diff options
Diffstat (limited to 'REORG.TODO/nscd/connections.c')
-rw-r--r-- | REORG.TODO/nscd/connections.c | 2558 |
1 files changed, 2558 insertions, 0 deletions
diff --git a/REORG.TODO/nscd/connections.c b/REORG.TODO/nscd/connections.c new file mode 100644 index 0000000000..cc1ed72077 --- /dev/null +++ b/REORG.TODO/nscd/connections.c @@ -0,0 +1,2558 @@ +/* Inner loops of cache daemon. + Copyright (C) 1998-2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published + by the Free Software Foundation; version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, see <http://www.gnu.org/licenses/>. */ + +#include <alloca.h> +#include <assert.h> +#include <atomic.h> +#include <error.h> +#include <errno.h> +#include <fcntl.h> +#include <grp.h> +#include <ifaddrs.h> +#include <libintl.h> +#include <pthread.h> +#include <pwd.h> +#include <resolv.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <stdint.h> +#include <arpa/inet.h> +#ifdef HAVE_NETLINK +# include <linux/netlink.h> +# include <linux/rtnetlink.h> +#endif +#ifdef HAVE_EPOLL +# include <sys/epoll.h> +#endif +#ifdef HAVE_INOTIFY +# include <sys/inotify.h> +#endif +#include <sys/mman.h> +#include <sys/param.h> +#include <sys/poll.h> +#ifdef HAVE_SENDFILE +# include <sys/sendfile.h> +#endif +#include <sys/socket.h> +#include <sys/stat.h> +#include <sys/un.h> + +#include "nscd.h" +#include "dbg_log.h" +#include "selinux.h" +#include <resolv/resolv.h> + +#include <kernel-features.h> +#include <libc-diag.h> + + +/* Support to run nscd as an unprivileged user */ +const char *server_user; +static uid_t server_uid; +static gid_t server_gid; +const char *stat_user; +uid_t stat_uid; +static gid_t *server_groups; +#ifndef NGROUPS +# define NGROUPS 32 +#endif +static int server_ngroups; + +static pthread_attr_t attr; + +static void begin_drop_privileges (void); +static void finish_drop_privileges (void); + +/* Map request type to a string. */ +const char *const serv2str[LASTREQ] = +{ + [GETPWBYNAME] = "GETPWBYNAME", + [GETPWBYUID] = "GETPWBYUID", + [GETGRBYNAME] = "GETGRBYNAME", + [GETGRBYGID] = "GETGRBYGID", + [GETHOSTBYNAME] = "GETHOSTBYNAME", + [GETHOSTBYNAMEv6] = "GETHOSTBYNAMEv6", + [GETHOSTBYADDR] = "GETHOSTBYADDR", + [GETHOSTBYADDRv6] = "GETHOSTBYADDRv6", + [SHUTDOWN] = "SHUTDOWN", + [GETSTAT] = "GETSTAT", + [INVALIDATE] = "INVALIDATE", + [GETFDPW] = "GETFDPW", + [GETFDGR] = "GETFDGR", + [GETFDHST] = "GETFDHST", + [GETAI] = "GETAI", + [INITGROUPS] = "INITGROUPS", + [GETSERVBYNAME] = "GETSERVBYNAME", + [GETSERVBYPORT] = "GETSERVBYPORT", + [GETFDSERV] = "GETFDSERV", + [GETNETGRENT] = "GETNETGRENT", + [INNETGR] = "INNETGR", + [GETFDNETGR] = "GETFDNETGR" +}; + +/* The control data structures for the services. */ +struct database_dyn dbs[lastdb] = +{ + [pwddb] = { + .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP, + .prune_lock = PTHREAD_MUTEX_INITIALIZER, + .prune_run_lock = PTHREAD_MUTEX_INITIALIZER, + .enabled = 0, + .check_file = 1, + .persistent = 0, + .propagate = 1, + .shared = 0, + .max_db_size = DEFAULT_MAX_DB_SIZE, + .suggested_module = DEFAULT_SUGGESTED_MODULE, + .db_filename = _PATH_NSCD_PASSWD_DB, + .disabled_iov = &pwd_iov_disabled, + .postimeout = 3600, + .negtimeout = 20, + .wr_fd = -1, + .ro_fd = -1, + .mmap_used = false + }, + [grpdb] = { + .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP, + .prune_lock = PTHREAD_MUTEX_INITIALIZER, + .prune_run_lock = PTHREAD_MUTEX_INITIALIZER, + .enabled = 0, + .check_file = 1, + .persistent = 0, + .propagate = 1, + .shared = 0, + .max_db_size = DEFAULT_MAX_DB_SIZE, + .suggested_module = DEFAULT_SUGGESTED_MODULE, + .db_filename = _PATH_NSCD_GROUP_DB, + .disabled_iov = &grp_iov_disabled, + .postimeout = 3600, + .negtimeout = 60, + .wr_fd = -1, + .ro_fd = -1, + .mmap_used = false + }, + [hstdb] = { + .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP, + .prune_lock = PTHREAD_MUTEX_INITIALIZER, + .prune_run_lock = PTHREAD_MUTEX_INITIALIZER, + .enabled = 0, + .check_file = 1, + .persistent = 0, + .propagate = 0, /* Not used. */ + .shared = 0, + .max_db_size = DEFAULT_MAX_DB_SIZE, + .suggested_module = DEFAULT_SUGGESTED_MODULE, + .db_filename = _PATH_NSCD_HOSTS_DB, + .disabled_iov = &hst_iov_disabled, + .postimeout = 3600, + .negtimeout = 20, + .wr_fd = -1, + .ro_fd = -1, + .mmap_used = false + }, + [servdb] = { + .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP, + .prune_lock = PTHREAD_MUTEX_INITIALIZER, + .prune_run_lock = PTHREAD_MUTEX_INITIALIZER, + .enabled = 0, + .check_file = 1, + .persistent = 0, + .propagate = 0, /* Not used. */ + .shared = 0, + .max_db_size = DEFAULT_MAX_DB_SIZE, + .suggested_module = DEFAULT_SUGGESTED_MODULE, + .db_filename = _PATH_NSCD_SERVICES_DB, + .disabled_iov = &serv_iov_disabled, + .postimeout = 28800, + .negtimeout = 20, + .wr_fd = -1, + .ro_fd = -1, + .mmap_used = false + }, + [netgrdb] = { + .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP, + .prune_lock = PTHREAD_MUTEX_INITIALIZER, + .prune_run_lock = PTHREAD_MUTEX_INITIALIZER, + .enabled = 0, + .check_file = 1, + .persistent = 0, + .propagate = 0, /* Not used. */ + .shared = 0, + .max_db_size = DEFAULT_MAX_DB_SIZE, + .suggested_module = DEFAULT_SUGGESTED_MODULE, + .db_filename = _PATH_NSCD_NETGROUP_DB, + .disabled_iov = &netgroup_iov_disabled, + .postimeout = 28800, + .negtimeout = 20, + .wr_fd = -1, + .ro_fd = -1, + .mmap_used = false + } +}; + + +/* Mapping of request type to database. */ +static struct +{ + bool data_request; + struct database_dyn *db; +} const reqinfo[LASTREQ] = +{ + [GETPWBYNAME] = { true, &dbs[pwddb] }, + [GETPWBYUID] = { true, &dbs[pwddb] }, + [GETGRBYNAME] = { true, &dbs[grpdb] }, + [GETGRBYGID] = { true, &dbs[grpdb] }, + [GETHOSTBYNAME] = { true, &dbs[hstdb] }, + [GETHOSTBYNAMEv6] = { true, &dbs[hstdb] }, + [GETHOSTBYADDR] = { true, &dbs[hstdb] }, + [GETHOSTBYADDRv6] = { true, &dbs[hstdb] }, + [SHUTDOWN] = { false, NULL }, + [GETSTAT] = { false, NULL }, + [SHUTDOWN] = { false, NULL }, + [GETFDPW] = { false, &dbs[pwddb] }, + [GETFDGR] = { false, &dbs[grpdb] }, + [GETFDHST] = { false, &dbs[hstdb] }, + [GETAI] = { true, &dbs[hstdb] }, + [INITGROUPS] = { true, &dbs[grpdb] }, + [GETSERVBYNAME] = { true, &dbs[servdb] }, + [GETSERVBYPORT] = { true, &dbs[servdb] }, + [GETFDSERV] = { false, &dbs[servdb] }, + [GETNETGRENT] = { true, &dbs[netgrdb] }, + [INNETGR] = { true, &dbs[netgrdb] }, + [GETFDNETGR] = { false, &dbs[netgrdb] } +}; + + +/* Initial number of threads to use. */ +int nthreads = -1; +/* Maximum number of threads to use. */ +int max_nthreads = 32; + +/* Socket for incoming connections. */ +static int sock; + +#ifdef HAVE_INOTIFY +/* Inotify descriptor. */ +int inotify_fd = -1; +#endif + +#ifdef HAVE_NETLINK +/* Descriptor for netlink status updates. */ +static int nl_status_fd = -1; +#endif + +/* Number of times clients had to wait. */ +unsigned long int client_queued; + + +ssize_t +writeall (int fd, const void *buf, size_t len) +{ + size_t n = len; + ssize_t ret; + do + { + ret = TEMP_FAILURE_RETRY (send (fd, buf, n, MSG_NOSIGNAL)); + if (ret <= 0) + break; + buf = (const char *) buf + ret; + n -= ret; + } + while (n > 0); + return ret < 0 ? ret : len - n; +} + + +#ifdef HAVE_SENDFILE +ssize_t +sendfileall (int tofd, int fromfd, off_t off, size_t len) +{ + ssize_t n = len; + ssize_t ret; + + do + { + ret = TEMP_FAILURE_RETRY (sendfile (tofd, fromfd, &off, n)); + if (ret <= 0) + break; + n -= ret; + } + while (n > 0); + return ret < 0 ? ret : len - n; +} +#endif + + +enum usekey + { + use_not = 0, + /* The following three are not really used, they are symbolic constants. */ + use_first = 16, + use_begin = 32, + use_end = 64, + + use_he = 1, + use_he_begin = use_he | use_begin, + use_he_end = use_he | use_end, + use_data = 3, + use_data_begin = use_data | use_begin, + use_data_end = use_data | use_end, + use_data_first = use_data_begin | use_first + }; + + +static int +check_use (const char *data, nscd_ssize_t first_free, uint8_t *usemap, + enum usekey use, ref_t start, size_t len) +{ + assert (len >= 2); + + if (start > first_free || start + len > first_free + || (start & BLOCK_ALIGN_M1)) + return 0; + + if (usemap[start] == use_not) + { + /* Add the start marker. */ + usemap[start] = use | use_begin; + use &= ~use_first; + + while (--len > 0) + if (usemap[++start] != use_not) + return 0; + else + usemap[start] = use; + + /* Add the end marker. */ + usemap[start] = use | use_end; + } + else if ((usemap[start] & ~use_first) == ((use | use_begin) & ~use_first)) + { + /* Hash entries can't be shared. */ + if (use == use_he) + return 0; + + usemap[start] |= (use & use_first); + use &= ~use_first; + + while (--len > 1) + if (usemap[++start] != use) + return 0; + + if (usemap[++start] != (use | use_end)) + return 0; + } + else + /* Points to a wrong object or somewhere in the middle. */ + return 0; + + return 1; +} + + +/* Verify data in persistent database. */ +static int +verify_persistent_db (void *mem, struct database_pers_head *readhead, int dbnr) +{ + assert (dbnr == pwddb || dbnr == grpdb || dbnr == hstdb || dbnr == servdb + || dbnr == netgrdb); + + time_t now = time (NULL); + + struct database_pers_head *head = mem; + struct database_pers_head head_copy = *head; + + /* Check that the header that was read matches the head in the database. */ + if (memcmp (head, readhead, sizeof (*head)) != 0) + return 0; + + /* First some easy tests: make sure the database header is sane. */ + if (head->version != DB_VERSION + || head->header_size != sizeof (*head) + /* We allow a timestamp to be one hour ahead of the current time. + This should cover daylight saving time changes. */ + || head->timestamp > now + 60 * 60 + 60 + || (head->gc_cycle & 1) + || head->module == 0 + || (size_t) head->module > INT32_MAX / sizeof (ref_t) + || (size_t) head->data_size > INT32_MAX - head->module * sizeof (ref_t) + || head->first_free < 0 + || head->first_free > head->data_size + || (head->first_free & BLOCK_ALIGN_M1) != 0 + || head->maxnentries < 0 + || head->maxnsearched < 0) + return 0; + + uint8_t *usemap = calloc (head->first_free, 1); + if (usemap == NULL) + return 0; + + const char *data = (char *) &head->array[roundup (head->module, + ALIGN / sizeof (ref_t))]; + + nscd_ssize_t he_cnt = 0; + for (nscd_ssize_t cnt = 0; cnt < head->module; ++cnt) + { + ref_t trail = head->array[cnt]; + ref_t work = trail; + int tick = 0; + + while (work != ENDREF) + { + if (! check_use (data, head->first_free, usemap, use_he, work, + sizeof (struct hashentry))) + goto fail; + + /* Now we know we can dereference the record. */ + struct hashentry *here = (struct hashentry *) (data + work); + + ++he_cnt; + + /* Make sure the record is for this type of service. */ + if (here->type >= LASTREQ + || reqinfo[here->type].db != &dbs[dbnr]) + goto fail; + + /* Validate boolean field value. */ + if (here->first != false && here->first != true) + goto fail; + + if (here->len < 0) + goto fail; + + /* Now the data. */ + if (here->packet < 0 + || here->packet > head->first_free + || here->packet + sizeof (struct datahead) > head->first_free) + goto fail; + + struct datahead *dh = (struct datahead *) (data + here->packet); + + if (! check_use (data, head->first_free, usemap, + use_data | (here->first ? use_first : 0), + here->packet, dh->allocsize)) + goto fail; + + if (dh->allocsize < sizeof (struct datahead) + || dh->recsize > dh->allocsize + || (dh->notfound != false && dh->notfound != true) + || (dh->usable != false && dh->usable != true)) + goto fail; + + if (here->key < here->packet + sizeof (struct datahead) + || here->key > here->packet + dh->allocsize + || here->key + here->len > here->packet + dh->allocsize) + goto fail; + + work = here->next; + + if (work == trail) + /* A circular list, this must not happen. */ + goto fail; + if (tick) + trail = ((struct hashentry *) (data + trail))->next; + tick = 1 - tick; + } + } + + if (he_cnt != head->nentries) + goto fail; + + /* See if all data and keys had at least one reference from + he->first == true hashentry. */ + for (ref_t idx = 0; idx < head->first_free; ++idx) + { + if (usemap[idx] == use_data_begin) + goto fail; + } + + /* Finally, make sure the database hasn't changed since the first test. */ + if (memcmp (mem, &head_copy, sizeof (*head)) != 0) + goto fail; + + free (usemap); + return 1; + +fail: + free (usemap); + return 0; +} + + +/* Initialize database information structures. */ +void +nscd_init (void) +{ + /* Look up unprivileged uid/gid/groups before we start listening on the + socket */ + if (server_user != NULL) + begin_drop_privileges (); + + if (nthreads == -1) + /* No configuration for this value, assume a default. */ + nthreads = 4; + + for (size_t cnt = 0; cnt < lastdb; ++cnt) + if (dbs[cnt].enabled) + { + pthread_rwlock_init (&dbs[cnt].lock, NULL); + pthread_mutex_init (&dbs[cnt].memlock, NULL); + + if (dbs[cnt].persistent) + { + /* Try to open the appropriate file on disk. */ + int fd = open (dbs[cnt].db_filename, O_RDWR | O_CLOEXEC); + if (fd != -1) + { + char *msg = NULL; + struct stat64 st; + void *mem; + size_t total; + struct database_pers_head head; + ssize_t n = TEMP_FAILURE_RETRY (read (fd, &head, + sizeof (head))); + if (n != sizeof (head) || fstat64 (fd, &st) != 0) + { + fail_db_errno: + /* The code is single-threaded at this point so + using strerror is just fine. */ + msg = strerror (errno); + fail_db: + dbg_log (_("invalid persistent database file \"%s\": %s"), + dbs[cnt].db_filename, msg); + unlink (dbs[cnt].db_filename); + } + else if (head.module == 0 && head.data_size == 0) + { + /* The file has been created, but the head has not + been initialized yet. */ + msg = _("uninitialized header"); + goto fail_db; + } + else if (head.header_size != (int) sizeof (head)) + { + msg = _("header size does not match"); + goto fail_db; + } + else if ((total = (sizeof (head) + + roundup (head.module * sizeof (ref_t), + ALIGN) + + head.data_size)) + > st.st_size + || total < sizeof (head)) + { + msg = _("file size does not match"); + goto fail_db; + } + /* Note we map with the maximum size allowed for the + database. This is likely much larger than the + actual file size. This is OK on most OSes since + extensions of the underlying file will + automatically translate more pages available for + memory access. */ + else if ((mem = mmap (NULL, dbs[cnt].max_db_size, + PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0)) + == MAP_FAILED) + goto fail_db_errno; + else if (!verify_persistent_db (mem, &head, cnt)) + { + munmap (mem, total); + msg = _("verification failed"); + goto fail_db; + } + else + { + /* Success. We have the database. */ + dbs[cnt].head = mem; + dbs[cnt].memsize = total; + dbs[cnt].data = (char *) + &dbs[cnt].head->array[roundup (dbs[cnt].head->module, + ALIGN / sizeof (ref_t))]; + dbs[cnt].mmap_used = true; + + if (dbs[cnt].suggested_module > head.module) + dbg_log (_("suggested size of table for database %s larger than the persistent database's table"), + dbnames[cnt]); + + dbs[cnt].wr_fd = fd; + fd = -1; + /* We also need a read-only descriptor. */ + if (dbs[cnt].shared) + { + dbs[cnt].ro_fd = open (dbs[cnt].db_filename, + O_RDONLY | O_CLOEXEC); + if (dbs[cnt].ro_fd == -1) + dbg_log (_("\ +cannot create read-only descriptor for \"%s\"; no mmap"), + dbs[cnt].db_filename); + } + + // XXX Shall we test whether the descriptors actually + // XXX point to the same file? + } + + /* Close the file descriptors in case something went + wrong in which case the variable have not been + assigned -1. */ + if (fd != -1) + close (fd); + } + else if (errno == EACCES) + do_exit (EXIT_FAILURE, 0, _("cannot access '%s'"), + dbs[cnt].db_filename); + } + + if (dbs[cnt].head == NULL) + { + /* No database loaded. Allocate the data structure, + possibly on disk. */ + struct database_pers_head head; + size_t total = (sizeof (head) + + roundup (dbs[cnt].suggested_module + * sizeof (ref_t), ALIGN) + + (dbs[cnt].suggested_module + * DEFAULT_DATASIZE_PER_BUCKET)); + + /* Try to create the database. If we do not need a + persistent database create a temporary file. */ + int fd; + int ro_fd = -1; + if (dbs[cnt].persistent) + { + fd = open (dbs[cnt].db_filename, + O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_CLOEXEC, + S_IRUSR | S_IWUSR); + if (fd != -1 && dbs[cnt].shared) + ro_fd = open (dbs[cnt].db_filename, + O_RDONLY | O_CLOEXEC); + } + else + { + char fname[] = _PATH_NSCD_XYZ_DB_TMP; + fd = mkostemp (fname, O_CLOEXEC); + + /* We do not need the file name anymore after we + opened another file descriptor in read-only mode. */ + if (fd != -1) + { + if (dbs[cnt].shared) + ro_fd = open (fname, O_RDONLY | O_CLOEXEC); + + unlink (fname); + } + } + + if (fd == -1) + { + if (errno == EEXIST) + { + dbg_log (_("database for %s corrupted or simultaneously used; remove %s manually if necessary and restart"), + dbnames[cnt], dbs[cnt].db_filename); + do_exit (1, 0, NULL); + } + + if (dbs[cnt].persistent) + dbg_log (_("cannot create %s; no persistent database used"), + dbs[cnt].db_filename); + else + dbg_log (_("cannot create %s; no sharing possible"), + dbs[cnt].db_filename); + + dbs[cnt].persistent = 0; + // XXX remember: no mmap + } + else + { + /* Tell the user if we could not create the read-only + descriptor. */ + if (ro_fd == -1 && dbs[cnt].shared) + dbg_log (_("\ +cannot create read-only descriptor for \"%s\"; no mmap"), + dbs[cnt].db_filename); + + /* Before we create the header, initialize the hash + table. That way if we get interrupted while writing + the header we can recognize a partially initialized + database. */ + size_t ps = sysconf (_SC_PAGESIZE); + char tmpbuf[ps]; + assert (~ENDREF == 0); + memset (tmpbuf, '\xff', ps); + + size_t remaining = dbs[cnt].suggested_module * sizeof (ref_t); + off_t offset = sizeof (head); + + size_t towrite; + if (offset % ps != 0) + { + towrite = MIN (remaining, ps - (offset % ps)); + if (pwrite (fd, tmpbuf, towrite, offset) != towrite) + goto write_fail; + offset += towrite; + remaining -= towrite; + } + + while (remaining > ps) + { + if (pwrite (fd, tmpbuf, ps, offset) == -1) + goto write_fail; + offset += ps; + remaining -= ps; + } + + if (remaining > 0 + && pwrite (fd, tmpbuf, remaining, offset) != remaining) + goto write_fail; + + /* Create the header of the file. */ + struct database_pers_head head = + { + .version = DB_VERSION, + .header_size = sizeof (head), + .module = dbs[cnt].suggested_module, + .data_size = (dbs[cnt].suggested_module + * DEFAULT_DATASIZE_PER_BUCKET), + .first_free = 0 + }; + void *mem; + + if ((TEMP_FAILURE_RETRY (write (fd, &head, sizeof (head))) + != sizeof (head)) + || (TEMP_FAILURE_RETRY_VAL (posix_fallocate (fd, 0, total)) + != 0) + || (mem = mmap (NULL, dbs[cnt].max_db_size, + PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0)) == MAP_FAILED) + { + write_fail: + unlink (dbs[cnt].db_filename); + dbg_log (_("cannot write to database file %s: %s"), + dbs[cnt].db_filename, strerror (errno)); + dbs[cnt].persistent = 0; + } + else + { + /* Success. */ + dbs[cnt].head = mem; + dbs[cnt].data = (char *) + &dbs[cnt].head->array[roundup (dbs[cnt].head->module, + ALIGN / sizeof (ref_t))]; + dbs[cnt].memsize = total; + dbs[cnt].mmap_used = true; + + /* Remember the descriptors. */ + dbs[cnt].wr_fd = fd; + dbs[cnt].ro_fd = ro_fd; + fd = -1; + ro_fd = -1; + } + + if (fd != -1) + close (fd); + if (ro_fd != -1) + close (ro_fd); + } + } + + if (dbs[cnt].head == NULL) + { + /* We do not use the persistent database. Just + create an in-memory data structure. */ + assert (! dbs[cnt].persistent); + + dbs[cnt].head = xmalloc (sizeof (struct database_pers_head) + + (dbs[cnt].suggested_module + * sizeof (ref_t))); + memset (dbs[cnt].head, '\0', sizeof (struct database_pers_head)); + assert (~ENDREF == 0); + memset (dbs[cnt].head->array, '\xff', + dbs[cnt].suggested_module * sizeof (ref_t)); + dbs[cnt].head->module = dbs[cnt].suggested_module; + dbs[cnt].head->data_size = (DEFAULT_DATASIZE_PER_BUCKET + * dbs[cnt].head->module); + dbs[cnt].data = xmalloc (dbs[cnt].head->data_size); + dbs[cnt].head->first_free = 0; + + dbs[cnt].shared = 0; + assert (dbs[cnt].ro_fd == -1); + } + } + + /* Create the socket. */ + sock = socket (AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0); + if (sock < 0) + { + dbg_log (_("cannot open socket: %s"), strerror (errno)); + do_exit (errno == EACCES ? 4 : 1, 0, NULL); + } + /* Bind a name to the socket. */ + struct sockaddr_un sock_addr; + sock_addr.sun_family = AF_UNIX; + strcpy (sock_addr.sun_path, _PATH_NSCDSOCKET); + if (bind (sock, (struct sockaddr *) &sock_addr, sizeof (sock_addr)) < 0) + { + dbg_log ("%s: %s", _PATH_NSCDSOCKET, strerror (errno)); + do_exit (errno == EACCES ? 4 : 1, 0, NULL); + } + + /* Set permissions for the socket. */ + chmod (_PATH_NSCDSOCKET, DEFFILEMODE); + + /* Set the socket up to accept connections. */ + if (listen (sock, SOMAXCONN) < 0) + { + dbg_log (_("cannot enable socket to accept connections: %s"), + strerror (errno)); + do_exit (1, 0, NULL); + } + +#ifdef HAVE_NETLINK + if (dbs[hstdb].enabled) + { + /* Try to open netlink socket to monitor network setting changes. */ + nl_status_fd = socket (AF_NETLINK, + SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, + NETLINK_ROUTE); + if (nl_status_fd != -1) + { + struct sockaddr_nl snl; + memset (&snl, '\0', sizeof (snl)); + snl.nl_family = AF_NETLINK; + /* XXX Is this the best set to use? */ + snl.nl_groups = (RTMGRP_IPV4_IFADDR | RTMGRP_TC | RTMGRP_IPV4_MROUTE + | RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_RULE + | RTMGRP_IPV6_IFADDR | RTMGRP_IPV6_MROUTE + | RTMGRP_IPV6_ROUTE | RTMGRP_IPV6_IFINFO + | RTMGRP_IPV6_PREFIX); + + if (bind (nl_status_fd, (struct sockaddr *) &snl, sizeof (snl)) != 0) + { + close (nl_status_fd); + nl_status_fd = -1; + } + else + { + /* Start the timestamp process. */ + dbs[hstdb].head->extra_data[NSCD_HST_IDX_CONF_TIMESTAMP] + = __bump_nl_timestamp (); + } + } + } +#endif + + /* Change to unprivileged uid/gid/groups if specified in config file */ + if (server_user != NULL) + finish_drop_privileges (); +} + +#ifdef HAVE_INOTIFY +#define TRACED_FILE_MASK (IN_DELETE_SELF | IN_CLOSE_WRITE | IN_MOVE_SELF) +#define TRACED_DIR_MASK (IN_DELETE_SELF | IN_CREATE | IN_MOVED_TO | IN_MOVE_SELF) +void +install_watches (struct traced_file *finfo) +{ + /* Use inotify support if we have it. */ + if (finfo->inotify_descr[TRACED_FILE] < 0) + finfo->inotify_descr[TRACED_FILE] = inotify_add_watch (inotify_fd, + finfo->fname, + TRACED_FILE_MASK); + if (finfo->inotify_descr[TRACED_FILE] < 0) + { + dbg_log (_("disabled inotify-based monitoring for file `%s': %s"), + finfo->fname, strerror (errno)); + return; + } + dbg_log (_("monitoring file `%s` (%d)"), + finfo->fname, finfo->inotify_descr[TRACED_FILE]); + /* Additionally listen for events in the file's parent directory. + We do this because the file to be watched might be + deleted and then added back again. When it is added back again + we must re-add the watch. We must also cover IN_MOVED_TO to + detect a file being moved into the directory. */ + if (finfo->inotify_descr[TRACED_DIR] < 0) + finfo->inotify_descr[TRACED_DIR] = inotify_add_watch (inotify_fd, + finfo->dname, + TRACED_DIR_MASK); + if (finfo->inotify_descr[TRACED_DIR] < 0) + { + dbg_log (_("disabled inotify-based monitoring for directory `%s': %s"), + finfo->fname, strerror (errno)); + return; + } + dbg_log (_("monitoring directory `%s` (%d)"), + finfo->dname, finfo->inotify_descr[TRACED_DIR]); +} +#endif + +/* Register the file in FINFO as a traced file for the database DBS[DBIX]. + + We support registering multiple files per database. Each call to + register_traced_file adds to the list of registered files. + + When we prune the database, either through timeout or a request to + invalidate, we will check to see if any of the registered files has changed. + When we accept new connections to handle a cache request we will also + check to see if any of the registered files has changed. + + If we have inotify support then we install an inotify fd to notify us of + file deletion or modification, both of which will require we invalidate + the cache for the database. Without inotify support we stat the file and + store st_mtime to determine if the file has been modified. */ +void +register_traced_file (size_t dbidx, struct traced_file *finfo) +{ + /* If the database is disabled or file checking is disabled + then ignore the registration. */ + if (! dbs[dbidx].enabled || ! dbs[dbidx].check_file) + return; + + if (__glibc_unlikely (debug_level > 0)) + dbg_log (_("monitoring file %s for database %s"), + finfo->fname, dbnames[dbidx]); + +#ifdef HAVE_INOTIFY + install_watches (finfo); +#endif + struct stat64 st; + if (stat64 (finfo->fname, &st) < 0) + { + /* We cannot stat() the file. Set mtime to zero and try again later. */ + dbg_log (_("stat failed for file `%s'; will try again later: %s"), + finfo->fname, strerror (errno)); + finfo->mtime = 0; + } + else + finfo->mtime = st.st_mtime; + + /* Queue up the file name. */ + finfo->next = dbs[dbidx].traced_files; + dbs[dbidx].traced_files = finfo; +} + + +/* Close the connections. */ +void +close_sockets (void) +{ + close (sock); +} + + +static void +invalidate_cache (char *key, int fd) +{ + dbtype number; + int32_t resp; + + for (number = pwddb; number < lastdb; ++number) + if (strcmp (key, dbnames[number]) == 0) + { + struct traced_file *runp = dbs[number].traced_files; + while (runp != NULL) + { + /* Make sure we reload from file when checking mtime. */ + runp->mtime = 0; +#ifdef HAVE_INOTIFY + /* During an invalidation we try to reload the traced + file watches. This allows the user to re-sync if + inotify events were lost. Similar to what we do during + pruning. */ + install_watches (runp); +#endif + if (runp->call_res_init) + { + res_init (); + break; + } + runp = runp->next; + } + break; + } + + if (number == lastdb) + { + resp = EINVAL; + writeall (fd, &resp, sizeof (resp)); + return; + } + + if (dbs[number].enabled) + { + pthread_mutex_lock (&dbs[number].prune_run_lock); + prune_cache (&dbs[number], LONG_MAX, fd); + pthread_mutex_unlock (&dbs[number].prune_run_lock); + } + else + { + resp = 0; + writeall (fd, &resp, sizeof (resp)); + } +} + + +#ifdef SCM_RIGHTS +static void +send_ro_fd (struct database_dyn *db, char *key, int fd) +{ + /* If we do not have an read-only file descriptor do nothing. */ + if (db->ro_fd == -1) + return; + + /* We need to send some data along with the descriptor. */ + uint64_t mapsize = (db->head->data_size + + roundup (db->head->module * sizeof (ref_t), ALIGN) + + sizeof (struct database_pers_head)); + struct iovec iov[2]; + iov[0].iov_base = key; + iov[0].iov_len = strlen (key) + 1; + iov[1].iov_base = &mapsize; + iov[1].iov_len = sizeof (mapsize); + + /* Prepare the control message to transfer the descriptor. */ + union + { + struct cmsghdr hdr; + char bytes[CMSG_SPACE (sizeof (int))]; + } buf; + struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 2, + .msg_control = buf.bytes, + .msg_controllen = sizeof (buf) }; + struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg); + + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN (sizeof (int)); + + int *ip = (int *) CMSG_DATA (cmsg); + *ip = db->ro_fd; + + msg.msg_controllen = cmsg->cmsg_len; + + /* Send the control message. We repeat when we are interrupted but + everything else is ignored. */ +#ifndef MSG_NOSIGNAL +# define MSG_NOSIGNAL 0 +#endif + (void) TEMP_FAILURE_RETRY (sendmsg (fd, &msg, MSG_NOSIGNAL)); + + if (__glibc_unlikely (debug_level > 0)) + dbg_log (_("provide access to FD %d, for %s"), db->ro_fd, key); +} +#endif /* SCM_RIGHTS */ + + +/* Handle new request. */ +static void +handle_request (int fd, request_header *req, void *key, uid_t uid, pid_t pid) +{ + if (__builtin_expect (req->version, NSCD_VERSION) != NSCD_VERSION) + { + if (debug_level > 0) + dbg_log (_("\ +cannot handle old request version %d; current version is %d"), + req->version, NSCD_VERSION); + return; + } + + /* Perform the SELinux check before we go on to the standard checks. */ + if (selinux_enabled && nscd_request_avc_has_perm (fd, req->type) != 0) + { + if (debug_level > 0) + { +#ifdef SO_PEERCRED +# ifdef PATH_MAX + char buf[PATH_MAX]; +# else + char buf[4096]; +# endif + + snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid); + ssize_t n = readlink (buf, buf, sizeof (buf) - 1); + + if (n <= 0) + dbg_log (_("\ +request from %ld not handled due to missing permission"), (long int) pid); + else + { + buf[n] = '\0'; + dbg_log (_("\ +request from '%s' [%ld] not handled due to missing permission"), + buf, (long int) pid); + } +#else + dbg_log (_("request not handled due to missing permission")); +#endif + } + return; + } + + struct database_dyn *db = reqinfo[req->type].db; + + /* See whether we can service the request from the cache. */ + if (__builtin_expect (reqinfo[req->type].data_request, true)) + { + if (__builtin_expect (debug_level, 0) > 0) + { + if (req->type == GETHOSTBYADDR || req->type == GETHOSTBYADDRv6) + { + char buf[INET6_ADDRSTRLEN]; + + dbg_log ("\t%s (%s)", serv2str[req->type], + inet_ntop (req->type == GETHOSTBYADDR + ? AF_INET : AF_INET6, + key, buf, sizeof (buf))); + } + else + dbg_log ("\t%s (%s)", serv2str[req->type], (char *) key); + } + + /* Is this service enabled? */ + if (__glibc_unlikely (!db->enabled)) + { + /* No, sent the prepared record. */ + if (TEMP_FAILURE_RETRY (send (fd, db->disabled_iov->iov_base, + db->disabled_iov->iov_len, + MSG_NOSIGNAL)) + != (ssize_t) db->disabled_iov->iov_len + && __builtin_expect (debug_level, 0) > 0) + { + /* We have problems sending the result. */ + char buf[256]; + dbg_log (_("cannot write result: %s"), + strerror_r (errno, buf, sizeof (buf))); + } + + return; + } + + /* Be sure we can read the data. */ + if (__glibc_unlikely (pthread_rwlock_tryrdlock (&db->lock) != 0)) + { + ++db->head->rdlockdelayed; + pthread_rwlock_rdlock (&db->lock); + } + + /* See whether we can handle it from the cache. */ + struct datahead *cached; + cached = (struct datahead *) cache_search (req->type, key, req->key_len, + db, uid); + if (cached != NULL) + { + /* Hurray it's in the cache. */ + ssize_t nwritten; + +#ifdef HAVE_SENDFILE + if (__glibc_likely (db->mmap_used)) + { + assert (db->wr_fd != -1); + assert ((char *) cached->data > (char *) db->data); + assert ((char *) cached->data - (char *) db->head + + cached->recsize + <= (sizeof (struct database_pers_head) + + db->head->module * sizeof (ref_t) + + db->head->data_size)); + nwritten = sendfileall (fd, db->wr_fd, + (char *) cached->data + - (char *) db->head, cached->recsize); +# ifndef __ASSUME_SENDFILE + if (nwritten == -1 && errno == ENOSYS) + goto use_write; +# endif + } + else +# ifndef __ASSUME_SENDFILE + use_write: +# endif +#endif + nwritten = writeall (fd, cached->data, cached->recsize); + + if (nwritten != cached->recsize + && __builtin_expect (debug_level, 0) > 0) + { + /* We have problems sending the result. */ + char buf[256]; + dbg_log (_("cannot write result: %s"), + strerror_r (errno, buf, sizeof (buf))); + } + + pthread_rwlock_unlock (&db->lock); + + return; + } + + pthread_rwlock_unlock (&db->lock); + } + else if (__builtin_expect (debug_level, 0) > 0) + { + if (req->type == INVALIDATE) + dbg_log ("\t%s (%s)", serv2str[req->type], (char *) key); + else + dbg_log ("\t%s", serv2str[req->type]); + } + + /* Handle the request. */ + switch (req->type) + { + case GETPWBYNAME: + addpwbyname (db, fd, req, key, uid); + break; + + case GETPWBYUID: + addpwbyuid (db, fd, req, key, uid); + break; + + case GETGRBYNAME: + addgrbyname (db, fd, req, key, uid); + break; + + case GETGRBYGID: + addgrbygid (db, fd, req, key, uid); + break; + + case GETHOSTBYNAME: + addhstbyname (db, fd, req, key, uid); + break; + + case GETHOSTBYNAMEv6: + addhstbynamev6 (db, fd, req, key, uid); + break; + + case GETHOSTBYADDR: + addhstbyaddr (db, fd, req, key, uid); + break; + + case GETHOSTBYADDRv6: + addhstbyaddrv6 (db, fd, req, key, uid); + break; + + case GETAI: + addhstai (db, fd, req, key, uid); + break; + + case INITGROUPS: + addinitgroups (db, fd, req, key, uid); + break; + + case GETSERVBYNAME: + addservbyname (db, fd, req, key, uid); + break; + + case GETSERVBYPORT: + addservbyport (db, fd, req, key, uid); + break; + + case GETNETGRENT: + addgetnetgrent (db, fd, req, key, uid); + break; + + case INNETGR: + addinnetgr (db, fd, req, key, uid); + break; + + case GETSTAT: + case SHUTDOWN: + case INVALIDATE: + { + /* Get the callers credentials. */ +#ifdef SO_PEERCRED + struct ucred caller; + socklen_t optlen = sizeof (caller); + + if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0) + { + char buf[256]; + + dbg_log (_("error getting caller's id: %s"), + strerror_r (errno, buf, sizeof (buf))); + break; + } + + uid = caller.uid; +#else + /* Some systems have no SO_PEERCRED implementation. They don't + care about security so we don't as well. */ + uid = 0; +#endif + } + + /* Accept shutdown, getstat and invalidate only from root. For + the stat call also allow the user specified in the config file. */ + if (req->type == GETSTAT) + { + if (uid == 0 || uid == stat_uid) + send_stats (fd, dbs); + } + else if (uid == 0) + { + if (req->type == INVALIDATE) + invalidate_cache (key, fd); + else + termination_handler (0); + } + break; + + case GETFDPW: + case GETFDGR: + case GETFDHST: + case GETFDSERV: + case GETFDNETGR: +#ifdef SCM_RIGHTS + send_ro_fd (reqinfo[req->type].db, key, fd); +#endif + break; + + default: + /* Ignore the command, it's nothing we know. */ + break; + } +} + + +/* Restart the process. */ +static void +restart (void) +{ + /* First determine the parameters. We do not use the parameters + passed to main() since in case nscd is started by running the + dynamic linker this will not work. Yes, this is not the usual + case but nscd is part of glibc and we occasionally do this. */ + size_t buflen = 1024; + char *buf = alloca (buflen); + size_t readlen = 0; + int fd = open ("/proc/self/cmdline", O_RDONLY); + if (fd == -1) + { + dbg_log (_("\ +cannot open /proc/self/cmdline: %s; disabling paranoia mode"), + strerror (errno)); + + paranoia = 0; + return; + } + + while (1) + { + ssize_t n = TEMP_FAILURE_RETRY (read (fd, buf + readlen, + buflen - readlen)); + if (n == -1) + { + dbg_log (_("\ +cannot read /proc/self/cmdline: %s; disabling paranoia mode"), + strerror (errno)); + + close (fd); + paranoia = 0; + return; + } + + readlen += n; + + if (readlen < buflen) + break; + + /* We might have to extend the buffer. */ + size_t old_buflen = buflen; + char *newp = extend_alloca (buf, buflen, 2 * buflen); + buf = memmove (newp, buf, old_buflen); + } + + close (fd); + + /* Parse the command line. Worst case scenario: every two + characters form one parameter (one character plus NUL). */ + char **argv = alloca ((readlen / 2 + 1) * sizeof (argv[0])); + int argc = 0; + + char *cp = buf; + while (cp < buf + readlen) + { + argv[argc++] = cp; + cp = (char *) rawmemchr (cp, '\0') + 1; + } + argv[argc] = NULL; + + /* Second, change back to the old user if we changed it. */ + if (server_user != NULL) + { + if (setresuid (old_uid, old_uid, old_uid) != 0) + { + dbg_log (_("\ +cannot change to old UID: %s; disabling paranoia mode"), + strerror (errno)); + + paranoia = 0; + return; + } + + if (setresgid (old_gid, old_gid, old_gid) != 0) + { + dbg_log (_("\ +cannot change to old GID: %s; disabling paranoia mode"), + strerror (errno)); + + ignore_value (setuid (server_uid)); + paranoia = 0; + return; + } + } + + /* Next change back to the old working directory. */ + if (chdir (oldcwd) == -1) + { + dbg_log (_("\ +cannot change to old working directory: %s; disabling paranoia mode"), + strerror (errno)); + + if (server_user != NULL) + { + ignore_value (setuid (server_uid)); + ignore_value (setgid (server_gid)); + } + paranoia = 0; + return; + } + + /* Synchronize memory. */ + int32_t certainly[lastdb]; + for (int cnt = 0; cnt < lastdb; ++cnt) + if (dbs[cnt].enabled) + { + /* Make sure nobody keeps using the database. */ + dbs[cnt].head->timestamp = 0; + certainly[cnt] = dbs[cnt].head->nscd_certainly_running; + dbs[cnt].head->nscd_certainly_running = 0; + + if (dbs[cnt].persistent) + // XXX async OK? + msync (dbs[cnt].head, dbs[cnt].memsize, MS_ASYNC); + } + + /* The preparations are done. */ +#ifdef PATH_MAX + char pathbuf[PATH_MAX]; +#else + char pathbuf[256]; +#endif + /* Try to exec the real nscd program so the process name (as reported + in /proc/PID/status) will be 'nscd', but fall back to /proc/self/exe + if readlink or the exec with the result of the readlink call fails. */ + ssize_t n = readlink ("/proc/self/exe", pathbuf, sizeof (pathbuf) - 1); + if (n != -1) + { + pathbuf[n] = '\0'; + execv (pathbuf, argv); + } + execv ("/proc/self/exe", argv); + + /* If we come here, we will never be able to re-exec. */ + dbg_log (_("re-exec failed: %s; disabling paranoia mode"), + strerror (errno)); + + if (server_user != NULL) + { + ignore_value (setuid (server_uid)); + ignore_value (setgid (server_gid)); + } + if (chdir ("/") != 0) + dbg_log (_("cannot change current working directory to \"/\": %s"), + strerror (errno)); + paranoia = 0; + + /* Reenable the databases. */ + time_t now = time (NULL); + for (int cnt = 0; cnt < lastdb; ++cnt) + if (dbs[cnt].enabled) + { + dbs[cnt].head->timestamp = now; + dbs[cnt].head->nscd_certainly_running = certainly[cnt]; + } +} + + +/* List of file descriptors. */ +struct fdlist +{ + int fd; + struct fdlist *next; +}; +/* Memory allocated for the list. */ +static struct fdlist *fdlist; +/* List of currently ready-to-read file descriptors. */ +static struct fdlist *readylist; + +/* Conditional variable and mutex to signal availability of entries in + READYLIST. The condvar is initialized dynamically since we might + use a different clock depending on availability. */ +static pthread_cond_t readylist_cond = PTHREAD_COND_INITIALIZER; +static pthread_mutex_t readylist_lock = PTHREAD_MUTEX_INITIALIZER; + +/* The clock to use with the condvar. */ +static clockid_t timeout_clock = CLOCK_REALTIME; + +/* Number of threads ready to handle the READYLIST. */ +static unsigned long int nready; + + +/* Function for the clean-up threads. */ +static void * +__attribute__ ((__noreturn__)) +nscd_run_prune (void *p) +{ + const long int my_number = (long int) p; + assert (dbs[my_number].enabled); + + int dont_need_update = setup_thread (&dbs[my_number]); + + time_t now = time (NULL); + + /* We are running. */ + dbs[my_number].head->timestamp = now; + + struct timespec prune_ts; + if (__glibc_unlikely (clock_gettime (timeout_clock, &prune_ts) == -1)) + /* Should never happen. */ + abort (); + + /* Compute the initial timeout time. Prevent all the timers to go + off at the same time by adding a db-based value. */ + prune_ts.tv_sec += CACHE_PRUNE_INTERVAL + my_number; + dbs[my_number].wakeup_time = now + CACHE_PRUNE_INTERVAL + my_number; + + pthread_mutex_t *prune_lock = &dbs[my_number].prune_lock; + pthread_mutex_t *prune_run_lock = &dbs[my_number].prune_run_lock; + pthread_cond_t *prune_cond = &dbs[my_number].prune_cond; + + pthread_mutex_lock (prune_lock); + while (1) + { + /* Wait, but not forever. */ + int e = 0; + if (! dbs[my_number].clear_cache) + e = pthread_cond_timedwait (prune_cond, prune_lock, &prune_ts); + assert (__builtin_expect (e == 0 || e == ETIMEDOUT, 1)); + + time_t next_wait; + now = time (NULL); + if (e == ETIMEDOUT || now >= dbs[my_number].wakeup_time + || dbs[my_number].clear_cache) + { + /* We will determine the new timout values based on the + cache content. Should there be concurrent additions to + the cache which are not accounted for in the cache + pruning we want to know about it. Therefore set the + timeout to the maximum. It will be descreased when adding + new entries to the cache, if necessary. */ + dbs[my_number].wakeup_time = MAX_TIMEOUT_VALUE; + + /* Unconditionally reset the flag. */ + time_t prune_now = dbs[my_number].clear_cache ? LONG_MAX : now; + dbs[my_number].clear_cache = 0; + + pthread_mutex_unlock (prune_lock); + + /* We use a separate lock for running the prune function (instead + of keeping prune_lock locked) because this enables concurrent + invocations of cache_add which might modify the timeout value. */ + pthread_mutex_lock (prune_run_lock); + next_wait = prune_cache (&dbs[my_number], prune_now, -1); + pthread_mutex_unlock (prune_run_lock); + + next_wait = MAX (next_wait, CACHE_PRUNE_INTERVAL); + /* If clients cannot determine for sure whether nscd is running + we need to wake up occasionally to update the timestamp. + Wait 90% of the update period. */ +#define UPDATE_MAPPING_TIMEOUT (MAPPING_TIMEOUT * 9 / 10) + if (__glibc_unlikely (! dont_need_update)) + { + next_wait = MIN (UPDATE_MAPPING_TIMEOUT, next_wait); + dbs[my_number].head->timestamp = now; + } + + pthread_mutex_lock (prune_lock); + + /* Make it known when we will wake up again. */ + if (now + next_wait < dbs[my_number].wakeup_time) + dbs[my_number].wakeup_time = now + next_wait; + else + next_wait = dbs[my_number].wakeup_time - now; + } + else + /* The cache was just pruned. Do not do it again now. Just + use the new timeout value. */ + next_wait = dbs[my_number].wakeup_time - now; + + if (clock_gettime (timeout_clock, &prune_ts) == -1) + /* Should never happen. */ + abort (); + + /* Compute next timeout time. */ + prune_ts.tv_sec += next_wait; + } +} + + +/* This is the main loop. It is replicated in different threads but + the use of the ready list makes sure only one thread handles an + incoming connection. */ +static void * +__attribute__ ((__noreturn__)) +nscd_run_worker (void *p) +{ + char buf[256]; + + /* Initial locking. */ + pthread_mutex_lock (&readylist_lock); + + /* One more thread available. */ + ++nready; + + while (1) + { + while (readylist == NULL) + pthread_cond_wait (&readylist_cond, &readylist_lock); + + struct fdlist *it = readylist->next; + if (readylist->next == readylist) + /* Just one entry on the list. */ + readylist = NULL; + else + readylist->next = it->next; + + /* Extract the information and mark the record ready to be used + again. */ + int fd = it->fd; + it->next = NULL; + + /* One more thread available. */ + --nready; + + /* We are done with the list. */ + pthread_mutex_unlock (&readylist_lock); + + /* Now read the request. */ + request_header req; + if (__builtin_expect (TEMP_FAILURE_RETRY (read (fd, &req, sizeof (req))) + != sizeof (req), 0)) + { + /* We failed to read data. Note that this also might mean we + failed because we would have blocked. */ + if (debug_level > 0) + dbg_log (_("short read while reading request: %s"), + strerror_r (errno, buf, sizeof (buf))); + goto close_and_out; + } + + /* Check whether this is a valid request type. */ + if (req.type < GETPWBYNAME || req.type >= LASTREQ) + goto close_and_out; + + /* Some systems have no SO_PEERCRED implementation. They don't + care about security so we don't as well. */ + uid_t uid = -1; +#ifdef SO_PEERCRED + pid_t pid = 0; + + if (__glibc_unlikely (debug_level > 0)) + { + struct ucred caller; + socklen_t optlen = sizeof (caller); + + if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) == 0) + pid = caller.pid; + } +#else + const pid_t pid = 0; +#endif + + /* It should not be possible to crash the nscd with a silly + request (i.e., a terribly large key). We limit the size to 1kb. */ + if (__builtin_expect (req.key_len, 1) < 0 + || __builtin_expect (req.key_len, 1) > MAXKEYLEN) + { + if (debug_level > 0) + dbg_log (_("key length in request too long: %d"), req.key_len); + } + else + { + /* Get the key. */ + char keybuf[MAXKEYLEN + 1]; + + if (__builtin_expect (TEMP_FAILURE_RETRY (read (fd, keybuf, + req.key_len)) + != req.key_len, 0)) + { + /* Again, this can also mean we would have blocked. */ + if (debug_level > 0) + dbg_log (_("short read while reading request key: %s"), + strerror_r (errno, buf, sizeof (buf))); + goto close_and_out; + } + keybuf[req.key_len] = '\0'; + + if (__builtin_expect (debug_level, 0) > 0) + { +#ifdef SO_PEERCRED + if (pid != 0) + dbg_log (_("\ +handle_request: request received (Version = %d) from PID %ld"), + req.version, (long int) pid); + else +#endif + dbg_log (_("\ +handle_request: request received (Version = %d)"), req.version); + } + + /* Phew, we got all the data, now process it. */ + handle_request (fd, &req, keybuf, uid, pid); + } + + close_and_out: + /* We are done. */ + close (fd); + + /* Re-locking. */ + pthread_mutex_lock (&readylist_lock); + + /* One more thread available. */ + ++nready; + } + /* NOTREACHED */ +} + + +static unsigned int nconns; + +static void +fd_ready (int fd) +{ + pthread_mutex_lock (&readylist_lock); + + /* Find an empty entry in FDLIST. */ + size_t inner; + for (inner = 0; inner < nconns; ++inner) + if (fdlist[inner].next == NULL) + break; + assert (inner < nconns); + + fdlist[inner].fd = fd; + + if (readylist == NULL) + readylist = fdlist[inner].next = &fdlist[inner]; + else + { + fdlist[inner].next = readylist->next; + readylist = readylist->next = &fdlist[inner]; + } + + bool do_signal = true; + if (__glibc_unlikely (nready == 0)) + { + ++client_queued; + do_signal = false; + + /* Try to start another thread to help out. */ + pthread_t th; + if (nthreads < max_nthreads + && pthread_create (&th, &attr, nscd_run_worker, + (void *) (long int) nthreads) == 0) + { + /* We got another thread. */ + ++nthreads; + /* The new thread might need a kick. */ + do_signal = true; + } + + } + + pthread_mutex_unlock (&readylist_lock); + + /* Tell one of the worker threads there is work to do. */ + if (do_signal) + pthread_cond_signal (&readylist_cond); +} + + +/* Check whether restarting should happen. */ +static bool +restart_p (time_t now) +{ + return (paranoia && readylist == NULL && nready == nthreads + && now >= restart_time); +} + + +/* Array for times a connection was accepted. */ +static time_t *starttime; + +#ifdef HAVE_INOTIFY +/* Inotify event for changed file. */ +union __inev +{ + struct inotify_event i; +# ifndef PATH_MAX +# define PATH_MAX 1024 +# endif + char buf[sizeof (struct inotify_event) + PATH_MAX]; +}; + +/* Returns 0 if the file is there otherwise -1. */ +int +check_file (struct traced_file *finfo) +{ + struct stat64 st; + /* We could check mtime and if different re-add + the watches, and invalidate the database, but we + don't because we are called from inotify_check_files + which should be doing that work. If sufficient inotify + events were lost then the next pruning or invalidation + will do the stat and mtime check. We don't do it here to + keep the logic simple. */ + if (stat64 (finfo->fname, &st) < 0) + return -1; + return 0; +} + +/* Process the inotify event in INEV. If the event matches any of the files + registered with a database then mark that database as requiring its cache + to be cleared. We indicate the cache needs clearing by setting + TO_CLEAR[DBCNT] to true for the matching database. */ +static void +inotify_check_files (bool *to_clear, union __inev *inev) +{ + /* Check which of the files changed. */ + for (size_t dbcnt = 0; dbcnt < lastdb; ++dbcnt) + { + struct traced_file *finfo = dbs[dbcnt].traced_files; + + while (finfo != NULL) + { + /* The configuration file was moved or deleted. + We stop watching it at that point, and reinitialize. */ + if (finfo->inotify_descr[TRACED_FILE] == inev->i.wd + && ((inev->i.mask & IN_MOVE_SELF) + || (inev->i.mask & IN_DELETE_SELF) + || (inev->i.mask & IN_IGNORED))) + { + int ret; + bool moved = (inev->i.mask & IN_MOVE_SELF) != 0; + + if (check_file (finfo) == 0) + { + dbg_log (_("ignored inotify event for `%s` (file exists)"), + finfo->fname); + return; + } + + dbg_log (_("monitored file `%s` was %s, removing watch"), + finfo->fname, moved ? "moved" : "deleted"); + /* File was moved out, remove the watch. Watches are + automatically removed when the file is deleted. */ + if (moved) + { + ret = inotify_rm_watch (inotify_fd, inev->i.wd); + if (ret < 0) + dbg_log (_("failed to remove file watch `%s`: %s"), + finfo->fname, strerror (errno)); + } + finfo->inotify_descr[TRACED_FILE] = -1; + to_clear[dbcnt] = true; + if (finfo->call_res_init) + res_init (); + return; + } + /* The configuration file was open for writing and has just closed. + We reset the cache and reinitialize. */ + if (finfo->inotify_descr[TRACED_FILE] == inev->i.wd + && inev->i.mask & IN_CLOSE_WRITE) + { + /* Mark cache as needing to be cleared and reinitialize. */ + dbg_log (_("monitored file `%s` was written to"), finfo->fname); + to_clear[dbcnt] = true; + if (finfo->call_res_init) + res_init (); + return; + } + /* The parent directory was moved or deleted. We trigger one last + invalidation. At the next pruning or invalidation we may add + this watch back if the file is present again. */ + if (finfo->inotify_descr[TRACED_DIR] == inev->i.wd + && ((inev->i.mask & IN_DELETE_SELF) + || (inev->i.mask & IN_MOVE_SELF) + || (inev->i.mask & IN_IGNORED))) + { + bool moved = (inev->i.mask & IN_MOVE_SELF) != 0; + /* The directory watch may have already been removed + but we don't know so we just remove it again and + ignore the error. Then we remove the file watch. + Note: watches are automatically removed for deleted + files. */ + if (moved) + inotify_rm_watch (inotify_fd, inev->i.wd); + if (finfo->inotify_descr[TRACED_FILE] != -1) + { + dbg_log (_("monitored parent directory `%s` was %s, removing watch on `%s`"), + finfo->dname, moved ? "moved" : "deleted", finfo->fname); + if (inotify_rm_watch (inotify_fd, finfo->inotify_descr[TRACED_FILE]) < 0) + dbg_log (_("failed to remove file watch `%s`: %s"), + finfo->dname, strerror (errno)); + } + finfo->inotify_descr[TRACED_FILE] = -1; + finfo->inotify_descr[TRACED_DIR] = -1; + to_clear[dbcnt] = true; + if (finfo->call_res_init) + res_init (); + /* Continue to the next entry since this might be the + parent directory for multiple registered files and + we want to remove watches for all registered files. */ + continue; + } + /* The parent directory had a create or moved to event. */ + if (finfo->inotify_descr[TRACED_DIR] == inev->i.wd + && ((inev->i.mask & IN_MOVED_TO) + || (inev->i.mask & IN_CREATE)) + && strcmp (inev->i.name, finfo->sfname) == 0) + { + /* We detected a directory change. We look for the creation + of the file we are tracking or the move of the same file + into the directory. */ + int ret; + dbg_log (_("monitored file `%s` was %s, adding watch"), + finfo->fname, + inev->i.mask & IN_CREATE ? "created" : "moved into place"); + /* File was moved in or created. Regenerate the watch. */ + if (finfo->inotify_descr[TRACED_FILE] != -1) + inotify_rm_watch (inotify_fd, + finfo->inotify_descr[TRACED_FILE]); + + ret = inotify_add_watch (inotify_fd, + finfo->fname, + TRACED_FILE_MASK); + if (ret < 0) + dbg_log (_("failed to add file watch `%s`: %s"), + finfo->fname, strerror (errno)); + + finfo->inotify_descr[TRACED_FILE] = ret; + + /* The file is new or moved so mark cache as needing to + be cleared and reinitialize. */ + to_clear[dbcnt] = true; + if (finfo->call_res_init) + res_init (); + + /* Done re-adding the watch. Don't return, we may still + have other files in this same directory, same watch + descriptor, and need to process them. */ + } + /* Other events are ignored, and we move on to the next file. */ + finfo = finfo->next; + } + } +} + +/* If an entry in the array of booleans TO_CLEAR is TRUE then clear the cache + for the associated database, otherwise do nothing. The TO_CLEAR array must + have LASTDB entries. */ +static inline void +clear_db_cache (bool *to_clear) +{ + for (size_t dbcnt = 0; dbcnt < lastdb; ++dbcnt) + if (to_clear[dbcnt]) + { + pthread_mutex_lock (&dbs[dbcnt].prune_lock); + dbs[dbcnt].clear_cache = 1; + pthread_mutex_unlock (&dbs[dbcnt].prune_lock); + pthread_cond_signal (&dbs[dbcnt].prune_cond); + } +} + +int +handle_inotify_events (void) +{ + bool to_clear[lastdb] = { false, }; + union __inev inev; + + /* Read all inotify events for files registered via + register_traced_file(). */ + while (1) + { + /* Potentially read multiple events into buf. */ + ssize_t nb = TEMP_FAILURE_RETRY (read (inotify_fd, + &inev.buf, + sizeof (inev))); + if (nb < (ssize_t) sizeof (struct inotify_event)) + { + /* Not even 1 event. */ + if (__glibc_unlikely (nb == -1 && errno != EAGAIN)) + return -1; + /* Done reading events that are ready. */ + break; + } + /* Process all events. The normal inotify interface delivers + complete events on a read and never a partial event. */ + char *eptr = &inev.buf[0]; + ssize_t count; + while (1) + { + /* Check which of the files changed. */ + inotify_check_files (to_clear, &inev); + count = sizeof (struct inotify_event) + inev.i.len; + eptr += count; + nb -= count; + if (nb >= (ssize_t) sizeof (struct inotify_event)) + memcpy (&inev, eptr, nb); + else + break; + } + continue; + } + /* Actually perform the cache clearing. */ + clear_db_cache (to_clear); + return 0; +} + +#endif + +static void +__attribute__ ((__noreturn__)) +main_loop_poll (void) +{ + struct pollfd *conns = (struct pollfd *) xmalloc (nconns + * sizeof (conns[0])); + + conns[0].fd = sock; + conns[0].events = POLLRDNORM; + size_t nused = 1; + size_t firstfree = 1; + +#ifdef HAVE_INOTIFY + if (inotify_fd != -1) + { + conns[1].fd = inotify_fd; + conns[1].events = POLLRDNORM; + nused = 2; + firstfree = 2; + } +#endif + +#ifdef HAVE_NETLINK + size_t idx_nl_status_fd = 0; + if (nl_status_fd != -1) + { + idx_nl_status_fd = nused; + conns[nused].fd = nl_status_fd; + conns[nused].events = POLLRDNORM; + ++nused; + firstfree = nused; + } +#endif + + while (1) + { + /* Wait for any event. We wait at most a couple of seconds so + that we can check whether we should close any of the accepted + connections since we have not received a request. */ +#define MAX_ACCEPT_TIMEOUT 30 +#define MIN_ACCEPT_TIMEOUT 5 +#define MAIN_THREAD_TIMEOUT \ + (MAX_ACCEPT_TIMEOUT * 1000 \ + - ((MAX_ACCEPT_TIMEOUT - MIN_ACCEPT_TIMEOUT) * 1000 * nused) / (2 * nconns)) + + int n = poll (conns, nused, MAIN_THREAD_TIMEOUT); + + time_t now = time (NULL); + + /* If there is a descriptor ready for reading or there is a new + connection, process this now. */ + if (n > 0) + { + if (conns[0].revents != 0) + { + /* We have a new incoming connection. Accept the connection. */ + int fd = TEMP_FAILURE_RETRY (accept4 (sock, NULL, NULL, + SOCK_NONBLOCK)); + + /* Use the descriptor if we have not reached the limit. */ + if (fd >= 0) + { + if (firstfree < nconns) + { + conns[firstfree].fd = fd; + conns[firstfree].events = POLLRDNORM; + starttime[firstfree] = now; + if (firstfree >= nused) + nused = firstfree + 1; + + do + ++firstfree; + while (firstfree < nused && conns[firstfree].fd != -1); + } + else + /* We cannot use the connection so close it. */ + close (fd); + } + + --n; + } + + size_t first = 1; +#ifdef HAVE_INOTIFY + if (inotify_fd != -1 && conns[1].fd == inotify_fd) + { + if (conns[1].revents != 0) + { + int ret; + ret = handle_inotify_events (); + if (ret == -1) + { + /* Something went wrong when reading the inotify + data. Better disable inotify. */ + dbg_log (_("disabled inotify-based monitoring after read error %d"), errno); + conns[1].fd = -1; + firstfree = 1; + if (nused == 2) + nused = 1; + close (inotify_fd); + inotify_fd = -1; + } + --n; + } + + first = 2; + } +#endif + +#ifdef HAVE_NETLINK + if (idx_nl_status_fd != 0 && conns[idx_nl_status_fd].revents != 0) + { + char buf[4096]; + /* Read all the data. We do not interpret it here. */ + while (TEMP_FAILURE_RETRY (read (nl_status_fd, buf, + sizeof (buf))) != -1) + ; + + dbs[hstdb].head->extra_data[NSCD_HST_IDX_CONF_TIMESTAMP] + = __bump_nl_timestamp (); + } +#endif + + for (size_t cnt = first; cnt < nused && n > 0; ++cnt) + if (conns[cnt].revents != 0) + { + fd_ready (conns[cnt].fd); + + /* Clean up the CONNS array. */ + conns[cnt].fd = -1; + if (cnt < firstfree) + firstfree = cnt; + if (cnt == nused - 1) + do + --nused; + while (conns[nused - 1].fd == -1); + + --n; + } + } + + /* Now find entries which have timed out. */ + assert (nused > 0); + + /* We make the timeout length depend on the number of file + descriptors currently used. */ +#define ACCEPT_TIMEOUT \ + (MAX_ACCEPT_TIMEOUT \ + - ((MAX_ACCEPT_TIMEOUT - MIN_ACCEPT_TIMEOUT) * nused) / nconns) + time_t laststart = now - ACCEPT_TIMEOUT; + + for (size_t cnt = nused - 1; cnt > 0; --cnt) + { + if (conns[cnt].fd != -1 && starttime[cnt] < laststart) + { + /* Remove the entry, it timed out. */ + (void) close (conns[cnt].fd); + conns[cnt].fd = -1; + + if (cnt < firstfree) + firstfree = cnt; + if (cnt == nused - 1) + do + --nused; + while (conns[nused - 1].fd == -1); + } + } + + if (restart_p (now)) + restart (); + } +} + + +#ifdef HAVE_EPOLL +static void +main_loop_epoll (int efd) +{ + struct epoll_event ev = { 0, }; + int nused = 1; + size_t highest = 0; + + /* Add the socket. */ + ev.events = EPOLLRDNORM; + ev.data.fd = sock; + if (epoll_ctl (efd, EPOLL_CTL_ADD, sock, &ev) == -1) + /* We cannot use epoll. */ + return; + +# ifdef HAVE_INOTIFY + if (inotify_fd != -1) + { + ev.events = EPOLLRDNORM; + ev.data.fd = inotify_fd; + if (epoll_ctl (efd, EPOLL_CTL_ADD, inotify_fd, &ev) == -1) + /* We cannot use epoll. */ + return; + nused = 2; + } +# endif + +# ifdef HAVE_NETLINK + if (nl_status_fd != -1) + { + ev.events = EPOLLRDNORM; + ev.data.fd = nl_status_fd; + if (epoll_ctl (efd, EPOLL_CTL_ADD, nl_status_fd, &ev) == -1) + /* We cannot use epoll. */ + return; + } +# endif + + while (1) + { + struct epoll_event revs[100]; +# define nrevs (sizeof (revs) / sizeof (revs[0])) + + int n = epoll_wait (efd, revs, nrevs, MAIN_THREAD_TIMEOUT); + + time_t now = time (NULL); + + for (int cnt = 0; cnt < n; ++cnt) + if (revs[cnt].data.fd == sock) + { + /* A new connection. */ + int fd = TEMP_FAILURE_RETRY (accept4 (sock, NULL, NULL, + SOCK_NONBLOCK)); + + /* Use the descriptor if we have not reached the limit. */ + if (fd >= 0) + { + /* Try to add the new descriptor. */ + ev.data.fd = fd; + if (fd >= nconns + || epoll_ctl (efd, EPOLL_CTL_ADD, fd, &ev) == -1) + /* The descriptor is too large or something went + wrong. Close the descriptor. */ + close (fd); + else + { + /* Remember when we accepted the connection. */ + starttime[fd] = now; + + if (fd > highest) + highest = fd; + + ++nused; + } + } + } +# ifdef HAVE_INOTIFY + else if (revs[cnt].data.fd == inotify_fd) + { + int ret; + ret = handle_inotify_events (); + if (ret == -1) + { + /* Something went wrong when reading the inotify + data. Better disable inotify. */ + dbg_log (_("disabled inotify-based monitoring after read error %d"), errno); + (void) epoll_ctl (efd, EPOLL_CTL_DEL, inotify_fd, NULL); + close (inotify_fd); + inotify_fd = -1; + break; + } + } +# endif +# ifdef HAVE_NETLINK + else if (revs[cnt].data.fd == nl_status_fd) + { + char buf[4096]; + /* Read all the data. We do not interpret it here. */ + while (TEMP_FAILURE_RETRY (read (nl_status_fd, buf, + sizeof (buf))) != -1) + ; + + __bump_nl_timestamp (); + } +# endif + else + { + /* Remove the descriptor from the epoll descriptor. */ + (void) epoll_ctl (efd, EPOLL_CTL_DEL, revs[cnt].data.fd, NULL); + + /* Get a worker to handle the request. */ + fd_ready (revs[cnt].data.fd); + + /* Reset the time. */ + starttime[revs[cnt].data.fd] = 0; + if (revs[cnt].data.fd == highest) + do + --highest; + while (highest > 0 && starttime[highest] == 0); + + --nused; + } + + /* Now look for descriptors for accepted connections which have + no reply in too long of a time. */ + time_t laststart = now - ACCEPT_TIMEOUT; + assert (starttime[sock] == 0); +# ifdef HAVE_INOTIFY + assert (inotify_fd == -1 || starttime[inotify_fd] == 0); +# endif + assert (nl_status_fd == -1 || starttime[nl_status_fd] == 0); + for (int cnt = highest; cnt > STDERR_FILENO; --cnt) + if (starttime[cnt] != 0 && starttime[cnt] < laststart) + { + /* We are waiting for this one for too long. Close it. */ + (void) epoll_ctl (efd, EPOLL_CTL_DEL, cnt, NULL); + + (void) close (cnt); + + starttime[cnt] = 0; + if (cnt == highest) + --highest; + } + else if (cnt != sock && starttime[cnt] == 0 && cnt == highest) + --highest; + + if (restart_p (now)) + restart (); + } +} +#endif + + +/* Start all the threads we want. The initial process is thread no. 1. */ +void +start_threads (void) +{ + /* Initialize the conditional variable we will use. The only + non-standard attribute we might use is the clock selection. */ + pthread_condattr_t condattr; + pthread_condattr_init (&condattr); + +#if defined _POSIX_CLOCK_SELECTION && _POSIX_CLOCK_SELECTION >= 0 \ + && defined _POSIX_MONOTONIC_CLOCK && _POSIX_MONOTONIC_CLOCK >= 0 + /* Determine whether the monotonous clock is available. */ + struct timespec dummy; +# if _POSIX_MONOTONIC_CLOCK == 0 + if (sysconf (_SC_MONOTONIC_CLOCK) > 0) +# endif +# if _POSIX_CLOCK_SELECTION == 0 + if (sysconf (_SC_CLOCK_SELECTION) > 0) +# endif + if (clock_getres (CLOCK_MONOTONIC, &dummy) == 0 + && pthread_condattr_setclock (&condattr, CLOCK_MONOTONIC) == 0) + timeout_clock = CLOCK_MONOTONIC; +#endif + + /* Create the attribute for the threads. They are all created + detached. */ + pthread_attr_init (&attr); + pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_DETACHED); + /* Use 1MB stacks, twice as much for 64-bit architectures. */ + pthread_attr_setstacksize (&attr, NSCD_THREAD_STACKSIZE); + + /* We allow less than LASTDB threads only for debugging. */ + if (debug_level == 0) + nthreads = MAX (nthreads, lastdb); + + /* Create the threads which prune the databases. */ + // XXX Ideally this work would be done by some of the worker threads. + // XXX But this is problematic since we would need to be able to wake + // XXX them up explicitly as well as part of the group handling the + // XXX ready-list. This requires an operation where we can wait on + // XXX two conditional variables at the same time. This operation + // XXX does not exist (yet). + for (long int i = 0; i < lastdb; ++i) + { + /* Initialize the conditional variable. */ + if (pthread_cond_init (&dbs[i].prune_cond, &condattr) != 0) + { + dbg_log (_("could not initialize conditional variable")); + do_exit (1, 0, NULL); + } + + pthread_t th; + if (dbs[i].enabled + && pthread_create (&th, &attr, nscd_run_prune, (void *) i) != 0) + { + dbg_log (_("could not start clean-up thread; terminating")); + do_exit (1, 0, NULL); + } + } + + pthread_condattr_destroy (&condattr); + + for (long int i = 0; i < nthreads; ++i) + { + pthread_t th; + if (pthread_create (&th, &attr, nscd_run_worker, NULL) != 0) + { + if (i == 0) + { + dbg_log (_("could not start any worker thread; terminating")); + do_exit (1, 0, NULL); + } + + break; + } + } + + /* Now it is safe to let the parent know that we're doing fine and it can + exit. */ + notify_parent (0); + + /* Determine how much room for descriptors we should initially + allocate. This might need to change later if we cap the number + with MAXCONN. */ + const long int nfds = sysconf (_SC_OPEN_MAX); +#define MINCONN 32 +#define MAXCONN 16384 + if (nfds == -1 || nfds > MAXCONN) + nconns = MAXCONN; + else if (nfds < MINCONN) + nconns = MINCONN; + else + nconns = nfds; + + /* We need memory to pass descriptors on to the worker threads. */ + fdlist = (struct fdlist *) xcalloc (nconns, sizeof (fdlist[0])); + /* Array to keep track when connection was accepted. */ + starttime = (time_t *) xcalloc (nconns, sizeof (starttime[0])); + + /* In the main thread we execute the loop which handles incoming + connections. */ +#ifdef HAVE_EPOLL + int efd = epoll_create (100); + if (efd != -1) + { + main_loop_epoll (efd); + close (efd); + } +#endif + + main_loop_poll (); +} + + +/* Look up the uid, gid, and supplementary groups to run nscd as. When + this function is called, we are not listening on the nscd socket yet so + we can just use the ordinary lookup functions without causing a lockup */ +static void +begin_drop_privileges (void) +{ + struct passwd *pwd = getpwnam (server_user); + + if (pwd == NULL) + { + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (EXIT_FAILURE, 0, + _("Failed to run nscd as user '%s'"), server_user); + } + + server_uid = pwd->pw_uid; + server_gid = pwd->pw_gid; + + /* Save the old UID/GID if we have to change back. */ + if (paranoia) + { + old_uid = getuid (); + old_gid = getgid (); + } + + if (getgrouplist (server_user, server_gid, NULL, &server_ngroups) == 0) + { + /* This really must never happen. */ + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (EXIT_FAILURE, errno, + _("initial getgrouplist failed")); + } + + server_groups = (gid_t *) xmalloc (server_ngroups * sizeof (gid_t)); + + if (getgrouplist (server_user, server_gid, server_groups, &server_ngroups) + == -1) + { + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (EXIT_FAILURE, errno, _("getgrouplist failed")); + } +} + + +/* Call setgroups(), setgid(), and setuid() to drop root privileges and + run nscd as the user specified in the configuration file. */ +static void +finish_drop_privileges (void) +{ +#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP + /* We need to preserve the capabilities to connect to the audit daemon. */ + cap_t new_caps = preserve_capabilities (); +#endif + + if (setgroups (server_ngroups, server_groups) == -1) + { + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (EXIT_FAILURE, errno, _("setgroups failed")); + } + + int res; + if (paranoia) + res = setresgid (server_gid, server_gid, old_gid); + else + res = setgid (server_gid); + if (res == -1) + { + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (4, errno, "setgid"); + } + + if (paranoia) + res = setresuid (server_uid, server_uid, old_uid); + else + res = setuid (server_uid); + if (res == -1) + { + dbg_log (_("Failed to run nscd as user '%s'"), server_user); + do_exit (4, errno, "setuid"); + } + +#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP + /* Remove the temporary capabilities. */ + install_real_capabilities (new_caps); +#endif +} |