_mutex);
958 if (vt_hotkeys_pending) {
959 (void) mutex_unlock(&vt_mutex);
960 return;
961 }
962
963 /* cleared in vt_do_active and vt_do_auth */
964 vt_hotkeys_pending = B_TRUE;
965 (void) mutex_unlock(&vt_mutex);
966
967 vt_terminate_auth();
968
969 /* check source session for this hotkeys request */
970 if (pid == 0) {
971 /* then only need to check target session */
972 vt_check_target_session(target_vt);
973 return;
974 }
975
976 /*
977 * check if it comes from current active X graphical session,
978 * if not, ignore this request.
979 */
980 if (!vt_get_disp_info(pid, &logged_in, &display_num)) {
981 (void) mutex_lock(&vt_mutex);
982 vt_hotkeys_pending = B_FALSE;
983 (void) mutex_unlock(&vt_mutex);
984 return;
985 }
986
987 if (logged_in && vt_secure)
988 vt_ev_request(VT_EV_LOCK, display_num);
989
990 vt_check_target_session(target_vt);
991 }
992
993 /*
994 * The main routine for the door server that deals with secure hotkeys
995 */
996 /* ARGSUSED */
997 static void
998 server_for_door(void *cookie, char *args, size_t alen, door_desc_t *dp,
999 uint_t n_desc)
1000 {
1001 ucred_t *uc = NULL;
1002 vt_cmd_arg_t *vtargp;
1003
1004 /* LINTED E_BAD_PTR_CAST_ALIGN */
1005 vtargp = (vt_cmd_arg_t *)args;
1006
1007 if (vtargp == NULL ||
1008 alen != sizeof (vt_cmd_arg_t) ||
1009 door_ucred(&uc) != 0) {
1010 (void) door_return(NULL, 0, NULL, 0);
1011 return;
1012 }
1013
1014 switch (vtargp->vt_ev) {
1015 case VT_EV_X_EXIT:
1016 /*
1017 * Xserver will issue this event requesting to switch back
1018 * to previous active vt when it's exiting and the associated
1019 * vt is currently active.
1020 */
1021 if (vt_check_disp_active(ucred_getpid(uc)))
1022 vt_do_hotkeys(0, vtargp->vt_num);
1023 break;
1024
1025 case VT_EV_HOTKEYS:
1026 if (!vt_hotkeys) /* hotkeys are disabled? */
1027 break;
1028
1029 vt_do_hotkeys(ucred_getpid(uc), vtargp->vt_num);
1030 break;
1031
1032 default:
1033 break;
1034 }
1035
1036 ucred_free(uc);
1037 (void) door_return(NULL, 0, NULL, 0);
1038 }
1039
1040 static boolean_t
1041 setup_door(void)
1042 {
1043 if ((vt_door = door_create(server_for_door, NULL,
1044 DOOR_UNREF | DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) < 0) {
1045 syslog(LOG_ERR, "door_create failed: %s", strerror(errno));
1046 return (B_FALSE);
1047 }
1048
1049 (void) fdetach(vt_door_path);
1050
1051 if (fattach(vt_door, vt_door_path) != 0) {
1052 syslog(LOG_ERR, "fattach to %s failed: %s",
1053 vt_door_path, strerror(errno));
1054 (void) door_revoke(vt_door);
1055 (void) fdetach(vt_door_path);
1056 vt_door = -1;
1057 return (B_FALSE);
1058 }
1059
1060 return (B_TRUE);
1061 }
1062
1063 /*
1064 * check to see if vtdaemon is already running.
1065 *
1066 * The idea here is that we want to open the path to which we will
1067 * attach our door, lock it, and then make sure that no-one has beat us
1068 * to fattach(3c)ing onto it.
1069 *
1070 * fattach(3c) is really a mount, so there are actually two possible
1071 * vnodes we could be dealing with. Our strategy is as follows:
1072 *
1073 * - If the file we opened is a regular file (common case):
1074 * There is no fattach(3c)ed door, so we have a chance of becoming
1075 * the running vtdaemon. We attempt to lock the file: if it is
1076 * already locked, that means someone else raced us here, so we
1077 * lose and give up.
1078 *
1079 * - If the file we opened is a namefs file:
1080 * This means there is already an established door fattach(3c)'ed
1081 * to the rendezvous path. We've lost the race, so we give up.
1082 * Note that in this case we also try to grab the file lock, and
1083 * will succeed in acquiring it since the vnode locked by the
1084 * "winning" vtdaemon was a regular one, and the one we locked was
1085 * the fattach(3c)'ed door node. At any rate, no harm is done.
1086 */
1087 static boolean_t
1088 make_daemon_exclusive(void)
1089 {
1090 int doorfd = -1;
1091 boolean_t ret = B_FALSE;
1092 struct stat st;
1093 struct flock flock;
1094
1095 top:
1096 if ((doorfd = open(vt_door_path, O_CREAT|O_RDWR,
1097 S_IREAD|S_IWRITE|S_IRGRP|S_IROTH)) < 0) {
1098 syslog(LOG_ERR, "failed to open %s", vt_door_path);
1099 goto out;
1100 }
1101 if (fstat(doorfd, &st) < 0) {
1102 syslog(LOG_ERR, "failed to stat %s", vt_door_path);
1103 goto out;
1104 }
1105 /*
1106 * Lock the file to synchronize
1107 */
1108 flock.l_type = F_WRLCK;
1109 flock.l_whence = SEEK_SET;
1110 flock.l_start = (off_t)0;
1111 flock.l_len = (off_t)0;
1112 if (fcntl(doorfd, F_SETLK, &flock) < 0) {
1113 /*
1114 * Someone else raced us here and grabbed the lock file
1115 * first. A warning here and exit.
1116 */
1117 syslog(LOG_ERR, "vtdaemon is already running!");
1118 goto out;
1119 }
1120
1121 if (strcmp(st.st_fstype, "namefs") == 0) {
1122 struct door_info info;
1123
1124 /*
1125 * There is already something fattach()'ed to this file.
1126 * Lets see what the door is up to.
1127 */
1128 if (door_info(doorfd, &info) == 0 && info.di_target != -1) {
1129 syslog(LOG_ERR, "vtdaemon is already running!");
1130 goto out;
1131 }
1132
1133 (void) fdetach(vt_door_path);
1134 (void) close(doorfd);
1135 goto top;
1136 }
1137
1138 ret = setup_door();
1139
1140 out:
1141 (void) close(doorfd);
1142 return (ret);
1143 }
1144
1145 static boolean_t
1146 mkvtdir(void)
1147 {
1148 struct stat st;
1149 /*
1150 * We must create and lock everyone but root out of VT_TMPDIR
1151 * since anyone can open any UNIX domain socket, regardless of
1152 * its file system permissions.
1153 */
1154 if (mkdir(VT_TMPDIR, S_IRWXU|S_IROTH|S_IXOTH|S_IRGRP|S_IXGRP) < 0 &&
1155 errno != EEXIST) {
1156 syslog(LOG_ERR, "could not mkdir '%s'", VT_TMPDIR);
1157 return (B_FALSE);
1158 }
1159 /* paranoia */
1160 if ((stat(VT_TMPDIR, &st) < 0) || !S_ISDIR(st.st_mode)) {
1161 syslog(LOG_ERR, "'%s' is not a directory", VT_TMPDIR);
1162 return (B_FALSE);
1163 }
1164 (void) chmod(VT_TMPDIR, S_IRWXU|S_IROTH|S_IXOTH|S_IRGRP|S_IXGRP);
1165 return (B_TRUE);
1166 }
1167
1168 int
1169 main(int argc, char *argv[])
1170 {
1171 int i;
1172 int opt;
1173 priv_set_t *privset;
1174 int active;
1175
1176 openlog("vtdaemon", LOG_PID | LOG_CONS, 0);
1177
1178 /*
1179 * Check that we have all privileges. It would be nice to pare
1180 * this down, but this is at least a first cut.
1181 */
1182 if ((privset = priv_allocset()) == NULL) {
1183 syslog(LOG_ERR, "priv_allocset failed");
1184 return (1);
1185 }
1186
1187 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
1188 syslog(LOG_ERR, "getppriv failed", "getppriv");
1189 priv_freeset(privset);
1190 return (1);
1191 }
1192
1193 if (priv_isfullset(privset) == B_FALSE) {
1194 syslog(LOG_ERR, "You lack sufficient privilege "
1195 "to run this command (all privs required)");
1196 priv_freeset(privset);
1197 return (1);
1198 }
1199 priv_freeset(privset);
1200
1201 while ((opt = getopt(argc, argv, "ksrc:")) != EOF) {
1202 switch (opt) {
1203 case 'k':
1204 vt_hotkeys = B_FALSE;
1205 break;
1206 case 's':
1207 vt_secure = B_FALSE;
1208 break;
1209 case 'c':
1210 vtnodecount = atoi(optarg);
1211 break;
1212 default:
1213 break;
1214 }
1215 }
1216
1217 (void) vt_setup_signal(SIGINT, 1);
1218
1219 if (!mkvtdir())
1220 return (1);
1221
1222 if (!eventstream_init())
1223 return (1);
1224
1225 (void) snprintf(vt_door_path, sizeof (vt_door_path),
1226 VT_TMPDIR "/vtdaemon_door");
1227
1228 if (!make_daemon_exclusive())
1229 return (1);
1230
1231 /* only the main thread accepts SIGINT */
1232 (void) vt_setup_signal(SIGINT, 0);
1233 (void) sigset(SIGPIPE, SIG_IGN);
1234 (void) signal(SIGQUIT, SIG_IGN);
1235 (void) signal(SIGINT, catch);
1236
1237 for (i = 0; i < 3; i++)
1238 (void) close(i);
1239 (void) setsid();
1240
1241 if ((daemonfd = open(VT_DAEMON_CONSOLE_FILE, O_RDWR)) < 0) {
1242 return (1);
1243 }
1244
1245 if (daemonfd != 0)
1246 (void) dup2(daemonfd, STDIN_FILENO);
1247 if (daemonfd != 1)
1248 (void) dup2(daemonfd, STDOUT_FILENO);
1249
1250 if (vtnodecount >= 2)
1251 (void) ioctl(daemonfd, VT_CONFIG, vtnodecount);
1252
1253 (void) ioctl(daemonfd, VT_GETACTIVE, &active);
1254
1255 if (active == 1) {
1256 /*
1257 * This is for someone who restarts vtdaemon while vtdaemon
1258 * is doing authentication on /dev/vt/1.
1259 * A better way is to continue the authentication, but there
1260 * are chances that the status of the target VT has changed.
1261 * So we just clear the screen here.
1262 */
1263 (void) write(daemonfd, VT_CLEAR_SCREEN_STR,
1264 strlen(VT_CLEAR_SCREEN_STR));
1265 }
1266
1267 vt_serve_events();
1268 /*NOTREACHED*/
1269 }
Unleashed OS