1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * This code is derived from software contributed to Berkeley by
8 * Donn Seeley at Berkeley Software Design, Inc.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #ifndef lint
36 static const char copyright[] =
37 "@(#) Copyright (c) 1991, 1993\n\
38 The Regents of the University of California. All rights reserved.\n";
39 #endif /* not lint */
40
41 #ifndef lint
42 #if 0
43 static char sccsid[] = "@(#)init.c 8.1 (Berkeley) 7/15/93";
44 #endif
45 #endif /* not lint */
46
47 #include <sys/param.h>
48 #include <sys/boottrace.h>
49 #include <sys/ioctl.h>
50 #include <sys/mman.h>
51 #include <sys/mount.h>
52 #include <sys/reboot.h>
53 #include <sys/stat.h>
54 #include <sys/sysctl.h>
55 #include <sys/uio.h>
56 #include <sys/wait.h>
57
58 #include <db.h>
59 #include <err.h>
60 #include <errno.h>
61 #include <fcntl.h>
62 #include <kenv.h>
63 #include <libutil.h>
64 #include <paths.h>
65 #include <signal.h>
66 #include <stdarg.h>
67 #include <stdbool.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <syslog.h>
72 #include <time.h>
73 #include <ttyent.h>
74 #include <unistd.h>
75
76 #ifdef SECURE
77 #include <pwd.h>
78 #endif
79
80 #ifdef LOGIN_CAP
81 #include <login_cap.h>
82 #endif
83
84 #include "mntopts.h"
85 #include "pathnames.h"
86
87 /*
88 * Sleep times; used to prevent thrashing.
89 */
90 #define GETTY_SPACING 5 /* N secs minimum getty spacing */
91 #define GETTY_SLEEP 30 /* sleep N secs after spacing problem */
92 #define GETTY_NSPACE 3 /* max. spacing count to bring reaction */
93 #define WINDOW_WAIT 3 /* wait N secs after starting window */
94 #define STALL_TIMEOUT 30 /* wait N secs after warning */
95 #define DEATH_WATCH 10 /* wait N secs for procs to die */
96 #define DEATH_SCRIPT 120 /* wait for 2min for /etc/rc.shutdown */
97 #define RESOURCE_RC "daemon"
98 #define RESOURCE_WINDOW "default"
99 #define RESOURCE_GETTY "default"
100 #define SCRIPT_ARGV_SIZE 3 /* size of argv passed to execute_script, can be increased if needed */
101
102 static void handle(sig_t, ...);
103 static void delset(sigset_t *, ...);
104
105 static void stall(const char *, ...) __printflike(1, 2);
106 static void warning(const char *, ...) __printflike(1, 2);
107 static void emergency(const char *, ...) __printflike(1, 2);
108 static void disaster(int);
109 static void revoke_ttys(void);
110 static int runshutdown(void);
111 static char *strk(char *);
112 static void runfinal(void);
113
114 /*
115 * We really need a recursive typedef...
116 * The following at least guarantees that the return type of (*state_t)()
117 * is sufficiently wide to hold a function pointer.
118 */
119 typedef long (*state_func_t)(void);
120 typedef state_func_t (*state_t)(void);
121
122 static state_func_t single_user(void);
123 static state_func_t runcom(void);
124 static state_func_t read_ttys(void);
125 static state_func_t multi_user(void);
126 static state_func_t clean_ttys(void);
127 static state_func_t catatonia(void);
128 static state_func_t death(void);
129 static state_func_t death_single(void);
130 static state_func_t reroot(void);
131 static state_func_t reroot_phase_two(void);
132
133 static state_func_t run_script(const char *);
134
135 static enum { AUTOBOOT, FASTBOOT } runcom_mode = AUTOBOOT;
136
137 static bool Reboot = false;
138 static int howto = RB_AUTOBOOT;
139
140 static bool devfs = false;
141 static char *init_path_argv0;
142
143 static void transition(state_t);
144 static state_t requested_transition;
145 static state_t current_state = death_single;
146
147 static void execute_script(char *argv[]);
148 static void open_console(void);
149 static const char *get_shell(void);
150 static void replace_init(char *path);
151 static void write_stderr(const char *message);
152
153 typedef struct init_session {
154 pid_t se_process; /* controlling process */
155 time_t se_started; /* used to avoid thrashing */
156 int se_flags; /* status of session */
157 #define SE_SHUTDOWN 0x1 /* session won't be restarted */
158 #define SE_PRESENT 0x2 /* session is in /etc/ttys */
159 #define SE_IFEXISTS 0x4 /* session defined as "onifexists" */
160 #define SE_IFCONSOLE 0x8 /* session defined as "onifconsole" */
161 int se_nspace; /* spacing count */
162 char *se_device; /* filename of port */
163 char *se_getty; /* what to run on that port */
164 char *se_getty_argv_space; /* pre-parsed argument array space */
165 char **se_getty_argv; /* pre-parsed argument array */
166 char *se_window; /* window system (started only once) */
167 char *se_window_argv_space; /* pre-parsed argument array space */
168 char **se_window_argv; /* pre-parsed argument array */
169 char *se_type; /* default terminal type */
170 struct init_session *se_prev;
171 struct init_session *se_next;
172 } session_t;
173
174 static void free_session(session_t *);
175 static session_t *new_session(session_t *, struct ttyent *);
176 static session_t *sessions;
177
178 static char **construct_argv(char *);
179 static void start_window_system(session_t *);
180 static void collect_child(pid_t);
181 static pid_t start_getty(session_t *);
182 static void transition_handler(int);
183 static void alrm_handler(int);
184 static void setsecuritylevel(int);
185 static int getsecuritylevel(void);
186 static int setupargv(session_t *, struct ttyent *);
187 #ifdef LOGIN_CAP
188 static void setprocresources(const char *);
189 #endif
190 static bool clang;
191
192 static int start_session_db(void);
193 static void add_session(session_t *);
194 static void del_session(session_t *);
195 static session_t *find_session(pid_t);
196 static DB *session_db;
197
198 /*
199 * The mother of all processes.
200 */
201 int
main(int argc,char * argv[])202 main(int argc, char *argv[])
203 {
204 state_t initial_transition = runcom;
205 char kenv_value[PATH_MAX];
206 int c, error;
207 struct sigaction sa;
208 sigset_t mask;
209
210 /* Dispose of random users. */
211 if (getuid() != 0)
212 errx(1, "%s", strerror(EPERM));
213
214 BOOTTRACE("init(8) starting...");
215
216 /* System V users like to reexec init. */
217 if (getpid() != 1) {
218 #ifdef COMPAT_SYSV_INIT
219 /* So give them what they want */
220 if (argc > 1) {
221 if (strlen(argv[1]) == 1) {
222 char runlevel = *argv[1];
223 int sig;
224
225 switch (runlevel) {
226 case '0': /* halt + poweroff */
227 sig = SIGUSR2;
228 break;
229 case '1': /* single-user */
230 sig = SIGTERM;
231 break;
232 case '6': /* reboot */
233 sig = SIGINT;
234 break;
235 case 'c': /* block further logins */
236 sig = SIGTSTP;
237 break;
238 case 'q': /* rescan /etc/ttys */
239 sig = SIGHUP;
240 break;
241 case 'r': /* remount root */
242 sig = SIGEMT;
243 break;
244 default:
245 goto invalid;
246 }
247 kill(1, sig);
248 _exit(0);
249 } else
250 invalid:
251 errx(1, "invalid run-level ``%s''", argv[1]);
252 } else
253 #endif
254 errx(1, "already running");
255 }
256
257 init_path_argv0 = strdup(argv[0]);
258 if (init_path_argv0 == NULL)
259 err(1, "strdup");
260
261 /*
262 * Note that this does NOT open a file...
263 * Does 'init' deserve its own facility number?
264 */
265 openlog("init", LOG_CONS, LOG_AUTH);
266
267 /*
268 * Create an initial session.
269 */
270 if (setsid() < 0 && (errno != EPERM || getsid(0) != 1))
271 warning("initial setsid() failed: %m");
272
273 /*
274 * Establish an initial user so that programs running
275 * single user do not freak out and die (like passwd).
276 */
277 if (setlogin("root") < 0)
278 warning("setlogin() failed: %m");
279
280 /*
281 * This code assumes that we always get arguments through flags,
282 * never through bits set in some random machine register.
283 */
284 while ((c = getopt(argc, argv, "dsfr")) != -1)
285 switch (c) {
286 case 'd':
287 devfs = true;
288 break;
289 case 's':
290 initial_transition = single_user;
291 break;
292 case 'f':
293 runcom_mode = FASTBOOT;
294 break;
295 case 'r':
296 initial_transition = reroot_phase_two;
297 break;
298 default:
299 warning("unrecognized flag '-%c'", c);
300 break;
301 }
302
303 if (optind != argc)
304 warning("ignoring excess arguments");
305
306 /*
307 * We catch or block signals rather than ignore them,
308 * so that they get reset on exec.
309 */
310 handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
311 SIGXCPU, SIGXFSZ, 0);
312 handle(transition_handler, SIGHUP, SIGINT, SIGEMT, SIGTERM, SIGTSTP,
313 SIGUSR1, SIGUSR2, SIGWINCH, 0);
314 handle(alrm_handler, SIGALRM, 0);
315 sigfillset(&mask);
316 delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
317 SIGXCPU, SIGXFSZ, SIGHUP, SIGINT, SIGEMT, SIGTERM, SIGTSTP,
318 SIGALRM, SIGUSR1, SIGUSR2, SIGWINCH, 0);
319 sigprocmask(SIG_SETMASK, &mask, NULL);
320 sigemptyset(&sa.sa_mask);
321 sa.sa_flags = 0;
322 sa.sa_handler = SIG_IGN;
323 sigaction(SIGTTIN, &sa, NULL);
324 sigaction(SIGTTOU, &sa, NULL);
325
326 /*
327 * Paranoia.
328 */
329 close(0);
330 close(1);
331 close(2);
332
333 if (kenv(KENV_GET, "init_exec", kenv_value, sizeof(kenv_value)) > 0) {
334 replace_init(kenv_value);
335 _exit(0); /* reboot */
336 }
337
338 if (kenv(KENV_GET, "init_script", kenv_value, sizeof(kenv_value)) > 0) {
339 state_func_t next_transition;
340
341 if ((next_transition = run_script(kenv_value)) != NULL)
342 initial_transition = (state_t) next_transition;
343 }
344
345 if (kenv(KENV_GET, "init_chroot", kenv_value, sizeof(kenv_value)) > 0) {
346 if (chdir(kenv_value) != 0 || chroot(".") != 0)
347 warning("Can't chroot to %s: %m", kenv_value);
348 }
349
350 /*
351 * Additional check if devfs needs to be mounted:
352 * If "/" and "/dev" have the same device number,
353 * then it hasn't been mounted yet.
354 */
355 if (!devfs) {
356 struct stat stst;
357 dev_t root_devno;
358
359 stat("/", &stst);
360 root_devno = stst.st_dev;
361 if (stat("/dev", &stst) != 0)
362 warning("Can't stat /dev: %m");
363 else if (stst.st_dev == root_devno)
364 devfs = true;
365 }
366
367 if (devfs) {
368 struct iovec iov[4];
369 char *s;
370 int i;
371
372 char _fstype[] = "fstype";
373 char _devfs[] = "devfs";
374 char _fspath[] = "fspath";
375 char _path_dev[]= _PATH_DEV;
376
377 iov[0].iov_base = _fstype;
378 iov[0].iov_len = sizeof(_fstype);
379 iov[1].iov_base = _devfs;
380 iov[1].iov_len = sizeof(_devfs);
381 iov[2].iov_base = _fspath;
382 iov[2].iov_len = sizeof(_fspath);
383 /*
384 * Try to avoid the trailing slash in _PATH_DEV.
385 * Be *very* defensive.
386 */
387 s = strdup(_PATH_DEV);
388 if (s != NULL) {
389 i = strlen(s);
390 if (i > 0 && s[i - 1] == '/')
391 s[i - 1] = '\0';
392 iov[3].iov_base = s;
393 iov[3].iov_len = strlen(s) + 1;
394 } else {
395 iov[3].iov_base = _path_dev;
396 iov[3].iov_len = sizeof(_path_dev);
397 }
398 nmount(iov, 4, 0);
399 if (s != NULL)
400 free(s);
401 }
402
403 if (initial_transition != reroot_phase_two) {
404 /*
405 * Unmount reroot leftovers. This runs after init(8)
406 * gets reexecuted after reroot_phase_two() is done.
407 */
408 error = unmount(_PATH_REROOT, MNT_FORCE);
409 if (error != 0 && errno != EINVAL)
410 warning("Cannot unmount %s: %m", _PATH_REROOT);
411 }
412
413 /*
414 * Start the state machine.
415 */
416 transition(initial_transition);
417
418 /*
419 * Should never reach here.
420 */
421 return 1;
422 }
423
424 /*
425 * Associate a function with a signal handler.
426 */
427 static void
handle(sig_t handler,...)428 handle(sig_t handler, ...)
429 {
430 int sig;
431 struct sigaction sa;
432 sigset_t mask_everything;
433 va_list ap;
434 va_start(ap, handler);
435
436 sa.sa_handler = handler;
437 sigfillset(&mask_everything);
438
439 while ((sig = va_arg(ap, int)) != 0) {
440 sa.sa_mask = mask_everything;
441 /* XXX SA_RESTART? */
442 sa.sa_flags = sig == SIGCHLD ? SA_NOCLDSTOP : 0;
443 sigaction(sig, &sa, NULL);
444 }
445 va_end(ap);
446 }
447
448 /*
449 * Delete a set of signals from a mask.
450 */
451 static void
delset(sigset_t * maskp,...)452 delset(sigset_t *maskp, ...)
453 {
454 int sig;
455 va_list ap;
456 va_start(ap, maskp);
457
458 while ((sig = va_arg(ap, int)) != 0)
459 sigdelset(maskp, sig);
460 va_end(ap);
461 }
462
463 /*
464 * Log a message and sleep for a while (to give someone an opportunity
465 * to read it and to save log or hardcopy output if the problem is chronic).
466 * NB: should send a message to the session logger to avoid blocking.
467 */
468 static void
stall(const char * message,...)469 stall(const char *message, ...)
470 {
471 va_list ap;
472 va_start(ap, message);
473
474 vsyslog(LOG_ALERT, message, ap);
475 va_end(ap);
476 sleep(STALL_TIMEOUT);
477 }
478
479 /*
480 * Like stall(), but doesn't sleep.
481 * If cpp had variadic macros, the two functions could be #defines for another.
482 * NB: should send a message to the session logger to avoid blocking.
483 */
484 static void
warning(const char * message,...)485 warning(const char *message, ...)
486 {
487 va_list ap;
488 va_start(ap, message);
489
490 vsyslog(LOG_ALERT, message, ap);
491 va_end(ap);
492 }
493
494 /*
495 * Log an emergency message.
496 * NB: should send a message to the session logger to avoid blocking.
497 */
498 static void
emergency(const char * message,...)499 emergency(const char *message, ...)
500 {
501 va_list ap;
502 va_start(ap, message);
503
504 vsyslog(LOG_EMERG, message, ap);
505 va_end(ap);
506 }
507
508 /*
509 * Catch an unexpected signal.
510 */
511 static void
disaster(int sig)512 disaster(int sig)
513 {
514
515 emergency("fatal signal: %s",
516 (unsigned)sig < NSIG ? sys_siglist[sig] : "unknown signal");
517
518 sleep(STALL_TIMEOUT);
519 _exit(sig); /* reboot */
520 }
521
522 /*
523 * Get the security level of the kernel.
524 */
525 static int
getsecuritylevel(void)526 getsecuritylevel(void)
527 {
528 #ifdef KERN_SECURELVL
529 int name[2], curlevel;
530 size_t len;
531
532 name[0] = CTL_KERN;
533 name[1] = KERN_SECURELVL;
534 len = sizeof curlevel;
535 if (sysctl(name, 2, &curlevel, &len, NULL, 0) == -1) {
536 emergency("cannot get kernel security level: %m");
537 return (-1);
538 }
539 return (curlevel);
540 #else
541 return (-1);
542 #endif
543 }
544
545 /*
546 * Set the security level of the kernel.
547 */
548 static void
setsecuritylevel(int newlevel)549 setsecuritylevel(int newlevel)
550 {
551 #ifdef KERN_SECURELVL
552 int name[2], curlevel;
553
554 curlevel = getsecuritylevel();
555 if (newlevel == curlevel)
556 return;
557 name[0] = CTL_KERN;
558 name[1] = KERN_SECURELVL;
559 if (sysctl(name, 2, NULL, NULL, &newlevel, sizeof newlevel) == -1) {
560 emergency(
561 "cannot change kernel security level from %d to %d: %m",
562 curlevel, newlevel);
563 return;
564 }
565 #ifdef SECURE
566 warning("kernel security level changed from %d to %d",
567 curlevel, newlevel);
568 #endif
569 #endif
570 }
571
572 /*
573 * Change states in the finite state machine.
574 * The initial state is passed as an argument.
575 */
576 static void
transition(state_t s)577 transition(state_t s)
578 {
579
580 current_state = s;
581 for (;;)
582 current_state = (state_t) (*current_state)();
583 }
584
585 /*
586 * Start a session and allocate a controlling terminal.
587 * Only called by children of init after forking.
588 */
589 static void
open_console(void)590 open_console(void)
591 {
592 int fd;
593
594 /*
595 * Try to open /dev/console. Open the device with O_NONBLOCK to
596 * prevent potential blocking on a carrier.
597 */
598 revoke(_PATH_CONSOLE);
599 if ((fd = open(_PATH_CONSOLE, O_RDWR | O_NONBLOCK)) != -1) {
600 (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
601 if (login_tty(fd) == 0)
602 return;
603 close(fd);
604 }
605
606 /* No luck. Log output to file if possible. */
607 if ((fd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
608 stall("cannot open null device.");
609 _exit(1);
610 }
611 if (fd != STDIN_FILENO) {
612 dup2(fd, STDIN_FILENO);
613 close(fd);
614 }
615 fd = open(_PATH_INITLOG, O_WRONLY | O_APPEND | O_CREAT, 0644);
616 if (fd == -1)
617 dup2(STDIN_FILENO, STDOUT_FILENO);
618 else if (fd != STDOUT_FILENO) {
619 dup2(fd, STDOUT_FILENO);
620 close(fd);
621 }
622 dup2(STDOUT_FILENO, STDERR_FILENO);
623 }
624
625 static const char *
get_shell(void)626 get_shell(void)
627 {
628 static char kenv_value[PATH_MAX];
629
630 if (kenv(KENV_GET, "init_shell", kenv_value, sizeof(kenv_value)) > 0)
631 return kenv_value;
632 else
633 return _PATH_BSHELL;
634 }
635
636 static void
write_stderr(const char * message)637 write_stderr(const char *message)
638 {
639
640 write(STDERR_FILENO, message, strlen(message));
641 }
642
643 static int
read_file(const char * path,void ** bufp,size_t * bufsizep)644 read_file(const char *path, void **bufp, size_t *bufsizep)
645 {
646 struct stat sb;
647 size_t bufsize;
648 void *buf;
649 ssize_t nbytes;
650 int error, fd;
651
652 fd = open(path, O_RDONLY);
653 if (fd < 0) {
654 emergency("%s: %m", path);
655 return (-1);
656 }
657
658 error = fstat(fd, &sb);
659 if (error != 0) {
660 emergency("fstat: %m");
661 close(fd);
662 return (error);
663 }
664
665 bufsize = sb.st_size;
666 buf = malloc(bufsize);
667 if (buf == NULL) {
668 emergency("malloc: %m");
669 close(fd);
670 return (error);
671 }
672
673 nbytes = read(fd, buf, bufsize);
674 if (nbytes != (ssize_t)bufsize) {
675 emergency("read: %m");
676 close(fd);
677 free(buf);
678 return (error);
679 }
680
681 error = close(fd);
682 if (error != 0) {
683 emergency("close: %m");
684 free(buf);
685 return (error);
686 }
687
688 *bufp = buf;
689 *bufsizep = bufsize;
690
691 return (0);
692 }
693
694 static int
create_file(const char * path,const void * buf,size_t bufsize)695 create_file(const char *path, const void *buf, size_t bufsize)
696 {
697 ssize_t nbytes;
698 int error, fd;
699
700 fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0700);
701 if (fd < 0) {
702 emergency("%s: %m", path);
703 return (-1);
704 }
705
706 nbytes = write(fd, buf, bufsize);
707 if (nbytes != (ssize_t)bufsize) {
708 emergency("write: %m");
709 close(fd);
710 return (-1);
711 }
712
713 error = close(fd);
714 if (error != 0) {
715 emergency("close: %m");
716 return (-1);
717 }
718
719 return (0);
720 }
721
722 static int
mount_tmpfs(const char * fspath)723 mount_tmpfs(const char *fspath)
724 {
725 struct iovec *iov;
726 char errmsg[255];
727 int error, iovlen;
728
729 iov = NULL;
730 iovlen = 0;
731 memset(errmsg, 0, sizeof(errmsg));
732 build_iovec(&iov, &iovlen, "fstype",
733 __DECONST(void *, "tmpfs"), (size_t)-1);
734 build_iovec(&iov, &iovlen, "fspath",
735 __DECONST(void *, fspath), (size_t)-1);
736 build_iovec(&iov, &iovlen, "errmsg",
737 errmsg, sizeof(errmsg));
738
739 error = nmount(iov, iovlen, 0);
740 if (error != 0) {
741 if (*errmsg != '\0') {
742 emergency("cannot mount tmpfs on %s: %s: %m",
743 fspath, errmsg);
744 } else {
745 emergency("cannot mount tmpfs on %s: %m",
746 fspath);
747 }
748 return (error);
749 }
750 return (0);
751 }
752
753 static state_func_t
reroot(void)754 reroot(void)
755 {
756 void *buf;
757 size_t bufsize;
758 int error;
759
760 buf = NULL;
761 bufsize = 0;
762
763 revoke_ttys();
764 runshutdown();
765
766 /*
767 * Make sure nobody can interfere with our scheme.
768 * Ignore ESRCH, which can apparently happen when
769 * there are no processes to kill.
770 */
771 error = kill(-1, SIGKILL);
772 if (error != 0 && errno != ESRCH) {
773 emergency("kill(2) failed: %m");
774 goto out;
775 }
776
777 /*
778 * Copy the init binary into tmpfs, so that we can unmount
779 * the old rootfs without committing suicide.
780 */
781 error = read_file(init_path_argv0, &buf, &bufsize);
782 if (error != 0)
783 goto out;
784 error = mount_tmpfs(_PATH_REROOT);
785 if (error != 0)
786 goto out;
787 error = create_file(_PATH_REROOT_INIT, buf, bufsize);
788 if (error != 0)
789 goto out;
790
791 /*
792 * Execute the temporary init.
793 */
794 execl(_PATH_REROOT_INIT, _PATH_REROOT_INIT, "-r", NULL);
795 emergency("cannot exec %s: %m", _PATH_REROOT_INIT);
796
797 out:
798 emergency("reroot failed; going to single user mode");
799 free(buf);
800 return (state_func_t) single_user;
801 }
802
803 static state_func_t
reroot_phase_two(void)804 reroot_phase_two(void)
805 {
806 char init_path[PATH_MAX], *path, *path_component;
807 size_t init_path_len;
808 int nbytes, error;
809
810 /*
811 * Ask the kernel to mount the new rootfs.
812 */
813 error = reboot(RB_REROOT);
814 if (error != 0) {
815 emergency("RB_REBOOT failed: %m");
816 goto out;
817 }
818
819 /*
820 * Figure out where the destination init(8) binary is. Note that
821 * the path could be different than what we've started with. Use
822 * the value from kenv, if set, or the one from sysctl otherwise.
823 * The latter defaults to a hardcoded value, but can be overridden
824 * by a build time option.
825 */
826 nbytes = kenv(KENV_GET, "init_path", init_path, sizeof(init_path));
827 if (nbytes <= 0) {
828 init_path_len = sizeof(init_path);
829 error = sysctlbyname("kern.init_path",
830 init_path, &init_path_len, NULL, 0);
831 if (error != 0) {
832 emergency("failed to retrieve kern.init_path: %m");
833 goto out;
834 }
835 }
836
837 /*
838 * Repeat the init search logic from sys/kern/init_path.c
839 */
840 path_component = init_path;
841 while ((path = strsep(&path_component, ":")) != NULL) {
842 /*
843 * Execute init(8) from the new rootfs.
844 */
845 execl(path, path, NULL);
846 }
847 emergency("cannot exec init from %s: %m", init_path);
848
849 out:
850 emergency("reroot failed; going to single user mode");
851 return (state_func_t) single_user;
852 }
853
854 /*
855 * Bring the system up single user.
856 */
857 static state_func_t
single_user(void)858 single_user(void)
859 {
860 pid_t pid, wpid;
861 int status;
862 sigset_t mask;
863 const char *shell;
864 char *argv[2];
865 struct timeval tv, tn;
866 #ifdef SECURE
867 struct ttyent *typ;
868 struct passwd *pp;
869 static const char banner[] =
870 "Enter root password, or ^D to go multi-user\n";
871 char *clear, *password;
872 #endif
873 #ifdef DEBUGSHELL
874 char altshell[128];
875 #endif
876
877 if (Reboot) {
878 /* Instead of going single user, let's reboot the machine */
879 BOOTTRACE("shutting down the system");
880 sync();
881 /* Run scripts after all processes have been terminated. */
882 runfinal();
883 if (reboot(howto) == -1) {
884 emergency("reboot(%#x) failed, %m", howto);
885 _exit(1); /* panic and reboot */
886 }
887 warning("reboot(%#x) returned", howto);
888 _exit(0); /* panic as well */
889 }
890
891 BOOTTRACE("going to single user mode");
892 shell = get_shell();
893
894 if ((pid = fork()) == 0) {
895 /*
896 * Start the single user session.
897 */
898 open_console();
899
900 #ifdef SECURE
901 /*
902 * Check the root password.
903 * We don't care if the console is 'on' by default;
904 * it's the only tty that can be 'off' and 'secure'.
905 */
906 typ = getttynam("console");
907 pp = getpwnam("root");
908 if (typ && (typ->ty_status & TTY_SECURE) == 0 &&
909 pp && *pp->pw_passwd) {
910 write_stderr(banner);
911 for (;;) {
912 clear = getpass("Password:");
913 if (clear == NULL || *clear == '\0')
914 _exit(0);
915 password = crypt(clear, pp->pw_passwd);
916 explicit_bzero(clear, _PASSWORD_LEN);
917 if (password != NULL &&
918 strcmp(password, pp->pw_passwd) == 0)
919 break;
920 warning("single-user login failed\n");
921 }
922 }
923 endttyent();
924 endpwent();
925 #endif /* SECURE */
926
927 #ifdef DEBUGSHELL
928 {
929 char *cp = altshell;
930 int num;
931
932 #define SHREQUEST "Enter full pathname of shell or RETURN for "
933 write_stderr(SHREQUEST);
934 write_stderr(shell);
935 write_stderr(": ");
936 while ((num = read(STDIN_FILENO, cp, 1)) != -1 &&
937 num != 0 && *cp != '\n' && cp < &altshell[127])
938 cp++;
939 *cp = '\0';
940 if (altshell[0] != '\0')
941 shell = altshell;
942 }
943 #endif /* DEBUGSHELL */
944
945 /*
946 * Unblock signals.
947 * We catch all the interesting ones,
948 * and those are reset to SIG_DFL on exec.
949 */
950 sigemptyset(&mask);
951 sigprocmask(SIG_SETMASK, &mask, NULL);
952
953 /*
954 * Fire off a shell.
955 * If the default one doesn't work, try the Bourne shell.
956 */
957
958 char name[] = "-sh";
959
960 argv[0] = name;
961 argv[1] = NULL;
962 execv(shell, argv);
963 emergency("can't exec %s for single user: %m", shell);
964 execv(_PATH_BSHELL, argv);
965 emergency("can't exec %s for single user: %m", _PATH_BSHELL);
966 sleep(STALL_TIMEOUT);
967 _exit(1);
968 }
969
970 if (pid == -1) {
971 /*
972 * We are seriously hosed. Do our best.
973 */
974 emergency("can't fork single-user shell, trying again");
975 while (waitpid(-1, (int *) 0, WNOHANG) > 0)
976 continue;
977 return (state_func_t) single_user;
978 }
979
980 requested_transition = 0;
981 do {
982 if ((wpid = waitpid(-1, &status, WUNTRACED)) != -1)
983 collect_child(wpid);
984 if (wpid == -1) {
985 if (errno == EINTR)
986 continue;
987 warning("wait for single-user shell failed: %m; restarting");
988 return (state_func_t) single_user;
989 }
990 if (wpid == pid && WIFSTOPPED(status)) {
991 warning("init: shell stopped, restarting\n");
992 kill(pid, SIGCONT);
993 wpid = -1;
994 }
995 } while (wpid != pid && !requested_transition);
996
997 if (requested_transition)
998 return (state_func_t) requested_transition;
999
1000 if (!WIFEXITED(status)) {
1001 if (WTERMSIG(status) == SIGKILL) {
1002 /*
1003 * reboot(8) killed shell?
1004 */
1005 warning("single user shell terminated.");
1006 gettimeofday(&tv, NULL);
1007 tn = tv;
1008 tv.tv_sec += STALL_TIMEOUT;
1009 while (tv.tv_sec > tn.tv_sec || (tv.tv_sec ==
1010 tn.tv_sec && tv.tv_usec > tn.tv_usec)) {
1011 sleep(1);
1012 gettimeofday(&tn, NULL);
1013 }
1014 _exit(0);
1015 } else {
1016 warning("single user shell terminated, restarting");
1017 return (state_func_t) single_user;
1018 }
1019 }
1020
1021 runcom_mode = FASTBOOT;
1022 return (state_func_t) runcom;
1023 }
1024
1025 /*
1026 * Run the system startup script.
1027 */
1028 static state_func_t
runcom(void)1029 runcom(void)
1030 {
1031 state_func_t next_transition;
1032
1033 BOOTTRACE("/etc/rc starting...");
1034 if ((next_transition = run_script(_PATH_RUNCOM)) != NULL)
1035 return next_transition;
1036 BOOTTRACE("/etc/rc finished");
1037
1038 runcom_mode = AUTOBOOT; /* the default */
1039 return (state_func_t) read_ttys;
1040 }
1041
1042 static void
execute_script(char * argv[])1043 execute_script(char *argv[])
1044 {
1045 struct sigaction sa;
1046 char* sh_argv[3 + SCRIPT_ARGV_SIZE];
1047 const char *shell, *script;
1048 int error, sh_argv_len, i;
1049
1050 bzero(&sa, sizeof(sa));
1051 sigemptyset(&sa.sa_mask);
1052 sa.sa_handler = SIG_IGN;
1053 sigaction(SIGTSTP, &sa, NULL);
1054 sigaction(SIGHUP, &sa, NULL);
1055
1056 open_console();
1057
1058 sigprocmask(SIG_SETMASK, &sa.sa_mask, NULL);
1059 #ifdef LOGIN_CAP
1060 setprocresources(RESOURCE_RC);
1061 #endif
1062
1063 /*
1064 * Try to directly execute the script first. If it
1065 * fails, try the old method of passing the script path
1066 * to sh(1). Don't complain if it fails because of
1067 * the missing execute bit.
1068 */
1069 script = argv[0];
1070 error = access(script, X_OK);
1071 if (error == 0) {
1072 execv(script, argv);
1073 warning("can't directly exec %s: %m", script);
1074 } else if (errno != EACCES) {
1075 warning("can't access %s: %m", script);
1076 }
1077
1078 shell = get_shell();
1079 sh_argv[0] = __DECONST(char*, shell);
1080 sh_argv_len = 1;
1081 #ifdef SECURE
1082 if (strcmp(shell, _PATH_BSHELL) == 0) {
1083 sh_argv[1] = __DECONST(char*, "-o");
1084 sh_argv[2] = __DECONST(char*, "verify");
1085 sh_argv_len = 3;
1086 }
1087 #endif
1088 for (i = 0; i != SCRIPT_ARGV_SIZE; ++i)
1089 sh_argv[i + sh_argv_len] = argv[i];
1090 execv(shell, sh_argv);
1091 stall("can't exec %s for %s: %m", shell, script);
1092 }
1093
1094 /*
1095 * Execute binary, replacing init(8) as PID 1.
1096 */
1097 static void
replace_init(char * path)1098 replace_init(char *path)
1099 {
1100 char *argv[SCRIPT_ARGV_SIZE];
1101
1102 argv[0] = path;
1103 argv[1] = NULL;
1104
1105 execute_script(argv);
1106 }
1107
1108 /*
1109 * Run a shell script.
1110 * Returns 0 on success, otherwise the next transition to enter:
1111 * - single_user if fork/execv/waitpid failed, or if the script
1112 * terminated with a signal or exit code != 0.
1113 * - death_single if a SIGTERM was delivered to init(8).
1114 */
1115 static state_func_t
run_script(const char * script)1116 run_script(const char *script)
1117 {
1118 pid_t pid, wpid;
1119 int status;
1120 char *argv[SCRIPT_ARGV_SIZE];
1121 const char *shell;
1122
1123 shell = get_shell();
1124
1125 if ((pid = fork()) == 0) {
1126
1127 char _autoboot[] = "autoboot";
1128
1129 argv[0] = __DECONST(char *, script);
1130 argv[1] = runcom_mode == AUTOBOOT ? _autoboot : NULL;
1131 argv[2] = NULL;
1132
1133 execute_script(argv);
1134 sleep(STALL_TIMEOUT);
1135 _exit(1); /* force single user mode */
1136 }
1137
1138 if (pid == -1) {
1139 emergency("can't fork for %s on %s: %m", shell, script);
1140 while (waitpid(-1, (int *) 0, WNOHANG) > 0)
1141 continue;
1142 sleep(STALL_TIMEOUT);
1143 return (state_func_t) single_user;
1144 }
1145
1146 /*
1147 * Copied from single_user(). This is a bit paranoid.
1148 */
1149 requested_transition = 0;
1150 do {
1151 if ((wpid = waitpid(-1, &status, WUNTRACED)) != -1)
1152 collect_child(wpid);
1153 if (requested_transition == death_single ||
1154 requested_transition == reroot)
1155 return (state_func_t) requested_transition;
1156 if (wpid == -1) {
1157 if (errno == EINTR)
1158 continue;
1159 warning("wait for %s on %s failed: %m; going to "
1160 "single user mode", shell, script);
1161 return (state_func_t) single_user;
1162 }
1163 if (wpid == pid && WIFSTOPPED(status)) {
1164 warning("init: %s on %s stopped, restarting\n",
1165 shell, script);
1166 kill(pid, SIGCONT);
1167 wpid = -1;
1168 }
1169 } while (wpid != pid);
1170
1171 if (WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM &&
1172 requested_transition == catatonia) {
1173 /* /etc/rc executed /sbin/reboot; wait for the end quietly */
1174 sigset_t s;
1175
1176 sigfillset(&s);
1177 for (;;)
1178 sigsuspend(&s);
1179 }
1180
1181 if (!WIFEXITED(status)) {
1182 warning("%s on %s terminated abnormally, going to single "
1183 "user mode", shell, script);
1184 return (state_func_t) single_user;
1185 }
1186
1187 if (WEXITSTATUS(status))
1188 return (state_func_t) single_user;
1189
1190 return (state_func_t) 0;
1191 }
1192
1193 /*
1194 * Open the session database.
1195 *
1196 * NB: We could pass in the size here; is it necessary?
1197 */
1198 static int
start_session_db(void)1199 start_session_db(void)
1200 {
1201 if (session_db && (*session_db->close)(session_db))
1202 emergency("session database close: %m");
1203 if ((session_db = dbopen(NULL, O_RDWR, 0, DB_HASH, NULL)) == NULL) {
1204 emergency("session database open: %m");
1205 return (1);
1206 }
1207 return (0);
1208
1209 }
1210
1211 /*
1212 * Add a new login session.
1213 */
1214 static void
add_session(session_t * sp)1215 add_session(session_t *sp)
1216 {
1217 DBT key;
1218 DBT data;
1219
1220 key.data = &sp->se_process;
1221 key.size = sizeof sp->se_process;
1222 data.data = &sp;
1223 data.size = sizeof sp;
1224
1225 if ((*session_db->put)(session_db, &key, &data, 0))
1226 emergency("insert %d: %m", sp->se_process);
1227 }
1228
1229 /*
1230 * Delete an old login session.
1231 */
1232 static void
del_session(session_t * sp)1233 del_session(session_t *sp)
1234 {
1235 DBT key;
1236
1237 key.data = &sp->se_process;
1238 key.size = sizeof sp->se_process;
1239
1240 if ((*session_db->del)(session_db, &key, 0))
1241 emergency("delete %d: %m", sp->se_process);
1242 }
1243
1244 /*
1245 * Look up a login session by pid.
1246 */
1247 static session_t *
find_session(pid_t pid)1248 find_session(pid_t pid)
1249 {
1250 DBT key;
1251 DBT data;
1252 session_t *ret;
1253
1254 key.data = &pid;
1255 key.size = sizeof pid;
1256 if ((*session_db->get)(session_db, &key, &data, 0) != 0)
1257 return 0;
1258 bcopy(data.data, (char *)&ret, sizeof(ret));
1259 return ret;
1260 }
1261
1262 /*
1263 * Construct an argument vector from a command line.
1264 */
1265 static char **
construct_argv(char * command)1266 construct_argv(char *command)
1267 {
1268 int argc = 0;
1269 char **argv = (char **) malloc(((strlen(command) + 1) / 2 + 1)
1270 * sizeof (char *));
1271
1272 if ((argv[argc++] = strk(command)) == NULL) {
1273 free(argv);
1274 return (NULL);
1275 }
1276 while ((argv[argc++] = strk((char *) 0)) != NULL)
1277 continue;
1278 return argv;
1279 }
1280
1281 /*
1282 * Deallocate a session descriptor.
1283 */
1284 static void
free_session(session_t * sp)1285 free_session(session_t *sp)
1286 {
1287 free(sp->se_device);
1288 if (sp->se_getty) {
1289 free(sp->se_getty);
1290 free(sp->se_getty_argv_space);
1291 free(sp->se_getty_argv);
1292 }
1293 if (sp->se_window) {
1294 free(sp->se_window);
1295 free(sp->se_window_argv_space);
1296 free(sp->se_window_argv);
1297 }
1298 if (sp->se_type)
1299 free(sp->se_type);
1300 free(sp);
1301 }
1302
1303 /*
1304 * Allocate a new session descriptor.
1305 * Mark it SE_PRESENT.
1306 */
1307 static session_t *
new_session(session_t * sprev,struct ttyent * typ)1308 new_session(session_t *sprev, struct ttyent *typ)
1309 {
1310 session_t *sp;
1311
1312 if ((typ->ty_status & TTY_ON) == 0 ||
1313 typ->ty_name == 0 ||
1314 typ->ty_getty == 0)
1315 return 0;
1316
1317 sp = (session_t *) calloc(1, sizeof (session_t));
1318
1319 sp->se_flags |= SE_PRESENT;
1320
1321 if ((typ->ty_status & TTY_IFEXISTS) != 0)
1322 sp->se_flags |= SE_IFEXISTS;
1323
1324 if ((typ->ty_status & TTY_IFCONSOLE) != 0)
1325 sp->se_flags |= SE_IFCONSOLE;
1326
1327 if (asprintf(&sp->se_device, "%s%s", _PATH_DEV, typ->ty_name) < 0)
1328 err(1, "asprintf");
1329
1330 if (setupargv(sp, typ) == 0) {
1331 free_session(sp);
1332 return (0);
1333 }
1334
1335 sp->se_next = 0;
1336 if (sprev == NULL) {
1337 sessions = sp;
1338 sp->se_prev = 0;
1339 } else {
1340 sprev->se_next = sp;
1341 sp->se_prev = sprev;
1342 }
1343
1344 return sp;
1345 }
1346
1347 /*
1348 * Calculate getty and if useful window argv vectors.
1349 */
1350 static int
setupargv(session_t * sp,struct ttyent * typ)1351 setupargv(session_t *sp, struct ttyent *typ)
1352 {
1353
1354 if (sp->se_getty) {
1355 free(sp->se_getty);
1356 free(sp->se_getty_argv_space);
1357 free(sp->se_getty_argv);
1358 }
1359 if (asprintf(&sp->se_getty, "%s %s", typ->ty_getty, typ->ty_name) < 0)
1360 err(1, "asprintf");
1361 sp->se_getty_argv_space = strdup(sp->se_getty);
1362 sp->se_getty_argv = construct_argv(sp->se_getty_argv_space);
1363 if (sp->se_getty_argv == NULL) {
1364 warning("can't parse getty for port %s", sp->se_device);
1365 free(sp->se_getty);
1366 free(sp->se_getty_argv_space);
1367 sp->se_getty = sp->se_getty_argv_space = 0;
1368 return (0);
1369 }
1370 if (sp->se_window) {
1371 free(sp->se_window);
1372 free(sp->se_window_argv_space);
1373 free(sp->se_window_argv);
1374 }
1375 sp->se_window = sp->se_window_argv_space = 0;
1376 sp->se_window_argv = 0;
1377 if (typ->ty_window) {
1378 sp->se_window = strdup(typ->ty_window);
1379 sp->se_window_argv_space = strdup(sp->se_window);
1380 sp->se_window_argv = construct_argv(sp->se_window_argv_space);
1381 if (sp->se_window_argv == NULL) {
1382 warning("can't parse window for port %s",
1383 sp->se_device);
1384 free(sp->se_window_argv_space);
1385 free(sp->se_window);
1386 sp->se_window = sp->se_window_argv_space = 0;
1387 return (0);
1388 }
1389 }
1390 if (sp->se_type)
1391 free(sp->se_type);
1392 sp->se_type = typ->ty_type ? strdup(typ->ty_type) : 0;
1393 return (1);
1394 }
1395
1396 /*
1397 * Walk the list of ttys and create sessions for each active line.
1398 */
1399 static state_func_t
read_ttys(void)1400 read_ttys(void)
1401 {
1402 session_t *sp, *snext;
1403 struct ttyent *typ;
1404
1405 /*
1406 * Destroy any previous session state.
1407 * There shouldn't be any, but just in case...
1408 */
1409 for (sp = sessions; sp; sp = snext) {
1410 snext = sp->se_next;
1411 free_session(sp);
1412 }
1413 sessions = 0;
1414 if (start_session_db())
1415 return (state_func_t) single_user;
1416
1417 /*
1418 * Allocate a session entry for each active port.
1419 * Note that sp starts at 0.
1420 */
1421 while ((typ = getttyent()) != NULL)
1422 if ((snext = new_session(sp, typ)) != NULL)
1423 sp = snext;
1424
1425 endttyent();
1426
1427 return (state_func_t) multi_user;
1428 }
1429
1430 /*
1431 * Start a window system running.
1432 */
1433 static void
start_window_system(session_t * sp)1434 start_window_system(session_t *sp)
1435 {
1436 pid_t pid;
1437 sigset_t mask;
1438 char term[64], *env[2];
1439 int status;
1440
1441 if ((pid = fork()) == -1) {
1442 emergency("can't fork for window system on port %s: %m",
1443 sp->se_device);
1444 /* hope that getty fails and we can try again */
1445 return;
1446 }
1447 if (pid) {
1448 waitpid(-1, &status, 0);
1449 return;
1450 }
1451
1452 /* reparent window process to the init to not make a zombie on exit */
1453 if ((pid = fork()) == -1) {
1454 emergency("can't fork for window system on port %s: %m",
1455 sp->se_device);
1456 _exit(1);
1457 }
1458 if (pid)
1459 _exit(0);
1460
1461 sigemptyset(&mask);
1462 sigprocmask(SIG_SETMASK, &mask, NULL);
1463
1464 if (setsid() < 0)
1465 emergency("setsid failed (window) %m");
1466
1467 #ifdef LOGIN_CAP
1468 setprocresources(RESOURCE_WINDOW);
1469 #endif
1470 if (sp->se_type) {
1471 /* Don't use malloc after fork */
1472 strcpy(term, "TERM=");
1473 strlcat(term, sp->se_type, sizeof(term));
1474 env[0] = term;
1475 env[1] = NULL;
1476 }
1477 else
1478 env[0] = NULL;
1479 execve(sp->se_window_argv[0], sp->se_window_argv, env);
1480 stall("can't exec window system '%s' for port %s: %m",
1481 sp->se_window_argv[0], sp->se_device);
1482 _exit(1);
1483 }
1484
1485 /*
1486 * Start a login session running.
1487 */
1488 static pid_t
start_getty(session_t * sp)1489 start_getty(session_t *sp)
1490 {
1491 pid_t pid;
1492 sigset_t mask;
1493 time_t current_time = time((time_t *) 0);
1494 int too_quick = 0;
1495 char term[64], *env[2];
1496
1497 if (current_time >= sp->se_started &&
1498 current_time - sp->se_started < GETTY_SPACING) {
1499 if (++sp->se_nspace > GETTY_NSPACE) {
1500 sp->se_nspace = 0;
1501 too_quick = 1;
1502 }
1503 } else
1504 sp->se_nspace = 0;
1505
1506 /*
1507 * fork(), not vfork() -- we can't afford to block.
1508 */
1509 if ((pid = fork()) == -1) {
1510 emergency("can't fork for getty on port %s: %m", sp->se_device);
1511 return -1;
1512 }
1513
1514 if (pid)
1515 return pid;
1516
1517 if (too_quick) {
1518 warning("getty repeating too quickly on port %s, sleeping %d secs",
1519 sp->se_device, GETTY_SLEEP);
1520 sleep((unsigned) GETTY_SLEEP);
1521 }
1522
1523 if (sp->se_window) {
1524 start_window_system(sp);
1525 sleep(WINDOW_WAIT);
1526 }
1527
1528 sigemptyset(&mask);
1529 sigprocmask(SIG_SETMASK, &mask, NULL);
1530
1531 #ifdef LOGIN_CAP
1532 setprocresources(RESOURCE_GETTY);
1533 #endif
1534 if (sp->se_type) {
1535 /* Don't use malloc after fork */
1536 strcpy(term, "TERM=");
1537 strlcat(term, sp->se_type, sizeof(term));
1538 env[0] = term;
1539 env[1] = NULL;
1540 } else
1541 env[0] = NULL;
1542 execve(sp->se_getty_argv[0], sp->se_getty_argv, env);
1543 stall("can't exec getty '%s' for port %s: %m",
1544 sp->se_getty_argv[0], sp->se_device);
1545 _exit(1);
1546 }
1547
1548 /*
1549 * Return 1 if the session is defined as "onifexists"
1550 * or "onifconsole" and the device node does not exist.
1551 */
1552 static int
session_has_no_tty(session_t * sp)1553 session_has_no_tty(session_t *sp)
1554 {
1555 int fd;
1556
1557 if ((sp->se_flags & SE_IFEXISTS) == 0 &&
1558 (sp->se_flags & SE_IFCONSOLE) == 0)
1559 return (0);
1560
1561 fd = open(sp->se_device, O_RDONLY | O_NONBLOCK, 0);
1562 if (fd < 0) {
1563 if (errno == ENOENT)
1564 return (1);
1565 return (0);
1566 }
1567
1568 close(fd);
1569 return (0);
1570 }
1571
1572 /*
1573 * Collect exit status for a child.
1574 * If an exiting login, start a new login running.
1575 */
1576 static void
collect_child(pid_t pid)1577 collect_child(pid_t pid)
1578 {
1579 session_t *sp, *sprev, *snext;
1580
1581 if (! sessions)
1582 return;
1583
1584 if (! (sp = find_session(pid)))
1585 return;
1586
1587 del_session(sp);
1588 sp->se_process = 0;
1589
1590 if (sp->se_flags & SE_SHUTDOWN ||
1591 session_has_no_tty(sp)) {
1592 if ((sprev = sp->se_prev) != NULL)
1593 sprev->se_next = sp->se_next;
1594 else
1595 sessions = sp->se_next;
1596 if ((snext = sp->se_next) != NULL)
1597 snext->se_prev = sp->se_prev;
1598 free_session(sp);
1599 return;
1600 }
1601
1602 if ((pid = start_getty(sp)) == -1) {
1603 /* serious trouble */
1604 requested_transition = clean_ttys;
1605 return;
1606 }
1607
1608 sp->se_process = pid;
1609 sp->se_started = time((time_t *) 0);
1610 add_session(sp);
1611 }
1612
1613 static const char *
get_current_state(void)1614 get_current_state(void)
1615 {
1616
1617 if (current_state == single_user)
1618 return ("single-user");
1619 if (current_state == runcom)
1620 return ("runcom");
1621 if (current_state == read_ttys)
1622 return ("read-ttys");
1623 if (current_state == multi_user)
1624 return ("multi-user");
1625 if (current_state == clean_ttys)
1626 return ("clean-ttys");
1627 if (current_state == catatonia)
1628 return ("catatonia");
1629 if (current_state == death)
1630 return ("death");
1631 if (current_state == death_single)
1632 return ("death-single");
1633 return ("unknown");
1634 }
1635
1636 static void
boottrace_transition(int sig)1637 boottrace_transition(int sig)
1638 {
1639 const char *action;
1640
1641 switch (sig) {
1642 case SIGUSR2:
1643 action = "halt & poweroff";
1644 break;
1645 case SIGUSR1:
1646 action = "halt";
1647 break;
1648 case SIGINT:
1649 action = "reboot";
1650 break;
1651 case SIGWINCH:
1652 action = "powercycle";
1653 break;
1654 case SIGTERM:
1655 action = Reboot ? "reboot" : "single-user";
1656 break;
1657 default:
1658 BOOTTRACE("signal %d from %s", sig, get_current_state());
1659 return;
1660 }
1661
1662 /* Trace the shutdown reason. */
1663 SHUTTRACE("%s from %s", action, get_current_state());
1664 }
1665
1666 /*
1667 * Catch a signal and request a state transition.
1668 */
1669 static void
transition_handler(int sig)1670 transition_handler(int sig)
1671 {
1672
1673 boottrace_transition(sig);
1674 switch (sig) {
1675 case SIGHUP:
1676 if (current_state == read_ttys || current_state == multi_user ||
1677 current_state == clean_ttys || current_state == catatonia)
1678 requested_transition = clean_ttys;
1679 break;
1680 case SIGUSR2:
1681 howto = RB_POWEROFF;
1682 case SIGUSR1:
1683 howto |= RB_HALT;
1684 case SIGWINCH:
1685 case SIGINT:
1686 if (sig == SIGWINCH)
1687 howto |= RB_POWERCYCLE;
1688 Reboot = true;
1689 case SIGTERM:
1690 if (current_state == read_ttys || current_state == multi_user ||
1691 current_state == clean_ttys || current_state == catatonia)
1692 requested_transition = death;
1693 else
1694 requested_transition = death_single;
1695 break;
1696 case SIGTSTP:
1697 if (current_state == runcom || current_state == read_ttys ||
1698 current_state == clean_ttys ||
1699 current_state == multi_user || current_state == catatonia)
1700 requested_transition = catatonia;
1701 break;
1702 case SIGEMT:
1703 requested_transition = reroot;
1704 break;
1705 default:
1706 requested_transition = 0;
1707 break;
1708 }
1709 }
1710
1711 /*
1712 * Take the system multiuser.
1713 */
1714 static state_func_t
multi_user(void)1715 multi_user(void)
1716 {
1717 static bool inmultiuser = false;
1718 pid_t pid;
1719 session_t *sp;
1720
1721 requested_transition = 0;
1722
1723 /*
1724 * If the administrator has not set the security level to -1
1725 * to indicate that the kernel should not run multiuser in secure
1726 * mode, and the run script has not set a higher level of security
1727 * than level 1, then put the kernel into secure mode.
1728 */
1729 if (getsecuritylevel() == 0)
1730 setsecuritylevel(1);
1731
1732 for (sp = sessions; sp; sp = sp->se_next) {
1733 if (sp->se_process)
1734 continue;
1735 if (session_has_no_tty(sp))
1736 continue;
1737 if ((pid = start_getty(sp)) == -1) {
1738 /* serious trouble */
1739 requested_transition = clean_ttys;
1740 break;
1741 }
1742 sp->se_process = pid;
1743 sp->se_started = time((time_t *) 0);
1744 add_session(sp);
1745 }
1746
1747 if (requested_transition == 0 && !inmultiuser) {
1748 inmultiuser = true;
1749 /* This marks the change from boot-time tracing to run-time. */
1750 RUNTRACE("multi-user start");
1751 }
1752 while (!requested_transition)
1753 if ((pid = waitpid(-1, (int *) 0, 0)) != -1)
1754 collect_child(pid);
1755
1756 return (state_func_t) requested_transition;
1757 }
1758
1759 /*
1760 * This is an (n*2)+(n^2) algorithm. We hope it isn't run often...
1761 */
1762 static state_func_t
clean_ttys(void)1763 clean_ttys(void)
1764 {
1765 session_t *sp, *sprev;
1766 struct ttyent *typ;
1767 int devlen;
1768 char *old_getty, *old_window, *old_type;
1769
1770 /*
1771 * mark all sessions for death, (!SE_PRESENT)
1772 * as we find or create new ones they'll be marked as keepers,
1773 * we'll later nuke all the ones not found in /etc/ttys
1774 */
1775 for (sp = sessions; sp != NULL; sp = sp->se_next)
1776 sp->se_flags &= ~SE_PRESENT;
1777
1778 devlen = sizeof(_PATH_DEV) - 1;
1779 while ((typ = getttyent()) != NULL) {
1780 for (sprev = 0, sp = sessions; sp; sprev = sp, sp = sp->se_next)
1781 if (strcmp(typ->ty_name, sp->se_device + devlen) == 0)
1782 break;
1783
1784 if (sp) {
1785 /* we want this one to live */
1786 sp->se_flags |= SE_PRESENT;
1787 if ((typ->ty_status & TTY_ON) == 0 ||
1788 typ->ty_getty == 0) {
1789 sp->se_flags |= SE_SHUTDOWN;
1790 kill(sp->se_process, SIGHUP);
1791 continue;
1792 }
1793 sp->se_flags &= ~SE_SHUTDOWN;
1794 old_getty = sp->se_getty ? strdup(sp->se_getty) : 0;
1795 old_window = sp->se_window ? strdup(sp->se_window) : 0;
1796 old_type = sp->se_type ? strdup(sp->se_type) : 0;
1797 if (setupargv(sp, typ) == 0) {
1798 warning("can't parse getty for port %s",
1799 sp->se_device);
1800 sp->se_flags |= SE_SHUTDOWN;
1801 kill(sp->se_process, SIGHUP);
1802 }
1803 else if ( !old_getty
1804 || (!old_type && sp->se_type)
1805 || (old_type && !sp->se_type)
1806 || (!old_window && sp->se_window)
1807 || (old_window && !sp->se_window)
1808 || (strcmp(old_getty, sp->se_getty) != 0)
1809 || (old_window && strcmp(old_window, sp->se_window) != 0)
1810 || (old_type && strcmp(old_type, sp->se_type) != 0)
1811 ) {
1812 /* Don't set SE_SHUTDOWN here */
1813 sp->se_nspace = 0;
1814 sp->se_started = 0;
1815 kill(sp->se_process, SIGHUP);
1816 }
1817 if (old_getty)
1818 free(old_getty);
1819 if (old_window)
1820 free(old_window);
1821 if (old_type)
1822 free(old_type);
1823 continue;
1824 }
1825
1826 new_session(sprev, typ);
1827 }
1828
1829 endttyent();
1830
1831 /*
1832 * sweep through and kill all deleted sessions
1833 * ones who's /etc/ttys line was deleted (SE_PRESENT unset)
1834 */
1835 for (sp = sessions; sp != NULL; sp = sp->se_next) {
1836 if ((sp->se_flags & SE_PRESENT) == 0) {
1837 sp->se_flags |= SE_SHUTDOWN;
1838 kill(sp->se_process, SIGHUP);
1839 }
1840 }
1841
1842 return (state_func_t) multi_user;
1843 }
1844
1845 /*
1846 * Block further logins.
1847 */
1848 static state_func_t
catatonia(void)1849 catatonia(void)
1850 {
1851 session_t *sp;
1852
1853 for (sp = sessions; sp; sp = sp->se_next)
1854 sp->se_flags |= SE_SHUTDOWN;
1855
1856 return (state_func_t) multi_user;
1857 }
1858
1859 /*
1860 * Note SIGALRM.
1861 */
1862 static void
alrm_handler(int sig)1863 alrm_handler(int sig)
1864 {
1865
1866 (void)sig;
1867 clang = true;
1868 }
1869
1870 /*
1871 * Bring the system down to single user.
1872 */
1873 static state_func_t
death(void)1874 death(void)
1875 {
1876 int block, blocked;
1877 size_t len;
1878
1879 /* Temporarily block suspend. */
1880 len = sizeof(blocked);
1881 block = 1;
1882 if (sysctlbyname("kern.suspend_blocked", &blocked, &len,
1883 &block, sizeof(block)) == -1)
1884 blocked = 0;
1885
1886 /*
1887 * Also revoke the TTY here. Because runshutdown() may reopen
1888 * the TTY whose getty we're killing here, there is no guarantee
1889 * runshutdown() will perform the initial open() call, causing
1890 * the terminal attributes to be misconfigured.
1891 */
1892 revoke_ttys();
1893
1894 /* Try to run the rc.shutdown script within a period of time */
1895 runshutdown();
1896
1897 /* Unblock suspend if we blocked it. */
1898 if (!blocked)
1899 sysctlbyname("kern.suspend_blocked", NULL, NULL,
1900 &blocked, sizeof(blocked));
1901
1902 return (state_func_t) death_single;
1903 }
1904
1905 /*
1906 * Do what is necessary to reinitialize single user mode or reboot
1907 * from an incomplete state.
1908 */
1909 static state_func_t
death_single(void)1910 death_single(void)
1911 {
1912 int i;
1913 pid_t pid;
1914 static const int death_sigs[2] = { SIGTERM, SIGKILL };
1915
1916 revoke(_PATH_CONSOLE);
1917
1918 BOOTTRACE("start killing user processes");
1919 for (i = 0; i < 2; ++i) {
1920 if (kill(-1, death_sigs[i]) == -1 && errno == ESRCH)
1921 return (state_func_t) single_user;
1922
1923 clang = false;
1924 alarm(DEATH_WATCH);
1925 do
1926 if ((pid = waitpid(-1, (int *)0, 0)) != -1)
1927 collect_child(pid);
1928 while (!clang && errno != ECHILD);
1929
1930 if (errno == ECHILD)
1931 return (state_func_t) single_user;
1932 }
1933
1934 warning("some processes would not die; ps axl advised");
1935
1936 return (state_func_t) single_user;
1937 }
1938
1939 static void
revoke_ttys(void)1940 revoke_ttys(void)
1941 {
1942 session_t *sp;
1943
1944 for (sp = sessions; sp; sp = sp->se_next) {
1945 sp->se_flags |= SE_SHUTDOWN;
1946 kill(sp->se_process, SIGHUP);
1947 revoke(sp->se_device);
1948 }
1949 }
1950
1951 /*
1952 * Run the system shutdown script.
1953 *
1954 * Exit codes: XXX I should document more
1955 * -2 shutdown script terminated abnormally
1956 * -1 fatal error - can't run script
1957 * 0 good.
1958 * >0 some error (exit code)
1959 */
1960 static int
runshutdown(void)1961 runshutdown(void)
1962 {
1963 pid_t pid, wpid;
1964 int status;
1965 int shutdowntimeout;
1966 size_t len;
1967 char *argv[SCRIPT_ARGV_SIZE];
1968 struct stat sb;
1969
1970 BOOTTRACE("init(8): start rc.shutdown");
1971
1972 /*
1973 * rc.shutdown is optional, so to prevent any unnecessary
1974 * complaints from the shell we simply don't run it if the
1975 * file does not exist. If the stat() here fails for other
1976 * reasons, we'll let the shell complain.
1977 */
1978 if (stat(_PATH_RUNDOWN, &sb) == -1 && errno == ENOENT)
1979 return 0;
1980
1981 if ((pid = fork()) == 0) {
1982 char _reboot[] = "reboot";
1983 char _single[] = "single";
1984 char _path_rundown[] = _PATH_RUNDOWN;
1985
1986 argv[0] = _path_rundown;
1987 argv[1] = Reboot ? _reboot : _single;
1988 argv[2] = NULL;
1989
1990 execute_script(argv);
1991 _exit(1); /* force single user mode */
1992 }
1993
1994 if (pid == -1) {
1995 emergency("can't fork for %s: %m", _PATH_RUNDOWN);
1996 while (waitpid(-1, (int *) 0, WNOHANG) > 0)
1997 continue;
1998 sleep(STALL_TIMEOUT);
1999 return -1;
2000 }
2001
2002 len = sizeof(shutdowntimeout);
2003 if (sysctlbyname("kern.init_shutdown_timeout", &shutdowntimeout, &len,
2004 NULL, 0) == -1 || shutdowntimeout < 2)
2005 shutdowntimeout = DEATH_SCRIPT;
2006 alarm(shutdowntimeout);
2007 clang = false;
2008 /*
2009 * Copied from single_user(). This is a bit paranoid.
2010 * Use the same ALRM handler.
2011 */
2012 do {
2013 if ((wpid = waitpid(-1, &status, WUNTRACED)) != -1)
2014 collect_child(wpid);
2015 if (clang) {
2016 /* we were waiting for the sub-shell */
2017 kill(wpid, SIGTERM);
2018 warning("timeout expired for %s: %m; going to "
2019 "single user mode", _PATH_RUNDOWN);
2020 BOOTTRACE("rc.shutdown's %d sec timeout expired",
2021 shutdowntimeout);
2022 return -1;
2023 }
2024 if (wpid == -1) {
2025 if (errno == EINTR)
2026 continue;
2027 warning("wait for %s failed: %m; going to "
2028 "single user mode", _PATH_RUNDOWN);
2029 return -1;
2030 }
2031 if (wpid == pid && WIFSTOPPED(status)) {
2032 warning("init: %s stopped, restarting\n",
2033 _PATH_RUNDOWN);
2034 kill(pid, SIGCONT);
2035 wpid = -1;
2036 }
2037 } while (wpid != pid && !clang);
2038
2039 /* Turn off the alarm */
2040 alarm(0);
2041
2042 if (WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM &&
2043 requested_transition == catatonia) {
2044 /*
2045 * /etc/rc.shutdown executed /sbin/reboot;
2046 * wait for the end quietly
2047 */
2048 sigset_t s;
2049
2050 sigfillset(&s);
2051 for (;;)
2052 sigsuspend(&s);
2053 }
2054
2055 if (!WIFEXITED(status)) {
2056 warning("%s terminated abnormally, going to "
2057 "single user mode", _PATH_RUNDOWN);
2058 return -2;
2059 }
2060
2061 if ((status = WEXITSTATUS(status)) != 0)
2062 warning("%s returned status %d", _PATH_RUNDOWN, status);
2063
2064 return status;
2065 }
2066
2067 static char *
strk(char * p)2068 strk(char *p)
2069 {
2070 static char *t;
2071 char *q;
2072 int c;
2073
2074 if (p)
2075 t = p;
2076 if (!t)
2077 return 0;
2078
2079 c = *t;
2080 while (c == ' ' || c == '\t' )
2081 c = *++t;
2082 if (!c) {
2083 t = 0;
2084 return 0;
2085 }
2086 q = t;
2087 if (c == '\'') {
2088 c = *++t;
2089 q = t;
2090 while (c && c != '\'')
2091 c = *++t;
2092 if (!c) /* unterminated string */
2093 q = t = 0;
2094 else
2095 *t++ = 0;
2096 } else {
2097 while (c && c != ' ' && c != '\t' )
2098 c = *++t;
2099 *t++ = 0;
2100 if (!c)
2101 t = 0;
2102 }
2103 return q;
2104 }
2105
2106 #ifdef LOGIN_CAP
2107 static void
setprocresources(const char * cname)2108 setprocresources(const char *cname)
2109 {
2110 login_cap_t *lc;
2111 if ((lc = login_getclassbyname(cname, NULL)) != NULL) {
2112 setusercontext(lc, (struct passwd*)NULL, 0,
2113 LOGIN_SETENV |
2114 LOGIN_SETPRIORITY | LOGIN_SETRESOURCES |
2115 LOGIN_SETLOGINCLASS | LOGIN_SETCPUMASK);
2116 login_close(lc);
2117 }
2118 }
2119 #endif
2120
2121 /*
2122 * Run /etc/rc.final to execute scripts after all user processes have been
2123 * terminated.
2124 */
2125 static void
runfinal(void)2126 runfinal(void)
2127 {
2128 struct stat sb;
2129 pid_t other_pid, pid;
2130 sigset_t mask;
2131
2132 /* Avoid any surprises. */
2133 alarm(0);
2134
2135 /* rc.final is optional. */
2136 if (stat(_PATH_RUNFINAL, &sb) == -1 && errno == ENOENT)
2137 return;
2138 if (access(_PATH_RUNFINAL, X_OK) != 0) {
2139 warning("%s exists, but not executable", _PATH_RUNFINAL);
2140 return;
2141 }
2142
2143 pid = fork();
2144 if (pid == 0) {
2145 /*
2146 * Reopen stdin/stdout/stderr so that scripts can write to
2147 * console.
2148 */
2149 close(0);
2150 open(_PATH_DEVNULL, O_RDONLY);
2151 close(1);
2152 close(2);
2153 open_console();
2154 dup2(1, 2);
2155 sigemptyset(&mask);
2156 sigprocmask(SIG_SETMASK, &mask, NULL);
2157 signal(SIGCHLD, SIG_DFL);
2158 execl(_PATH_RUNFINAL, _PATH_RUNFINAL, NULL);
2159 perror("execl(" _PATH_RUNFINAL ") failed");
2160 exit(1);
2161 }
2162
2163 /* Wait for rc.final script to exit */
2164 while ((other_pid = waitpid(-1, NULL, 0)) != pid && other_pid > 0) {
2165 continue;
2166 }
2167 }
2168