X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/73ec116f6e17189e5a8b284ec9a4433a581adefc..5fd673807d3cbe09b68c7e2631184d929905949b:/src/src/daemon.c diff --git a/src/src/daemon.c b/src/src/daemon.c index 1ef28a156..7decc7223 100644 --- a/src/src/daemon.c +++ b/src/src/daemon.c @@ -3,6 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim Maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with running Exim as a daemon */ @@ -31,6 +32,7 @@ static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL }; static SIGNAL_BOOL sigchld_seen; static SIGNAL_BOOL sighup_seen; +static SIGNAL_BOOL sigterm_seen; static int accept_retry_count = 0; static int accept_retry_errno; @@ -57,7 +59,6 @@ Returns: nothing static void sighup_handler(int sig) { -sig = sig; /* Keep picky compilers happy */ sighup_seen = TRUE; signal(SIGHUP, sighup_handler); } @@ -81,12 +82,21 @@ Returns: nothing static void main_sigchld_handler(int sig) { -sig = sig; /* Keep picky compilers happy */ os_non_restarting_signal(SIGCHLD, SIG_DFL); sigchld_seen = TRUE; } +/* SIGTERM handler. Try to get the damon pif file removed +before exiting. */ + +static void +main_sigterm_handler(int sig) +{ +sigterm_seen = TRUE; +} + + /************************************************* @@ -115,6 +125,37 @@ if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg); +/************************************************* +*************************************************/ + +#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS +static void +unlink_notifier_socket(void) +{ +uschar * s = expand_string(notifier_socket); +DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s); +Uunlink(s); +} +#endif + + +static void +close_daemon_sockets(int daemon_notifier_fd, + int * listen_sockets, int listen_socket_count) +{ +if (daemon_notifier_fd >= 0) + { + (void) close(daemon_notifier_fd); + daemon_notifier_fd = -1; +#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS + unlink_notifier_socket(); +#endif + } + +for (int i = 0; i < listen_socket_count; i++) (void) close(listen_sockets[i]); +} + + /************************************************* * Handle a connected SMTP call * *************************************************/ @@ -254,10 +295,10 @@ to provide host-specific limits according to $sender_host address, but because this is in the daemon mainline, only fast expansions (such as inline address checks) should be used. The documentation is full of warnings. */ -if (smtp_accept_max_per_host != NULL) +if (smtp_accept_max_per_host) { uschar *expanded = expand_string(smtp_accept_max_per_host); - if (expanded == NULL) + if (!expanded) { if (!f.expand_string_forcedfail) log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host " @@ -269,7 +310,7 @@ if (smtp_accept_max_per_host != NULL) uschar *s = expanded; while (isdigit(*s)) max_for_this_host = max_for_this_host * 10 + *s++ - '0'; - if (*s != 0) + if (*s) log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host " "for %s contains non-digit: %s", whofrom->s, expanded); } @@ -279,8 +320,7 @@ if (smtp_accept_max_per_host != NULL) per host_address checks. Note that at this stage smtp_accept_count contains the count of *other* connections, not including this one. */ -if ((max_for_this_host > 0) && - (smtp_accept_count >= max_for_this_host)) +if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host) { int host_accept_count = 0; int other_host_count = 0; /* keep a count of non matches to optimise */ @@ -297,8 +337,8 @@ if ((max_for_this_host > 0) && early, either by hitting the target, or finding there are not enough connections left to make the target. */ - if ((host_accept_count >= max_for_this_host) || - ((smtp_accept_count - other_host_count) < max_for_this_host)) + if ( host_accept_count >= max_for_this_host + || smtp_accept_count - other_host_count < max_for_this_host) break; } @@ -312,6 +352,7 @@ if ((max_for_this_host > 0) && log_write(L_connection_reject, LOG_MAIN, "Connection from %s refused: too many connections " "from that IP address", whofrom->s); + search_tidyup(); goto ERROR_RETURN; } } @@ -344,13 +385,12 @@ if (LOGGING(smtp_connection)) expansion above did a lookup. */ search_tidyup(); -pid = fork(); +pid = exim_fork(US"daemon-accept"); /* Handle the child process */ if (pid == 0) { - int i; int queue_only_reason = 0; int old_pool = store_pool; int save_debug_selector = debug_selector; @@ -413,7 +453,7 @@ if (pid == 0) extensive comment before the reception loop in exim.c for a fuller explanation of this logic. */ - for (i = 0; i < listen_socket_count; i++) (void)close(listen_sockets[i]); + close_daemon_sockets(daemon_notifier_fd, listen_sockets, listen_socket_count); /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes to be able to communicate with them, under any circumstances. */ @@ -422,14 +462,16 @@ if (pid == 0) (void)fcntl(dup_accept_socket, F_SETFD, fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC); - #ifdef SA_NOCLDWAIT +#ifdef SA_NOCLDWAIT act.sa_handler = SIG_IGN; sigemptyset(&(act.sa_mask)); act.sa_flags = SA_NOCLDWAIT; sigaction(SIGCHLD, &act, NULL); - #else +#else signal(SIGCHLD, SIG_IGN); - #endif +#endif + signal(SIGTERM, SIG_DFL); + signal(SIGINT, SIG_DFL); /* Attempt to get an id from the sending machine via the RFC 1413 protocol. We do this in the sub-process in order not to hold up the @@ -513,7 +555,7 @@ if (pid == 0) } if (message_id[0] == 0) continue; /* No message was accepted */ } - else + else /* bad smtp_setup_msg() */ { if (smtp_out) { @@ -628,19 +670,20 @@ if (pid == 0) If we are not root, we have to re-exec exim unless deliveries are being done unprivileged. */ - else if (!f.queue_only_policy && !f.deliver_freeze) + else if ( (!f.queue_only_policy || f.queue_smtp) + && !f.deliver_freeze) { pid_t dpid; - /* Before forking, ensure that the C output buffer is flushed. Otherwise - anything that it in it will get duplicated, leading to duplicate copies - of the pending output. */ + /* We used to flush smtp_out before forking so that buffered data was not + duplicated, but now we want to pipeline the responses for data and quit. + Instead, hard-close the fd underlying smtp_out right after fork to discard + the data buffer. */ - mac_smtp_fflush(); - - if ((dpid = fork()) == 0) + if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0) { (void)fclose(smtp_in); + (void)close(fileno(smtp_out)); (void)fclose(smtp_out); /* Don't ever molest the parent's SSL connection, but do clean up @@ -654,6 +697,8 @@ if (pid == 0) signal(SIGHUP, SIG_DFL); signal(SIGCHLD, SIG_DFL); + signal(SIGTERM, SIG_DFL); + signal(SIGINT, SIG_DFL); if (geteuid() != root_uid && !deliver_drop_privilege) { @@ -887,6 +932,378 @@ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) } +static void +set_pid_file_path(void) +{ +if (override_pid_file_path) + pid_file_path = override_pid_file_path; + +if (!*pid_file_path) + pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory); + +if (pid_file_path[0] != '/') + log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path); +} + + +enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE }; + +/* Do various pid file operations as safe as possible. Ideally we'd just +drop the privileges for creation of the pid file and not care at all about removal of +the file. FIXME. +Returns: true on success, false + errno==EACCES otherwise +*/ + +static BOOL +operate_on_pid_file(const enum pid_op operation, const pid_t pid) +{ +char pid_line[sizeof(int) * 3 + 2]; +const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid); +BOOL lines_match = FALSE; +uschar * path, * base, * dir; + +const int dir_flags = O_RDONLY | O_NONBLOCK; +const int base_flags = O_NOFOLLOW | O_NONBLOCK; +const mode_t base_mode = 0644; +struct stat sb; +int cwd_fd, dir_fd, base_fd; +BOOL success = FALSE; +errno = EACCES; + +set_pid_file_path(); +if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup; +if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup; + +path = string_copy(pid_file_path); +if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */ + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path); + +dir = base != path ? path : US"/"; +*base++ = '\0'; + +if (!dir || !*dir || *dir != '/') goto cleanup; +if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup; + +cwd_fd = open(".", dir_flags); +if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup; +dir_fd = open(CS dir, dir_flags); +if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup; + +/* emulate openat */ +if (fchdir(dir_fd) != 0) goto cleanup; +base_fd = open(CS base, O_RDONLY | base_flags); +if (fchdir(cwd_fd) != 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno)); + +if (base_fd >= 0) + { + char line[sizeof(pid_line)]; + ssize_t len = -1; + + if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup; + if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup; + if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup; + + len = read(base_fd, line, sizeof(line)); + if (len != (ssize_t)sb.st_size) goto cleanup; + line[len] = '\0'; + + if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup; + if (line[len-1] != '\n') goto cleanup; + lines_match = len == pid_len && strcmp(line, pid_line) == 0; + } + +if (operation == PID_WRITE) + { + if (!lines_match) + { + if (base_fd >= 0) + { + int error = -1; + /* emulate unlinkat */ + if (fchdir(dir_fd) != 0) goto cleanup; + error = unlink(CS base); + if (fchdir(cwd_fd) != 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno)); + if (error) goto cleanup; + (void)close(base_fd); + base_fd = -1; + } + /* emulate openat */ + if (fchdir(dir_fd) != 0) goto cleanup; + base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode); + if (fchdir(cwd_fd) != 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno)); + if (base_fd < 0) goto cleanup; + if (fchmod(base_fd, base_mode) != 0) goto cleanup; + if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup; + DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path); + } + } +else + { + if (!lines_match) goto cleanup; + if (operation == PID_DELETE) + { + int error = -1; + /* emulate unlinkat */ + if (fchdir(dir_fd) != 0) goto cleanup; + error = unlink(CS base); + if (fchdir(cwd_fd) != 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno)); + if (error) goto cleanup; + } + } + +success = TRUE; +errno = 0; + +cleanup: +if (cwd_fd >= 0) (void)close(cwd_fd); +if (dir_fd >= 0) (void)close(dir_fd); +if (base_fd >= 0) (void)close(base_fd); +return success; +} + + +/* Remove the daemon's pidfile. Note: runs with root privilege, +as a direct child of the daemon. Does not return. */ + +void +delete_pid_file(void) +{ +const BOOL success = operate_on_pid_file(PID_DELETE, getppid()); + +DEBUG(D_any) + debug_printf("delete pid file %s %s: %s\n", pid_file_path, + success ? "success" : "failure", strerror(errno)); + +exim_exit(EXIT_SUCCESS); +} + + +/* Called by the daemon; exec a child to get the pid file deleted +since we may require privs for the containing directory */ + +static void +daemon_die(void) +{ +int pid; + +DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n"); +#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)) +tls_watch_invalidate(); +#endif + +if (daemon_notifier_fd >= 0) + { + close(daemon_notifier_fd); + daemon_notifier_fd = -1; +#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS + unlink_notifier_socket(); +#endif + } + +if (f.running_in_test_harness || write_pid) + { + if ((pid = exim_fork(US"daemon-del-pidfile")) == 0) + { + if (override_pid_file_path) + (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3, + "-oP", override_pid_file_path, "-oPX"); + else + (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX"); + + /* Control never returns here. */ + } + if (pid > 0) + child_close(pid, 1); + } +exim_exit(EXIT_SUCCESS); +} + + +/************************************************* +* Listener socket for local work prompts * +*************************************************/ + +static void +daemon_notifier_socket(void) +{ +int fd; +const uschar * where; +struct sockaddr_un sa_un = {.sun_family = AF_UNIX}; +int len; + +if (!notifier_socket || !*notifier_socket) + { + DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n"); + return; + } +if (override_local_interfaces && !override_pid_file_path) + { + DEBUG(D_any) + debug_printf("-oX used without -oP so not creating notifier socket\n"); + return; + } + +DEBUG(D_any) debug_printf("creating notifier socket\n"); + +#ifdef SOCK_CLOEXEC +if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) + { where = US"socket"; goto bad; } +#else +if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0) + { where = US"socket"; goto bad; } +(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); +#endif + +#ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS +sa_un.sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */ +len = offsetof(struct sockaddr_un, sun_path) + 1 + + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s", + expand_string(notifier_socket)); +DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1); +#else /* filesystem-visible and persistent; will neeed removal */ +len = offsetof(struct sockaddr_un, sun_path) + + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s", + expand_string(notifier_socket)); +DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path); +#endif + +if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0) + { where = US"bind"; goto bad; } + +#ifdef SO_PASSCRED /* Linux */ +if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0) + { where = US"SO_PASSCRED"; goto bad2; } +#elif defined(LOCAL_CREDS) /* FreeBSD-ish */ +if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0) + { where = US"LOCAL_CREDS"; goto bad2; } +#endif + +/* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */ +daemon_notifier_fd = fd; +return; + +bad2: +#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS + Uunlink(sa_un.sun_path); +#endif +bad: + log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s", + __FUNCTION__, where, strerror(errno)); + close(fd); + return; +} + + +static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1]; + +/* Return TRUE if a sigalrm should be emulated */ +static BOOL +daemon_notification(void) +{ +uschar buf[256], cbuf[256]; +struct sockaddr_un sa_un; +struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1}; +struct msghdr msg = { .msg_name = &sa_un, + .msg_namelen = sizeof(sa_un), + .msg_iov = &iov, + .msg_iovlen = 1, + .msg_control = cbuf, + .msg_controllen = sizeof(cbuf) + }; +ssize_t sz; + +buf[sizeof(buf)-1] = 0; +if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE; +if (sz >= sizeof(buf)) return FALSE; + +#ifdef notdef +debug_printf("addrlen %d\n", msg.msg_namelen); +#endif +DEBUG(D_queue_run) debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__, + *sa_un.sun_path ? "" : "@", + (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1), + sa_un.sun_path + (*sa_un.sun_path ? 0 : 1)); + +/* Refuse to handle the item unless the peer has good credentials */ +#ifdef SCM_CREDENTIALS +# define EXIM_SCM_CR_TYPE SCM_CREDENTIALS +#elif defined(LOCAL_CREDS) && defined(SCM_CREDS) +# define EXIM_SCM_CR_TYPE SCM_CREDS +#else + /* The OS has no way to get the creds of the caller (for a unix/datagram socket. + Punt; don't try to check. */ +#endif + +#ifdef EXIM_SCM_CR_TYPE +for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg); + cp; + cp = CMSG_NXTHDR(&msg, cp)) + if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE) + { +# ifdef SCM_CREDENTIALS /* Linux */ + struct ucred * cr = (struct ucred *) CMSG_DATA(cp); + if (cr->uid && cr->uid != exim_uid) + { + DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n", + __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid); + return FALSE; + } +# elif defined(LOCAL_CREDS) /* BSD-ish */ + struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp); + if (cr->sc_uid && cr->sc_uid != exim_uid) + { + DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n", + __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid); + return FALSE; + } +# endif + break; + } +#endif + +buf[sz] = 0; +switch (buf[0]) + { +#ifndef DISABLE_QUEUE_RAMP + case NOTIFY_MSG_QRUN: + /* this should be a message_id */ + DEBUG(D_queue_run) + debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1); + memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1); + return TRUE; +#endif + + case NOTIFY_QUEUE_SIZE_REQ: + { + uschar buf[16]; + int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached()); + + DEBUG(D_queue_run) + debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf); + + if (sendto(daemon_notifier_fd, buf, len, 0, + (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0) + log_write(0, LOG_MAIN|LOG_PANIC, + "%s: sendto: %s\n", __FUNCTION__, strerror(errno)); + return FALSE; + } + } +return FALSE; +} + + + + +static void +add_listener_socket(int fd, fd_set * fds, int * fd_max) +{ +FD_SET(fd, fds); +if (fd > *fd_max) *fd_max = fd; +} /************************************************* * Exim Daemon Mainline * @@ -914,18 +1331,22 @@ There are no arguments to this function, and it never returns. */ void daemon_go(void) { -struct passwd *pw; -int *listen_sockets = NULL; -int listen_socket_count = 0; -ip_address_item *addresses = NULL; +struct passwd * pw; +int * listen_sockets = NULL; +int listen_socket_count = 0, listen_fd_max = 0; +fd_set select_listen; +ip_address_item * addresses = NULL; time_t last_connection_time = (time_t)0; int local_queue_run_max = atoi(CS expand_string(queue_run_max)); +process_purpose = US"daemon"; + /* If any debugging options are set, turn on the D_pid bit so that all debugging lines get the pid added. */ DEBUG(D_any|D_v) debug_selector |= D_pid; +FD_ZERO(&select_listen); if (f.inetd_wait_mode) { listen_socket_count = 1; @@ -962,6 +1383,9 @@ if (f.inetd_wait_mode) if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on))) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s", strerror(errno)); + + FD_SET(3, &select_listen); + listen_fd_max = 3; } @@ -972,11 +1396,11 @@ if (f.inetd_wait_mode || f.daemon_listen) for those OS for which this is necessary the first time it is called (in order to perform an "open" on the kernel memory file). */ - #ifdef LOAD_AVG_NEEDS_ROOT +#ifdef LOAD_AVG_NEEDS_ROOT if (queue_only_load >= 0 || smtp_load_reserve >= 0 || (deliver_queue_load_max >= 0 && deliver_drop_privilege)) (void)os_getloadavg(); - #endif +#endif } @@ -1068,19 +1492,14 @@ if (f.daemon_listen && !f.inetd_wait_mode) gstring * new_smtp_port = NULL; gstring * new_local_interfaces = NULL; - if (override_pid_file_path == NULL) write_pid = FALSE; + if (!override_pid_file_path) write_pid = FALSE; list = override_local_interfaces; sep = 0; - while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) + while ((s = string_nextinlist(&list, &sep, NULL, 0))) { uschar joinstr[4]; - gstring ** gp; - - if (Ustrpbrk(s, ".:") == NULL) - gp = &new_smtp_port; - else - gp = &new_local_interfaces; + gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port; if (!*gp) { @@ -1115,13 +1534,13 @@ if (f.daemon_listen && !f.inetd_wait_mode) list = daemon_smtp_port; sep = 0; - while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) + while ((s = string_nextinlist(&list, &sep, NULL, 0))) pct++; default_smtp_port = store_get((pct+1) * sizeof(int), FALSE); list = daemon_smtp_port; sep = 0; for (pct = 0; - (s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)); + (s = string_nextinlist(&list, &sep, NULL, 0)); pct++) { if (isdigit(*s)) @@ -1145,6 +1564,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) list = tls_in.on_connect_ports; sep = 0; + /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */ while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) if (!isdigit(*s)) { @@ -1327,7 +1747,7 @@ if (f.background_daemon) if (getppid() != 1) { - pid_t pid = fork(); + pid_t pid = exim_fork(US"daemon"); if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork() failed when starting daemon: %s", strerror(errno)); if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */ @@ -1338,6 +1758,8 @@ if (f.background_daemon) /* We are now in the disconnected, daemon process (unless debugging). Set up the listening sockets if required. */ +daemon_notifier_socket(); + if (f.daemon_listen && !f.inetd_wait_mode) { int sk; @@ -1352,8 +1774,8 @@ if (f.daemon_listen && !f.inetd_wait_mode) for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++) { BOOL wildcard; - ip_address_item *ipa2; - int af; + ip_address_item * ipa2; + int fd, af; if (Ustrchr(ipa->address, ':') != NULL) { @@ -1366,7 +1788,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) wildcard = ipa->address[0] == 0; } - if ((listen_sockets[sk] = ip_socket(SOCK_STREAM, af)) < 0) + if ((listen_sockets[sk] = fd = ip_socket(SOCK_STREAM, af)) < 0) { if (check_special_case(0, addresses, ipa, FALSE)) { @@ -1384,7 +1806,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) #ifdef IPV6_V6ONLY if (af == AF_INET6 && wildcard && - setsockopt(listen_sockets[sk], IPPROTO_IPV6, IPV6_V6ONLY, CS (&on), + setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, CS (&on), sizeof(on)) < 0) log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard " "socket failed (%s): carrying on without it", strerror(errno)); @@ -1394,7 +1816,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) is being handled. Without this, a connection will prevent reuse of the smtp port for listening. */ - if (setsockopt(listen_sockets[sk], SOL_SOCKET, SO_REUSEADDR, + if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, US (&on), sizeof(on)) < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket " "failed when starting daemon: %s", strerror(errno)); @@ -1402,7 +1824,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to disable this because it breaks some broken clients. */ - if (tcp_nodelay) setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_NODELAY, + if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, US (&on), sizeof(on)); /* Now bind the socket to the required port; if Exim is being restarted @@ -1421,12 +1843,12 @@ if (f.daemon_listen && !f.inetd_wait_mode) for(;;) { uschar *msg, *addr; - if (ip_bind(listen_sockets[sk], af, ipa->address, ipa->port) >= 0) break; + if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break; if (check_special_case(errno, addresses, ipa, TRUE)) { DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 " "listen() success; EADDRINUSE ignored\n"); - (void)close(listen_sockets[sk]); + (void)close(fd); goto SKIP_SOCKET; } msg = US strerror(errno); @@ -1454,30 +1876,31 @@ if (f.daemon_listen && !f.inetd_wait_mode) else debug_printf("listening on %s port %d\n", ipa->address, ipa->port); + /* Start listening on the bound socket, establishing the maximum backlog of + connections that is allowed. On success, add to the set of sockets for select + and continue to the next address. */ + #if defined(TCP_FASTOPEN) && !defined(__APPLE__) if ( f.tcp_fastopen_ok - && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN, + && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &smtp_connect_backlog, sizeof(smtp_connect_backlog))) { DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno)); f.tcp_fastopen_ok = FALSE; } #endif - - /* Start listening on the bound socket, establishing the maximum backlog of - connections that is allowed. On success, continue to the next address. */ - - if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0) + if (listen(fd, smtp_connect_backlog) >= 0) { #if defined(TCP_FASTOPEN) && defined(__APPLE__) if ( f.tcp_fastopen_ok - && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN, - &on, sizeof(on))) + && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on))) { DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno)); f.tcp_fastopen_ok = FALSE; } #endif + + add_listener_socket(fd, &select_listen, &listen_fd_max); continue; } @@ -1495,7 +1918,7 @@ if (f.daemon_listen && !f.inetd_wait_mode) DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 " "listen() success; EADDRINUSE ignored\n"); - (void)close(listen_sockets[sk]); + (void)close(fd); /* Come here if there has been a problem with the socket which we are going to ignore. We remove the address from the chain, and back up the @@ -1536,25 +1959,23 @@ The variable daemon_write_pid is used to control this. */ if (f.running_in_test_harness || write_pid) { - FILE *f; + const enum pid_op operation = (f.running_in_test_harness + || real_uid == root_uid + || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK; + if (!operate_on_pid_file(operation, getpid())) + DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno)); + } - if (override_pid_file_path) - pid_file_path = override_pid_file_path; +/* Add ancillary sockets to the set for select */ - if (pid_file_path[0] == 0) - pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory); +#ifndef DISABLE_TLS +if (tls_watch_fd >= 0) + add_listener_socket(tls_watch_fd, &select_listen, &listen_fd_max); +#endif +if (daemon_notifier_fd >= 0) + add_listener_socket(daemon_notifier_fd, &select_listen, &listen_fd_max); - if ((f = modefopen(pid_file_path, "wb", 0644))) - { - (void)fprintf(f, "%d\n", (int)getpid()); - (void)fclose(f); - DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path); - } - else - DEBUG(D_any) - debug_printf("%s\n", string_open_failed(errno, "pid file %s", - pid_file_path)); - } +listen_fd_max++; /* Set up the handler for SIGHUP, which causes a restart of the daemon. */ @@ -1586,11 +2007,16 @@ if (queue_interval > 0 && local_queue_run_max > 0) for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0; } -/* Set up the handler for termination of child processes. */ +/* Set up the handler for termination of child processes, and the one +telling us to die. */ sigchld_seen = FALSE; os_non_restarting_signal(SIGCHLD, main_sigchld_handler); +sigterm_seen = FALSE; +os_non_restarting_signal(SIGTERM, main_sigterm_handler); +os_non_restarting_signal(SIGINT, main_sigterm_handler); + /* If we are to run the queue periodically, pretend the alarm has just gone off. This will cause the first queue-runner to get kicked off straight away. */ @@ -1614,7 +2040,7 @@ if (f.inetd_wait_mode) set_process_info("daemon(%s): pre-listening socket", version_string); /* set up the timeout logic */ - sigalrm_seen = 1; + sigalrm_seen = TRUE; } else if (f.daemon_listen) @@ -1624,7 +2050,8 @@ else if (f.daemon_listen) ip_address_item * ipa; uschar * p; uschar * qinfo = queue_interval > 0 - ? string_sprintf("-q%s", readconf_printtime(queue_interval)) + ? string_sprintf("-q%s%s", + f.queue_2stage ? "q" : "", readconf_printtime(queue_interval)) : US"no queue runs"; /* Build a list of listening addresses in big_buffer, but limit it to 10 @@ -1740,6 +2167,20 @@ else (eg: compile regex) */ dns_pattern_init(); +smtp_deliver_init(); /* Used for callouts */ + +#ifndef DISABLE_DKIM + { +# ifdef MEASURE_TIMING + struct timeval t0; + gettimeofday(&t0, NULL); +# endif + dkim_exim_init(); +# ifdef MEASURE_TIMING + report_time_since(&t0, US"dkim_exim_init (delta)"); +# endif + } +#endif #ifdef WITH_CONTENT_SCAN malware_init(); @@ -1747,6 +2188,9 @@ malware_init(); #ifdef SUPPORT_SPF spf_init(); #endif +#ifndef DISABLE_TLS +tls_daemon_init(); +#endif /* Close the log so it can be renamed and moved. In the few cases below where this long-running process writes to the log (always exceptional conditions), it @@ -1760,6 +2204,10 @@ DEBUG(D_any) debug_print_ids(US"daemon running with"); smtp_input = TRUE; +#ifdef MEASURE_TIMING +report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */ +#endif + /* Enter the never-ending loop... */ for (;;) @@ -1773,6 +2221,9 @@ for (;;) EXIM_SOCKLEN_T len; pid_t pid; + if (sigterm_seen) + daemon_die(); /* Does not return */ + /* This code is placed first in the loop, so that it gets obeyed at the start, before the first wait, for the queue-runner case, so that the first one can be started immediately. @@ -1821,20 +2272,21 @@ for (;;) else { - DEBUG(D_any) debug_printf("SIGALRM received\n"); + DEBUG(D_any) debug_printf("%s received\n", +#ifndef DISABLE_QUEUE_RAMP + *queuerun_msgid ? "qrun notification" : +#endif + "SIGALRM"); /* Do a full queue run in a child process, if required, unless we already have enough queue runners on the go. If we are not running as root, a re-exec is required. */ - if (queue_interval > 0 && - (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max)) + if ( queue_interval > 0 + && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max)) { - if ((pid = fork()) == 0) + if ((pid = exim_fork(US"queue-runner")) == 0) { - DEBUG(D_any) debug_printf("Starting queue-runner: pid %d\n", - (int)getpid()); - /* Disable debugging if it's required only for the daemon process. We leave the above message, because it ties up with the "child ended" debugging messages. */ @@ -1843,13 +2295,15 @@ for (;;) /* Close any open listening sockets in the child */ - for (int sk = 0; sk < listen_socket_count; sk++) - (void)close(listen_sockets[sk]); + close_daemon_sockets(daemon_notifier_fd, + listen_sockets, listen_socket_count); /* Reset SIGHUP and SIGCHLD in the child in both cases. */ signal(SIGHUP, SIG_DFL); signal(SIGCHLD, SIG_DFL); + signal(SIGTERM, SIG_DFL); + signal(SIGINT, SIG_DFL); /* Re-exec if privilege has been given up, unless deliver_drop_ privilege is set. Reset SIGALRM before exec(). */ @@ -1858,21 +2312,34 @@ for (;;) { uschar opt[8]; uschar *p = opt; - uschar *extra[5]; + uschar *extra[7]; int extracount = 1; signal(SIGALRM, SIG_DFL); *p++ = '-'; *p++ = 'q'; - if (f.queue_2stage) *p++ = 'q'; + if ( f.queue_2stage +#ifndef DISABLE_QUEUE_RAMP + && !*queuerun_msgid +#endif + ) *p++ = 'q'; if (f.queue_run_first_delivery) *p++ = 'i'; if (f.queue_run_force) *p++ = 'f'; if (f.deliver_force_thaw) *p++ = 'f'; if (f.queue_run_local) *p++ = 'l'; *p = 0; - extra[0] = queue_name + extra[0] = *queue_name ? string_sprintf("%sG%s", opt, queue_name) : opt; +#ifndef DISABLE_QUEUE_RAMP + if (*queuerun_msgid) + { + log_write(0, LOG_MAIN, "notify triggered queue run"); + extra[extracount++] = queuerun_msgid; /* Trigger only the */ + extra[extracount++] = queuerun_msgid; /* one message */ + } +#endif + /* If -R or -S were on the original command line, ensure they get passed on. */ @@ -1891,15 +2358,24 @@ for (;;) /* Overlay this process with a new execution. */ - (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, TRUE, extracount, - extra[0], extra[1], extra[2], extra[3], extra[4]); + (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount, + extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]); /* Control never returns here. */ } /* No need to re-exec; SIGALRM remains set to the default handler */ - queue_run(NULL, NULL, FALSE); +#ifndef DISABLE_QUEUE_RAMP + if (*queuerun_msgid) + { + log_write(0, LOG_MAIN, "notify triggered queue run"); + f.queue_2stage = FALSE; + queue_run(queuerun_msgid, queuerun_msgid, FALSE); + } + else +#endif + queue_run(NULL, NULL, FALSE); exim_underbar_exit(EXIT_SUCCESS); } @@ -1926,7 +2402,12 @@ for (;;) /* Reset the alarm clock */ sigalrm_seen = FALSE; - ALARM(queue_interval); +#ifndef DISABLE_QUEUE_RAMP + if (*queuerun_msgid) + *queuerun_msgid = 0; + else +#endif + ALARM(queue_interval); } } /* sigalrm_seen */ @@ -1943,17 +2424,9 @@ for (;;) if (f.daemon_listen) { - int lcount, select_errno; - int max_socket = 0; + int lcount; BOOL select_failed = FALSE; - fd_set select_listen; - - FD_ZERO(&select_listen); - for (int sk = 0; sk < listen_socket_count; sk++) - { - FD_SET(listen_sockets[sk], &select_listen); - if (listen_sockets[sk] > max_socket) max_socket = listen_sockets[sk]; - } + fd_set fds = select_listen; DEBUG(D_any) debug_printf("Listening...\n"); @@ -1970,7 +2443,7 @@ for (;;) errno = EINTR; } else - lcount = select(max_socket + 1, (SELECT_ARG2_TYPE *)&select_listen, + lcount = select(listen_fd_max, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, NULL); if (lcount < 0) @@ -1986,14 +2459,16 @@ for (;;) old one had just finished. Preserve the errno from any select() failure for the use of the common select/accept error processing below. */ - select_errno = errno; - handle_ending_processes(); - errno = select_errno; + { + int select_errno = errno; + handle_ending_processes(); #ifndef DISABLE_TLS - /* Create or rotate any required keys */ - tls_daemon_init(); + /* Create or rotate any required keys; handle (delayed) filewatch event */ + tls_daemon_tick(); #endif + errno = select_errno; + } /* Loop for all the sockets that are currently ready to go. If select actually failed, we have set the count to 1 and select_failed=TRUE, so as @@ -2004,15 +2479,32 @@ for (;;) int accept_socket = -1; if (!select_failed) + { +#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)) + if (tls_watch_fd >= 0 && FD_ISSET(tls_watch_fd, &fds)) + { + FD_CLR(tls_watch_fd, &fds); + tls_watch_trigger_time = time(NULL); /* Set up delayed event */ + tls_watch_discard_event(tls_watch_fd); + break; /* to top of daemon loop */ + } +#endif + if (daemon_notifier_fd >= 0 && FD_ISSET(daemon_notifier_fd, &fds)) + { + FD_CLR(daemon_notifier_fd, &fds); + sigalrm_seen = daemon_notification(); + break; /* to top of daemon loop */ + } for (int sk = 0; sk < listen_socket_count; sk++) - if (FD_ISSET(listen_sockets[sk], &select_listen)) + if (FD_ISSET(listen_sockets[sk], &fds)) { len = sizeof(accepted); accept_socket = accept(listen_sockets[sk], (struct sockaddr *)&accepted, &len); - FD_CLR(listen_sockets[sk], &select_listen); + FD_CLR(listen_sockets[sk], &fds); break; } + } /* If select or accept has failed and this was not caused by an interruption, log the incident and try again. With asymmetric TCP/IP @@ -2031,45 +2523,43 @@ for (;;) accept_retry_errno = errno; accept_retry_select_failed = select_failed; } - else - { - if (errno != accept_retry_errno || - select_failed != accept_retry_select_failed || - accept_retry_count >= 50) + else if ( errno != accept_retry_errno + || select_failed != accept_retry_select_failed + || accept_retry_count >= 50) { - log_write(0, LOG_MAIN | ((accept_retry_count >= 50)? LOG_PANIC : 0), + log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0), "%d %s() failure%s: %s", accept_retry_count, - accept_retry_select_failed? "select" : "accept", - (accept_retry_count == 1)? "" : "s", + accept_retry_select_failed ? "select" : "accept", + accept_retry_count == 1 ? "" : "s", strerror(accept_retry_errno)); log_close_all(); accept_retry_count = 0; accept_retry_errno = errno; accept_retry_select_failed = select_failed; } - } accept_retry_count++; } - - else - { - if (accept_retry_count > 0) - { - log_write(0, LOG_MAIN, "%d %s() failure%s: %s", - accept_retry_count, - accept_retry_select_failed? "select" : "accept", - (accept_retry_count == 1)? "" : "s", - strerror(accept_retry_errno)); - log_close_all(); - accept_retry_count = 0; - } - } + else if (accept_retry_count > 0) + { + log_write(0, LOG_MAIN, "%d %s() failure%s: %s", + accept_retry_count, + accept_retry_select_failed ? "select" : "accept", + accept_retry_count == 1 ? "" : "s", + strerror(accept_retry_errno)); + log_close_all(); + accept_retry_count = 0; + } /* If select/accept succeeded, deal with the connection. */ if (accept_socket >= 0) { +#ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */ + /* Unfortunately we cannot be certain to do this before a TLS-on-connect + Client Hello arrives and is acked. We do it as early as possible. */ + (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off)); +#endif if (inetd_wait_timeout) last_connection_time = time(NULL); handle_smtp_call(listen_sockets, listen_socket_count, accept_socket, @@ -2115,8 +2605,8 @@ for (;;) { log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon", getpid()); - for (int sk = 0; sk < listen_socket_count; sk++) - (void)close(listen_sockets[sk]); + close_daemon_sockets(daemon_notifier_fd, + listen_sockets, listen_socket_count); ALARM_CLR(0); signal(SIGHUP, SIG_IGN); sighup_argv[0] = exim_path;