-/* $Cambridge: exim/src/src/child.c,v 1.3 2005/01/04 10:00:42 ph10 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2005 */
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
#include "exim.h"
Returns: nothing
*/
-static void
+void
force_fd(int oldfd, int newfd)
{
if (oldfd == newfd) return;
-close(newfd);
-dup2(oldfd, newfd);
-close(oldfd);
+(void)close(newfd);
+(void)dup2(oldfd, newfd);
+(void)close(oldfd);
}
-
+#ifndef STAND_ALONE
/*************************************************
* Build argv list and optionally re-exec Exim *
*************************************************/
{
int first_special = -1;
int n = 0;
-int extra = (pcount != NULL)? *pcount : 0;
-uschar **argv =
- store_get((extra + acount + MAX_CLMACROS + 16) * sizeof(char *));
+int extra = pcount ? *pcount : 0;
+uschar **argv;
+
+argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTAINTED);
/* In all case, the list starts out with the path, any macros, and a changed
config file. */
-argv[n++] = exim_path;
+argv[n++] = exim_path; /* assume untainted */
if (clmacro_count > 0)
{
memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
n += clmacro_count;
}
-if (config_changed)
- {
- argv[n++] = US"-C";
- argv[n++] = config_main_filename;
- }
+if (f.config_changed)
+ { argv[n++] = US"-C"; argv[n++] = config_main_filename; }
/* These values are added only for non-minimal cases. If debug_selector is
precisely D_v, we have to assume this was started by a non-admin user, and
else
{
if (debug_selector != 0)
+ {
argv[n++] = string_sprintf("-d=0x%x", debug_selector);
+ if (debug_fd > 2)
+ {
+ int flags = fcntl(debug_fd, F_GETFD);
+ if (flags != -1) (void)fcntl(debug_fd, F_SETFD, flags & ~FD_CLOEXEC);
+ close(2);
+ dup2(debug_fd, 2);
+ close(debug_fd);
+ }
+ }
+ }
+ if (debug_pretrigger_buf)
+ { argv[n++] = US"-dp"; argv[n++] = string_sprintf("0x%x", debug_pretrigger_bsize); }
+ if (dtrigger_selector != 0)
+ argv[n++] = string_sprintf("-dt=0x%x", dtrigger_selector);
+ DEBUG(D_any)
+ {
+ argv[n++] = US"-MCd";
+ argv[n++] = US process_purpose;
}
- if (dont_deliver) argv[n++] = US"-N";
- if (queue_smtp) argv[n++] = US"-odqs";
- if (synchronous_delivery) argv[n++] = US"-odi";
+ if (!f.testsuite_delays) argv[n++] = US"-odd";
+ if (f.dont_deliver) argv[n++] = US"-N";
+ if (f.queue_smtp) argv[n++] = US"-odqs";
+ if (f.synchronous_delivery) argv[n++] = US"-odi";
if (connection_max_messages >= 0)
argv[n++] = string_sprintf("-oB%d", connection_max_messages);
+ if (*queue_name)
+ { argv[n++] = US"-MCG"; argv[n++] = queue_name; }
}
/* Now add in any others that are in the call. Remember which they were,
argv[n] = NULL;
if (exec_type == CEE_RETURN_ARGV)
{
- if (pcount != NULL) *pcount = n;
+ if (pcount) *pcount = n;
return argv;
}
failure. We know that there will always be at least one extra option in the
call when exec() is done here, so it can be used to add to the panic data. */
-DEBUG(D_exec) debug_print_argv(argv);
+DEBUG(D_exec) debug_print_argv(CUSS argv);
exim_nullstd(); /* Make sure std{in,out,err} exist */
execv(CS argv[0], (char *const *)argv);
log_write(0,
- LOG_MAIN | ((exec_type == CEE_EXEC_EXIT)? LOG_PANIC : LOG_PANIC_DIE),
+ LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
"re-exec of exim (%s) with %s failed: %s", exim_path, argv[first_special],
strerror(errno));
the pid of the new process, or -1 if things go wrong. If debug_fd is
non-negative, it is passed as stderr.
+This interface is now a just wrapper for the more complicated function
+child_open_exim2(), which has additional arguments. The wrapper must continue
+to exist, even if all calls from within Exim are changed, because it is
+documented for use from local_scan().
+
Argument: fdptr pointer to int for the stdin fd
+ purpose of the child process, for debug
+Returns: pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_exim_function(int * fdptr, const uschar * purpose)
+{
+return child_open_exim2_function(fdptr, US"<>", bounce_sender_authentication,
+ purpose);
+}
+
+
+/* This is a more complicated function for creating a child Exim process, with
+more arguments.
+
+Arguments:
+ fdptr pointer to int for the stdin fd
+ sender for a sender address (data for -f)
+ sender_authentication authenticated sender address or NULL
+ purpose of the child process, for debug
+
Returns: pid of the created process or -1 if anything has gone wrong
*/
pid_t
-child_open_exim(int *fdptr)
+child_open_exim2_function(int * fdptr, uschar * sender,
+ uschar * sender_authentication, const uschar * purpose)
{
int pfd[2];
int save_errno;
if (pipe(pfd) != 0) return (pid_t)(-1);
oldsignal = signal(SIGCHLD, SIG_DFL);
-pid = fork();
+pid = exim_fork(purpose);
/* Child process: make the reading end of the pipe into the standard input and
close the writing end. If debugging, pass debug_fd as stderr. Then re-exec
-Exim. Failure is signalled with EX_EXECFAILED, but this shouldn't occur! */
+Exim with appropriate options. In the test harness, use -odi unless queue_only
+is set, so that the bounce is fully delivered before returning. Failure is
+signalled with EX_EXECFAILED (specified by CEE_EXEC_EXIT), but this shouldn't
+occur. */
if (pid == 0)
{
force_fd(pfd[pipe_read], 0);
- close(pfd[pipe_write]);
+ (void)close(pfd[pipe_write]);
if (debug_fd > 0) force_fd(debug_fd, 2);
- if (bounce_sender_authentication != NULL)
- child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
- US"-t", US"-oem", US"-oi", US"-f", US"<>", US"-oMas",
- bounce_sender_authentication, message_id_option);
- else
- child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
- US"-t", US"-oem", US"-oi", US"-f", US"<>", message_id_option);
- /* Control does not return here. */
+ if (f.running_in_test_harness && !queue_only)
+ {
+ if (sender_authentication)
+ child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9,
+ US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+ sender_authentication, message_id_option);
+ else
+ child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 7,
+ US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender,
+ message_id_option);
+ /* Control does not return here. */
+ }
+ else /* Not test harness */
+ {
+ if (sender_authentication)
+ child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
+ US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+ sender_authentication, message_id_option);
+ else
+ child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
+ US"-t", US"-oem", US"-oi", US"-f", sender, message_id_option);
+ /* Control does not return here. */
+ }
}
+testharness_pause_ms(100); /* let child work even longer, for exec */
+
/* Parent process. Save fork() errno and close the reading end of the stdin
pipe. */
save_errno = errno;
-close(pfd[pipe_read]);
+(void)close(pfd[pipe_read]);
/* Fork succeeded */
/* Fork failed */
-close(pfd[pipe_write]);
+(void)close(pfd[pipe_write]);
errno = save_errno;
return (pid_t)(-1);
}
-
+#endif /* STAND_ALONE */
process is placed
wd if not NULL, a path to be handed to chdir() in the new process
make_leader if TRUE, make the new process a process group leader
-
+ purpose for debug: reason for running the task
+
Returns: the pid of the created process or -1 if anything has gone wrong
*/
pid_t
-child_open_uid(uschar **argv, uschar **envp, int newumask, uid_t *newuid,
- gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd, BOOL make_leader)
+child_open_uid(const uschar **argv, const uschar **envp, int newumask,
+ uid_t *newuid, gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd,
+ BOOL make_leader, const uschar * purpose)
{
int save_errno;
int inpfd[2], outpfd[2];
pid_t pid;
+if (is_tainted(argv[0]))
+ {
+ log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]);
+ errno = EPERM;
+ return (pid_t)(-1);
+ }
+
/* Create the pipes. */
if (pipe(inpfd) != 0) return (pid_t)(-1);
if (pipe(outpfd) != 0)
{
- close(inpfd[pipe_read]);
- close(inpfd[pipe_write]);
+ (void)close(inpfd[pipe_read]);
+ (void)close(inpfd[pipe_write]);
return (pid_t)(-1);
}
otherwise. Save the old state for resetting on the wait. */
oldsignal = signal(SIGCHLD, SIG_DFL);
-pid = fork();
+pid = exim_fork(purpose);
-/* The child process becomes a process group leader if requested, and then
-organizes the pipes. Any unexpected failure is signalled with EX_EXECFAILED;
-these are all "should never occur" failures, except perhaps for exec failing
-because the command doesn't exist. */
+/* Handle the child process. First, set the required environment. We must do
+this before messing with the pipes, in order to be able to write debugging
+output when things go wrong. */
if (pid == 0)
{
- if (make_leader && setpgid(0,0) < 0) goto CHILD_FAILED;
+ signal(SIGUSR1, SIG_IGN);
+ signal(SIGPIPE, SIG_DFL);
- close(inpfd[pipe_write]);
- force_fd(inpfd[pipe_read], 0);
+ if (newgid && setgid(*newgid) < 0)
+ {
+ DEBUG(D_any) debug_printf("failed to set gid=%ld in subprocess: %s\n",
+ (long int)(*newgid), strerror(errno));
+ goto CHILD_FAILED;
+ }
- close(outpfd[pipe_read]);
- force_fd(outpfd[pipe_write], 1);
+ if (newuid && setuid(*newuid) < 0)
+ {
+ DEBUG(D_any) debug_printf("failed to set uid=%ld in subprocess: %s\n",
+ (long int)(*newuid), strerror(errno));
+ goto CHILD_FAILED;
+ }
- close(2);
- dup2(1, 2);
+ (void)umask(newumask);
- /* Set the required environment. */
+ if (wd && Uchdir(wd) < 0)
+ {
+ DEBUG(D_any) debug_printf("failed to chdir to %s: %s\n", wd,
+ strerror(errno));
+ goto CHILD_FAILED;
+ }
- signal(SIGUSR1, SIG_IGN);
- if (newgid != NULL && setgid(*newgid) < 0) goto CHILD_FAILED;
- if (newuid != NULL && setuid(*newuid) < 0) goto CHILD_FAILED;
- (void)umask(newumask);
+ /* Becomes a process group leader if requested, and then organize the pipes.
+ Any unexpected failure is signalled with EX_EXECFAILED; these are all "should
+ never occur" failures, except for exec failing because the command doesn't
+ exist. */
+
+ if (make_leader && setpgid(0,0) < 0)
+ {
+ DEBUG(D_any) debug_printf("failed to set group leader in subprocess: %s\n",
+ strerror(errno));
+ goto CHILD_FAILED;
+ }
+
+ (void)close(inpfd[pipe_write]);
+ force_fd(inpfd[pipe_read], 0);
- /* Set the working directory if required */
+ (void)close(outpfd[pipe_read]);
+ force_fd(outpfd[pipe_write], 1);
- if (wd != NULL && Uchdir(wd) < 0) goto CHILD_FAILED;
+ (void)close(2);
+ (void)dup2(1, 2);
/* Now do the exec */
- if (envp == NULL) execv(CS argv[0], (char *const *)argv);
- else execve(CS argv[0], (char *const *)argv, (char *const *)envp);
+ if (envp) execve(CS argv[0], (char *const *)argv, (char *const *)envp);
+ else execv(CS argv[0], (char *const *)argv);
/* Failed to execv. Signal this failure using EX_EXECFAILED. We are
losing the actual errno we got back, because there is no way to return
- this. */
+ this information. */
CHILD_FAILED:
_exit(EX_EXECFAILED); /* Note: must be _exit(), NOT exit() */
stdin pipe, and the writing end of the stdout pipe. */
save_errno = errno;
-close(inpfd[pipe_read]);
-close(outpfd[pipe_write]);
+(void)close(inpfd[pipe_read]);
+(void)close(outpfd[pipe_write]);
/* Fork succeeded; return the input/output pipes and the pid */
/* Fork failed; reset fork errno before returning */
-close(inpfd[pipe_write]);
-close(outpfd[pipe_read]);
+(void)close(inpfd[pipe_write]);
+(void)close(outpfd[pipe_read]);
errno = save_errno;
return (pid_t)(-1);
}
outfdptr pointer to int into which the fd of the stdout/stderr of the new
process is placed
make_leader if TRUE, make the new process a process group leader
+ purpose for debug: reason for running the task
Returns: the pid of the created process or -1 if anything has gone wrong
*/
pid_t
-child_open(uschar **argv, uschar **envp, int newumask, int *infdptr,
- int *outfdptr, BOOL make_leader)
+child_open_function(uschar **argv, uschar **envp, int newumask, int *infdptr,
+ int *outfdptr, BOOL make_leader, const uschar * purpose)
{
-return child_open_uid(argv, envp, newumask, NULL, NULL, infdptr, outfdptr,
- NULL, make_leader);
+return child_open_uid(CUSS argv, CUSS envp, newumask, NULL, NULL,
+ infdptr, outfdptr, NULL, make_leader, purpose);
}
if (timeout > 0)
{
sigalrm_seen = FALSE;
- alarm(timeout);
+ ALARM(timeout);
}
for(;;)
if (rc == pid)
{
int lowbyte = status & 255;
- if (lowbyte == 0) yield = (status >> 8) & 255;
- else yield = -lowbyte;
+ yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte;
break;
}
if (rc < 0)
{
- yield = (errno == EINTR && sigalrm_seen)? -256 : -257;
+ /* This "shouldn't happen" test does happen on MacOS: for some reason
+ I do not understand we seems to get an alarm signal despite not having
+ an active alarm set. There seems to be only one, so just go round again. */
+
+ if (errno == EINTR && sigalrm_seen && timeout <= 0) continue;
+
+ yield = (errno == EINTR && sigalrm_seen) ? -256 : -257;
break;
}
}
-if (timeout > 0) alarm(0);
+if (timeout > 0) ALARM_CLR(0);
signal(SIGCHLD, oldsignal); /* restore */
return yield;
git://git.exim.org / exim.git / blobdiff