X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/59e82a2a0e97f55f0e27323112116e01a06cb198..1d28cc061677bd07d9bed48dd84bd5c590247043:/src/src/child.c diff --git a/src/src/child.c b/src/src/child.c index 4a1a89887..359b791e8 100644 --- a/src/src/child.c +++ b/src/src/child.c @@ -1,11 +1,11 @@ -/* $Cambridge: exim/src/src/child.c,v 1.8 2006/02/07 14:05:17 ph10 Exp $ */ - /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2006 */ +/* Copyright (c) The Exim Maintainers 2020 - 2022 */ +/* Copyright (c) University of Cambridge 1995 - 2015 */ /* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ #include "exim.h" @@ -28,7 +28,7 @@ Arguments: Returns: nothing */ -static void +void force_fd(int oldfd, int newfd) { if (oldfd == newfd) return; @@ -74,24 +74,22 @@ child_exec_exim(int exec_type, BOOL kill_v, int *pcount, BOOL minimal, { int first_special = -1; int n = 0; -int extra = (pcount != NULL)? *pcount : 0; -uschar **argv = - store_get((extra + acount + MAX_CLMACROS + 16) * sizeof(char *)); +int extra = pcount ? *pcount : 0; +uschar **argv; + +argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTAINTED); /* In all case, the list starts out with the path, any macros, and a changed config file. */ -argv[n++] = exim_path; +argv[n++] = exim_path; /* assume untainted */ if (clmacro_count > 0) { memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *)); n += clmacro_count; } -if (config_changed) - { - argv[n++] = US"-C"; - argv[n++] = config_main_filename; - } +if (f.config_changed) + { argv[n++] = US"-C"; argv[n++] = config_main_filename; } /* These values are added only for non-minimal cases. If debug_selector is precisely D_v, we have to assume this was started by a non-admin user, and @@ -108,13 +106,35 @@ if (!minimal) else { if (debug_selector != 0) + { argv[n++] = string_sprintf("-d=0x%x", debug_selector); + if (debug_fd > 2) + { + int flags = fcntl(debug_fd, F_GETFD); + if (flags != -1) (void)fcntl(debug_fd, F_SETFD, flags & ~FD_CLOEXEC); + close(2); + dup2(debug_fd, 2); + close(debug_fd); + } + } } - if (dont_deliver) argv[n++] = US"-N"; - if (queue_smtp) argv[n++] = US"-odqs"; - if (synchronous_delivery) argv[n++] = US"-odi"; + if (debug_pretrigger_buf) + { argv[n++] = US"-dp"; argv[n++] = string_sprintf("0x%x", debug_pretrigger_bsize); } + if (dtrigger_selector != 0) + argv[n++] = string_sprintf("-dt=0x%x", dtrigger_selector); + DEBUG(D_any) + { + argv[n++] = US"-MCd"; + argv[n++] = US process_purpose; + } + if (!f.testsuite_delays) argv[n++] = US"-odd"; + if (f.dont_deliver) argv[n++] = US"-N"; + if (f.queue_smtp) argv[n++] = US"-odqs"; + if (f.synchronous_delivery) argv[n++] = US"-odi"; if (connection_max_messages >= 0) argv[n++] = string_sprintf("-oB%d", connection_max_messages); + if (*queue_name) + { argv[n++] = US"-MCG"; argv[n++] = queue_name; } } /* Now add in any others that are in the call. Remember which they were, @@ -135,7 +155,7 @@ if (acount > 0) argv[n] = NULL; if (exec_type == CEE_RETURN_ARGV) { - if (pcount != NULL) *pcount = n; + if (pcount) *pcount = n; return argv; } @@ -143,12 +163,12 @@ if (exec_type == CEE_RETURN_ARGV) failure. We know that there will always be at least one extra option in the call when exec() is done here, so it can be used to add to the panic data. */ -DEBUG(D_exec) debug_print_argv(argv); +DEBUG(D_exec) debug_print_argv(CUSS argv); exim_nullstd(); /* Make sure std{in,out,err} exist */ execv(CS argv[0], (char *const *)argv); log_write(0, - LOG_MAIN | ((exec_type == CEE_EXEC_EXIT)? LOG_PANIC : LOG_PANIC_DIE), + LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE), "re-exec of exim (%s) with %s failed: %s", exim_path, argv[first_special], strerror(errno)); @@ -174,12 +194,39 @@ the new process, and returns that to the caller via fdptr. The function returns the pid of the new process, or -1 if things go wrong. If debug_fd is non-negative, it is passed as stderr. +This interface is now a just wrapper for the more complicated function +child_open_exim2(), which has additional arguments. The wrapper must continue +to exist, even if all calls from within Exim are changed, because it is +documented for use from local_scan(). + Argument: fdptr pointer to int for the stdin fd + purpose of the child process, for debug +Returns: pid of the created process or -1 if anything has gone wrong +*/ + +pid_t +child_open_exim_function(int * fdptr, const uschar * purpose) +{ +return child_open_exim2_function(fdptr, US"<>", bounce_sender_authentication, + purpose); +} + + +/* This is a more complicated function for creating a child Exim process, with +more arguments. + +Arguments: + fdptr pointer to int for the stdin fd + sender for a sender address (data for -f) + sender_authentication authenticated sender address or NULL + purpose of the child process, for debug + Returns: pid of the created process or -1 if anything has gone wrong */ pid_t -child_open_exim(int *fdptr) +child_open_exim2_function(int * fdptr, uschar * sender, + uschar * sender_authentication, const uschar * purpose) { int pfd[2]; int save_errno; @@ -192,27 +239,47 @@ on the wait. */ if (pipe(pfd) != 0) return (pid_t)(-1); oldsignal = signal(SIGCHLD, SIG_DFL); -pid = fork(); +pid = exim_fork(purpose); /* Child process: make the reading end of the pipe into the standard input and close the writing end. If debugging, pass debug_fd as stderr. Then re-exec -Exim. Failure is signalled with EX_EXECFAILED, but this shouldn't occur! */ +Exim with appropriate options. In the test harness, use -odi unless queue_only +is set, so that the bounce is fully delivered before returning. Failure is +signalled with EX_EXECFAILED (specified by CEE_EXEC_EXIT), but this shouldn't +occur. */ if (pid == 0) { force_fd(pfd[pipe_read], 0); (void)close(pfd[pipe_write]); if (debug_fd > 0) force_fd(debug_fd, 2); - if (bounce_sender_authentication != NULL) - child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8, - US"-t", US"-oem", US"-oi", US"-f", US"<>", US"-oMas", - bounce_sender_authentication, message_id_option); - else - child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6, - US"-t", US"-oem", US"-oi", US"-f", US"<>", message_id_option); - /* Control does not return here. */ + if (f.running_in_test_harness && !queue_only) + { + if (sender_authentication) + child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9, + US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas", + sender_authentication, message_id_option); + else + child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 7, + US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, + message_id_option); + /* Control does not return here. */ + } + else /* Not test harness */ + { + if (sender_authentication) + child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8, + US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas", + sender_authentication, message_id_option); + else + child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6, + US"-t", US"-oem", US"-oi", US"-f", sender, message_id_option); + /* Control does not return here. */ + } } +testharness_pause_ms(100); /* let child work even longer, for exec */ + /* Parent process. Save fork() errno and close the reading end of the stdin pipe. */ @@ -233,7 +300,7 @@ if (pid > 0) errno = save_errno; return (pid_t)(-1); } -#endif +#endif /* STAND_ALONE */ @@ -263,18 +330,27 @@ Arguments: process is placed wd if not NULL, a path to be handed to chdir() in the new process make_leader if TRUE, make the new process a process group leader + purpose for debug: reason for running the task Returns: the pid of the created process or -1 if anything has gone wrong */ pid_t -child_open_uid(uschar **argv, uschar **envp, int newumask, uid_t *newuid, - gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd, BOOL make_leader) +child_open_uid(const uschar **argv, const uschar **envp, int newumask, + uid_t *newuid, gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd, + BOOL make_leader, const uschar * purpose) { int save_errno; int inpfd[2], outpfd[2]; pid_t pid; +if (is_tainted(argv[0])) + { + log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]); + errno = EPERM; + return (pid_t)(-1); + } + /* Create the pipes. */ if (pipe(inpfd) != 0) return (pid_t)(-1); @@ -290,7 +366,7 @@ that the child process can be waited for. We sometimes get here with it set otherwise. Save the old state for resetting on the wait. */ oldsignal = signal(SIGCHLD, SIG_DFL); -pid = fork(); +pid = exim_fork(purpose); /* Handle the child process. First, set the required environment. We must do this before messing with the pipes, in order to be able to write debugging @@ -299,15 +375,16 @@ output when things go wrong. */ if (pid == 0) { signal(SIGUSR1, SIG_IGN); + signal(SIGPIPE, SIG_DFL); - if (newgid != NULL && setgid(*newgid) < 0) + if (newgid && setgid(*newgid) < 0) { DEBUG(D_any) debug_printf("failed to set gid=%ld in subprocess: %s\n", (long int)(*newgid), strerror(errno)); goto CHILD_FAILED; } - if (newuid != NULL && setuid(*newuid) < 0) + if (newuid && setuid(*newuid) < 0) { DEBUG(D_any) debug_printf("failed to set uid=%ld in subprocess: %s\n", (long int)(*newuid), strerror(errno)); @@ -316,7 +393,7 @@ if (pid == 0) (void)umask(newumask); - if (wd != NULL && Uchdir(wd) < 0) + if (wd && Uchdir(wd) < 0) { DEBUG(D_any) debug_printf("failed to chdir to %s: %s\n", wd, strerror(errno)); @@ -346,8 +423,8 @@ if (pid == 0) /* Now do the exec */ - if (envp == NULL) execv(CS argv[0], (char *const *)argv); - else execve(CS argv[0], (char *const *)argv, (char *const *)envp); + if (envp) execve(CS argv[0], (char *const *)argv, (char *const *)envp); + else execv(CS argv[0], (char *const *)argv); /* Failed to execv. Signal this failure using EX_EXECFAILED. We are losing the actual errno we got back, because there is no way to return @@ -402,16 +479,17 @@ Arguments: outfdptr pointer to int into which the fd of the stdout/stderr of the new process is placed make_leader if TRUE, make the new process a process group leader + purpose for debug: reason for running the task Returns: the pid of the created process or -1 if anything has gone wrong */ pid_t -child_open(uschar **argv, uschar **envp, int newumask, int *infdptr, - int *outfdptr, BOOL make_leader) +child_open_function(uschar **argv, uschar **envp, int newumask, int *infdptr, + int *outfdptr, BOOL make_leader, const uschar * purpose) { -return child_open_uid(argv, envp, newumask, NULL, NULL, infdptr, outfdptr, - NULL, make_leader); +return child_open_uid(CUSS argv, CUSS envp, newumask, NULL, NULL, + infdptr, outfdptr, NULL, make_leader, purpose); } @@ -444,7 +522,7 @@ int yield; if (timeout > 0) { sigalrm_seen = FALSE; - alarm(timeout); + ALARM(timeout); } for(;;) @@ -454,18 +532,23 @@ for(;;) if (rc == pid) { int lowbyte = status & 255; - if (lowbyte == 0) yield = (status >> 8) & 255; - else yield = -lowbyte; + yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte; break; } if (rc < 0) { - yield = (errno == EINTR && sigalrm_seen)? -256 : -257; + /* This "shouldn't happen" test does happen on MacOS: for some reason + I do not understand we seems to get an alarm signal despite not having + an active alarm set. There seems to be only one, so just go round again. */ + + if (errno == EINTR && sigalrm_seen && timeout <= 0) continue; + + yield = (errno == EINTR && sigalrm_seen) ? -256 : -257; break; } } -if (timeout > 0) alarm(0); +if (timeout > 0) ALARM_CLR(0); signal(SIGCHLD, oldsignal); /* restore */ return yield;