1 /* Copyright 1988,1990,1993,1994 by Paul Vixie
4 * Distribute freely, except: don't remove my name from the source or
5 * documentation (don't take credit for my work), mark your changes (don't
6 * get me blamed for your possible bugs), don't alter or remove this
7 * notice. May be sold if buildable source is provided to buyer. No
8 * warrantee of any kind, express or implied, is included with this
9 * software; use at your own risk, responsibility for damages (if any) to
10 * anyone resulting from the use of this software rests entirely with the
13 * Send bug reports, bug fixes, enhancements, requests, flames, etc., and
14 * I'll try to keep a version up to date. I can be reached as follows:
15 * Paul Vixie <paul@vix.com> uunet!decwrl!vixie!paul
17 * $FreeBSD: src/usr.sbin/cron/cron/do_command.c,v 1.27 2007/06/17 17:25:53 yar Exp $
18 * $DragonFly: src/usr.sbin/cron/cron/do_command.c,v 1.8 2008/01/07 14:11:23 matthias Exp $
22 #include <sys/signal.h>
24 # include <sys/universe.h>
29 #if defined(LOGIN_CAP)
30 # include <login_cap.h>
33 # include <security/pam_appl.h>
34 # include <security/openpam.h>
37 static void child_process(entry *, user *),
42 do_command(entry *e, user *u)
44 Debug(DPROC, ("[%d] do_command(%s, (%s,%d,%d))\n",
45 getpid(), e->cmd, u->name, e->uid, e->gid))
47 /* fork to become asynchronous -- parent process is done immediately,
48 * and continues to run the normal cron code, which means return to
49 * tick(). the child and grandchild don't leave this function, alive.
51 * vfork() is unsuitable, since we have much to do, and the parent
52 * needs to be able to run off and fork other processes.
56 log_it("CRON",getpid(),"error","can't fork");
60 acquire_daemonlock(1);
62 Debug(DPROC, ("[%d] child process done, exiting\n", getpid()))
69 Debug(DPROC, ("[%d] main process returning to work\n", getpid()))
74 child_process(entry *e, user *u)
76 int stdin_pipe[2], stdout_pipe[2];
79 char *usernm, *mailto;
81 # if defined(LOGIN_CAP)
86 Debug(DPROC, ("[%d] child_process('%s')\n", getpid(), e->cmd))
88 /* mark ourselves as different to PS command watchers by upshifting
89 * our program name. This has no effect on some kernels.
91 setproctitle("running job");
93 /* discover some useful and important environment settings
95 usernm = env_get("LOGNAME", e->envp);
96 mailto = env_get("MAILTO", e->envp);
99 /* use PAM to see if the user's account is available,
100 * i.e., not locked or expired or whatever. skip this
101 * for system tasks from /etc/crontab -- they can run
104 if (strcmp(u->name, SYS_NAME)) { /* not equal */
105 pam_handle_t *pamh = NULL;
107 struct pam_conv pamc = {
108 .conv = openpam_nullconv,
112 Debug(DPROC, ("[%d] checking account with PAM\n", getpid()))
114 /* u->name keeps crontab owner name while LOGNAME is the name
115 * of user to run command on behalf of. they should be the
116 * same for a task from a per-user crontab.
118 if (strcmp(u->name, usernm)) {
119 log_it(usernm, getpid(), "username ambiguity", u->name);
123 pam_err = pam_start("cron", usernm, &pamc, &pamh);
124 if (pam_err != PAM_SUCCESS) {
125 log_it("CRON", getpid(), "error", "can't start PAM");
129 pam_err = pam_acct_mgmt(pamh, PAM_SILENT);
130 /* Expired password shouldn't prevent the job from running. */
131 if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD) {
132 log_it(usernm, getpid(), "USER", "account unavailable");
136 pam_end(pamh, pam_err);
141 /* our parent is watching for our death by catching SIGCHLD. we
142 * do not care to watch for our children's deaths this way -- we
143 * use wait() explictly. so we have to disable the signal (which
144 * was inherited from the parent).
146 signal(SIGCHLD, SIG_DFL);
148 /* on system-V systems, we are ignoring SIGCLD. we have to stop
149 * ignoring it now or the wait() in cron_pclose() won't work.
150 * because of this, we have to wait() for our children here, as well.
152 signal(SIGCLD, SIG_DFL);
155 /* create some pipes to talk to our future child
157 pipe(stdin_pipe); /* child's stdin */
158 pipe(stdout_pipe); /* child's stdout */
160 /* since we are a forked process, we can diddle the command string
161 * we were passed -- nobody else is going to use it again, right?
163 * if a % is present in the command, previous characters are the
164 * command, and subsequent characters are the additional input to
165 * the command. Subsequent %'s will be transformed into newlines,
166 * but that happens later.
168 * If there are escaped %'s, remove the escape character.
175 for (input_data = p = e->cmd; (ch = *input_data);
180 if (ch == '%' || ch == '\\')
190 *input_data++ = '\0';
197 /* fork again, this time so we can exec the user's command.
201 log_it("CRON",getpid(),"error","can't vfork");
205 Debug(DPROC, ("[%d] grandchild process Vfork()'ed\n",
208 jitter = (e->uid == ROOT_UID) ? RootJitter : Jitter;
211 sleep(random() % jitter);
214 /* write a log message. we've waited this long to do it
215 * because it was not until now that we knew the PID that
216 * the actual user command shell was going to get and the
217 * PID is part of the log message.
220 char *x = mkprints((u_char *)e->cmd, strlen(e->cmd));
222 log_it(usernm, getpid(), "CMD", x);
226 /* that's the last thing we'll log. close the log files.
232 /* get new pgrp, void tty, etc.
236 /* close the pipe ends that we won't use. this doesn't affect
237 * the parent, who has to read and write them; it keeps the
238 * kernel from recording us as a potential client TWICE --
239 * which would keep it from sending SIGPIPE in otherwise
240 * appropriate circumstances.
242 close(stdin_pipe[WRITE_PIPE]);
243 close(stdout_pipe[READ_PIPE]);
245 /* grandchild process. make std{in,out} be the ends of
246 * pipes opened by our daddy; make stderr go to stdout.
248 close(STDIN); dup2(stdin_pipe[READ_PIPE], STDIN);
249 close(STDOUT); dup2(stdout_pipe[WRITE_PIPE], STDOUT);
250 close(STDERR); dup2(STDOUT, STDERR);
252 /* close the pipes we just dup'ed. The resources will remain.
254 close(stdin_pipe[READ_PIPE]);
255 close(stdout_pipe[WRITE_PIPE]);
257 /* set our login universe. Do this in the grandchild
258 * so that the child can invoke /usr/lib/sendmail
263 # if defined(LOGIN_CAP)
264 /* Set user's entire context, but skip the environment
265 * as cron provides a separate interface for this
267 if ((pwd = getpwnam(usernm)) == NULL)
268 pwd = getpwuid(e->uid);
271 pwd->pw_gid = e->gid;
272 if (e->class != NULL)
273 lc = login_getclass(e->class);
276 setusercontext(lc, pwd, e->uid,
277 LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETENV)) == 0)
280 /* fall back to the old method */
283 /* set our directory, uid and gid. Set gid first,
284 * since once we set uid, we've lost root privledges.
288 initgroups(usernm, e->gid);
291 setuid(e->uid); /* we aren't root after this..*/
292 #if defined(LOGIN_CAP)
297 chdir(env_get("HOME", e->envp));
302 char *shell = env_get("SHELL", e->envp);
305 if (DebugFlags & DTEST) {
307 "debug DTEST is on, not exec'ing command.\n");
309 "\tcmd='%s' shell='%s'\n", e->cmd, shell);
312 # endif /*DEBUGGING*/
313 execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
314 warn("execl: couldn't exec `%s'", shell);
325 /* middle process, child of original cron, parent of process running
326 * the user's command.
329 Debug(DPROC, ("[%d] child continues, closing pipes\n", getpid()))
331 /* close the ends of the pipe that will only be referenced in the
332 * grandchild process...
334 close(stdin_pipe[READ_PIPE]);
335 close(stdout_pipe[WRITE_PIPE]);
338 * write, to the pipe connected to child's stdin, any input specified
339 * after a % in the crontab entry. while we copy, convert any
340 * additional %'s to newlines. when done, if some characters were
341 * written and the last one wasn't a newline, write a newline.
343 * Note that if the input data won't fit into one pipe buffer (2K
344 * or 4K on most BSD systems), and the child doesn't read its stdin,
345 * we would block here. thus we must fork again.
348 if (*input_data && fork() == 0) {
350 int need_newline = FALSE;
354 out = fdopen(stdin_pipe[WRITE_PIPE], "w");
356 warn("fdopen failed in child2");
360 Debug(DPROC, ("[%d] child2 sending data to grandchild\n", getpid()))
362 /* close the pipe we don't use, since we inherited it and
363 * are part of its reference count now.
365 close(stdout_pipe[READ_PIPE]);
370 * \x -> \x for all x != %
372 while ((ch = *input_data++)) {
381 if (!(escaped = (ch == '\\'))) {
383 need_newline = (ch != '\n');
391 /* close the pipe, causing an EOF condition. fclose causes
392 * stdin_pipe[WRITE_PIPE] to be closed, too.
396 Debug(DPROC, ("[%d] child2 done sending to grandchild\n", getpid()))
400 /* close the pipe to the grandkiddie's stdin, since its wicked uncle
401 * ernie back there has it open and will close it when he's done.
403 close(stdin_pipe[WRITE_PIPE]);
408 * read output from the grandchild. it's stderr has been redirected to
409 * it's stdout, which has been redirected to our pipe. if there is any
410 * output, we'll be mailing it to the user whose crontab this is...
411 * when the grandchild exits, we'll get EOF.
414 Debug(DPROC, ("[%d] child reading output from grandchild\n", getpid()))
420 in = fdopen(stdout_pipe[READ_PIPE], "r");
422 warn("fdopen failed in child");
433 ("[%d] got data (%x:%c) from grandchild\n",
436 /* get name of recipient. this is MAILTO if set to a
437 * valid local username; USER otherwise.
440 /* MAILTO was present in the environment
443 /* ... but it's empty. set to NULL
448 /* MAILTO not present, set to USER.
453 /* if we are supposed to be mailing, MAILTO will
454 * be non-NULL. only in this case should we set
455 * up the mail command and subjects and stuff...
460 char mailcmd[MAX_COMMAND];
461 char hostname[MAXHOSTNAMELEN];
463 gethostname(hostname, MAXHOSTNAMELEN);
464 snprintf(mailcmd, sizeof(mailcmd),
466 if (!(mail = cron_popen(mailcmd, "w", e))) {
470 fprintf(mail, "From: %s (Cron Daemon)\n", usernm);
471 fprintf(mail, "To: %s\n", mailto);
472 fprintf(mail, "Subject: Cron <%s@%s> %s\n",
473 usernm, first_word(hostname, "."),
475 # if defined(MAIL_DATE)
476 fprintf(mail, "Date: %s\n",
477 arpadate(&TargetTime));
478 # endif /* MAIL_DATE */
479 for (env = e->envp; *env; env++)
480 fprintf(mail, "X-Cron-Env: <%s>\n",
484 /* this was the first char from the pipe
489 /* we have to read the input pipe no matter whether
490 * we mail or not, but obviously we only write to
491 * mail pipe if we ARE mailing.
494 while (EOF != (ch = getc(in))) {
500 /* only close pipe if we opened it -- i.e., we're
505 Debug(DPROC, ("[%d] closing pipe to mail\n",
507 /* Note: the pclose will probably see
508 * the termination of the grandchild
509 * in addition to the mail process, since
510 * it (the grandchild) is likely to exit
511 * after closing its stdout.
513 status = cron_pclose(mail);
516 /* if there was output and we could not mail it,
517 * log the facts so the poor user can figure out
520 if (mailto && status) {
521 char buf[MAX_TEMPSTR];
523 snprintf(buf, sizeof(buf),
524 "mailed %d byte%s of output but got status 0x%04x\n",
525 bytes, (bytes==1)?"":"s",
527 log_it(usernm, getpid(), "MAIL", buf);
530 } /*if data from grandchild*/
532 Debug(DPROC, ("[%d] got EOF from grandchild\n", getpid()))
534 fclose(in); /* also closes stdout_pipe[READ_PIPE] */
537 /* wait for children to die.
539 for (; children > 0; children--)
544 Debug(DPROC, ("[%d] waiting for grandchild #%d to finish\n",
548 Debug(DPROC, ("[%d] no more grandchildren--mail written?\n",
552 Debug(DPROC, ("[%d] grandchild #%d finished, status=%04x",
553 getpid(), pid, WEXITSTATUS(waiter)))
554 if (WIFSIGNALED(waiter) && WCOREDUMP(waiter))
555 Debug(DPROC, (", dumped core"))
565 /* Dynix (Sequent) hack to put the user associated with
566 * the passed user structure into the ATT universe if
567 * necessary. We have to dig the gecos info out of
568 * the user's password entry to see if the magic
569 * "universe(att)" string is present.
576 p = getpwuid(u->uid);
584 for (i = 0; i < 4; i++)
586 if ((s = strchr(s, ',')) == NULL)
590 if (strcmp(s, "universe(att)"))
uqs's projects / games.git / blob