| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712 |
- /* Copyright (c) 1998-2026 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published
- by the Free Software Foundation; version 2 of the License, or
- (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program; if not, see <https://www.gnu.org/licenses/>. */
- /* nscd - Name Service Cache Daemon. Caches passwd, group, and hosts. */
- #include <argp.h>
- #include <assert.h>
- #include <dirent.h>
- #include <errno.h>
- #include <error.h>
- #include <fcntl.h>
- #include <libintl.h>
- #include <locale.h>
- #include <paths.h>
- #include <pthread.h>
- #include <signal.h>
- #include <stdbool.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <syslog.h>
- #include <unistd.h>
- #include <sys/mman.h>
- #include <sys/socket.h>
- #include <sys/stat.h>
- #include <sys/uio.h>
- #include <sys/un.h>
- #include <sys/wait.h>
- #include <stdarg.h>
- #include "dbg_log.h"
- #include "nscd.h"
- #include "selinux.h"
- #include "../nss/nsswitch.h"
- #include <device-nrs.h>
- #ifdef HAVE_INOTIFY
- # include <sys/inotify.h>
- #endif
- #include <kernel-features.h>
- /* Get libc version number. */
- #include <version.h>
- #define PACKAGE _libc_intl_domainname
- int do_shutdown;
- int disabled_passwd;
- int disabled_group;
- typedef enum
- {
- /* Running in background as daemon. */
- RUN_DAEMONIZE,
- /* Running in foreground but otherwise behave like a daemon,
- i.e., detach from terminal and use syslog. This allows
- better integration with services like systemd. */
- RUN_FOREGROUND,
- /* Run in foreground in debug mode. */
- RUN_DEBUG
- } run_modes;
- static run_modes run_mode = RUN_DAEMONIZE;
- static const char *conffile = _PATH_NSCDCONF;
- static const char *print_cache = NULL;
- time_t start_time;
- uintptr_t pagesize_m1;
- int paranoia;
- time_t restart_time;
- time_t restart_interval = RESTART_INTERVAL;
- const char *oldcwd;
- uid_t old_uid;
- gid_t old_gid;
- static int check_pid (const char *file);
- static int write_pid (const char *file);
- static int monitor_child (int fd);
- /* Name and version of program. */
- static void print_version (FILE *stream, struct argp_state *state);
- void (*argp_program_version_hook) (FILE *, struct argp_state *) = print_version;
- /* Function to print some extra text in the help message. */
- static char *more_help (int key, const char *text, void *input);
- /* Definitions of arguments for argp functions. */
- static const struct argp_option options[] =
- {
- { "config-file", 'f', N_("NAME"), 0,
- N_("Read configuration data from NAME") },
- { "debug", 'd', NULL, 0,
- N_("Do not fork and display messages on the current tty") },
- { "print", 'p', N_("NAME"), 0,
- N_("Print contents of the offline cache file NAME") },
- { "foreground", 'F', NULL, 0,
- N_("Do not fork, but otherwise behave like a daemon") },
- { "nthreads", 't', N_("NUMBER"), 0, N_("Start NUMBER threads") },
- { "shutdown", 'K', NULL, 0, N_("Shut the server down") },
- { "statistics", 'g', NULL, 0, N_("Print current configuration statistics") },
- { "invalidate", 'i', N_("TABLE"), 0,
- N_("Invalidate the specified cache") },
- { "secure", 'S', N_("TABLE,yes"), OPTION_HIDDEN,
- N_("Use separate cache for each user")},
- { NULL, 0, NULL, 0, NULL }
- };
- /* Short description of program. */
- static const char doc[] = N_("Name Service Cache Daemon.");
- /* Prototype for option handler. */
- static error_t parse_opt (int key, char *arg, struct argp_state *state);
- /* Data structure to communicate with argp functions. */
- static struct argp argp =
- {
- options, parse_opt, NULL, doc, NULL, more_help
- };
- /* True if only statistics are requested. */
- static bool get_stats;
- static int parent_fd = -1;
- int
- main (int argc, char **argv)
- {
- int remaining;
- /* Set locale via LC_ALL. */
- setlocale (LC_ALL, "");
- /* Set the text message domain. */
- textdomain (PACKAGE);
- /* Determine if the kernel has SELinux support. */
- nscd_selinux_enabled (&selinux_enabled);
- /* Parse and process arguments. */
- argp_parse (&argp, argc, argv, 0, &remaining, NULL);
- if (remaining != argc)
- {
- error (0, 0, gettext ("wrong number of arguments"));
- argp_help (&argp, stdout, ARGP_HELP_SEE, program_invocation_short_name);
- exit (1);
- }
- /* Print the contents of the indicated cache file. */
- if (print_cache != NULL)
- /* Does not return. */
- nscd_print_cache (print_cache);
- /* Read the configuration file. */
- if (nscd_parse_file (conffile, dbs) != 0)
- /* We couldn't read the configuration file. We don't start the
- server. */
- error (EXIT_FAILURE, 0,
- _("failure while reading configuration file; this is fatal"));
- /* Do we only get statistics? */
- if (get_stats)
- /* Does not return. */
- receive_print_stats ();
- /* Check if we are already running. */
- if (check_pid (_PATH_NSCDPID))
- error (EXIT_FAILURE, 0, _("already running"));
- /* Remember when we started. */
- start_time = time (NULL);
- /* Determine page size. */
- pagesize_m1 = getpagesize () - 1;
- if (run_mode == RUN_DAEMONIZE || run_mode == RUN_FOREGROUND)
- {
- int i;
- pid_t pid;
- /* Behave like a daemon. */
- if (run_mode == RUN_DAEMONIZE)
- {
- int fd[2];
- if (pipe (fd) != 0)
- error (EXIT_FAILURE, errno,
- _("cannot create a pipe to talk to the child"));
- pid = fork ();
- if (pid == -1)
- error (EXIT_FAILURE, errno, _("cannot fork"));
- if (pid != 0)
- {
- /* The parent only reads from the child. */
- close (fd[1]);
- exit (monitor_child (fd[0]));
- }
- else
- {
- /* The child only writes to the parent. */
- close (fd[0]);
- parent_fd = fd[1];
- }
- }
- int nullfd = open (_PATH_DEVNULL, O_RDWR);
- if (nullfd != -1)
- {
- struct stat64 st;
- if (fstat64 (nullfd, &st) == 0 && S_ISCHR (st.st_mode) != 0
- #if defined DEV_NULL_MAJOR && defined DEV_NULL_MINOR
- && st.st_rdev == makedev (DEV_NULL_MAJOR, DEV_NULL_MINOR)
- #endif
- )
- {
- /* It is the /dev/null special device alright. */
- (void) dup2 (nullfd, STDIN_FILENO);
- (void) dup2 (nullfd, STDOUT_FILENO);
- (void) dup2 (nullfd, STDERR_FILENO);
- if (nullfd > 2)
- close (nullfd);
- }
- else
- {
- /* Ugh, somebody is trying to play a trick on us. */
- close (nullfd);
- nullfd = -1;
- }
- }
- int min_close_fd = nullfd == -1 ? 0 : STDERR_FILENO + 1;
- DIR *d = opendir ("/proc/self/fd");
- if (d != NULL)
- {
- struct dirent64 *dirent;
- int dfdn = dirfd (d);
- while ((dirent = readdir64 (d)) != NULL)
- {
- char *endp;
- long int fdn = strtol (dirent->d_name, &endp, 10);
- if (*endp == '\0' && fdn != dfdn && fdn >= min_close_fd
- && fdn != parent_fd)
- close ((int) fdn);
- }
- closedir (d);
- }
- else
- for (i = min_close_fd; i < getdtablesize (); i++)
- if (i != parent_fd)
- close (i);
- setsid ();
- if (chdir ("/") != 0)
- do_exit (EXIT_FAILURE, errno,
- _("cannot change current working directory to \"/\""));
- openlog ("nscd", LOG_CONS | LOG_ODELAY, LOG_DAEMON);
- if (write_pid (_PATH_NSCDPID) < 0)
- dbg_log ("%s: %s", _PATH_NSCDPID, strerror (errno));
- if (!init_logfile ())
- dbg_log (_("Could not create log file"));
- /* Ignore job control signals. */
- signal (SIGTTOU, SIG_IGN);
- signal (SIGTTIN, SIG_IGN);
- signal (SIGTSTP, SIG_IGN);
- }
- else
- /* In debug mode we are not paranoid. */
- paranoia = 0;
- signal (SIGINT, termination_handler);
- signal (SIGQUIT, termination_handler);
- signal (SIGTERM, termination_handler);
- signal (SIGPIPE, SIG_IGN);
- /* Cleanup files created by a previous 'bind'. */
- unlink (_PATH_NSCDSOCKET);
- #ifdef HAVE_INOTIFY
- /* Use inotify to recognize changed files. */
- inotify_fd = inotify_init1 (IN_NONBLOCK);
- # ifndef __ASSUME_IN_NONBLOCK
- if (inotify_fd == -1 && errno == ENOSYS)
- {
- inotify_fd = inotify_init ();
- if (inotify_fd != -1)
- fcntl (inotify_fd, F_SETFL, O_RDONLY | O_NONBLOCK);
- }
- # endif
- #endif
- #ifdef USE_NSCD
- /* Make sure we do not get recursive calls. */
- __nss_disable_nscd (register_traced_file);
- #endif
- /* Init databases. */
- nscd_init ();
- /* Start the SELinux AVC. */
- if (selinux_enabled)
- nscd_avc_init ();
- /* Handle incoming requests */
- start_threads ();
- return 0;
- }
- static void __attribute__ ((noreturn))
- invalidate_db (const char *dbname)
- {
- int sock = nscd_open_socket ();
- if (sock == -1)
- exit (EXIT_FAILURE);
- size_t dbname_len = strlen (dbname) + 1;
- size_t reqlen = sizeof (request_header) + dbname_len;
- struct
- {
- request_header req;
- char dbname[];
- } *reqdata = alloca (reqlen);
- reqdata->req.key_len = dbname_len;
- reqdata->req.version = NSCD_VERSION;
- reqdata->req.type = INVALIDATE;
- memcpy (reqdata->dbname, dbname, dbname_len);
- ssize_t nbytes = TEMP_FAILURE_RETRY (send (sock, reqdata, reqlen,
- MSG_NOSIGNAL));
- if (nbytes != reqlen)
- {
- int err = errno;
- close (sock);
- error (EXIT_FAILURE, err, _("write incomplete"));
- }
- /* Wait for ack. Older nscd just closed the socket when
- prune_cache finished, silently ignore that. */
- int32_t resp = 0;
- nbytes = TEMP_FAILURE_RETRY (read (sock, &resp, sizeof (resp)));
- if (nbytes != 0 && nbytes != sizeof (resp))
- {
- int err = errno;
- close (sock);
- error (EXIT_FAILURE, err, _("cannot read invalidate ACK"));
- }
- close (sock);
- if (resp != 0)
- error (EXIT_FAILURE, resp, _("invalidation failed"));
- exit (0);
- }
- static void __attribute__ ((noreturn))
- send_shutdown (void)
- {
- int sock = nscd_open_socket ();
- if (sock == -1)
- exit (EXIT_FAILURE);
- request_header req;
- req.version = NSCD_VERSION;
- req.type = SHUTDOWN;
- req.key_len = 0;
- ssize_t nbytes = TEMP_FAILURE_RETRY (send (sock, &req, sizeof req,
- MSG_NOSIGNAL));
- close (sock);
- exit (nbytes != sizeof (request_header) ? EXIT_FAILURE : EXIT_SUCCESS);
- }
- /* Handle program arguments. */
- static error_t
- parse_opt (int key, char *arg, struct argp_state *state)
- {
- switch (key)
- {
- case 'd':
- ++debug_level;
- run_mode = RUN_DEBUG;
- break;
- case 'p':
- print_cache = arg;
- break;
- case 'F':
- run_mode = RUN_FOREGROUND;
- break;
- case 'f':
- conffile = arg;
- break;
- case 'K':
- if (getuid () != 0)
- error (4, 0, _("Only root is allowed to use this option!"));
- else
- send_shutdown ();
- break;
- case 'g':
- get_stats = true;
- break;
- case 'i':
- {
- /* Validate the database name. */
- dbtype cnt;
- for (cnt = pwddb; cnt < lastdb; ++cnt)
- if (strcmp (arg, dbnames[cnt]) == 0)
- break;
- if (cnt == lastdb)
- {
- argp_error (state, _("'%s' is not a known database"), arg);
- return EINVAL;
- }
- }
- if (getuid () != 0)
- error (4, 0, _("Only root is allowed to use this option!"));
- else
- invalidate_db (arg);
- break;
- case 't':
- nthreads = atol (arg);
- break;
- case 'S':
- error (0, 0, _("secure services not implemented anymore"));
- break;
- default:
- return ARGP_ERR_UNKNOWN;
- }
- return 0;
- }
- /* Print bug-reporting information in the help message. */
- static char *
- more_help (int key, const char *text, void *input)
- {
- switch (key)
- {
- case ARGP_KEY_HELP_EXTRA:
- {
- /* We print some extra information. */
- char *tables = xstrdup (dbnames[0]);
- for (dbtype i = 1; i < lastdb; ++i)
- {
- char *more_tables;
- if (asprintf (&more_tables, "%s %s", tables, dbnames[i]) < 0)
- more_tables = NULL;
- free (tables);
- if (more_tables == NULL)
- return NULL;
- tables = more_tables;
- }
- char *tp;
- if (asprintf (&tp, gettext ("\
- Supported tables:\n\
- %s\n\
- \n\
- For bug reporting instructions, please see:\n\
- %s.\n\
- "), tables, REPORT_BUGS_TO) < 0)
- tp = NULL;
- free (tables);
- return tp;
- }
- default:
- break;
- }
- return (char *) text;
- }
- /* Print the version information. */
- static void
- print_version (FILE *stream, struct argp_state *state)
- {
- fprintf (stream, "nscd %s%s\n", PKGVERSION, VERSION);
- fprintf (stream, gettext ("\
- Copyright (C) %s Free Software Foundation, Inc.\n\
- This is free software; see the source for copying conditions. There is NO\n\
- warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\
- "), "2024");
- fprintf (stream, gettext ("Written by %s.\n"),
- "Thorsten Kukuk and Ulrich Drepper");
- }
- /* Create a socket connected to a name. */
- int
- nscd_open_socket (void)
- {
- struct sockaddr_un addr;
- int sock;
- sock = socket (PF_UNIX, SOCK_STREAM, 0);
- if (sock < 0)
- return -1;
- addr.sun_family = AF_UNIX;
- assert (sizeof (addr.sun_path) >= sizeof (_PATH_NSCDSOCKET));
- strcpy (addr.sun_path, _PATH_NSCDSOCKET);
- if (connect (sock, (struct sockaddr *) &addr, sizeof (addr)) < 0)
- {
- close (sock);
- return -1;
- }
- return sock;
- }
- /* Cleanup. */
- void
- termination_handler (int signum)
- {
- close_sockets ();
- /* Clean up the file created by 'bind'. */
- unlink (_PATH_NSCDSOCKET);
- /* Clean up pid file. */
- unlink (_PATH_NSCDPID);
- // XXX Terminate threads.
- /* Synchronize memory. */
- for (int cnt = 0; cnt < lastdb; ++cnt)
- {
- if (!dbs[cnt].enabled || dbs[cnt].head == NULL)
- continue;
- /* Make sure nobody keeps using the database. */
- dbs[cnt].head->timestamp = 0;
- if (dbs[cnt].persistent)
- // XXX async OK?
- msync (dbs[cnt].head, dbs[cnt].memsize, MS_ASYNC);
- }
- _exit (EXIT_SUCCESS);
- }
- /* Returns 1 if the process in pid file FILE is running, 0 if not. */
- static int
- check_pid (const char *file)
- {
- FILE *fp;
- fp = fopen (file, "r");
- if (fp)
- {
- pid_t pid;
- int n;
- n = fscanf (fp, "%d", &pid);
- fclose (fp);
- /* If we cannot parse the file default to assuming nscd runs.
- If the PID is alive, assume it is running. That all unless
- the PID is the same as the current process' since the latter
- can mean we re-exec. */
- if ((n != 1 || kill (pid, 0) == 0) && pid != getpid ())
- return 1;
- }
- return 0;
- }
- /* Write the current process id to the file FILE.
- Returns 0 if successful, -1 if not. */
- static int
- write_pid (const char *file)
- {
- FILE *fp;
- fp = fopen (file, "w");
- if (fp == NULL)
- return -1;
- fprintf (fp, "%d\n", getpid ());
- int result = fflush (fp) || ferror (fp) ? -1 : 0;
- fclose (fp);
- return result;
- }
- static int
- monitor_child (int fd)
- {
- int child_ret = 0;
- int ret = read (fd, &child_ret, sizeof (child_ret));
- /* The child terminated with an error, either via exit or some other abnormal
- method, like a segfault. */
- if (ret <= 0 || child_ret != 0)
- {
- int status;
- int err = wait (&status);
- if (err < 0)
- {
- fprintf (stderr, _("'wait' failed\n"));
- return 1;
- }
- if (WIFEXITED (status))
- {
- child_ret = WEXITSTATUS (status);
- fprintf (stderr, _("child exited with status %d\n"), child_ret);
- }
- if (WIFSIGNALED (status))
- {
- child_ret = WTERMSIG (status);
- fprintf (stderr, _("child terminated by signal %d\n"), child_ret);
- }
- }
- /* We have the child status, so exit with that code. */
- close (fd);
- return child_ret;
- }
- void
- do_exit (int child_ret, int errnum, const char *format, ...)
- {
- if (parent_fd != -1)
- {
- int ret __attribute__ ((unused));
- ret = write (parent_fd, &child_ret, sizeof (child_ret));
- assert (ret == sizeof (child_ret));
- close (parent_fd);
- }
- if (format != NULL)
- {
- /* Emulate error() since we don't have a va_list variant for it. */
- va_list argp;
- fflush (stdout);
- fprintf (stderr, "%s: ", program_invocation_name);
- va_start (argp, format);
- vfprintf (stderr, format, argp);
- va_end (argp);
- fprintf (stderr, ": %s\n", strerror (errnum));
- fflush (stderr);
- }
- /* Finally, exit. */
- exit (child_ret);
- }
- void
- notify_parent (int child_ret)
- {
- if (parent_fd == -1)
- return;
- int ret __attribute__ ((unused));
- ret = write (parent_fd, &child_ret, sizeof (child_ret));
- assert (ret == sizeof (child_ret));
- close (parent_fd);
- parent_fd = -1;
- }
|