From 5a318ce649a7a5f754892518a4452a519b41dac8 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 4 Dec 2020 07:25:12 +0000 Subject: Big signal/command semantics change to svscan/supervise; add s6-svperms. --- .gitignore | 1 + NEWS | 11 +- doc/index.html | 1 + doc/overview.html | 24 +++ doc/s6-supervise.html | 28 ++-- doc/s6-svperms.html | 135 +++++++++++++++++ doc/s6-svscan.html | 149 +++++++++---------- doc/s6-svscanctl.html | 75 ++++------ doc/servicedir.html | 9 -- doc/upgrade.html | 16 +- package/deps.mak | 5 +- package/modes | 1 + package/targets.mak | 1 + src/libs6/ftrigw_fifodir_make.c | 6 +- src/supervision/deps-exe/s6-supervise | 2 +- src/supervision/deps-exe/s6-svperms | 1 + src/supervision/s6-supervise.c | 108 ++++++-------- src/supervision/s6-svc.c | 3 +- src/supervision/s6-svperms.c | 272 ++++++++++++++++++++++++++++++++++ src/supervision/s6-svscan.c | 2 +- 20 files changed, 620 insertions(+), 230 deletions(-) create mode 100644 doc/s6-svperms.html create mode 100644 src/supervision/deps-exe/s6-svperms create mode 100644 src/supervision/s6-svperms.c diff --git a/.gitignore b/.gitignore index 98f7368..93a1802 100644 --- a/.gitignore +++ b/.gitignore @@ -23,6 +23,7 @@ /s6-svwait /s6-svlisten1 /s6-svlisten +/s6-svperms /s6-notifyoncheck /s6-svdt /s6-svdt-clear diff --git a/NEWS b/NEWS index 52c3405..4998b5b 100644 --- a/NEWS +++ b/NEWS 
@@ -4,7 +4,16 @@ In 2.10.0.0 ----------- - Bugfixes. - - Changes to s6-svscan and s6-svscanctl. + - Changes to s6-svscan and s6-svscanctl: the list of commands +that can be sent to s6-svscan has been thoroughly cleaned up. +s6-svscan now scans and prunes on SIGHUP. + - Changes to s6-supervise and s6-svc: -X not supported anymore, +nosetsid not supported anymore. SIGHUP now properly closes +stdin/stdout to allow the service to naturally exit on EOF; +SIGQUIT semantics changed to immediately bail. SIGINT is now +trapped and forwarded to the service's process group. + - New binary: s6-svperms, implementing a split permissions +model. (By default, everything is the same as before.) In 2.9.2.0 diff --git a/doc/index.html b/doc/index.html index 9a01f14..ceb854e 100644 --- a/doc/index.html +++ b/doc/index.html @@ -161,6 +161,7 @@ a user interface to control those processes and monitor service states.
  • The s6-svc program
  • The s6-svok program
  • The s6-svstat program
  • +
  • The s6-svperms program
  • The s6-svwait program
  • The s6-svlisten1 program
  • The s6-svlisten program
  • diff --git a/doc/overview.html b/doc/overview.html index 1b4cb5d..9e41824 100644 --- a/doc/overview.html +++ b/doc/overview.html @@ -379,6 +379,30 @@ implemented for instance in the s6-rc package.

    +

    Fine-grained control over services

    + +

    + s6 provides you with a few more tools to control and monitor your +services. services. For instance: +

    + + + +

    + These tools make s6 the most powerful and flexible of the existing +process supervision suites. +

    +

    Additional utilities

    diff --git a/doc/s6-supervise.html b/doc/s6-supervise.html index 2926f83..94504e3 100644 --- a/doc/s6-supervise.html +++ b/doc/s6-supervise.html @@ -108,11 +108,15 @@ daemon as fdmove -c 2 1 fdmove 1 3 prog... (in execline), or

    @@ -183,17 +187,9 @@ better to have a collection of service directories single scan directory, and just run s6-svscan on that scan directory. s6-svscan will spawn the necessary s6-supervise processes, and will also take care of logged services. -
  • s6-supervise is not supposed to have a controlling terminal: it's generally -launched by a s6-svscan process that itself does not -have a controlling terminal. If you run s6-supervise from an interactive shell, be -warned that typing ^C in the controlling terminal (which sends a SIGINT to -all processes in the foreground process group in the terminal) will terminate -s6-supervise, but not the supervised processes - so, the daemon will keep running -as an orphan. This is by design: supervised processes should be as resilient as -possible, even when their supervisors die. However, if you want to launch -s6-supervise from an interactive shell and need your service to die when you ^C it, -you can obtain this behaviour by creating a ./nosetsid file in the -service directory.
  • +
  • s6-supervise always spawns its child in a new session, as a session leader. +The goal is to protect the supervision tree from misbehaved services that would +send signals to their whole process group.
  • You can use s6-svc to send commands to the s6-supervise process; mostly to change the service state and send signals to the monitored process.
  • diff --git a/doc/s6-svperms.html b/doc/s6-svperms.html new file mode 100644 index 0000000..5b5d485 --- /dev/null +++ b/doc/s6-svperms.html @@ -0,0 +1,135 @@ + + + + + + s6: the s6-svperms program + + + + + + +

    +s6
    +Software
    +skarnet.org +

    + +

    The s6-svperms program

    + +

    +s6-svperms allows the user to see, or modify, for a given +list of services: who can read their states, who can send them +control commands, and who can subscribe to up/down events for those +services. +

    + +

    Interface

    + +
    +     s6-svperms [ -v ] [ -u | -g group | -G group | -o | -O group ] [ -e | -E group ] servicedirs...
    +
    + +

    + Without options, or with only the -v option, +s6-svperms prints 3 lines to stdout for every service directory +listed in servicedirs. Every line contains the name +of the service directory, then the following information: +

    + + + +

    + If something goes wrong while reading a part of the configuration of +a service directory, s6-svperms does not print the corresponding +line to stdout; instead, it prints a warning message to stderr. +

    + +

    + When invoked with other options, s6-svperms modifies the +permissions of the service directories listed in servicedirs... as +specified by the options. The same permissions will be applied to all +the services listed in servicedirs.... +

    + +

    Options

    + + + +

    + group is normally a group name that will be searched in the group +database. But if it starts with a colon (:), the rest of group +will be interpreted as a numerical gid, and the group database will not be read. +

    + +

    Exit codes

    + + + +

    Notes

    + + + + + diff --git a/doc/s6-svscan.html b/doc/s6-svscan.html index 3a93e00..5d92174 100644 --- a/doc/s6-svscan.html +++ b/doc/s6-svscan.html @@ -27,7 +27,7 @@ the root or a branch of a supervision tree.

    Interface

    -     s6-svscan [ -S | -s ] [ -d notif ] [ -X consoleholder ] [ -c max ] [ -t rescan ] [ scandir ]
    +     s6-svscan [ -d notif ] [ -X consoleholder ] [ -c max ] [ -t rescan ] [ scandir ]
     

    Options

    Signals

    - s6-svscan always reacts to the following signals: + s6-svscan has special handling for the following signals:

    - By default, it also reacts to the following signals: + Signals that are not in the above list are not caught by s6-svscan and will +have the system's default effect.

    - -

    - But if the -s option was given, then instead of those default actions, -s6-svscan uses configurable handlers: it forks and executes a program every time -it receives one of the following signals. + The behaviour for the first three signals in the list is always fixed:

    - If an action cannot be taken (the relevant file doesn't exist, or isn't -executable, or any kind of error happens), s6-svscan prints a warning -message to its standard error but does nothing else with the signal. -

    - -

    - The -s mechanism is useful, for instance, when s6-svscan is running as -process 1 and needs to trap signals such as SIGINT (sent on some systems by -a Ctrl-Alt-Del press) in order to perform some specific work instead of -executing into .s6-svscan/finish on the spot. + The behaviour for the rest of the list is configurable: on receipt of a +SIGFOO, +s6-svscan will try to run an executable .s6-svscan/SIGFOO file. For +instance, a .s6-svscan/SIGTERM executable script will be run on receipt of +a SIGTERM. If the file cannot be found, or cannot be executed for any reason, the +default behaviour for the signal will be applied. Default behaviours are:

    -

    - s6-svscan will not exit its loop on its own when it receives a signal such as -SIGINT and the -s option has been given. To make it exit its loop, -invoke a s6-svscanctl command from the signal -handling script. For instance, a .s6-svscan/SIGINT script could look -like this: -

    - -
      #!/command/execlineb -P
    -  foreground { shutdown-the-services }
    -  s6-svscanctl -i .
    -
    +

    The reaper

    @@ -189,9 +189,10 @@ one second later.

    The scanner

    - Every rescan milliseconds, or upon receipt of a SIGALRM or a + Upon receipt of a SIGALRM or a s6-svscanctl -a command, s6-svscan runs a -scanner routine. +scanner routine. (It also runs it every rescan milliseconds +if the -t option has been given.)

    @@ -217,8 +218,8 @@ Every service the scanner finds is flagged as "active". started in an earlier scan, but the current scan can't find the corresponding directory, the service is then flagged as inactive. No command is sent to stop inactive s6-supervise processes (unless the administrator -uses s6-svscanctl -n), but inactive -s6-supervise processes will not be restarted if they die. +uses s6-svscanctl -n or a SIGHUP), but +inactive s6-supervise processes will not be restarted if they die.

    Notes

    @@ -238,22 +239,10 @@ process commands at any time, even when the computer is in trouble. memory. However, s6-svscan uses opendir(), and most opendir() implementations internally use heap memory - so unfortunately, it's impossible to guarantee that s6-svscan does not use heap memory at all. -
  • When run with the -t0 option, s6-svscan never polls, -it only wakes up on notifications, just like s6-supervise. The s6 supervision -tree can be used in energy-critical environments.
  • -
  • The supervision tree (i.e. the tree of processes made of s6-svscan and -all its scions) is not supposed to have a controlling terminal; s6-svscan -generally is either process 1 or a child of process 1, not something that is -launched from a terminal. If you run s6-svscan from an interactive shell, be -warned that typing ^C in the controlling terminal (which sends a SIGINT to -all processes in the foreground process group in the terminal) will terminate -the supervision tree, but not the supervised processes - so, the supervised -processes will keep running as orphans. This is by design: supervised -processes should be as resilient as possible, even when their supervisors -die. However, if you want to launch s6-svscan from an interactive shell and -need your services to die with the supervision tree when you ^C it, you can -obtain this behaviour by creating ./nosetsid files in every -service directory.
  • +
  • Unless run with a nonzero -t option, which is only a legacy +feature used to emulate other supervision suites such as daemontools or runit, +s6-svscan never polls; it only wakes up on notifications. +The s6 supervision tree can be used in energy-critical environments.
  • diff --git a/doc/s6-svscanctl.html b/doc/s6-svscanctl.html index ae0f8ee..6340c14 100644 --- a/doc/s6-svscanctl.html +++ b/doc/s6-svscanctl.html @@ -26,82 +26,57 @@ process.

    Interface

    -     s6-svscanctl [ -phratszbnNiq0678 ] svscandir
    +     s6-svscanctl [ -zabhitqnN ] scandir
     

    s6-svscanctl sends the given series of commands to the s6-svscan process monitoring the -svscandir directory, then exits 0. It exits 111 if it cannot send -a command, or 100 if no s6-svscan process is running on svscandir. +scandir directory, then exits 0. It exits 111 if it cannot send +a command, or 100 if no s6-svscan process is running on scandir.

    Options

    -

    Usage examples

    - -
     s6-svscanctl -an /service 
    -

    - Updates the process supervision tree -to exactly match the services listed in /service. -

    - -
     s6-svscanctl -6 /service 
    -

    - Orders the s6-svscan process monitoring /service to exit in -reboot mode: all the supervision tree at /service will be terminated, -and s6-svscan will execute into the /service/.s6-svscan/finish -script with the reboot argument. -

    -

    Internals

    -s6-svscanctl writes control commands into the svscandir/.s6-svscan/control -FIFO. An s6-svscan process running on svscandir will be listening to this FIFO, +s6-svscanctl writes control commands into the scandir/.s6-svscan/control +FIFO. An s6-svscan process running on scandir will be listening to this FIFO, and will read and interpret those commands.

    diff --git a/doc/servicedir.html b/doc/servicedir.html index fa7f974..d8d7c8d 100644 --- a/doc/servicedir.html +++ b/doc/servicedir.html @@ -122,15 +122,6 @@ must be writable. the default state of the service is considered down, not up: s6-supervise will not automatically start it until it receives a s6-svc -u command. If no down file exists, the default state of the service is up. -
  • An optional, empty, regular file named nosetsid. -If this file exists and starts with the word setpgrp, s6-supervise will run the service -in a new process group (the run script will be a process group leader), but not in a new session. -If this file exists and does not start with setpgrp, -s6-supervise will start the service in the same session and process group as itself. -If no nosetsid file exists, the service has its own process group and is started -as a session leader - which is the default and should normally not be changed. Using the -nosetsid file is a hack; it should only be used in testing environments for -job control convenience, and probably never outside that use case.
  • An optional regular file named notification-fd. If such a file exists, it means that the service supports readiness notification. The file must only diff --git a/doc/upgrade.html b/doc/upgrade.html index 5837345..f49cc0f 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html @@ -25,8 +25,20 @@ dependency bumped to 2.10.0.0.
  • execline dependency bumped to 2.7.0.0.
  • -
  • s6-svscan and -s6-svscanctl have changed.
  • +
  • Commands received by s6-svscan and +sent by s6-svscanctl have changed significantly. +Different semantics of SIGHUP for s6-svscan.
  • +
  • Commands received by s6-supervise and +sent by s6-svc have changed slightly +(no s6-svc -X anymore). Different semantics of SIGHUP and SIGQUIT +for s6-supervise.
  • +
  • s6-supervise now handles SIGINT +appropriately, by forwarding it to its child's process group.
  • +
  • The nosetsid file is not recognized anymore in service +directories. s6-supervise now always starts +it child as a session leader.
  • +
  • Split permissions on service control are now officially supported. +New binary: s6-svperms.
  • in 2.9.2.0

    diff --git a/package/deps.mak b/package/deps.mak index 08b7aec..5c43a12 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -125,6 +125,7 @@ src/supervision/s6-svdt.o src/supervision/s6-svdt.lo: src/supervision/s6-svdt.c src/supervision/s6-svlisten.o src/supervision/s6-svlisten.lo: src/supervision/s6-svlisten.c src/supervision/s6-svlisten.h src/include/s6/compat.h src/supervision/s6-svlisten1.o src/supervision/s6-svlisten1.lo: src/supervision/s6-svlisten1.c src/supervision/s6-svlisten.h src/supervision/s6-svok.o src/supervision/s6-svok.lo: src/supervision/s6-svok.c src/include/s6/s6-supervise.h +src/supervision/s6-svperms.o src/supervision/s6-svperms.lo: src/supervision/s6-svperms.c src/include/s6/s6-supervise.h src/supervision/s6-svscan.o src/supervision/s6-svscan.lo: src/supervision/s6-svscan.c src/include/s6/config.h src/include/s6/s6-supervise.h src/supervision/s6-svscanctl.o src/supervision/s6-svscanctl.lo: src/supervision/s6-svscanctl.c src/include/s6/s6-supervise.h src/supervision/s6-svstat.o src/supervision/s6-svstat.lo: src/supervision/s6-svstat.c src/include/s6/s6-supervise.h @@ -228,7 +229,7 @@ s6-notifyoncheck: src/supervision/s6-notifyoncheck.o ${LIBS6} s6-permafailon: EXTRA_LIBS := -lskarnet ${SYSCLOCK_LIB} s6-permafailon: src/supervision/s6-permafailon.o ${LIBS6} s6-supervise: EXTRA_LIBS := -lskarnet ${SYSCLOCK_LIB} -s6-supervise: src/supervision/s6-supervise.o ${LIBS6} +s6-supervise: src/supervision/s6-supervise.o libs6.a.xyzzy s6-svc: EXTRA_LIBS := -lskarnet s6-svc: src/supervision/s6-svc.o ${LIBS6} s6-svdt: EXTRA_LIBS := -lskarnet 
@@ -241,6 +242,8 @@ s6-svlisten1: EXTRA_LIBS := -lskarnet ${SOCKET_LIB} ${SYSCLOCK_LIB} ${SPAWN_LIB} s6-svlisten1: src/supervision/s6-svlisten1.o src/supervision/s6_svlisten_signal_handler.o src/supervision/s6_svlisten_loop.o ${LIBS6} s6-svok: EXTRA_LIBS := -lskarnet s6-svok: src/supervision/s6-svok.o ${LIBS6} +s6-svperms: EXTRA_LIBS := -lskarnet +s6-svperms: src/supervision/s6-svperms.o s6-svscan: EXTRA_LIBS := -lskarnet ${SYSCLOCK_LIB} ${SPAWN_LIB} s6-svscan: src/supervision/s6-svscan.o s6-svscanctl: EXTRA_LIBS := -lskarnet diff --git a/package/modes b/package/modes index 851c316..d8690ea 100644 --- a/package/modes +++ b/package/modes @@ -19,6 +19,7 @@ s6-svdt-clear 0755 s6-svwait 0755 s6-svlisten1 0755 s6-svlisten 0755 +s6-svperms 0755 s6-notifyoncheck 0755 s6-permafailon 0755 s6-applyuidgid 0700 diff --git a/package/targets.mak b/package/targets.mak index 1a17cdc..ca447b8 100644 --- a/package/targets.mak +++ b/package/targets.mak @@ -20,6 +20,7 @@ s6-permafailon \ s6-svwait \ s6-svlisten1 \ s6-svlisten \ +s6-svperms \ s6-notifyoncheck \ s6-envdir \ s6-envuidgid \ diff --git a/src/libs6/ftrigw_fifodir_make.c b/src/libs6/ftrigw_fifodir_make.c index 86e9310..df12e25 100644 --- a/src/libs6/ftrigw_fifodir_make.c +++ b/src/libs6/ftrigw_fifodir_make.c @@ -8,7 +8,7 @@ int ftrigw_fifodir_make (char const *path, gid_t gid, int force) { mode_t m = umask(0) ; - if (mkdir(path, 0700) == -1) + if (mkdir(path, 0700) < 0) { struct stat st ; umask(m) ; @@ -19,7 +19,7 @@ int ftrigw_fifodir_make (char const *path, gid_t gid, int force) if (!force) return 1 ; } else umask(m) ; - if ((gid != (gid_t)-1) && (chown(path, -1, gid) == -1)) return 0 ; - if (chmod(path, (gid != (gid_t)-1) ? 03730 : 01733) == -1) return 0 ; + if ((gid != (gid_t)-1) && (chown(path, -1, gid) < 0)) return 0 ; + if (chmod(path, gid != (gid_t)-1 ? 03730 : 01733) < 0) return 0 ; return 1 ; } diff --git a/src/supervision/deps-exe/s6-supervise b/src/supervision/deps-exe/s6-supervise index b1e57e4..34dc00e 100644 
--- a/src/supervision/deps-exe/s6-supervise +++ b/src/supervision/deps-exe/s6-supervise @@ -1,3 +1,3 @@ -${LIBS6} +libs6.a.xyzzy -lskarnet ${SYSCLOCK_LIB} diff --git a/src/supervision/deps-exe/s6-svperms b/src/supervision/deps-exe/s6-svperms new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/supervision/deps-exe/s6-svperms @@ -0,0 +1 @@ +-lskarnet diff --git a/src/supervision/s6-supervise.c b/src/supervision/s6-supervise.c index a8be37d..a175f0a 100644 --- a/src/supervision/s6-supervise.c +++ b/src/supervision/s6-supervise.c @@ -40,9 +40,9 @@ typedef enum trans_e trans_t, *trans_t_ref ; enum trans_e { - V_TIMEOUT, V_CHLD, V_TERM, V_HUP, V_QUIT, - V_a, V_b, V_q, V_h, V_k, V_t, V_i, V_1, V_2, V_f, V_F, V_p, V_c, V_y, V_r, - V_o, V_d, V_u, V_x, V_O, V_X + V_TIMEOUT, V_CHLD, V_TERM, V_HUP, V_QUIT, V_INT, + V_a, V_b, V_q, V_h, V_k, V_t, V_i, V_1, V_2, V_p, V_c, V_y, V_r, + V_o, V_d, V_u, V_x, V_O } ; typedef enum state_e state_t, *state_t_ref ; @@ -140,14 +140,22 @@ static void bail (void) cont = 0 ; } +static void sigint (void) +{ + pid_t pgid = getpgid(status.pid) ; + if (pgid == -1) strerr_warnwu1sys("getpgid") ; + else killpg(pgid, SIGINT) ; + bail() ; +} + static void closethem (void) { - close(0) ; - close(1) ; - close(2) ; - open_readb("/dev/null") ; - open_write("/dev/null") ; ndelay_off(1) ; - open_write("/dev/null") ; ndelay_off(2) ; + fd_close(0) ; + fd_close(1) ; + if (open_readb("/dev/null")) + strerr_warnwu2sys("open /dev/null for ", "reading") ; + else if (open_write("/dev/null") != 1 || ndelay_off(1) < 0) + strerr_warnwu2sys("open /dev/null for ", "writing") ; } static void killa (void) 
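Review bot: In the new closethem(), descriptors 0 and 1 are closed before /dev/null is opened, so if `open_readb("/dev/null")` fails both stay closed and the write side is never attempted. Any later open() in the supervisor would then land on fd 0 or 1, and a finish script started afterwards would presumably inherit whatever ends up there. Opening /dev/null first and moving the result over 0 and 1 never leaves a standard descriptor closed; the trade-off is that on failure the service keeps its original stdin/stdout and does not see EOF. The sketch assumes skalibs' `fd_move(to, from)` is available in this file.
```c
static void closethem (void)
{
  int fd = open_readb("/dev/null") ;
  if (fd < 0 || fd_move(0, fd) < 0)
    strerr_warnwu2sys("open /dev/null for ", "reading") ;
  fd = open_write("/dev/null") ;
  if (fd < 0 || fd_move(1, fd) < 0 || ndelay_off(1) < 0)
    strerr_warnwu2sys("open /dev/null for ", "writing") ;
}
```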
@@ -226,24 +234,6 @@ static void failcoe (int fd) errno = e ; } -static int maybesetsid (void) -{ - char buf[8] = "-------" ; - ssize_t r = openreadnclose("nosetsid", buf, 8) ; - if (r < 0) - { - if (errno != ENOENT) return 0 ; - setsid() ; - } - else - { - if (r == 8 && buf[7] == '\n') buf[--r] = 0 ; - if (r == 7 && !strncasecmp(buf, "setpgrp", 7)) - setpgid(0, 0) ; - } - return 1 ; -} - static void trystart (void) { int p[2] ; @@ -285,11 +275,7 @@ static void trystart (void) failcoe(p[1]) ; strerr_diefu1sys(127, "move notification descriptor") ; } - if (!maybesetsid()) - { - failcoe(p[1]) ; - strerr_diefu1sys(127, "access ./nosetsid") ; - } + setsid() ; execv("./run", (char *const *)cargv) ; failcoe(p[1]) ; strerr_dieexec(127, "run") ; @@ -407,7 +393,7 @@ static int uplastup_z (void) selfpipe_finish() ; fmt0[uint_fmt(fmt0, WIFSIGNALED(status.wstat) ? 256 : WEXITSTATUS(status.wstat))] = 0 ; fmt1[uint_fmt(fmt1, WTERMSIG(status.wstat))] = 0 ; - maybesetsid() ; + setsid() ; execv("./finish", cargv) ; _exit(127) ; } @@ -481,17 +467,12 @@ static void up_u (void) static void up_x (void) { state = LASTUP ; -} - -static void up_X (void) -{ closethem() ; - up_x() ; } static void up_term (void) { - up_x() ; + state = LASTUP ; up_d() ; } @@ -522,12 +503,7 @@ static void finish_u (void) static void finish_x (void) { state = LASTFINISH ; -} - -static void finish_X (void) -{ closethem() ; - finish_x() ; } static void lastfinish_z (void) 
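Review bot: The bare `setsid() ;` before `execv("./run", …)` in trystart, and the one before `execv("./finish", …)` in uplastup_z, discard the return value without saying why. The updated documentation relies on the new session to keep a misbehaving service from signalling the supervisor's process group, so the call deserves a one-line comment such as `/* cannot fail: a freshly forked child is never a process group leader */`. That assumes both calls sit in the child branch after fork(), which these hunks do not show. Both functions start and end outside their hunks.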
@@ -536,23 +512,23 @@ static void lastfinish_z (void) bail() ; } -static action_t_ref const actions[5][26] = -{ - { &downtimeout, &nop, &bail, &bail, &bail, - &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, - &down_o, &down_d, &down_u, &bail, &down_O, &bail }, - { &uptimeout, &up_z, &up_term, &up_x, &up_X, - &killa, &killb, &killq, &killh, &killk, &killt, &killi, &kill1, &kill2, &nop, &nop, &killp, &killc, &killy, &killr, - &up_o, &up_d, &up_u, &up_x, &up_o, &up_X }, - { &finishtimeout, &finish_z, &finish_x, &finish_x, &finish_X, - &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, - &up_o, &down_d, &finish_u, &finish_x, &up_o, &finish_X }, - { &uptimeout, &lastup_z, &up_d, &nop, &closethem, - &killa, &killb, &killq, &killh, &killk, &killt, &killi, &kill1, &kill2, &nop, &nop, &killp, &killc, &killy, &killr, - &up_o, &up_d, &nop, &nop, &up_o, &closethem }, - { &finishtimeout, &lastfinish_z, &nop, &nop, &closethem, - &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, - &nop, &nop, &nop, &nop, &nop, &closethem } +static action_t_ref const actions[5][24] = +{ + { &downtimeout, &nop, &bail, &bail, &bail, &bail, + &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, + &down_o, &down_d, &down_u, &bail, &down_O }, + { &uptimeout, &up_z, &up_term, &up_x, &bail, &sigint, + &killa, &killb, &killq, &killh, &killk, &killt, &killi, &kill1, &kill2, &killp, &killc, &killy, &killr, + &up_o, &up_d, &up_u, &up_x, &up_o }, + { &finishtimeout, &finish_z, &finish_x, &finish_x, &bail, &sigint, + &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, + &up_o, &down_d, &finish_u, &finish_x, &up_o }, + { &uptimeout, &lastup_z, &up_d, &closethem, &bail, &sigint, + &killa, &killb, &killq, &killh, &killk, &killt, &killi, &kill1, &kill2, &killp, &killc, &killy, &killr, + &up_o, &up_d, &nop, &nop, &up_o }, + { &finishtimeout, 
&lastfinish_z, &nop, &closethem, &bail, &sigint, + &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, &nop, + &nop, &nop, &nop, &nop, &nop } } ; @@ -615,6 +591,9 @@ static inline void handle_signals (void) case SIGQUIT : (*actions[state][V_QUIT])() ; break ; + case SIGINT : + (*actions[state][V_INT])() ; + break ; default : strerr_dief1x(101, "internal error: inconsistent signal state. Please submit a bug-report.") ; } @@ -631,8 +610,8 @@ static inline void handle_control (int fd) else if (!r) break ; else { - size_t pos = byte_chr("abqhkti12fFpcyroduxOX", 21, c) ; - if (pos < 21) (*actions[state][V_a + pos])() ; + size_t pos = byte_chr("abqhkti12pcyroduxO", 18, c) ; + if (pos < 18) (*actions[state][V_a + pos])() ; } } } @@ -736,10 +715,11 @@ int main (int argc, char const *const *argv) { sigset_t set ; sigemptyset(&set) ; + sigaddset(&set, SIGCHLD) ; sigaddset(&set, SIGTERM) ; sigaddset(&set, SIGHUP) ; sigaddset(&set, SIGQUIT) ; - sigaddset(&set, SIGCHLD) ; + sigaddset(&set, SIGINT) ; if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; } diff --git a/src/supervision/s6-svc.c b/src/supervision/s6-svc.c index 3e024d6..a189d24 100644 --- a/src/supervision/s6-svc.c +++ b/src/supervision/s6-svc.c @@ -28,7 +28,7 @@ int main (int argc, char const *const *argv) subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - int opt = subgetopt_r(argc, argv, "abqhkti12pcyroduxOXT:w:", &l) ; + int opt = subgetopt_r(argc, argv, "abqhkti12pcyroduxOT:w:", &l) ; if (opt == -1) break ; switch (opt) { @@ -50,7 +50,6 @@ int main (int argc, char const *const *argv) case 'u' : case 'x' : case 'O' : - case 'X' : { if (datalen >= DATASIZE) strerr_dief1x(100, "too many commands") ; data[datalen++] = opt ; diff --git a/src/supervision/s6-svperms.c b/src/supervision/s6-svperms.c new file mode 100644 index 0000000..178ea08 --- /dev/null +++ b/src/supervision/s6-svperms.c 
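Review bot: In handle_control the command string and its length are both spelled as literals (`byte_chr("abqhkti12pcyroduxO", 18, c)`), and the result indexes `actions[state][V_a + pos]`. The string, the `V_a … V_O` run in `enum trans_e` and the 24-column table therefore have to be edited together by hand, as this commit does. The byte is read from the control FIFO, so a future mismatch would become an out-of-range function-pointer lookup driven by whoever may write to that FIFO. Consider a comment above the call, e.g. `/* order and count must match V_a..V_O in enum trans_e and the columns of actions[][] */`, and deriving the length from the literal rather than repeating it. handle_control starts and ends outside the hunk.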
@@ -0,0 +1,272 @@ +/* ISC license. */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include + +#define USAGE "s6-svperms [ -v ] [ -u | -g group | -G group | -o | -O group ] [ -e | -E group ] servicedir..." +#define dieusage() strerr_dieusage(100, USAGE) + +static gid_t scangid (char const *s) +{ + if (s[0] == ':') + { + gid_t g ; + if (!gid0_scan(s+1, &g)) dieusage() ; + return g ; + } + else + { + struct group *gr ; + errno = 0 ; + gr = getgrnam(s) ; + if (!gr) + { + if (errno) strerr_diefu1sys(111, "getgrnam") ; + else strerr_diefu3x(100, "find entry for ", s, " in group database") ; + } + return gr->gr_gid ; + } +} + +static char *gidname (gid_t gid) +{ + struct group *gr ; + errno = 0 ; + gr = getgrgid(gid) ; + if (!gr) + { + static char fmt[GID_FMT] ; + fmt[gid_fmt(fmt, gid)] = 0 ; + if (errno) strerr_warnwu2sys("getgrgid ", fmt) ; + return fmt ; + } + return gr->gr_name ; +} + +static void out (char const *s) +{ + if (buffer_puts(buffer_1, s) < 0) + strerr_diefu1sys(111, "write to stdout") ; +} + +static inline int printsupervise (char const *dir) +{ + struct stat st ; + size_t len = strlen(dir) ; + char fn[len + sizeof(S6_SUPERVISE_CTLDIR) + 9] ; + memcpy(fn, dir, len) ; + memcpy(fn + len, "/" S6_SUPERVISE_CTLDIR, sizeof(S6_SUPERVISE_CTLDIR) + 1) ; + if (stat(fn, &st) < 0) + { + strerr_warnwu2sys("stat ", fn) ; + return 1 ; + } + if (!S_ISDIR(st.st_mode)) + { + strerr_warnw2x(fn, " is not a directory") ; + return 1 ; + } + if (st.st_mode & 05066 || (st.st_mode & 0700) != 0700 || ((st.st_mode & 0001) && !(st.st_mode & 0010))) + { + char fmt[UINT_OFMT] ; + fmt[uint_ofmt(fmt, st.st_mode & 07777)] = 0 ; + strerr_warnw3x(fn, " has incorrect permissions: ", fmt) ; + return 1 ; + } + out(dir) ; + out(" status: ") ; + if (st.st_mode & 0011) + { + if (st.st_mode & 0001) buffer_puts(buffer_1, "public") ; + else + { + out("group ") ; + out(gidname(st.st_gid)) ; + } + } + else out("owner") ; + out("\n") ; + 
memcpy(fn + len + sizeof(S6_SUPERVISE_CTLDIR), "/control", 9) ; + if (stat(fn, &st) < 0) + { + strerr_warnwu2sys("stat ", fn) ; + return 1 ; + } + if (!S_ISFIFO(st.st_mode)) + { + strerr_warnw2x(fn, " is not a named pipe") ; + return 1 ; + } + if (st.st_mode & 0157) + { + char fmt[UINT_OFMT] ; + fmt[uint_ofmt(fmt, st.st_mode & 07777)] = 0 ; + strerr_warnw3x(fn, " has incorrect permissions: ", fmt) ; + return 1 ; + } + out(dir) ; + out(" control: ") ; + if (st.st_mode & 0020) + { + out("group ") ; + out(gidname(st.st_gid)) ; + } + else out("owner") ; + out("\n") ; + return 0 ; +} + +static inline int printevent (char const *dir) +{ + struct stat st ; + size_t len = strlen(dir) ; + char fn[len + sizeof(S6_SUPERVISE_EVENTDIR) + 1] ; + memcpy(fn, dir, len) ; + memcpy(fn + len, "/" S6_SUPERVISE_EVENTDIR, sizeof(S6_SUPERVISE_EVENTDIR) + 1) ; + if (stat(fn, &st) < 0) + { + strerr_warnwu2sys("stat ", fn) ; + return 1 ; + } + if (!S_ISDIR(st.st_mode)) + { + strerr_warnw2x(fn, " is not a directory") ; + return 1 ; + } + if ((st.st_mode & 07777) != 01733 && (st.st_mode & 07777) != 03730) + { + char fmt[UINT_OFMT] ; + fmt[uint_ofmt(fmt, st.st_mode & 07777)] = 0 ; + strerr_warnw3x(fn, " has incorrect permissions: ", fmt) ; + return 1 ; + } + out(dir) ; + out(" events: ") ; + if ((st.st_mode & 07777) == 03730) + { + out("group ") ; + out(gidname(st.st_gid)) ; + } + else out("public") ; + out("\n") ; + return 0 ; +} + +static gid_t primarygid (char const *fn) +{ + struct passwd *pw ; + struct stat st ; + if (stat(fn, &st) < 0) strerr_diefu2sys(111, "stat ", fn) ; + errno = 0 ; + pw = getpwuid(st.st_uid) ; + if (!pw) + { + strerr_warnwu3sys("determine primary gid for the owner of ", fn, " (using root instead)") ; + return 0 ; + } + else return pw->pw_gid ; +} + +static inline void modsupervise (char const *dir, unsigned int what, gid_t gid) +{ + size_t len = strlen(dir) ; + gid_t cgid = 0 ; + mode_t mode = 0700 ; + char fn[len + sizeof(S6_SUPERVISE_CTLDIR) + 9] ; + memcpy(fn, dir, 
len) ; + memcpy(fn + len, "/" S6_SUPERVISE_CTLDIR, sizeof(S6_SUPERVISE_CTLDIR) + 1) ; + switch (what & 3) + { + case 0 : cgid = primarygid(fn) ; mode = 0700 ; break ; + case 1 : cgid = gid ; mode = 0710 ; break ; + case 2 : cgid = primarygid(fn) ; mode = 0711 ; break ; + } + if (chown(fn, -1, cgid) < 0) + strerr_diefu2sys(111, "chown ", fn) ; + if (chmod(fn, mode) < 0) + strerr_diefu2sys(111, "chmod ", fn) ; + memcpy(fn + len + sizeof(S6_SUPERVISE_CTLDIR), "/control", 9) ; + if (what & 4) mode = 0620 ; + else + { + gid = primarygid(fn) ; + mode = 0600 ; + } + if (chown(fn, -1, gid) < 0) + strerr_diefu2sys(111, "chown ", fn) ; + if (chmod(fn, mode) < 0) + strerr_diefu2sys(111, "chmod ", fn) ; +} + +static inline void modevent (char const *dir, gid_t gid) +{ + size_t len = strlen(dir) ; + mode_t mode ; + char fn[len + sizeof(S6_SUPERVISE_EVENTDIR) + 1] ; + memcpy(fn, dir, len) ; + memcpy(fn + len, "/" S6_SUPERVISE_EVENTDIR, sizeof(S6_SUPERVISE_EVENTDIR) + 1) ; + if (gid == (gid_t)-1) + { + gid = primarygid(fn) ; + mode = 01733 ; + } + else mode = 03730 ; + if (chown(fn, -1, gid) < 0) + strerr_diefu2sys(111, "chown ", fn) ; + if (chmod(fn, mode) < 0) + strerr_diefu2sys(111, "chmod ", fn) ; +} + +int main (int argc, char const *const *argv) +{ + int e = 0 ; + gid_t gid = -1 ; + gid_t eventgid = -1 ; + int rw = 0 ; + unsigned int what = 0 ; + PROG = "s6-svperms" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "vug:G:oO:eE:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : rw |= 1 ; break ; + case 'u' : rw |= 2 ; what = 0 ; break ; + case 'g' : rw |= 2 ; what = 1 ; gid = scangid(l.arg) ; break ; + case 'G' : rw |= 2 ; what = 5 ; gid = scangid(l.arg) ; break ; + case 'o' : rw |= 2 ; what = 2 ; break ; + case 'O' : rw |= 2 ; what = 6 ; gid = scangid(l.arg) ; break ; + case 'e' : rw |= 4 ; eventgid = -1 ; break ; + case 'E' : rw |= 4 ; eventgid = scangid(l.arg) ; break ; + default : dieusage() ; + } + } + argc -= 
l.ind ; argv += l.ind ; + } + if (!argc) dieusage() ; + + if (!rw) rw = 1 ; + for (; *argv ; argv++) + { + if (rw & 2) modsupervise(*argv, what, gid) ; + if (rw & 4) modevent(*argv, eventgid) ; + if (rw & 1) { e |= printsupervise(*argv) ; e |= printevent(*argv) ; } + } + if (rw & 1 && !buffer_flush(buffer_1)) + strerr_diefu1sys(111, "write to stdout") ; + return e ; +} diff --git a/src/supervision/s6-svscan.c b/src/supervision/s6-svscan.c index 0a3c286..1d17a3a 100644 --- a/src/supervision/s6-svscan.c +++ b/src/supervision/s6-svscan.c @@ -497,7 +497,7 @@ static inline int control_init (void) strerr_dief1x(100, S6_SVSCAN_CTLDIR " exists and is not a directory") ; } - fdlck = open(LCK, O_WRONLY | O_NONBLOCK | O_CREAT | O_CLOEXEC, 0644) ; + fdlck = open(LCK, O_WRONLY | O_NONBLOCK | O_CREAT | O_CLOEXEC, 0600) ; if (fdlck < 0) strerr_diefu1sys(111, "open " LCK) ; r = fd_lock(fdlck, 1, 1) ; if (r < 0) strerr_diefu1sys(111, "lock " LCK) ; -- cgit v1.2.3