SHA256
1
0
forked from pool/systemd
Dr. Werner Fink 2015-10-06 15:10:56 +00:00 committed by Git OBS Bridge
parent a4039e218f
commit cbe2e76c4f
3 changed files with 247 additions and 128 deletions

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Oct 6 15:09:56 UTC 2015 - werner@suse.de
- Modifiy patch tty-ask-password-agent-on-console.patch to reflect
latest status of pull request 1432
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 25 14:20:41 UTC 2015 - werner@suse.de Fri Sep 25 14:20:41 UTC 2015 - werner@suse.de

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Oct 6 15:09:56 UTC 2015 - werner@suse.de
- Modifiy patch tty-ask-password-agent-on-console.patch to reflect
latest status of pull request 1432
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 25 14:20:41 UTC 2015 - werner@suse.de Fri Sep 25 14:20:41 UTC 2015 - werner@suse.de

View File

@ -1,6 +1,6 @@
From 633a5904c1c4e363a7147f47e2d9fdb1925f7b9f Mon Sep 17 00:00:00 2001 From 907bc2aa36f58c6050cd4b7b290e0992a4373e49 Mon Sep 17 00:00:00 2001
From: Werner Fink <werner@suse.de> From: Werner Fink <werner@suse.de>
Date: Fri, 25 Sep 2015 14:28:58 +0200 Date: Wed, 30 Sep 2015 15:00:41 +0200
Subject: [PATCH] Ask for passphrases not only on the first console of Subject: [PATCH] Ask for passphrases not only on the first console of
/dev/console /dev/console
@ -9,22 +9,45 @@ where often a serial console together with other consoles are
used. Even rack based servers attachted to both a serial console used. Even rack based servers attachted to both a serial console
as well as having a virtual console do sometimes miss a connected as well as having a virtual console do sometimes miss a connected
monitor. monitor.
To be able to ask on all terminal devices of /dev/console the devices
are collected. If more than one device are found, then on each of the
terminals a inquiring task for passphrase is forked and do not return
to the caller.
Every task has its own session and its own controlling terminal.
If one of the tasks does handle a password, the remaining tasks
will be terminated.
Also let contradictory options on the command of
systemd-tty-ask-password-agent fail.
Spwan for each device of the system console /dev/console a own process.
Replace the system call wait() with with system call waitid().
--- ---
src/tty-ask-password-agent/tty-ask-password-agent.c | 191 ++++++++++++++++++++- src/tty-ask-password-agent.c | 264 ++++++++++++++++++++-
1 file changed, 186 insertions(+), 5 deletions(-) 1 file changed, 255 insertions(+), 9 deletions(-)
diff --git src/tty-ask-password-agent/tty-ask-password-agent.c src/tty-ask-password-agent/tty-ask-password-agent.c diff --git src/tty-ask-password-agent/tty-ask-password-agent.c src/tty-ask-password-agent/tty-ask-password-agent.c
index 82cbf95..928a5e8 100644 index 4630eb9..df4bada 100644
--- a/src/tty-ask-password-agent/tty-ask-password-agent.c --- a/src/tty-ask-password-agent/tty-ask-password-agent.c
+++ b/src/tty-ask-password-agent/tty-ask-password-agent.c +++ b/src/tty-ask-password-agent/tty-ask-password-agent.c
@@ -31,6 +31,10 @@ @@ -4,6 +4,7 @@
This file is part of systemd.
Copyright 2010 Lennart Poettering
+ Copyright 2015 Werner Fink
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
@@ -31,6 +32,9 @@
#include <getopt.h> #include <getopt.h>
#include <sys/signalfd.h> #include <sys/signalfd.h>
#include <fcntl.h> #include <fcntl.h>
+#include <sys/prctl.h> +#include <sys/prctl.h>
+#include <signal.h> +#include <signal.h>
+#include <sys/wait.h> +#include <sys/wait.h>
+#include <sys/mman.h>
#include "util.h" #include "util.h"
#include "mkdir.h" #include "mkdir.h"
@ -37,7 +60,7 @@ index 82cbf95..928a5e8 100644
static enum { static enum {
ACTION_LIST, ACTION_LIST,
@@ -53,6 +59,19 @@ static enum { @@ -53,8 +59,21 @@ static enum {
ACTION_WALL ACTION_WALL
} arg_action = ACTION_QUERY; } arg_action = ACTION_QUERY;
@ -46,88 +69,101 @@ index 82cbf95..928a5e8 100644
+ char *tty; + char *tty;
+}; +};
+ +
+static volatile unsigned long *usemask;
+static volatile sig_atomic_t sigchild; +static volatile sig_atomic_t sigchild;
+static void chld_handler(int sig) +
+{ +static void chld_handler(int sig) {
+ (void)sig;
+ ++sigchild; + ++sigchild;
+} +}
+ +
static bool arg_plymouth = false; static bool arg_plymouth = false;
static bool arg_console = false; static bool arg_console = false;
+static bool arg_device = false;
+static const char *current_dev = "/dev/console";
@@ -210,6 +229,69 @@ static int ask_password_plymouth( static int ask_password_plymouth(
const char *message,
@@ -211,6 +230,80 @@ static int ask_password_plymouth(
return 0; return 0;
} }
+static void free_consoles(struct console *con, const unsigned int num) { +static void free_consoles(struct console *con, unsigned int num) {
+ unsigned int n; + unsigned int n;
+ if (!con || !num) +
+ if (!con || num == 0)
+ return; + return;
+
+ for (n = 0; n < num; n++) + for (n = 0; n < num; n++)
+ free(con[n].tty); + free(con[n].tty);
+
+ free(con); + free(con);
+} +}
+ +
+static const char *current_dev = "/dev/console"; +static int collect_consoles(struct console **consoles, unsigned int *num) {
+static struct console* collect_consoles(unsigned int * num) {
+ _cleanup_free_ char *active = NULL; + _cleanup_free_ char *active = NULL;
+ const char *word, *state; + const char *word, *state;
+ struct console *con = NULL; + struct console *con = NULL;
+ size_t con_len = 0, len; + size_t con_len = 0, len;
+ unsigned int count = 0;
+ int ret; + int ret;
+ +
+ assert(num); + assert(num);
+ assert(*num == 0); + assert(consoles);
+ +
+ ret = read_one_line_file("/sys/class/tty/console/active", &active); + ret = read_one_line_file("/sys/class/tty/console/active", &active);
+ if (ret < 0) + if (ret < 0)
+ return con; + return log_error_errno(ret, "Failed to read /sys/class/tty/console/active: %m");
+
+ FOREACH_WORD(word, len, active, state) { + FOREACH_WORD(word, len, active, state) {
+ _cleanup_free_ char *tty = NULL; + _cleanup_free_ char *tty = NULL;
+ +
+ if (strneq(word, "tty0", len) && + if (len == 4 && strneq(word, "tty0", 4)) {
+ read_one_line_file("/sys/class/tty/tty0/active", &tty) >= 0) { +
+ ret = read_one_line_file("/sys/class/tty/tty0/active", &tty);
+ if (ret < 0)
+ return log_error_errno(ret, "Failed to read /sys/class/tty/tty0/active: %m");
+
+ word = tty; + word = tty;
+ len = strlen(tty); + len = strlen(tty);
+ } + }
+ con = greedy_realloc((void**)&con, &con_len, 1+(*num), sizeof(struct console)); +
+ if (con == NULL) { + con = GREEDY_REALLOC(con, con_len, 1+count);
+ log_oom(); + if (!con)
+ return NULL; + return log_oom();
+
+ if (asprintf(&con[count].tty, "/dev/%.*s", (int)len, word) < 0) {
+ free_consoles(con, count);
+ return log_oom();
+ } + }
+ if (asprintf(&con[*num].tty, "/dev/%.*s", (int)len, word) < 0) { +
+ free_consoles(con, *num); + con[count].pid = 0;
+ log_oom(); + count++;
+ *num = 0;
+ return NULL;
+ }
+ con[*num].pid = 0;
+ (*num)++;
+ } + }
+ if (con == NULL) { +
+ con = greedy_realloc((void**)&con, &con_len, 1, sizeof(struct console)); + if (!con) {
+ if (con == NULL) { + con = GREEDY_REALLOC(con, con_len, 1);
+ log_oom(); + if (!con)
+ return NULL; + return log_oom();
+ } +
+ con[0].tty = strdup(current_dev); + con[0].tty = strdup(current_dev);
+ if (con[0].tty == NULL) { + if (!con[0].tty) {
+ free_consoles(con, 1); + free_consoles(con, 1);
+ log_oom(); + return log_oom();
+ return NULL;
+ } + }
+
+ con[0].pid = 0; + con[0].pid = 0;
+ (*num)++; + count++;
+ } + }
+ return con; +
+ *num = count;
+ *consoles = con;
+
+ return 0;
+} +}
+ +
static int parse_password(const char *filename, char **wall) { static int parse_password(const char *filename, char **wall) {
_cleanup_free_ char *socket_name = NULL, *message = NULL, *packet = NULL; _cleanup_free_ char *socket_name = NULL, *message = NULL, *packet = NULL;
uint64_t not_after = 0; uint64_t not_after = 0;
@@ -310,7 +392,7 @@ static int parse_password(const char *filename, char **wall) { @@ -311,7 +404,7 @@ static int parse_password(const char *fi
_cleanup_free_ char *password = NULL; _cleanup_free_ char *password = NULL;
if (arg_console) { if (arg_console) {
@ -136,137 +172,208 @@ index 82cbf95..928a5e8 100644
if (tty_fd < 0) if (tty_fd < 0)
return tty_fd; return tty_fd;
} }
@@ -614,8 +696,90 @@ static int parse_argv(int argc, char *argv[]) { @@ -554,7 +647,7 @@ static int parse_argv(int argc, char *ar
{ "watch", no_argument, NULL, ARG_WATCH },
{ "wall", no_argument, NULL, ARG_WALL },
{ "plymouth", no_argument, NULL, ARG_PLYMOUTH },
- { "console", no_argument, NULL, ARG_CONSOLE },
+ { "console", optional_argument, NULL, ARG_CONSOLE },
{}
};
@@ -598,6 +691,10 @@ static int parse_argv(int argc, char *ar
case ARG_CONSOLE:
arg_console = true;
+ if (optarg && *optarg) {
+ current_dev = optarg;
+ arg_device = true;
+ }
break;
case '?':
@@ -612,9 +709,143 @@ static int parse_argv(int argc, char *ar
return -EINVAL;
}
+ if (arg_plymouth || arg_console) {
+
+ if (!IN_SET(arg_action, ACTION_QUERY, ACTION_WATCH)) {
+ log_error("%s conflicting options --query and --watch.", program_invocation_short_name);
+ return -EINVAL;
+ }
+
+ if (arg_plymouth && arg_console) {
+ log_error("%s conflicting options --plymouth and --console.", program_invocation_short_name);
+ return -EINVAL;
+ }
+ }
+
return 1; return 1;
} }
+static unsigned int wfa_child(const struct console * con, const unsigned int id) +/*
+{ + * To be able to ask on all terminal devices of /dev/console
+ setsid(); + * the devices are collected. If more than one device are found,
+ release_terminal(); + * then on each of the terminals a inquiring task is forked.
+ *usemask |= 1 << id; /* shared memory area */ + * Every task has its own session and its own controlling terminal.
+ current_dev = con[id].tty; + * If one of the tasks does handle a password, the remaining tasks
+ return id; + * will be terminated.
+} + */
+ +static int ask_on_consoles(int argc, char *argv[]) {
+static unsigned int wait_for_answer(void) + struct console *consoles = NULL;
+{
+ struct console *consoles;
+ struct sigaction sig = { + struct sigaction sig = {
+ .sa_handler = chld_handler, + .sa_handler = chld_handler,
+ .sa_flags = SA_NOCLDSTOP | SA_RESTART, + .sa_flags = SA_NOCLDSTOP | SA_RESTART,
+ }; + };
+ struct sigaction oldsig; + struct sigaction oldsig;
+ sigset_t set, oldset; + sigset_t oldset;
+ unsigned int num = 0, id; + unsigned int num = 0, id;
+ int status = 0, ret; + siginfo_t status = {};
+ pid_t job; + int ret;
+ +
+ consoles = collect_consoles(&num); + ret = collect_consoles(&consoles, &num);
+ if (!consoles) { + if (ret < 0)
+ log_error("Failed to query password: %m"); + return log_error_errno(ret, "Failed to query password: %m");
+ exit(EXIT_FAILURE); +
+ } + assert_se(sigprocmask_many(SIG_UNBLOCK, &oldset, SIGHUP, SIGCHLD, -1) >= 0);
+ if (num < 2) +
+ return wfa_child(consoles, 0); + assert_se(sigemptyset(&sig.sa_mask) >= 0);
+ assert_se(sigaction(SIGCHLD, &sig, &oldsig) >= 0);
+ +
+ assert_se(sigemptyset(&set) == 0);
+ assert_se(sigaddset(&set, SIGHUP) == 0);
+ assert_se(sigaddset(&set, SIGCHLD) == 0);
+ assert_se(sigemptyset(&sig.sa_mask) == 0);
+ assert_se(sigprocmask(SIG_UNBLOCK, &set, &oldset) == 0);
+ assert_se(sigaction(SIGCHLD, &sig, &oldsig) == 0);
+ sig.sa_handler = SIG_DFL; + sig.sa_handler = SIG_DFL;
+ assert_se(sigaction(SIGHUP, &sig, NULL) == 0); + assert_se(sigaction(SIGHUP, &sig, NULL) >= 0);
+ +
+ for (id = 0; id < num; id++) { + for (id = 0; id < num; id++) {
+ consoles[id].pid = fork(); + consoles[id].pid = fork();
+ +
+ if (consoles[id].pid < 0) { + if (consoles[id].pid < 0)
+ log_error("Failed to query password: %m"); + return log_error_errno(errno, "Failed to query password: %m");
+ exit(EXIT_FAILURE);
+ }
+ +
+ if (consoles[id].pid == 0) { + if (consoles[id].pid == 0) {
+ if (prctl(PR_SET_PDEATHSIG, SIGHUP) < 0) + char *conarg;
+ _exit(EXIT_FAILURE); + int ac;
+
+ conarg = strjoina("--console=", consoles[id].tty);
+ if (!conarg)
+ return log_oom();
+
+ free_consoles(consoles, num); /* not used anymore */
+
+ assert_se(prctl(PR_SET_PDEATHSIG, SIGHUP) >= 0);
+
+ zero(sig); + zero(sig);
+ assert_se(sigprocmask(SIG_UNBLOCK, &oldset, NULL) == 0); + assert_se(sigprocmask(SIG_UNBLOCK, &oldset, NULL) >= 0);
+ assert_se(sigaction(SIGCHLD, &oldsig, NULL) == 0); + assert_se(sigaction(SIGCHLD, &oldsig, NULL) >= 0);
+ return wfa_child(consoles, id); +
+ for (ac = 0; ac < argc; ac++) {
+ if (streq(argv[ac], "--console")) {
+ argv[ac] = conarg;
+ break;
+ }
+ }
+
+ execv(SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH, argv);
+
+ return log_error_errno(errno, "Failed to execute %s: %m", program_invocation_name);
+ } + }
+ } + }
+ +
+ ret = 0; + ret = 0;
+ while ((job = wait(&status)) != 0) { + while (true) {
+ if (job < 0) { +
+ if (errno != EINTR) + if ((ret = waitid(P_ALL, 0, &status, WEXITED)) < 0) {
+
+ if (errno != EINTR) {
+ ret = -errno;
+ if (errno == ECHILD)
+ ret = EXIT_SUCCESS;
+ break; + break;
+ }
+ continue; + continue;
+ } + }
+
+ for (id = 0; id < num; id++) { + for (id = 0; id < num; id++) {
+ if (consoles[id].pid == job || kill(consoles[id].pid, 0) < 0) { + struct timespec timeout;
+ *usemask &= ~(1 << id); /* shared memory area */ + sigset_t set;
+ continue; + int signum;
+ } +
+ if (*usemask & (1 << id)) /* shared memory area */ + if (consoles[id].pid == status.si_pid || kill(consoles[id].pid, 0) < 0)
+ consoles[id].pid = -1;
+
+ if (consoles[id].pid < 0)
+ continue; + continue;
+
+ kill(consoles[id].pid, SIGHUP); + kill(consoles[id].pid, SIGHUP);
+ usleep(50000); +
+ assert_se(sigemptyset(&set) >= 0);
+ assert_se(sigaddset(&set, SIGCHLD) >= 0);
+
+ timespec_store(&timeout, 50 * USEC_PER_MSEC);
+ signum = sigtimedwait(&set, NULL, &timeout);
+
+ if (signum != SIGCHLD) {
+
+ if (signum < 0 && errno != EAGAIN)
+ return log_error_errno(errno, "sigtimedwait() failed: %m");
+
+ if (signum >= 0)
+ log_warning("sigtimedwait() returned unexpected signal.");
+ }
+
+ kill(consoles[id].pid, SIGKILL); + kill(consoles[id].pid, SIGKILL);
+ } + }
+ if (WIFEXITED(status) && ret == 0) +
+ ret = WEXITSTATUS(status); + if (WIFEXITED(status.si_status) && ret == 0)
+ ret = WEXITSTATUS(status.si_status);
+ } + }
+
+ free_consoles(consoles, num); + free_consoles(consoles, num);
+ exit(ret != 0 ? EXIT_FAILURE : EXIT_SUCCESS); /* parent */ +
+ return ret;
+} +}
+ +
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
- int r; int r;
+ int r, id = 0;
log_set_target(LOG_TARGET_AUTO); @@ -628,15 +859,28 @@ int main(int argc, char *argv[]) {
log_parse_environment();
@@ -627,11 +791,27 @@ int main(int argc, char *argv[]) {
if (r <= 0) if (r <= 0)
goto finish; goto finish;
+ /* - if (arg_console) {
+ * Use this shared memory area to be able to synchronize the
+ * workers asking for password with the main process.
+ * This allows to continue if one of the consoles had been
+ * used as afterwards the remaining asking processes will
+ * be terminated. The wait_for_terminate() does not help
+ * for this use case.
+ */
+ usemask = mmap(NULL, sizeof(*usemask), PROT_READ | PROT_WRITE,
+ MAP_ANONYMOUS | MAP_SHARED, -1, 0);
+ assert_se(usemask != NULL);
+
if (arg_console) {
- setsid(); - setsid();
- release_terminal(); - release_terminal();
+ if (!arg_plymouth && + if (arg_console && !arg_device)
+ !IN_SET(arg_action, ACTION_WALL, ACTION_LIST)) { + /*
+ id = wait_for_answer(); + * Spwan for each console device a own process
+ } else { + */
+ setsid(); + r = ask_on_consoles(argc, argv);
+ release_terminal(); + else {
+
+ if (arg_device) {
+ /*
+ * Later on a controlling terminal will be will be acquired,
+ * therefore the current process has to become a session
+ * leader and should not have a controlling terminal already.
+ */
+ (void) setsid();
+ (void) release_terminal();
+ } + }
+
+ if (IN_SET(arg_action, ACTION_WATCH, ACTION_WALL))
+ r = watch_passwords();
+ else
+ r = show_passwords();
} }
- -
if (IN_SET(arg_action, ACTION_WATCH, ACTION_WALL)) - if (IN_SET(arg_action, ACTION_WATCH, ACTION_WALL))
r = watch_passwords(); - r = watch_passwords();
else - else
@@ -640,6 +820,7 @@ int main(int argc, char *argv[]) { - r = show_passwords();
if (r < 0) if (r < 0)
log_error_errno(r, "Error: %m"); log_error_errno(r, "Error: %m");
+ *usemask &= ~(1 << id); /* shared memory area */
finish:
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
-- --
2.2.0 2.2.0