path: root/pseudo_client.h
Age | Commit message | Author
2016-03-09 | make bash stop bullying me | Peter Seebach
So we had this really strange problem where, sometimes but not always, pseudo would have strange problems on startup, where the pseudo server would end up running under pseudo. And this produced the most fascinating thing, which was:

    unsetenv("LD_PRELOAD");
    assert(getenv("LD_PRELOAD") == NULL);
    for (int i = 0; environ[i]; ++i) {
        assert(strncmp(environ[i], "LD_PRELOAD=", 11));
    }

(pseudocode untested)

This would crash on the environ search. Because getenv() was not searching environ. WHAT.

So it turns out, *bash overrides getenv, setenv, and so on*. Under those names. Hiding the glibc ones. And this creates horrible problems if you assumed that your code could call those functions and expect them to work.

So as a workaround, pseudo now uses dlsym to find getenv, etc., from glibc, and invokes those directly if possible. Also the client now uses unwrapped fork/exec for spawning the server, which cleans up the behavior of that code quite a bit.
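As an added C example (not pseudo's own code) of the failure described in this commit: a program that exports its own getenv() under the libc name, the environ scan from the commit message, and the dlsym workaround the commit adopts. It assumes glibc (soname libc.so.6) and uses a constructed variable name, PSEUDO_EXAMPLE_VAR.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;
typedef char *(*getenv_fn)(const char *);

/* Look NAME up in a NULL-terminated "NAME=value" list; NULL if absent. */
static char *lookup_in(char **list, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; list && list[i]; ++i)
        if (strncmp(list[i], name, n) == 0 && list[i][n] == '=')
            return list[i] + n + 1;
    return NULL;
}

/* Stand-in for a shell that exports its own getenv() under the libc name:
 * it consults a private table and never looks at environ. */
static char *shell_table[] = { "SHELL_OWNED=1", NULL };

char *getenv(const char *name)
{
    return lookup_in(shell_table, name);
}

/* Resolve getenv() from the C library itself, ignoring whatever the main
 * executable exported; assumes glibc, whose soname is libc.so.6. */
static getenv_fn libc_getenv(void)
{
    void *h = dlopen("libc.so.6", RTLD_LAZY);  /* already loaded: just a handle */
    return h ? (getenv_fn)dlsym(h, "getenv") : NULL;
}

/* 1 when a variable placed in environ is invisible to the interposed getenv()
 * but visible to an environ scan and to the dlsym-resolved libc getenv(). */
int interposition_detected(void)
{
    setenv("PSEUDO_EXAMPLE_VAR", "1", 1);   /* constructed test variable */
    char *via_interposed = getenv("PSEUDO_EXAMPLE_VAR");
    char *via_scan = lookup_in(environ, "PSEUDO_EXAMPLE_VAR");
    getenv_fn real = libc_getenv();
    char *via_libc = real ? real("PSEUDO_EXAMPLE_VAR") : NULL;
    return via_interposed == NULL && via_scan && via_libc
        && strcmp(via_scan, "1") == 0 && strcmp(via_libc, "1") == 0;
}
```

On glibc older than 2.34 the build needs -ldl; newer releases ship dlsym inside libc itself.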
2015-09-03 | Finish (I hope) working around 0700 umasks. | Peter Seebach
There are some changes to allow things to work even if umask is 0700; originally this was just regarded as a broken state, but it became necessary to fix it in order for the xattrdb code to work, only the fix could result in files having a raw filesystem mode that lacked execute bits it should have had.

Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2015-08-21 | Clean up some const stuff | Peter Seebach
Dropping the alloc from file paths meant that pseudo_exec_path could end up just returning its original argument, which was const-qualified, meaning its return should also be const-qualified.

Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
2014-05-27 | Honor umask | Peter Seebach
We used to rely on filesystem operations to apply the umask when appropriate, but when we started masking out 022, that stopped working. Start watching umask.
2014-05-16 | Mask 022 back in for database. | Peter Seebach
PSEUDO_DB_MODE restores a proposed mode's 0700 bits, but now that we're masking 022 out, it should also restore those. Change it to restore 0722 from a proposed mode before sending to database.
2014-05-16 | Permissions handling tweaks (fchmodat, mask out write bits) | Peter Seebach
Change the handling of fchmodat(AT_SYMLINK_NOFOLLOW) to reject it if the host system does, so we preserve host system behavior. Mask out group/other write bits when actually creating files to reduce risks to filesystem integrity.
2012-08-09 | Fix up chroot damage caused by PSEUDO_STATBUF fix (tags: pseudo-1.4.1, PSEUDO_1_4_1) | Peter Seebach
The PSEUDO_STATBUF change (allowing operations on files over 2GB even on 32-bit systems) introduced a subtle bug; by calling stat64() rather than real_stat(), pseudo stopped handling chrooted paths well. In most cases, this was fine, but in the specific case of a rename, where the stat buffers for the various parts were actually used, it wasn't. Of particular note, pseudo could end up creating links which had stack garbage for their stat buffs, because it assumed that if the rename operation succeeded, the stat operations must have succeeded. Of course, there is no real_stat64 in the Linux port, because there's no need for it; most code is calling __xstat64 or some relative thereof, and even if you did really call stat64, it'd end up routed there anyway. So we add that so that it can be used for calls and we don't have to encode Linux-specific magic about __xstat into the generic header.
2012-08-02 | Remove the _plain thing, use PSEUDO_STATBUF everywhere. | Peter Seebach
The _plain thing was added because of clashes between Linux ("struct stat64 for 64-bit file sizes") and Darwin ("struct stat is already 64 bits"). But it turns out not to be enough, because stat will *fail* if it cannot represent a file size, so when something like unlinkat() calls a non-64-bit stat in order to determine whether a file exists, it gets the wrong answer if the file is over 2GB in size. Solution: Continue using PSEUDO_STATBUF, and also provide defines for base_stat() which can be either real_stat() or real_stat64(), etcetera. This eliminates any reason to need the _plain functions. It also suggests that the other real___fxstatat() calls should someday go away because that is an ugly, ugly, implementation detail. As part of testing this, fix up some bitrot which affected Darwin (such as the continue outside of a loop, but inside an #ifdef; that was left over from the conversion of init_one_wrapper to a separate function).
2011-05-31 | Change logic on file creation/chmod so that we only secretly mask in the 0100 bit for directories. | Peter Seebach
The reason is that otherwise we create plain files which are 0700 on disk, which means they're non-zero &0111, which breaks euidaccess(X_OK).
2011-05-25 | Make ulckpwdf() report failures | Seebs
2011-03-25 | Merge in ports work | Peter Seebach
This is a spiffied-up rebase of a bunch of intermediate changes, presented as a whole because it is, surprisingly, less confusing that way. The basic idea is to separate the guts code into categories ranging from generic stuff that can be the same everywhere and specific variants. The big scary one is the Darwin support, which actually seems to run okay on 64-bit OS X 10.6. (No other variants were tested.) The other example given is support for the old clone() syscall on RHEL 4, which affects some wrlinux use cases. There are a few minor cleanup bits here, such as a function with inconsistent calling conventions, but nothing really exciting.
2011-02-08 | Expand paths on exec. | Peter Seebach
This is fussy, because we have to actually do the path search ourselves as best we can to handle unqualified paths. The result, though, is more meaningful logs. Along the way, fix some bitrot in the comments in pseudo_fix_path and friends.
2010-12-13 | Further amend the system to enable/disable sudo during fork/exec. | Mark Hatle
2010-12-09:

* (mhatle) Add doc/program_flow to attempt to explain startup/running
* (mhatle) guts/* minor cleanup
* (mhatle) Reorganize into a new constructor for libpseudo ONLY; pseudo main() now manually calls the util init; new / revised init for client, wrappers and utils
* (mhatle) Add central "reinit" function
* (mhatle) Add manual execv* functions
* (mhatle) rename pseudo_populate_wrappers to pseudo_check_wrappers

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2010-12-13 | 2010-12-08: | Mark Hatle
* (mhatle) Add guts/clone.c to cleanup the clone support
* (mhatle) guts/clone.c only run setupenv and reinit when NOT PSEUDO_RELOADED
* (mhatle) guts/execve.c whitespace fix
* (mhatle) guts/fork.c similar to guts/clone.c change
* (mhatle) pseudo_client.c add reinit function
* (mhatle) pseudo_client.c revise client reset, include code from pseudo_wrappers.c
* (mhatle) pseudo_server.c move the pid writing to the parent
* (mhatle) pseudo_wrappers.c clone cleanup and populate cleanup

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2010-11-30 | Major shift: All the id_t types have been reworked so that they are generated from text files and templates, making it now (we hope) impossible for the list of strings to get out of sync with the enum. | Peter Seebach
2010-08-04 | Add new environment values to allow easy override of default locations | Mark Hatle
Add PSEUDO_BINDIR, PSEUDO_LIBDIR, and PSEUDO_LOCALSTATEDIR to allow for more easy customization of PSEUDO components at run-time. If these are not set they will be automatically generated based on the existing PSEUDO_PREFIX path.

    PSEUDO_BINDIR = PSEUDO_PREFIX /bin
    PSEUDO_LIBDIR = PSEUDO_PREFIX /lib
    PSEUDO_LOCALSTATEDIR = PSEUDO_PREFIX /var/pseudo

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2010-06-02 | Provide a hook to disable symlink "fixing". | Peter Seebach
In fakechroot, which pseudo tries to match the functionality of, the default behavior when creating a symlink with an absolute target is to prepend the chroot path, so that underlying syscalls will get the right file. It is necessary to be able to disable this behavior to create target filesystems in some cases. To that end, support a new environment variable, PSEUDO_NOSYMLINKEXP, which disables that behavior.
2010-04-26 | Add lckpwdf()/ulckpwdf(). | Peter Seebach
It's not enough to rely on the usual chroot() stuff affecting the file open, not least because these use the glibc-internal __open which is not currently intercepted, but also because we want to use the PSEUDO_PASSWD path when that's set but there's no chroot(). There's some extra magic in pseudo_etc_file to support these operations, since they can legitimately create a file rather than opening an existing one.
2010-03-29 | Add password/group call emulation. | Peter Seebach
This is a first pass at handling password/group calls, allowing the use of custom password/group files. In particular, when chroot()ed to a particular directory, pseudo picks files in that directory by default, to improve support for the typical use case where pseudo uses chroot() only to jump into a virtual target filesystem.
2010-03-26 | Track file open flags | Peter Seebach
This patch adds support for checking whether a file was opened for reading, writing, or both, as well as tracking append flags. It is not very well tested. This is preparation for improved host contamination checking.
2010-03-26 | Updates: Enable additional warnings, fix a number of things. | Peter Seebach
None of them seem to have been genuine problems, but it's prettier now, and some were questionable.
2010-03-25 | initial chroot() support | Peter Seebach
Add chroot() and a large number of things needed to make it work. The list of intercepted calls is large but not exhaustive.
2010-03-24 | Prep for chroot handling: | Peter Seebach
* Improve makewrappers handling of function pointer arguments.
* Regenerate wrappers when makewrappers is touched.
* Move path resolution from pseudo_client_op into wrapper functions.
* Eliminate dependency on PATH_MAX.
* Related cleanup, such as tracking CWD better, and using the tracked value for getcwd().
2010-03-16 | initial public release | Peter Seebach