In legacy cgroups mode, we were running `mountinfo -q ""` which was
generating an error message. If we return immediately when
cgroup2_find_path returns an empty value, we avoid this message.
The previous fix excludes PIDs of processes running in a different namespace
regardless of whether the PID has been explicitly stored in a PID file mentioned
in the --pidfile parameter. The correct behavior is to only exclude the pid if
it is not stored in a pidfile.
X-Gentoo-Bug: 776010
X-Gentoo-Bug-URL: https://bugs.gentoo.org/776010
The cgroups v2 setup required the rc_cgroups_controllers variable
to be set to the list of controllers to enable regardless of whether the
mode was hybrid or unified.
This makes sense for hybrid mode since the controllers can't be in both
the cgroups v1 and v2 hierarchies, but for unified mode we should enable
all controllers that are configured in the kernel.
The test `[ -h "${ifname}" ] && continue` skips the symlinks while it is
the opposite that is the expected: ignoring files that are not symlinks.
Fixes commit f42ec82f21.
This fixes#391.
Otherwise this would create the following output:
rc-status -f ini
* Caching service dependencies ... [ ok ]
[default]
dbus = started
NetworkManager = started
syslog-ng = started
...
This fixes#364.
I found the original note a little confusing, since using rc-update will
add it to a runlevel so it *is* auto-started when the system reaches
that runlevel again, but I don't think that was the intended meaning of
'auto-start', so hopefully this makes it a little more clear.
Currently when osclock is enabled as a init.d service the following
messages appear during boot when osclock starts:
* The command variable is undefined.
* There is nothing for osclock to start.
* If this is what you intend, please write a start function.
* This will become a failure in a future release.
osclock is activated whenever a machine's system clock is automatically
configured from a RTC by the kernel and the osclock's only purpose is to
satisfy the "clock" dependency defined by other init.d services.
Adding a stub start() function prevents OpenRC from showing warnings but
continues to ensure that the osclock service still does not actually do
anything.
This fixes#377.
The do_check() function recently gained some defenses against symlink
replacement attacks that involve the use of *at functions in place of
their vanilla counterparts; openat() instead of open(), for example.
One opportunity to replace mkdir() with mkdirat() was missed, however,
and this commit replaces it.
This fixes#386.
start-stop-daemon and supervise-daemon parse usernames and group names
passed via the --user argument as numeric UID/GID if they start with a
number (e.g. user "4foo" will be treated as UID 4). This results in the
process that is being started to run under a totally unexpected user if
that UID exists.
Even though the result of the sscanf calls are tested for a result of
exactly 1, which means exactly one value was extracted, because sscanf's
format string only contains only one placeholder, it will never return
a value greater than 1, even if there are still characters left to be
parsed. This causes start-stop-daemon and supervise-daemon to assume
that usernames starting with a number are just that number. Adding a
second placeholder "%1s" to the format string, which matches a string of
length 1, makes sure that sscanf can distinguish between pure numbers
(in which case it will return 1) and strings either starting with a
number (in which case it will return 2) and any other string (in which
case it will return 0).
This fixes#379.
This fixes#380.
Starting program: /sbin/start-stop-daemon --start --exec i-dont-exist
Program received signal SIGSEGV, Segmentation fault.
0x0000555555559053 in main (argc=1, argv=0x7fffffffdc20)
at start-stop-daemon.c:631
631 *exec_file ? exec_file : exec);
This fixes#385.
This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.
On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.
This fixes#201.
When executable is provided just by name (and therefore searched in a
path), exec_file is reset to NULL every time. exists() handles it being
NULL just fine, but dereferencing it in eerror does not work.
Fixes#326Fixes#327
It looks like some stray text was left at the bottom of the file:
```
package.
migrating your system to openrc-init.
```
There's a subsection on migrating a system to `openrc-ini`; perhaps this was
an embryonic section title?
This fixes#347.
prior to cgroups getting mounted, /sys/fs/cgroup will still exist,
but attempts to make directories in it will fail, change cgroup2_set_limits() to
verify that cgroups are mounted instead of just checking that /sys/fs/cgroup
exists.
This fixes#307.
This fixes#321.
This allows openrc to direct sysvinit to shut down the system by setting
the INIT_HALT environment variable appropriately. Also, we do not try to
communicate with sysvinit if its fifo does not exist.
I am removing this on the advice of a member of the Gentoo toolchain
team. It was explained to me that this doesn't offer any significant
benefits to OpenRC.
If anyone ffeels differently, please open a pull request reverting
this and adding an explanation of what it does and how to know which
functions to mark hidden in the future.
This fixes#301.
The do_openrc() function was not waiting properly for the child process
which started the runlevel to return. We need to repeatedly call
waitpid() until its return value matches the pid of the child process or
the child process does not exist.
This fixes#216.
This fixes#300.
The 'readelf'-based tests cover a few situations:
1. undefined symbols in shared libraries
2. unexpected exports in shared libraries
Bug #575958 shows that [2.] implementation is too simplistic
in assuming that presence of relocation equals to export presence.
It is incorrect for PLT stubs and local symbols.
Let's just drop these tests.
If one needs to cover [1.] it is better to use LDFLAGS=-Wl,--no-undefined.
This closes#292.
X-Reported-by: Benda Xu
X-Gentoo-Bug: https://bugs.gentoo.org/575958
X-Gentoo-Bug-URL: https://bugs.gentoo.org/575958
The -f option can be used when showing the status of services in
runlevels to allow making the output more easily parsable.
Currently, the .ini format is the only one supported.
The .Dt header is supposed to be all caps. This was mixing case.
The options block was being incorrectly indented due to a missing .El.
Some of the new options were missing the .It block, so add that.
Finally, the -D option was missing capitalization.
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
rc = readlink(path, buf, sizeof(buf));
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes#270.
The contents of /proc/<pid>/cmdline are read into
a stack buffer using
bytes = read(fd, buffer, sizeof(buffer));
followed by appending a null terminator to the buffer with
buffer[bytes] = '\0';
If bytes == sizeof(buffer), then this write is out-of-bounds.
Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)
This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes#269.
The following will cause a segfault due to NULL being
passed to strcmp(3)
$ RC_SVCNAME=foo supervise-daemon
Fix the bounds check on argc in main. If argc<=1, then
it is not safe to dereference argv[1].
The statement
ll = strlen(applet);
appears twice in the same block without any
intervening assignment to the variables
'll' or 'applet'
Remove the second (duplicate) statement.
We have used /run for some time now and we have had this migration
script for 6 years. Linux users should have upgraded by now to a version
of OpenRC which stores its information in /run.
In order to run healthcheck() and the unhealthy() function, add an
exec_command call to the supervisor.
Another difference is This function also logs errors instead of
attempting to display them.
This is for #271.
I do not know of a need to have the default shell be a build-time
configurable setting. All *nix systems I am aware of have /bin/sh as a
default posix compatible shell.
If some systems running OpenRC do not make that assumption about
/bin/sh, I will consider bringing this back, so feel free to open an
issue.
Without a respawn period setting, the supervisor will give up on
respawning agetty after it is respawned respawn_max times. For most
daemons giving up like this is reasonable, but not for agettys. Agettys
should always be respawned unless they are respawning too fafst,.
If an agetty is respawning faster than 10 times in 60 seconds, this
seems to be too fast.
Since the pid file is internal to us, start moving toward deprecating it
by not requiring the user to specify it.
In the next release, I plan on working on code to start phasing out the
use of a pid file if this is possible.
This is needed in preparation for adding support for a fifo to allow us
to communicate with the supervisor to ask it to signal the child it is
supervising.
This reverts commit 2af0cedd59.
After speaking with Luis Ressel on the Gentoo selinux team, I am reverting
this commit for the following reasons:
- Luis told me that he feels this is not the solution we need to address
the concern with checkpath; I will be working with him on another
solution.
- There are concerns about the way the path variable was handled
and the assert() call.
The path variable should be dynamically allocated using xasprintf
instead of defining a length at compile time. This would eliminate the
need for the assert() call.
- It introduces the definition of _GNU_SOURCE which makes it
easier to introduce portability concerns in the future (see #262).
The pidfile of the supervisor doesn't need to be adjustable by the
service script. It is only used so the supervisor can stop itself when
the --stop option is used.
In start-stop-daemon and rc-schedules, we were printing out a warning if
the nanosleep call was interrupted by a signal, but we did not treat
this as an error situation other than displaying the message, so there
is no need for the message.
These services represent the parts of the keymaps and termencoding
services which saved the settings back to the root file system so they
can be loaded very early in the boot process.
These are needed to allow keymaps and termencoding to run earlier in the
boot sequence.
X-Gentoo-Bug: 446018
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=446018
On Linux, kernel modules should be loaded once during boot, either in an
initramfs or by this service.
This does not change anything other than printing out messages if a
module is loaded more than once.
X-Gentoo-Bug: 659530
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=659530
Health checks are a way to monitor a service and make sure it stays
healthy.
If a service is not healthy, it will be automatically restarted after
running the unhealthy() function to clean up.
You can now schedule a shutdown for a certain time or a cpecific number
of minutes into the future.
When a shutdown is running, you can now cancel it with ^c from the
keyboard or by running "openrc-shutdown -c" from another shell.
Fix the comparison between respawn_count and respawn_max so that
respawn_max = 1 will allow for one respawn. Since respawn_count is
incremented before the comparison, use a 'greater than' comparison
so that respawn will be triggered when respawn_count is equal to
respawn_max.
Fixes: https://github.com/OpenRC/openrc/issues/247
Fixes: https://github.com/OpenRC/openrc/issues/248
We do not need to do this any longer since all supported linux kernels
make efivarfs immutable and the tools that manipulate it are aware of
this feature.
This fixes https://github.com/openrc/openrc/issues/238.
Use errno != EACCES to fix false-positive for non-root users
with grsecurity kernels.
Fixes: 37e2944272 ("librc: Add check for crashed state")
This fixes#237
This test to find if we could see pid 1 was being used inconsistently in
rc-status and mark_service_crashed to decide whether we could test to
see if the daemon for the service was crashed, and it was not part of
the librc library.
I am removing it from the executables because of inconsistent usage. I
will add it to the library if it is needed there.
Gentoo was changing some of our installation modes from 0444 to 0644.
There isn't a reason to install things 0444, so we are switching these
to 0644 so the Gentoo ebuild doesn't need this extra step.
This removes localmount from the dependencies of the consolefont,
keymaps, numlock and procfs services.
These services are Linux only and the default modern linux system has /
and /usr on the same file system.
This also fixes the following issue.
X-Gentoo-Bug: 651998
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=651998
If pidfile does not exist when we are stopping the daemon, assume it is
already stopped, and report success.
hostapd is an example of a daemon which removes its pidfile when it is
exiting. If this daemon terminates prematurely, that is, without s-s-d
involvement, then openrc fails to restart it, because s-s-d "stop"
command fails when pidfile is missing.
X-Gentoo-Bug: 646274
X-Gentoo-Bug-URL: https://bugs.gentoo.org/646274
The current check only tries to detect whether /sys/fs/cgroup exists and
whether it is writable or not. But when the init system doesn't mount
cgroups then /sys/fs/cgroup will just be an empty directory. When paired
with unprivileged containers that mount sysfs this will cause misleading
errors to be printed since /sys/fs/cgroup will be owned by user
nobody:nogroup in this case. Independent of this specific problem this
check will also be misleading when the /sys/fs/cgroup exists and is in
fact writable by the init system but isn't actually a mountpoint.
Note from William. "grep -qs" doesn't need to redirect output to
/dev/null since it is completely silent.
This fixes#209.
This is our own version of asprintf(). This original code was written by
Mike Frysinger, and I was able to modify it to use our memory helper
functions.
We need a version of this code because it is not available on glibc at
least without defining _GNU_SOURCE, and I would rather not do that.
This is the first step in improving string handling in OpenRC for #207.
The "Ar" tag for the mountinfo command contained a typo (leading
space) that resulted in the tag being output verbatim; that is,
mountinfo ... .Ar mount1 mount2
rather than e.g.
mountinfo ... <mount1> <mount2>
This commit deletes the leading space to fix the output.
This fixes#204.
The BUILTINS are all surrounded by Xo...Xc tags, but the opening "Xo"
was missing from the two commands fstabinfo and mountinfo. This commit
adds them, and thereby fixes the spacing when viewed by man.
This is for #204.
Refer to /var/run in the documentation instead of /run, and make it
clear at the top of the pidfile section that we use /run under Linux.
This is for #202.
This is related to #195.
This is an attempt to shorten the window for the first two issues
discussed by using a file descriptor which does not follow symbolic
links and using the fchmod and fchown calls instead of chown and chmod.
with.
rc_deptree_update_needed would return early as soon as it found
any file newer than the existing dependency cache. Unfortunately,
the first file found may not be the newest one there; so the
clock skew workaround in rc-misc:_rc_deptree_load would be given
a timestamp that was still too old.
This fix forces a full scan of all relevant files, so as to
ensure that we return a timestamp that will allow the clock skew
fix to operate. The runtime cost is no worse than the case where
the cache is up to date (ie. we must check every possible file).
This fixes#161.
Add the following variables to expose more arguments that can be passed
to start-stop-daemon or supervise-daemon:
- directory will be passed to --chdir
- error_log will be passed to --stderr
- output_log will be passed to --stdout
- umask will be passed to umask
This is for #184.
Add the ability to force-kill a service if it does not go down
successfully. Also, adjust the default wait time for an s6 service to go
down to 60 seconds.
The OpenRC team does not currently know of any modern linux tools that
require /etc/mtab to be a flat file, so this puts users on notice that
the mtab service will be removed in the future.
localmount had mtab in its "use" dependencies; however, it makes more
sense to add "before localmount" to the mtab service and remove
"use mtab" from the localmount service.
Ignore namespaces if there are errors reading either the pid namespace
for the current process or the process we aare testing.
This fixes https://github.com/openrc/openrc/issues/180.
This is to be used if the service is being supervised and the
supervisor is somehow killed.
Currently, this is very linux specific, but I will expand to other
platforms, patches are welcome.
- Harden against dying by handling all signals that would terminate the
program and adding --reexec support
- factor the supervisor into its own function
- fix test for whether we are already running
Prior to this change, we were logging unexpected terminations of daemons
we were supervising at the info level. This change moves the logs to
warnings.
The sysfs init script referred to @LIBEXECDIR@ before this change, but
it is better to refer to RC_LIBEXECDIR so that we get rid of a sed
substitution.
The service binary was just a synonym for rc-service, so use rc-service
instead of service. If you want a "service" binary, it should be
something that can determine which service manager you are running and
run the appropriate service manager commands.
rc-selinux.c: In function ‘selinux_setup’:
rc-selinux.c:361:9: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
curr_t = context_type_get(curr_con);
^
Instead of looping and sending multiple signals to child processes in
cgroup_cleanup, we send sigterm followed by sleeping one second then
sigkill.
This brings us more in line with systemd's "control group" killmode
setting.
Also, this commit includes several shellcheck cleanups.
The --retry option for supervise-daemon defines how the supervisor will
attempt to stop the child process it is monitoring. It is defined when
the supervisor is started since stopping the supervisor just sends a
signal to the active supervisor.
This fixes#160.
This makes the halt wrapper sysvinit compatible. It ignores several
command line switches which are not currently implemented; however,
those can be implemented if we need to do so.
This fixes https://github.com/openrc/openrc/issues/146.
The syntax for expanding a variable with a default value is
${parameter:-word}
not
${parameter-word}
although the latter still works for a reason I could not explain.
This fixes#143.
Sysvinit shutdown has a default of single user mode, but openrc-shutdown
makes you choose a default action. Because of this, the shutdown wrapper
needs to pass --single to openrc-shutdown.
How to reproduce 1-byte overflow:
```
$ FEATURES=-test CFLAGS="-fsanitize=address -O0 -ggdb3" emerge -1 openrc
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0efd8710
at pc 0x000000402076 bp 0x7fff0efd7d50 sp 0x7fff0efd7d40
WRITE of size 1 at 0x7fff0efd8710 thread T0
#0 0x402075 (/sbin/openrc-init+0x402075)
#1 0x3cf6e2070f in __libc_start_main (/lib64/libc.so.6+0x3cf6e2070f)
#2 0x4013b8 (/sbin/openrc-init+0x4013b8)
Address 0x7fff0efd8710 is located in stack of thread T0 at offset 2432 in frame
#0 0x401cfb (/sbin/openrc-init+0x401cfb)
This frame has 3 object(s):
[32, 160) 'signals'
[192, 344) 'sa'
[384, 2432) 'buf' <== Memory access at offset 2432 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
```
The problem here is in the code handling reads from 'init.ctl':
```
int main(int argc, char **argv) {
...
char buf[2048];
for (;;) {
/* This will block until a command is sent down the pipe... */
fifo = fopen(RC_INIT_FIFO, "r");
count = fread(buf, 1, 2048, fifo);
buf[count] = 0;
...
}
```
`buf[count] = 0;` writes outside the buffer when `fread()` returns non-truncated read.
This fixes#138.
rc-status now shows the amount of time a supervised daemon has been
active as well as the number of times it has been respawned during the
current respawn period.
This creates --respawn-delay, --respawn-max and --respawn-period. It was
suggested that it would be easier to follow if the options were
separated.
This is for #126.
Allow limiting the number of times supervise-daemon will attempt to respawn a
daemon once it has died to prevent infinite respawning. Also, set a
reasonable default limit (10 times in a 5 second period).
This is for issue #126.
openrc-init.c and openrc-shutdown.c are based on code which was written by
James Hammons <jlhamm@acm.org>, so I would like to publically
thank him for his work.
We do not need to care about the path on the shebang line of a service
script as long as the shebang line ends with "openrc-run".
This fixes#119 and #120.
The clock services had a very long list of "before" dependencies that
referred to other services within OpenRC. For ease of maintenance,
convert these to "after clock" dependencies in the individual services.
Using wildcards in dependencies causes issues when rc_parallel is set to
yes because it can lead to deadlocks.
All dependencies need to be explicit rather than implicit.
This is the first stage of moving this direction.
Since we check for /sys/firmware/efi/efivars, we do not need to check
for /sys/firmware/efi
Since Failing to mount efivarfs is not critical, we silence the error
message from mount.
My understanding is that the kernel can autoload this module. If it
doesn't, the module should be built in or loaded from an initramfs.
This fixes https://github.com/openrc/openrc/pulls/112.
- switch from attempting to ping the default gateway to a host outside
the local network, defaulting to google.com.
- along with this, change the name of the variable that requests a ping
test to include_ping_test so the meaning is more clear.
These files have been in the distribution for some time but haven't been
installed. They are good examples of how to do things, so we should
install them.
Since deptree2dot and the perl requirement are completely optional, we
can move this tool to the support folder. This gives the user the option
of using it if they have perl installed, and means we do not have an
optional runtime dependency on perl.
Documentation for this tool has also been added to the support folder.
X-Gentoo-Bug: 600742
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=600742
The test environment previously used the system default paths instead of installing the necessary $PATH environment
variable to make finding eval_ecolors work.
This closes#117.
X-Gentoo-Bug: 374191.
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=374191.
This path should not be hard coded in the open call.
Linux prior to 2.4.19 did not have /proc/self/mounts, so for now I'm
making this value /proc/mounts everywhere, but that may change to
/proc/self/mounts on linux; I'm not sure we should care about <2.4.19.
X-Gentoo-Bug: 604646
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=604646
Now that we respect the module blacklists, don't print every module we
try to load, because it might not end up loaded due to the blacklist,
and modprobe doesn't consider that a failure.
Supervisor setups break easily when start/stop/status functions are not
default.
Applications that write multiple PIDs to a pidfile (eg HAProxy as
described in bug 601540), can also benefit from being able to call the
default start/stop/status with modified environment variables.
Expose the default start/stop/status functions as
default_start/stop/status, and use them for the defaults
start/stop/status.
Trivial usage example:
```
stop()
{
t=$(mktemp)
for pid in $(cat $pidfile) ; do
echo $pid >$t
pidfile=$t default_stop
done
rm -f $t
}
```
X-Gentoo-Bug: 601540
X-Gentoo-Bug-URL: https://bugs.gentoo.org/601540
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
The /etc/init.d/localmount script has a syntax error that causes it to
attempt to mount remote filesystems, causing the boot to fail. The
script appends a "no" to each remote filesystem type, but it should only
be append the "no" to the beginning of the list. This patch fixes
localmount on FreeBSD 12.0. A review of the mount(8) manpage on Ubuntu
12.04 suggests that this patch is correct for Linux, too.
The documentation implied that if you stop a daemon we handle multiple
pids in a pid file. This is not correct. We only handle the first pid.
X-Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=601540
Busybox does not support the 'scope' argument on 'ip address add' or 'ip
route add', this is documented in BUSYBOX.md, but is no longer actually
needed, as the kernel does get it right without manual specification,
and the ifconfig variant already relies on the kernel to get it right.
This is part of #103.
X-Gentoo-Bug: 487208
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=487208
Separate loading the module, if it isn't built in or loaded, from
mounting the file system.
This also makes sure the warning about configuring the module in
/etc/conf.d/modules or building it in is displayed only if it is loaded
successfully.
X-Gentoo-Bug: 595836
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=595836
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
