[thirdparty/cups.git] / scheduler / process.c

/*
 * "$Id: process.c 7256 2008-01-25 00:48:54Z mike $"
 *
 *   Process management routines for the CUPS scheduler.
 *
 *   Copyright 2007-2010 by Apple Inc.
 *   Copyright 1997-2007 by Easy Software Products, all rights reserved.
 *
 *   These coded instructions, statements, and computer programs are the
 *   property of Apple Inc. and are protected by Federal copyright
 *   law.  Distribution and use rights are outlined in the file "LICENSE.txt"
 *   which should have been included with this file.  If this file is
 *   file is missing or damaged, see the license at "http://www.cups.org/".
 *
 * Contents:
 *
 *   cupsdCreateProfile()  - Create an execution profile for a subprocess.
 *   cupsdDestroyProfile() - Delete an execution profile.
 *   cupsdEndProcess()     - End a process.
 *   cupsdFinishProcess()  - Finish a process and get its name.
 *   cupsdStartProcess()   - Start a process.
 *   compare_procs()       - Compare two processes.
 *   cupsd_requote()       - Make a regular-expression version of a string.
 */

/*
 * Include necessary headers...
 */

#include "cupsd.h"
#include <grp.h>
#ifdef __APPLE__
#  include <libgen.h>
#endif /* __APPLE__ */
#ifdef HAVE_SANDBOX_H
#  define __APPLE_API_PRIVATE
#  include <sandbox.h>
#endif /* HAVE_SANDBOX_H */


/*
 * Process structure...
 */

typedef struct
{
  int	pid,				/* Process ID */
	job_id;				/* Job associated with process */
  char	name[1];			/* Name of process */
} cupsd_proc_t;


/*
 * Local globals...
 */

static cups_array_t	*process_array = NULL;


/*
 * Local functions...
 */

static int	compare_procs(cupsd_proc_t *a, cupsd_proc_t *b);
#ifdef HAVE_SANDBOX_H
static char	*cupsd_requote(char *dst, const char *src, size_t dstsize);
#endif /* HAVE_SANDBOX_H */


/*
 * 'cupsdCreateProfile()' - Create an execution profile for a subprocess.
 */

void *					/* O - Profile or NULL on error */
cupsdCreateProfile(int job_id)		/* I - Job ID or 0 for none */
{
#ifdef HAVE_SANDBOX_H
  cups_file_t	*fp;			/* File pointer */
  char		profile[1024],		/* File containing the profile */
		cache[1024],		/* Quoted CacheDir */
		request[1024],		/* Quoted RequestRoot */
		root[1024],		/* Quoted ServerRoot */
		temp[1024];		/* Quoted TempDir */


  if (!UseProfiles || RunUser)
  {
   /*
    * Only use sandbox profiles as root...
    */

    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                    job_id);

    return (NULL);
  }

  if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                    job_id);
    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
                    strerror(errno));
    return (NULL);
  }

  cupsd_requote(cache, CacheDir, sizeof(cache));
  cupsd_requote(request, RequestRoot, sizeof(request));
  cupsd_requote(root, ServerRoot, sizeof(root));
  cupsd_requote(temp, TempDir, sizeof(temp));

  cupsFilePuts(fp, "(version 1)\n");
  if (LogLevel >= CUPSD_LOG_DEBUG)
    cupsFilePuts(fp, "(debug deny)\n");
  cupsFilePuts(fp, "(allow default)\n");
  cupsFilePrintf(fp,
                 "(deny file-write* file-read-data file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* RequestRoot */
		 " #\"^%s/\""		/* RequestRoot/... */
		 " #\"^/Users$\""
		 " #\"^/Users/\""
		 "))\n",
		 request, request);
  cupsFilePrintf(fp,
                 "(deny file-write*\n"
                 "  (regex"
		 " #\"^%s$\""		/* ServerRoot */
		 " #\"^%s/\""		/* ServerRoot/... */
		 " #\"^/private/etc$\""
		 " #\"^/private/etc/\""
		 " #\"^/usr/local/etc$\""
		 " #\"^/usr/local/etc/\""
		 " #\"^/Library$\""
		 " #\"^/Library/\""
		 " #\"^/System$\""
		 " #\"^/System/\""
		 "))\n",
		 root, root);
  /* Specifically allow applications to stat RequestRoot */
  cupsFilePrintf(fp,
                 "(allow file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* RequestRoot */
		 "))\n",
		 request);
  cupsFilePrintf(fp,
                 "(allow file-write* file-read-data file-read-metadata\n"
                 "  (regex"
		 " #\"^%s$\""		/* TempDir */
		 " #\"^%s/\""		/* TempDir/... */
		 " #\"^%s$\""		/* CacheDir */
		 " #\"^%s/\""		/* CacheDir/... */
		 " #\"^%s/Library$\""	/* RequestRoot/Library */
		 " #\"^%s/Library/\""	/* RequestRoot/Library/... */
		 " #\"^/Library/Application Support/\""
		 " #\"^/Library/Caches/\""
		 " #\"^/Library/Preferences/\""
		 " #\"^/Library/Printers/.*/\""
		 " #\"^/Users/Shared/\""
		 "))\n",
		 temp, temp, cache, cache, request, request);
  cupsFilePuts(fp,
	       "(deny file-write*\n"
	       "  (regex"
	       " #\"^/Library/Printers/PPDs$\""
	       " #\"^/Library/Printers/PPDs/\""
	       " #\"^/Library/Printers/PPD Plugins$\""
	       " #\"^/Library/Printers/PPD Plugins/\""
	       "))\n");
  if (job_id)
    cupsFilePrintf(fp,
                   "(allow file-read-data file-read-metadata\n"
                   "  (regex #\"^%s/([ac]%05d|d%05d-[0-9][0-9][0-9])$\"))\n",
		   request, job_id, job_id);

  cupsFileClose(fp);

  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"",
                  job_id, profile);
  return ((void *)strdup(profile));

#else
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
                  job_id);

  return (NULL);
#endif /* HAVE_SANDBOX_H */
}


/*
 * 'cupsdDestroyProfile()' - Delete an execution profile.
 */

void
cupsdDestroyProfile(void *profile)	/* I - Profile */
{
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")",
		  profile ? (char *)profile : "(null)");

#ifdef HAVE_SANDBOX_H
  if (profile)
  {
    unlink((char *)profile);
    free(profile);
  }
#endif /* HAVE_SANDBOX_H */
}


/*
 * 'cupsdEndProcess()' - End a process.
 */

int					/* O - 0 on success, -1 on failure */
cupsdEndProcess(int pid,		/* I - Process ID */
                int force)		/* I - Force child to die */
{
  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdEndProcess(pid=%d, force=%d)", pid,
                  force);

  if (!pid)
    return (0);
  else if (force)
    return (kill(pid, SIGKILL));
  else
    return (kill(pid, SIGTERM));
}


/*
 * 'cupsdFinishProcess()' - Finish a process and get its name.
 */

const char *				/* O - Process name */
cupsdFinishProcess(int  pid,		/* I - Process ID */
                   char *name,		/* I - Name buffer */
		   int  namelen,	/* I - Size of name buffer */
		   int  *job_id)	/* O - Job ID pointer or NULL */
{
  cupsd_proc_t	key,			/* Search key */
		*proc;			/* Matching process */


  key.pid = pid;

  if ((proc = (cupsd_proc_t *)cupsArrayFind(process_array, &key)) != NULL)
  {
    if (job_id)
      *job_id = proc->job_id;

    strlcpy(name, proc->name, namelen);
    cupsArrayRemove(process_array, proc);
    free(proc);
  }
  else
  {
    if (job_id)
      *job_id = 0;

    strlcpy(name, "unknown", namelen);
  }

  cupsdLogMessage(CUPSD_LOG_DEBUG2,
		  "cupsdFinishProcess(pid=%d, name=%p, namelen=%d, "
		  "job_id=%p(%d)) = \"%s\"", pid, name, namelen, job_id,
		  job_id ? *job_id : 0, name);

  return (name);
}


/*
 * 'cupsdStartProcess()' - Start a process.
 */

int					/* O - Process ID or 0 */
cupsdStartProcess(
    const char  *command,		/* I - Full path to command */
    char        *argv[],		/* I - Command-line arguments */
    char        *envp[],		/* I - Environment */
    int         infd,			/* I - Standard input file descriptor */
    int         outfd,			/* I - Standard output file descriptor */
    int         errfd,			/* I - Standard error file descriptor */
    int         backfd,			/* I - Backchannel file descriptor */
    int         sidefd,			/* I - Sidechannel file descriptor */
    int         root,			/* I - Run as root? */
    void        *profile,		/* I - Security profile to use */
    cupsd_job_t *job,			/* I - Job associated with process */
    int         *pid)			/* O - Process ID */
{
  int		user;			/* Command UID */
  struct stat	commandinfo;		/* Command file information */
  cupsd_proc_t	*proc;			/* New process record */
#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
  struct sigaction action;		/* POSIX signal handler */
#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
#if defined(__APPLE__)
  char		processPath[1024],	/* CFProcessPath environment variable */
		linkpath[1024];		/* Link path for symlinks... */
  int		linkbytes;		/* Bytes for link path */
#endif /* __APPLE__ */


  if (RunUser)
    user = RunUser;
  else if (root)
    user = 0;
  else
    user = User;

  if (stat(command, &commandinfo))
  {
    *pid = 0;

    cupsdLogMessage(CUPSD_LOG_DEBUG2,
		    "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
		    "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
		    "profile=%p, job=%p(%d), pid=%p) = %d",
		    command, argv, envp, infd, outfd, errfd, backfd, sidefd,
		    root, profile, job, job ? job->id : 0, pid, *pid);
    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to execute %s: %s", command,
                    strerror(errno));

    if (job && job->printer)
    {
      if (cupsdSetPrinterReasons(job->printer, "+cups-missing-filter-warning"))
	cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE, job->printer, NULL,
		      "Printer driver %s is missing.", command);
    }

    return (0);
  }
  else if (!RunUser &&
           ((commandinfo.st_mode & (S_ISUID | S_IWGRP | S_IWOTH)) ||
            commandinfo.st_uid))
  {
    *pid = 0;

    cupsdLogMessage(CUPSD_LOG_DEBUG2,
		    "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
		    "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
		    "profile=%p, job=%p(%d), pid=%p) = %d",
		    command, argv, envp, infd, outfd, errfd, backfd, sidefd,
		    root, profile, job, job ? job->id : 0, pid, *pid);
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to execute %s: insecure file permissions (0%o)",
		    command, commandinfo.st_mode);

    if (job && job->printer)
    {
      if (cupsdSetPrinterReasons(job->printer, "+cups-insecure-filter-warning"))
	cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE, job->printer, NULL,
		      "Printer driver %s has insecure file permissions (0%o).",
		      command, commandinfo.st_mode);
    }

    errno = EPERM;

    return (0);
  }
  else if ((commandinfo.st_uid != user || !(commandinfo.st_mode & S_IXUSR)) &&
           (commandinfo.st_gid != Group || !(commandinfo.st_mode & S_IXGRP)) &&
           !(commandinfo.st_mode & S_IXOTH))
  {
    *pid = 0;

    cupsdLogMessage(CUPSD_LOG_DEBUG2,
		    "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
		    "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
		    "profile=%p, job=%p(%d), pid=%p) = %d",
		    command, argv, envp, infd, outfd, errfd, backfd, sidefd,
		    root, profile, job, job ? job->id : 0, pid, *pid);
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to execute %s: no execute permissions (0%o)",
		    command, commandinfo.st_mode);

    errno = EPERM;
    return (0);
  }

#if defined(__APPLE__)
  if (envp)
  {
   /*
    * Add special voodoo magic for Mac OS X - this allows Mac OS X
    * programs to access their bundle resources properly...
    */

    if ((linkbytes = readlink(command, linkpath, sizeof(linkpath) - 1)) > 0)
    {
     /*
      * Yes, this is a symlink to the actual program, nul-terminate and
      * use it...
      */

      linkpath[linkbytes] = '\0';

      if (linkpath[0] == '/')
	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s",
		 linkpath);
      else
	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s/%s",
		 dirname((char *)command), linkpath);
    }
    else
      snprintf(processPath, sizeof(processPath), "CFProcessPath=%s", command);

    envp[0] = processPath;		/* Replace <CFProcessPath> string */
  }
#endif	/* __APPLE__ */

 /*
  * Block signals before forking...
  */

  cupsdHoldSignals();

  if ((*pid = fork()) == 0)
  {
   /*
    * Child process goes here...
    *
    * Update stdin/stdout/stderr as needed...
    */

    if (infd != 0)
    {
      if (infd < 0)
        infd = open("/dev/null", O_RDONLY);

      if (infd != 0)
      {
        dup2(infd, 0);
	close(infd);
      }
    }

    if (outfd != 1)
    {
      if (outfd < 0)
        outfd = open("/dev/null", O_WRONLY);

      if (outfd != 1)
      {
        dup2(outfd, 1);
	close(outfd);
      }
    }

    if (errfd != 2)
    {
      if (errfd < 0)
        errfd = open("/dev/null", O_WRONLY);

      if (errfd != 2)
      {
        dup2(errfd, 2);
	close(errfd);
      }
    }

    if (backfd != 3 && backfd >= 0)
    {
      dup2(backfd, 3);
      close(backfd);
      fcntl(3, F_SETFL, O_NDELAY);
    }

    if (sidefd != 4 && sidefd >= 0)
    {
      dup2(sidefd, 4);
      close(sidefd);
      fcntl(4, F_SETFL, O_NDELAY);
    }

   /*
    * Change the priority of the process based on the FilterNice setting.
    * (this is not done for root processes...)
    */

    if (!root)
      nice(FilterNice);

#ifdef HAVE_SANDBOX_H
   /*
    * Run in a separate security profile...
    */

    if (profile)
    {
      char *error = NULL;		/* Sandbox error, if any */

      if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error))
      {
        fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error,
	        strerror(errno));
	sandbox_free_error(error);
      }
    }
#endif /* HAVE_SANDBOX_H */

   /*
    * Change user to something "safe"...
    */

    if (!root && !RunUser)
    {
     /*
      * Running as root, so change to non-priviledged user...
      */

      if (setgid(Group))
	exit(errno);

      if (setgroups(1, &Group))
	exit(errno);

      if (setuid(User))
        exit(errno);
    }
    else
    {
     /*
      * Reset group membership to just the main one we belong to.
      */

      if (setgid(Group) && !RunUser)
        exit(errno);

      if (setgroups(1, &Group) && !RunUser)
        exit(errno);
    }

   /*
    * Change umask to restrict permissions on created files...
    */

    umask(077);

   /*
    * Unblock signals before doing the exec...
    */

#ifdef HAVE_SIGSET
    sigset(SIGTERM, SIG_DFL);
    sigset(SIGCHLD, SIG_DFL);
    sigset(SIGPIPE, SIG_DFL);
#elif defined(HAVE_SIGACTION)
    memset(&action, 0, sizeof(action));

    sigemptyset(&action.sa_mask);
    action.sa_handler = SIG_DFL;

    sigaction(SIGTERM, &action, NULL);
    sigaction(SIGCHLD, &action, NULL);
    sigaction(SIGPIPE, &action, NULL);
#else
    signal(SIGTERM, SIG_DFL);
    signal(SIGCHLD, SIG_DFL);
    signal(SIGPIPE, SIG_DFL);
#endif /* HAVE_SIGSET */

    cupsdReleaseSignals();

   /*
    * Execute the command; if for some reason this doesn't work,
    * return the error code...
    */

    if (envp)
      execve(command, argv, envp);
    else
      execv(command, argv);

    perror(command);

    exit(errno);
  }
  else if (*pid < 0)
  {
   /*
    * Error - couldn't fork a new process!
    */

    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to fork %s - %s.", command,
                    strerror(errno));

    *pid = 0;
  }
  else
  {
    if (!process_array)
      process_array = cupsArrayNew((cups_array_func_t)compare_procs, NULL);
 
    if (process_array)
    {
      if ((proc = calloc(1, sizeof(cupsd_proc_t) + strlen(command))) != NULL)
      {
        proc->pid    = *pid;
	proc->job_id = job ? job->id : 0;
	strcpy(proc->name, command);

	cupsArrayAdd(process_array, proc);
      }
    }
  }

  cupsdReleaseSignals();

  cupsdLogMessage(CUPSD_LOG_DEBUG2,
		  "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
		  "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
		  "profile=%p, job=%p(%d), pid=%p) = %d",
		  command, argv, envp, infd, outfd, errfd, backfd, sidefd,
		  root, profile, job, job ? job->id : 0, pid, *pid);

  return (*pid);
}


/*
 * 'compare_procs()' - Compare two processes.
 */

static int				/* O - Result of comparison */
compare_procs(cupsd_proc_t *a,		/* I - First process */
              cupsd_proc_t *b)		/* I - Second process */
{
  return (a->pid - b->pid);
}


#ifdef HAVE_SANDBOX_H
/*
 * 'cupsd_requote()' - Make a regular-expression version of a string.
 */

static char *				/* O - Quoted string */
cupsd_requote(char       *dst,		/* I - Destination buffer */
              const char *src,		/* I - Source string */
	      size_t     dstsize)	/* I - Size of destination buffer */
{
  int	ch;				/* Current character */
  char	*dstptr,			/* Current position in buffer */
	*dstend;			/* End of destination buffer */


  dstptr = dst;
  dstend = dst + dstsize - 2;

  while (*src && dstptr < dstend)
  {
    ch = *src++;

    if (strchr(".?*()[]^$\\", ch))
      *dstptr++ = '\\';

    *dstptr++ = ch;
  }

  *dstptr = '\0';

  return (dst);
}
#endif /* HAVE_SANDBOX_H */


/*
 * End of "$Id: process.c 7256 2008-01-25 00:48:54Z mike $".
 */
Commit	Line	Data
ef416fc2	1	/*
75bd9771	2	* "$Id: process.c 7256 2008-01-25 00:48:54Z mike $"
ef416fc2	3	*
cc754834	4	* Process management routines for the CUPS scheduler.
ef416fc2	5	*
5a6b583a	6	* Copyright 2007-2010 by Apple Inc.
f7deaa1a	7	* Copyright 1997-2007 by Easy Software Products, all rights reserved.
ef416fc2	8	*
ef416fc2	9	* These coded instructions, statements, and computer programs are the
bc44d920	10	* property of Apple Inc. and are protected by Federal copyright
	11	* law. Distribution and use rights are outlined in the file "LICENSE.txt"
	12	* which should have been included with this file. If this file is
	13	* file is missing or damaged, see the license at "http://www.cups.org/".
ef416fc2	14	*
	15	* Contents:
	16	*
a4924f6c MS	17	* cupsdCreateProfile() - Create an execution profile for a subprocess.
	18	* cupsdDestroyProfile() - Delete an execution profile.
	19	* cupsdEndProcess() - End a process.
	20	* cupsdFinishProcess() - Finish a process and get its name.
	21	* cupsdStartProcess() - Start a process.
	22	* compare_procs() - Compare two processes.
	23	* cupsd_requote() - Make a regular-expression version of a string.
ef416fc2	24	*/
	25
	26	/*
	27	* Include necessary headers...
	28	*/
	29
	30	#include "cupsd.h"
	31	#include <grp.h>
a4924f6c	32	#ifdef __APPLE__
4400e98d	33	# include <libgen.h>
6d2f911b	34	#endif /* __APPLE__ */
a4924f6c MS	35	#ifdef HAVE_SANDBOX_H
	36	# define __APPLE_API_PRIVATE
	37	# include <sandbox.h>
	38	#endif /* HAVE_SANDBOX_H */
ef416fc2	39
ef416fc2	40
e00b005a	41	/*
	42	* Process structure...
	43	*/
	44
	45	typedef struct
	46	{
b9faaae1 MS	47	int pid, /* Process ID */
b9faaae1 MS	48	job_id; /* Job associated with process */
e00b005a	49	char name[1]; /* Name of process */
	50	} cupsd_proc_t;
	51
	52
	53	/*
	54	* Local globals...
	55	*/
	56
	57	static cups_array_t *process_array = NULL;
	58
	59
	60	/*
	61	* Local functions...
	62	*/
	63
	64	static int compare_procs(cupsd_proc_t a, cupsd_proc_t b);
a4924f6c MS	65	#ifdef HAVE_SANDBOX_H
	66	static char cupsd_requote(char dst, const char *src, size_t dstsize);
	67	#endif /* HAVE_SANDBOX_H */
	68
	69
	70	/*
	71	* 'cupsdCreateProfile()' - Create an execution profile for a subprocess.
	72	*/
	73
	74	void * /* O - Profile or NULL on error */
	75	cupsdCreateProfile(int job_id) /* I - Job ID or 0 for none */
	76	{
	77	#ifdef HAVE_SANDBOX_H
	78	cups_file_t fp; / File pointer */
	79	char profile[1024], /* File containing the profile */
	80	cache[1024], /* Quoted CacheDir */
	81	request[1024], /* Quoted RequestRoot */
	82	root[1024], /* Quoted ServerRoot */
	83	temp[1024]; /* Quoted TempDir */
	84
	85
1340db2d	86	if (!UseProfiles \|\| RunUser)
b9faaae1 MS	87	{
	88	/*
	89	* Only use sandbox profiles as root...
	90	*/
	91
	92	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
	93	job_id);
	94
	95	return (NULL);
	96	}
	97
a4924f6c MS	98	if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
a4924f6c MS	99	{
b9faaae1 MS	100	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
b9faaae1 MS	101	job_id);
a4924f6c MS	102	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
	103	strerror(errno));
	104	return (NULL);
	105	}
	106
	107	cupsd_requote(cache, CacheDir, sizeof(cache));
	108	cupsd_requote(request, RequestRoot, sizeof(request));
	109	cupsd_requote(root, ServerRoot, sizeof(root));
	110	cupsd_requote(temp, TempDir, sizeof(temp));
	111
	112	cupsFilePuts(fp, "(version 1)\n");
cc754834 MS	113	if (LogLevel >= CUPSD_LOG_DEBUG)
cc754834 MS	114	cupsFilePuts(fp, "(debug deny)\n");
a4924f6c MS	115	cupsFilePuts(fp, "(allow default)\n");
	116	cupsFilePrintf(fp,
	117	"(deny file-write* file-read-data file-read-metadata\n"
5a6b583a MS	118	" (regex"
	119	" #\"^%s$\"" /* RequestRoot */
	120	" #\"^%s/\"" /* RequestRoot/... */
	121	" #\"^/Users$\""
	122	" #\"^/Users/\""
	123	"))\n",
	124	request, request);
a4924f6c MS	125	cupsFilePrintf(fp,
a4924f6c MS	126	"(deny file-write*\n"
5a6b583a MS	127	" (regex"
	128	" #\"^%s$\"" /* ServerRoot */
	129	" #\"^%s/\"" /* ServerRoot/... */
	130	" #\"^/private/etc$\""
	131	" #\"^/private/etc/\""
	132	" #\"^/usr/local/etc$\""
	133	" #\"^/usr/local/etc/\""
	134	" #\"^/Library$\""
	135	" #\"^/Library/\""
	136	" #\"^/System$\""
	137	" #\"^/System/\""
	138	"))\n",
	139	root, root);
7cf5915e MS	140	/* Specifically allow applications to stat RequestRoot */
	141	cupsFilePrintf(fp,
	142	"(allow file-read-metadata\n"
	143	" (regex"
	144	" #\"^%s$\"" /* RequestRoot */
	145	"))\n",
	146	request);
a4924f6c MS	147	cupsFilePrintf(fp,
a4924f6c MS	148	"(allow file-write* file-read-data file-read-metadata\n"
5a6b583a MS	149	" (regex"
	150	" #\"^%s$\"" /* TempDir */
	151	" #\"^%s/\"" /* TempDir/... */
	152	" #\"^%s$\"" /* CacheDir */
	153	" #\"^%s/\"" /* CacheDir/... */
	154	" #\"^%s/Library$\"" /* RequestRoot/Library */
	155	" #\"^%s/Library/\"" /* RequestRoot/Library/... */
ed6e7faf MS	156	" #\"^/Library/Application Support/\""
	157	" #\"^/Library/Caches/\""
	158	" #\"^/Library/Preferences/\""
5a6b583a MS	159	" #\"^/Library/Printers/.*/\""
5a6b583a MS	160	" #\"^/Users/Shared/\""
ed6e7faf	161	"))\n",
5a6b583a	162	temp, temp, cache, cache, request, request);
ed6e7faf MS	163	cupsFilePuts(fp,
ed6e7faf MS	164	"(deny file-write*\n"
5a6b583a MS	165	" (regex"
	166	" #\"^/Library/Printers/PPDs$\""
	167	" #\"^/Library/Printers/PPDs/\""
	168	" #\"^/Library/Printers/PPD Plugins$\""
ed6e7faf MS	169	" #\"^/Library/Printers/PPD Plugins/\""
ed6e7faf MS	170	"))\n");
a4924f6c MS	171	if (job_id)
	172	cupsFilePrintf(fp,
	173	"(allow file-read-data file-read-metadata\n"
	174	" (regex #\"^%s/([ac]%05d\|d%05d-[0-9][0-9][0-9])$\"))\n",
5bd77a73	175	request, job_id, job_id);
a4924f6c MS	176
	177	cupsFileClose(fp);
	178
5bd77a73 MS	179	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"",
5bd77a73 MS	180	job_id, profile);
a4924f6c	181	return ((void *)strdup(profile));
b9faaae1	182
a4924f6c	183	#else
b9faaae1 MS	184	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
b9faaae1 MS	185	job_id);
a4924f6c MS	186
	187	return (NULL);
	188	#endif /* HAVE_SANDBOX_H */
	189	}
	190
	191
	192	/*
	193	* 'cupsdDestroyProfile()' - Delete an execution profile.
	194	*/
	195
	196	void
	197	cupsdDestroyProfile(void profile) / I - Profile */
	198	{
b9faaae1 MS	199	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")",
	200	profile ? (char *)profile : "(null)");
	201
a4924f6c MS	202	#ifdef HAVE_SANDBOX_H
	203	if (profile)
	204	{
	205	unlink((char *)profile);
	206	free(profile);
	207	}
	208	#endif /* HAVE_SANDBOX_H */
	209	}
e00b005a	210
e00b005a	211
ef416fc2	212	/*
	213	* 'cupsdEndProcess()' - End a process.
	214	*/
	215
	216	int /* O - 0 on success, -1 on failure */
	217	cupsdEndProcess(int pid, /* I - Process ID */
	218	int force) /* I - Force child to die */
	219	{
b9faaae1 MS	220	cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdEndProcess(pid=%d, force=%d)", pid,
	221	force);
	222
ef55b745 MS	223	if (!pid)
	224	return (0);
	225	else if (force)
ef416fc2	226	return (kill(pid, SIGKILL));
	227	else
	228	return (kill(pid, SIGTERM));
	229	}
	230
	231
e00b005a	232	/*
	233	* 'cupsdFinishProcess()' - Finish a process and get its name.
	234	*/
	235
	236	const char * /* O - Process name */
	237	cupsdFinishProcess(int pid, /* I - Process ID */
	238	char name, / I - Name buffer */
b9faaae1 MS	239	int namelen, /* I - Size of name buffer */
b9faaae1 MS	240	int job_id) / O - Job ID pointer or NULL */
e00b005a	241	{
	242	cupsd_proc_t key, /* Search key */
	243	proc; / Matching process */
	244
	245
	246	key.pid = pid;
	247
	248	if ((proc = (cupsd_proc_t *)cupsArrayFind(process_array, &key)) != NULL)
	249	{
b9faaae1 MS	250	if (job_id)
	251	*job_id = proc->job_id;
	252
e00b005a	253	strlcpy(name, proc->name, namelen);
	254	cupsArrayRemove(process_array, proc);
	255	free(proc);
e00b005a	256	}
e00b005a	257	else
b9faaae1 MS	258	{
	259	if (job_id)
	260	*job_id = 0;
	261
	262	strlcpy(name, "unknown", namelen);
	263	}
	264
	265	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	266	"cupsdFinishProcess(pid=%d, name=%p, namelen=%d, "
	267	"job_id=%p(%d)) = \"%s\"", pid, name, namelen, job_id,
	268	job_id ? *job_id : 0, name);
	269
	270	return (name);
e00b005a	271	}
	272
	273
ef416fc2	274	/*
	275	* 'cupsdStartProcess()' - Start a process.
	276	*/
	277
	278	int /* O - Process ID or 0 */
	279	cupsdStartProcess(
b9faaae1 MS	280	const char command, / I - Full path to command */
	281	char argv[], / I - Command-line arguments */
	282	char envp[], / I - Environment */
	283	int infd, /* I - Standard input file descriptor */
	284	int outfd, /* I - Standard output file descriptor */
	285	int errfd, /* I - Standard error file descriptor */
	286	int backfd, /* I - Backchannel file descriptor */
	287	int sidefd, /* I - Sidechannel file descriptor */
	288	int root, /* I - Run as root? */
	289	void profile, / I - Security profile to use */
38e73f87	290	cupsd_job_t job, / I - Job associated with process */
b9faaae1	291	int pid) / O - Process ID */
ef416fc2	292	{
bf3816c7 MS	293	int user; /* Command UID */
bf3816c7 MS	294	struct stat commandinfo; /* Command file information */
e00b005a	295	cupsd_proc_t proc; / New process record */
ef416fc2	296	#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
e00b005a	297	struct sigaction action; /* POSIX signal handler */
ef416fc2	298	#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
e53920b9	299	#if defined(__APPLE__)
e00b005a	300	char processPath[1024], /* CFProcessPath environment variable */
	301	linkpath[1024]; /* Link path for symlinks... */
	302	int linkbytes; /* Bytes for link path */
e53920b9	303	#endif /* __APPLE__ */
ef416fc2	304
ef416fc2	305
bf3816c7 MS	306	if (RunUser)
	307	user = RunUser;
	308	else if (root)
	309	user = 0;
	310	else
	311	user = User;
	312
	313	if (stat(command, &commandinfo))
76cd9e37	314	{
b9faaae1 MS	315	*pid = 0;
	316
	317	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	318	"cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
	319	"infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
38e73f87	320	"profile=%p, job=%p(%d), pid=%p) = %d",
b9faaae1	321	command, argv, envp, infd, outfd, errfd, backfd, sidefd,
38e73f87	322	root, profile, job, job ? job->id : 0, pid, *pid);
76cd9e37 MS	323	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to execute %s: %s", command,
76cd9e37 MS	324	strerror(errno));
38e73f87 MS	325
38e73f87 MS	326	if (job && job->printer)
e07d4801 MS	327	{
	328	if (cupsdSetPrinterReasons(job->printer, "+cups-missing-filter-warning"))
	329	cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE, job->printer, NULL,
	330	"Printer driver %s is missing.", command);
	331	}
38e73f87	332
76cd9e37 MS	333	return (0);
76cd9e37 MS	334	}
ef55b745 MS	335	else if (!RunUser &&
	336	((commandinfo.st_mode & (S_ISUID \| S_IWGRP \| S_IWOTH)) \|\|
	337	commandinfo.st_uid))
bf3816c7	338	{
b9faaae1 MS	339	*pid = 0;
	340
	341	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	342	"cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
	343	"infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
38e73f87	344	"profile=%p, job=%p(%d), pid=%p) = %d",
b9faaae1	345	command, argv, envp, infd, outfd, errfd, backfd, sidefd,
38e73f87	346	root, profile, job, job ? job->id : 0, pid, *pid);
bf3816c7 MS	347	cupsdLogMessage(CUPSD_LOG_ERROR,
	348	"Unable to execute %s: insecure file permissions (0%o)",
	349	command, commandinfo.st_mode);
b9faaae1	350
38e73f87	351	if (job && job->printer)
e07d4801 MS	352	{
	353	if (cupsdSetPrinterReasons(job->printer, "+cups-insecure-filter-warning"))
	354	cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE, job->printer, NULL,
	355	"Printer driver %s has insecure file permissions (0%o).",
	356	command, commandinfo.st_mode);
	357	}
38e73f87	358
bf3816c7	359	errno = EPERM;
38e73f87	360
bf3816c7 MS	361	return (0);
	362	}
	363	else if ((commandinfo.st_uid != user \|\| !(commandinfo.st_mode & S_IXUSR)) &&
	364	(commandinfo.st_gid != Group \|\| !(commandinfo.st_mode & S_IXGRP)) &&
	365	!(commandinfo.st_mode & S_IXOTH))
	366	{
b9faaae1 MS	367	*pid = 0;
	368
	369	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	370	"cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
	371	"infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
38e73f87	372	"profile=%p, job=%p(%d), pid=%p) = %d",
b9faaae1	373	command, argv, envp, infd, outfd, errfd, backfd, sidefd,
38e73f87	374	root, profile, job, job ? job->id : 0, pid, *pid);
bf3816c7 MS	375	cupsdLogMessage(CUPSD_LOG_ERROR,
	376	"Unable to execute %s: no execute permissions (0%o)",
	377	command, commandinfo.st_mode);
b9faaae1	378
bf3816c7 MS	379	errno = EPERM;
	380	return (0);
	381	}
76cd9e37	382
e53920b9	383	#if defined(__APPLE__)
e53920b9	384	if (envp)
e00b005a	385	{
e00b005a	386	/*
6d2f911b	387	* Add special voodoo magic for Mac OS X - this allows Mac OS X
e53920b9	388	* programs to access their bundle resources properly...
e00b005a	389	*/
e00b005a	390
e53920b9	391	if ((linkbytes = readlink(command, linkpath, sizeof(linkpath) - 1)) > 0)
	392	{
	393	/*
	394	* Yes, this is a symlink to the actual program, nul-terminate and
	395	* use it...
	396	*/
	397
	398	linkpath[linkbytes] = '\0';
e00b005a	399
e53920b9	400	if (linkpath[0] == '/')
	401	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s",
	402	linkpath);
	403	else
	404	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s/%s",
f7deaa1a	405	dirname((char *)command), linkpath);
e53920b9	406	}
e00b005a	407	else
e53920b9	408	snprintf(processPath, sizeof(processPath), "CFProcessPath=%s", command);
bd7854cb	409
e53920b9	410	envp[0] = processPath; /* Replace <CFProcessPath> string */
	411	}
	412	#endif /* __APPLE__ */
e00b005a	413
ef416fc2	414	/*
	415	* Block signals before forking...
	416	*/
	417
	418	cupsdHoldSignals();
	419
	420	if ((*pid = fork()) == 0)
	421	{
	422	/*
	423	* Child process goes here...
	424	*
	425	* Update stdin/stdout/stderr as needed...
	426	*/
	427
	428	if (infd != 0)
	429	{
68b10830 MS	430	if (infd < 0)
	431	infd = open("/dev/null", O_RDONLY);
	432
	433	if (infd != 0)
	434	{
	435	dup2(infd, 0);
	436	close(infd);
	437	}
ef416fc2	438	}
68b10830	439
ef416fc2	440	if (outfd != 1)
ef416fc2	441	{
68b10830 MS	442	if (outfd < 0)
	443	outfd = open("/dev/null", O_WRONLY);
	444
	445	if (outfd != 1)
	446	{
	447	dup2(outfd, 1);
	448	close(outfd);
	449	}
ef416fc2	450	}
68b10830	451
ef416fc2	452	if (errfd != 2)
ef416fc2	453	{
68b10830 MS	454	if (errfd < 0)
	455	errfd = open("/dev/null", O_WRONLY);
	456
	457	if (errfd != 2)
	458	{
	459	dup2(errfd, 2);
	460	close(errfd);
	461	}
ef416fc2	462	}
68b10830 MS	463
68b10830 MS	464	if (backfd != 3 && backfd >= 0)
ef416fc2	465	{
68b10830 MS	466	dup2(backfd, 3);
68b10830 MS	467	close(backfd);
ef416fc2	468	fcntl(3, F_SETFL, O_NDELAY);
ef416fc2	469	}
68b10830 MS	470
68b10830 MS	471	if (sidefd != 4 && sidefd >= 0)
f7deaa1a	472	{
68b10830 MS	473	dup2(sidefd, 4);
68b10830 MS	474	close(sidefd);
f7deaa1a	475	fcntl(4, F_SETFL, O_NDELAY);
f7deaa1a	476	}
ef416fc2	477
	478	/*
	479	* Change the priority of the process based on the FilterNice setting.
5bd77a73	480	* (this is not done for root processes...)
ef416fc2	481	*/
	482
	483	if (!root)
	484	nice(FilterNice);
	485
5bd77a73 MS	486	#ifdef HAVE_SANDBOX_H
	487	/*
	488	* Run in a separate security profile...
	489	*/
	490
	491	if (profile)
	492	{
	493	char error = NULL; / Sandbox error, if any */
	494
	495	if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error))
	496	{
	497	fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error,
	498	strerror(errno));
	499	sandbox_free_error(error);
	500	}
	501	}
	502	#endif /* HAVE_SANDBOX_H */
	503
ef416fc2	504	/*
	505	* Change user to something "safe"...
	506	*/
	507
	508	if (!root && !RunUser)
	509	{
	510	/*
	511	* Running as root, so change to non-priviledged user...
	512	*/
	513
	514	if (setgid(Group))
e00b005a	515	exit(errno);
ef416fc2	516
ef416fc2	517	if (setgroups(1, &Group))
e00b005a	518	exit(errno);
ef416fc2	519
	520	if (setuid(User))
	521	exit(errno);
	522	}
	523	else
	524	{
	525	/*
	526	* Reset group membership to just the main one we belong to.
	527	*/
	528
41681883 MS	529	if (setgid(Group) && !RunUser)
	530	exit(errno);
	531
	532	if (setgroups(1, &Group) && !RunUser)
	533	exit(errno);
ef416fc2	534	}
	535
	536	/*
	537	* Change umask to restrict permissions on created files...
	538	*/
	539
	540	umask(077);
	541
	542	/*
	543	* Unblock signals before doing the exec...
	544	*/
	545
	546	#ifdef HAVE_SIGSET
	547	sigset(SIGTERM, SIG_DFL);
	548	sigset(SIGCHLD, SIG_DFL);
ef55b745	549	sigset(SIGPIPE, SIG_DFL);
ef416fc2	550	#elif defined(HAVE_SIGACTION)
	551	memset(&action, 0, sizeof(action));
	552
	553	sigemptyset(&action.sa_mask);
	554	action.sa_handler = SIG_DFL;
	555
	556	sigaction(SIGTERM, &action, NULL);
	557	sigaction(SIGCHLD, &action, NULL);
ef55b745	558	sigaction(SIGPIPE, &action, NULL);
ef416fc2	559	#else
	560	signal(SIGTERM, SIG_DFL);
	561	signal(SIGCHLD, SIG_DFL);
ef55b745	562	signal(SIGPIPE, SIG_DFL);
ef416fc2	563	#endif /* HAVE_SIGSET */
	564
	565	cupsdReleaseSignals();
	566
	567	/*
	568	* Execute the command; if for some reason this doesn't work,
	569	* return the error code...
	570	*/
	571
	572	if (envp)
	573	execve(command, argv, envp);
	574	else
	575	execv(command, argv);
	576
	577	perror(command);
	578
	579	exit(errno);
	580	}
	581	else if (*pid < 0)
	582	{
	583	/*
	584	* Error - couldn't fork a new process!
	585	*/
	586
	587	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to fork %s - %s.", command,
	588	strerror(errno));
	589
	590	*pid = 0;
	591	}
e00b005a	592	else
	593	{
	594	if (!process_array)
	595	process_array = cupsArrayNew((cups_array_func_t)compare_procs, NULL);
	596
	597	if (process_array)
	598	{
	599	if ((proc = calloc(1, sizeof(cupsd_proc_t) + strlen(command))) != NULL)
	600	{
b9faaae1	601	proc->pid = *pid;
38e73f87	602	proc->job_id = job ? job->id : 0;
e00b005a	603	strcpy(proc->name, command);
	604
	605	cupsArrayAdd(process_array, proc);
	606	}
	607	}
	608	}
ef416fc2	609
	610	cupsdReleaseSignals();
	611
b9faaae1 MS	612	cupsdLogMessage(CUPSD_LOG_DEBUG2,
	613	"cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
	614	"infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
38e73f87	615	"profile=%p, job=%p(%d), pid=%p) = %d",
b9faaae1	616	command, argv, envp, infd, outfd, errfd, backfd, sidefd,
38e73f87	617	root, profile, job, job ? job->id : 0, pid, *pid);
b9faaae1	618
ef416fc2	619	return (*pid);
	620	}
	621
	622
	623	/*
e00b005a	624	* 'compare_procs()' - Compare two processes.
	625	*/
	626
	627	static int /* O - Result of comparison */
	628	compare_procs(cupsd_proc_t a, / I - First process */
	629	cupsd_proc_t b) / I - Second process */
	630	{
	631	return (a->pid - b->pid);
	632	}
	633
	634
a4924f6c MS	635	#ifdef HAVE_SANDBOX_H
	636	/*
	637	* 'cupsd_requote()' - Make a regular-expression version of a string.
	638	*/
	639
	640	static char * /* O - Quoted string */
	641	cupsd_requote(char dst, / I - Destination buffer */
	642	const char src, / I - Source string */
	643	size_t dstsize) /* I - Size of destination buffer */
	644	{
	645	int ch; /* Current character */
	646	char dstptr, / Current position in buffer */
	647	dstend; / End of destination buffer */
	648
	649
	650	dstptr = dst;
	651	dstend = dst + dstsize - 2;
	652
	653	while (*src && dstptr < dstend)
	654	{
	655	ch = *src++;
	656
	657	if (strchr(".?*()[]^$\\", ch))
	658	*dstptr++ = '\\';
	659
	660	*dstptr++ = ch;
	661	}
	662
	663	*dstptr = '\0';
	664
	665	return (dst);
	666	}
	667	#endif /* HAVE_SANDBOX_H */
	668
	669
e00b005a	670	/*
75bd9771	671	* End of "$Id: process.c 7256 2008-01-25 00:48:54Z mike $".
ef416fc2	672	*/