4 * Process management routines for the CUPS scheduler.
6 * Copyright 2007-2011 by Apple Inc.
7 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * file is missing or damaged, see the license at "http://www.cups.org/".
17 * cupsdCheckProgram() - Check the permissions of the given program and its
18 * containing directory.
19 * cupsdCreateProfile() - Create an execution profile for a subprocess.
20 * cupsdDestroyProfile() - Delete an execution profile.
21 * cupsdEndProcess() - End a process.
22 * cupsdFinishProcess() - Finish a process and get its name.
23 * cupsdStartProcess() - Start a process.
24 * compare_procs() - Compare two processes.
25 * cupsd_requote() - Make a regular-expression version of a string.
29 * Include necessary headers...
36 #endif /* __APPLE__ */
40 * Process structure...
45 int pid
, /* Process ID */
46 job_id
; /* Job associated with process */
47 char name
[1]; /* Name of process */
55 static cups_array_t
*process_array
= NULL
;
62 static int compare_procs(cupsd_proc_t
*a
, cupsd_proc_t
*b
);
64 static char *cupsd_requote(char *dst
, const char *src
, size_t dstsize
);
65 #endif /* HAVE_SANDBOX_H */
69 * 'cupsdCheckProgram()' - Check the permissions of the given program and its
70 * containing directory.
73 int /* O - 1 if OK, 0 if not OK */
75 const char *filename
, /* I - Filename to check */
76 cupsd_printer_t
*p
) /* I - Printer, if any */
78 struct stat fileinfo
; /* File information */
79 char temp
[1024], /* Parent directory filename */
80 *ptr
; /* Pointer into parent directory */
84 * Does the program even exist and is it accessible?
87 if (stat(filename
, &fileinfo
))
95 snprintf(p
->state_message
, sizeof(p
->state_message
),
96 "Printer driver \"%s\" not available: %s", filename
,
98 cupsdLogMessage(CUPSD_LOG_ERROR
, "%s: %s", p
->name
, p
->state_message
);
100 if (cupsdSetPrinterReasons(p
, "+cups-missing-filter-warning"))
101 cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE
, p
, NULL
,
102 "Printer driver \"%s\" not available.", filename
);
105 cupsdLogMessage(CUPSD_LOG_ERROR
, "Program \"%s\" not available: %s",
106 filename
, strerror(errno
));
112 * Are we running as root?
118 * Nope, so anything goes...
125 * Verify permission of the program itself:
127 * 1. Must be owned by root
128 * 2. Must not be writable by group unless group is root/wheel/admin
129 * 3. Must not be setuid
130 * 4. Must not be writable by others
133 if (fileinfo
.st_uid
|| /* 1. Must be owned by root */
135 ((fileinfo
.st_mode
& S_IWGRP
) && fileinfo
.st_gid
&&
136 fileinfo
.st_gid
!= 80) || /* 2. Must not be writable by group */
138 ((fileinfo
.st_mode
& S_IWGRP
) && fileinfo
.st_gid
) ||
139 /* 2. Must not be writable by group */
140 #endif /* __APPLE__ */
141 (fileinfo
.st_mode
& S_ISUID
) || /* 3. Must not be setuid */
142 (fileinfo
.st_mode
& S_IWOTH
)) /* 4. Must not be writable by others */
146 snprintf(p
->state_message
, sizeof(p
->state_message
),
147 "Printer driver \"%s\" has insecure permissions "
148 "(0%o/uid=%d/gid=%d).", filename
, fileinfo
.st_mode
,
149 (int)fileinfo
.st_uid
, (int)fileinfo
.st_gid
);
151 cupsdLogMessage(CUPSD_LOG_ERROR
, "%s: %s", p
->name
, p
->state_message
);
153 if (cupsdSetPrinterReasons(p
, "+cups-insecure-filter-warning"))
154 cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE
, p
, NULL
, "%s",
158 cupsdLogMessage(CUPSD_LOG_ERROR
,
159 "Program \"%s\" has insecure permissions "
160 "(0%o/uid=%d/gid=%d).", filename
, fileinfo
.st_mode
,
161 (int)fileinfo
.st_uid
, (int)fileinfo
.st_gid
);
168 cupsdLogMessage(CUPSD_LOG_DEBUG2
,
169 "%s%s \"%s\" permissions OK "
170 "(0%o/uid=%d/gid=%d).", p
? p
->name
: "",
171 p
? ": Printer driver" : "Program", filename
,
172 fileinfo
.st_mode
, (int)fileinfo
.st_uid
,
173 (int)fileinfo
.st_gid
);
176 * Now check the containing directory...
179 strlcpy(temp
, filename
, sizeof(temp
));
180 if ((ptr
= strrchr(temp
, '/')) != NULL
)
188 if (stat(temp
, &fileinfo
))
196 snprintf(p
->state_message
, sizeof(p
->state_message
),
197 "Printer driver directory \"%s\" not available: %s", temp
,
199 cupsdLogMessage(CUPSD_LOG_ERROR
, "%s: %s", p
->name
, p
->state_message
);
201 if (cupsdSetPrinterReasons(p
, "+cups-missing-filter-warning"))
202 cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE
, p
, NULL
,
203 "Printer driver directory \"%s\" not available.", temp
);
206 cupsdLogMessage(CUPSD_LOG_ERROR
,
207 "Program directory \"%s\" not available: %s", temp
,
213 if (fileinfo
.st_uid
|| /* 1. Must be owned by root */
215 ((fileinfo
.st_mode
& S_IWGRP
) && fileinfo
.st_gid
&&
216 fileinfo
.st_gid
!= 80) || /* 2. Must not be writable by group */
218 ((fileinfo
.st_mode
& S_IWGRP
) && fileinfo
.st_gid
) ||
219 /* 2. Must not be writable by group */
220 #endif /* __APPLE__ */
221 (fileinfo
.st_mode
& S_ISUID
) || /* 3. Must not be setuid */
222 (fileinfo
.st_mode
& S_IWOTH
)) /* 4. Must not be writable by others */
226 snprintf(p
->state_message
, sizeof(p
->state_message
),
227 "Printer driver directory \"%s\" has insecure permissions "
228 "(0%o/uid=%d/gid=%d).", temp
, fileinfo
.st_mode
,
229 (int)fileinfo
.st_uid
, (int)fileinfo
.st_gid
);
231 cupsdLogMessage(CUPSD_LOG_ERROR
, "%s: %s", p
->name
, p
->state_message
);
233 if (cupsdSetPrinterReasons(p
, "+cups-insecure-filter-warning"))
234 cupsdAddEvent(CUPSD_EVENT_PRINTER_STATE
, p
, NULL
, "%s",
238 cupsdLogMessage(CUPSD_LOG_ERROR
,
239 "Program directory \"%s\" has insecure permissions "
240 "(0%o/uid=%d/gid=%d).", temp
, fileinfo
.st_mode
,
241 (int)fileinfo
.st_uid
, (int)fileinfo
.st_gid
);
248 cupsdLogMessage(CUPSD_LOG_DEBUG2
,
249 "%s%s directory \"%s\" permissions OK "
250 "(0%o/uid=%d/gid=%d).", p
? p
->name
: "",
251 p
? ": Printer driver" : "Program", temp
,
252 fileinfo
.st_mode
, (int)fileinfo
.st_uid
,
253 (int)fileinfo
.st_gid
);
256 * If we get here then we can "safely" run this program...
264 * 'cupsdCreateProfile()' - Create an execution profile for a subprocess.
267 void * /* O - Profile or NULL on error */
268 cupsdCreateProfile(int job_id
) /* I - Job ID or 0 for none */
270 #ifdef HAVE_SANDBOX_H
271 cups_file_t
*fp
; /* File pointer */
272 char profile
[1024], /* File containing the profile */
273 cache
[1024], /* Quoted CacheDir */
274 request
[1024], /* Quoted RequestRoot */
275 root
[1024], /* Quoted ServerRoot */
276 temp
[1024]; /* Quoted TempDir */
282 * Only use sandbox profiles as root...
285 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdCreateProfile(job_id=%d) = NULL",
291 if ((fp
= cupsTempFile2(profile
, sizeof(profile
))) == NULL
)
293 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdCreateProfile(job_id=%d) = NULL",
295 cupsdLogMessage(CUPSD_LOG_ERROR
, "Unable to create security profile: %s",
300 fchown(cupsFileNumber(fp
), RunUser
, Group
);
301 fchmod(cupsFileNumber(fp
), 0640);
303 cupsd_requote(cache
, CacheDir
, sizeof(cache
));
304 cupsd_requote(request
, RequestRoot
, sizeof(request
));
305 cupsd_requote(root
, ServerRoot
, sizeof(root
));
306 cupsd_requote(temp
, TempDir
, sizeof(temp
));
308 cupsFilePuts(fp
, "(version 1)\n");
309 if (LogLevel
>= CUPSD_LOG_DEBUG
)
310 cupsFilePuts(fp
, "(debug deny)\n");
311 cupsFilePuts(fp
, "(allow default)\n");
313 "(deny file-write* file-read-data file-read-metadata\n"
315 " #\"^%s$\"" /* RequestRoot */
316 " #\"^%s/\"" /* RequestRoot/... */
321 "(deny file-write* file-read-data file-read-metadata\n"
327 "(deny file-write*\n"
329 " #\"^%s$\"" /* ServerRoot */
330 " #\"^%s/\"" /* ServerRoot/... */
331 " #\"^/private/etc$\""
332 " #\"^/private/etc/\""
333 " #\"^/usr/local/etc$\""
334 " #\"^/usr/local/etc/\""
341 /* Specifically allow applications to stat RequestRoot */
343 "(allow file-read-metadata\n"
345 " #\"^%s$\"" /* RequestRoot */
349 "(allow file-write* file-read-data file-read-metadata\n"
351 " #\"^%s$\"" /* TempDir */
352 " #\"^%s/\"" /* TempDir/... */
353 " #\"^%s$\"" /* CacheDir */
354 " #\"^%s/\"" /* CacheDir/... */
355 " #\"^%s/Library$\"" /* RequestRoot/Library */
356 " #\"^%s/Library/\"" /* RequestRoot/Library/... */
357 " #\"^/Library/Application Support/\""
358 " #\"^/Library/Caches/\""
359 " #\"^/Library/Preferences/\""
360 " #\"^/Library/Printers/.*/\""
361 " #\"^/Users/Shared/\""
363 temp
, temp
, cache
, cache
, request
, request
);
365 "(deny file-write*\n"
367 " #\"^/Library/Printers/PPDs$\""
368 " #\"^/Library/Printers/PPDs/\""
369 " #\"^/Library/Printers/PPD Plugins$\""
370 " #\"^/Library/Printers/PPD Plugins/\""
375 * Allow job filters to read the spool file(s)...
379 "(allow file-read-data file-read-metadata\n"
380 " (regex #\"^%s/([ac]%05d|d%05d-[0-9][0-9][0-9])$\"))\n",
381 request
, job_id
, job_id
);
386 * Allow email notifications from notifiers...
390 "(allow process-exec\n"
391 " (literal \"/usr/sbin/sendmail\")\n"
392 " (with no-sandbox)\n"
398 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdCreateProfile(job_id=%d) = \"%s\"",
400 return ((void *)strdup(profile
));
403 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdCreateProfile(job_id=%d) = NULL",
407 #endif /* HAVE_SANDBOX_H */
412 * 'cupsdDestroyProfile()' - Delete an execution profile.
416 cupsdDestroyProfile(void *profile
) /* I - Profile */
418 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdDeleteProfile(profile=\"%s\")",
419 profile
? (char *)profile
: "(null)");
421 #ifdef HAVE_SANDBOX_H
424 unlink((char *)profile
);
427 #endif /* HAVE_SANDBOX_H */
432 * 'cupsdEndProcess()' - End a process.
435 int /* O - 0 on success, -1 on failure */
436 cupsdEndProcess(int pid
, /* I - Process ID */
437 int force
) /* I - Force child to die */
439 cupsdLogMessage(CUPSD_LOG_DEBUG2
, "cupsdEndProcess(pid=%d, force=%d)", pid
,
445 return (kill(pid
, SIGKILL
));
447 return (kill(pid
, SIGTERM
));
452 * 'cupsdFinishProcess()' - Finish a process and get its name.
455 const char * /* O - Process name */
456 cupsdFinishProcess(int pid
, /* I - Process ID */
457 char *name
, /* I - Name buffer */
458 int namelen
, /* I - Size of name buffer */
459 int *job_id
) /* O - Job ID pointer or NULL */
461 cupsd_proc_t key
, /* Search key */
462 *proc
; /* Matching process */
467 if ((proc
= (cupsd_proc_t
*)cupsArrayFind(process_array
, &key
)) != NULL
)
470 *job_id
= proc
->job_id
;
472 strlcpy(name
, proc
->name
, namelen
);
473 cupsArrayRemove(process_array
, proc
);
481 strlcpy(name
, "unknown", namelen
);
484 cupsdLogMessage(CUPSD_LOG_DEBUG2
,
485 "cupsdFinishProcess(pid=%d, name=%p, namelen=%d, "
486 "job_id=%p(%d)) = \"%s\"", pid
, name
, namelen
, job_id
,
487 job_id
? *job_id
: 0, name
);
494 * 'cupsdStartProcess()' - Start a process.
497 int /* O - Process ID or 0 */
499 const char *command
, /* I - Full path to command */
500 char *argv
[], /* I - Command-line arguments */
501 char *envp
[], /* I - Environment */
502 int infd
, /* I - Standard input file descriptor */
503 int outfd
, /* I - Standard output file descriptor */
504 int errfd
, /* I - Standard error file descriptor */
505 int backfd
, /* I - Backchannel file descriptor */
506 int sidefd
, /* I - Sidechannel file descriptor */
507 int root
, /* I - Run as root? */
508 void *profile
, /* I - Security profile to use */
509 cupsd_job_t
*job
, /* I - Job associated with process */
510 int *pid
) /* O - Process ID */
512 int i
; /* Looping var */
513 const char *exec_path
= command
; /* Command to be exec'd */
514 char *real_argv
[103], /* Real command-line arguments */
515 cups_exec
[1024]; /* Path to "cups-exec" program */
516 int user
; /* Command UID */
517 cupsd_proc_t
*proc
; /* New process record */
518 #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
519 struct sigaction action
; /* POSIX signal handler */
520 #endif /* HAVE_SIGACTION && !HAVE_SIGSET */
521 #if defined(__APPLE__)
522 char processPath
[1024], /* CFProcessPath environment variable */
523 linkpath
[1024]; /* Link path for symlinks... */
524 int linkbytes
; /* Bytes for link path */
525 #endif /* __APPLE__ */
531 * Figure out the UID for the child process...
542 * Check the permissions of the command we are running...
545 if (!cupsdCheckProgram(command
, job
? job
->printer
: NULL
))
548 #if defined(__APPLE__)
552 * Add special voodoo magic for Mac OS X - this allows Mac OS X
553 * programs to access their bundle resources properly...
556 if ((linkbytes
= readlink(command
, linkpath
, sizeof(linkpath
) - 1)) > 0)
559 * Yes, this is a symlink to the actual program, nul-terminate and
563 linkpath
[linkbytes
] = '\0';
565 if (linkpath
[0] == '/')
566 snprintf(processPath
, sizeof(processPath
), "CFProcessPath=%s",
569 snprintf(processPath
, sizeof(processPath
), "CFProcessPath=%s/%s",
570 dirname((char *)command
), linkpath
);
573 snprintf(processPath
, sizeof(processPath
), "CFProcessPath=%s", command
);
575 envp
[0] = processPath
; /* Replace <CFProcessPath> string */
577 #endif /* __APPLE__ */
580 * Use helper program when we have a sandbox profile...
585 snprintf(cups_exec
, sizeof(cups_exec
), "%s/daemon/cups-exec", ServerBin
);
587 real_argv
[0] = cups_exec
;
588 real_argv
[1] = profile
;
589 real_argv
[2] = (char *)command
;
592 i
< (int)(sizeof(real_argv
) / sizeof(real_argv
[0]) - 4) && argv
[i
];
594 real_argv
[i
+ 3] = argv
[i
];
596 real_argv
[i
+ 3] = NULL
;
599 exec_path
= cups_exec
;
603 * Block signals before forking...
608 if ((*pid
= fork()) == 0)
611 * Child process goes here...
613 * Update stdin/stdout/stderr as needed...
619 infd
= open("/dev/null", O_RDONLY
);
631 outfd
= open("/dev/null", O_WRONLY
);
643 errfd
= open("/dev/null", O_WRONLY
);
652 if (backfd
!= 3 && backfd
>= 0)
656 fcntl(3, F_SETFL
, O_NDELAY
);
659 if (sidefd
!= 4 && sidefd
>= 0)
663 fcntl(4, F_SETFL
, O_NDELAY
);
667 * Change the priority of the process based on the FilterNice setting.
668 * (this is not done for root processes...)
675 * Change user to something "safe"...
678 if (!root
&& !RunUser
)
681 * Running as root, so change to non-priviledged user...
687 if (setgroups(1, &Group
))
696 * Reset group membership to just the main one we belong to.
699 if (setgid(Group
) && !RunUser
)
702 if (setgroups(1, &Group
) && !RunUser
)
707 * Change umask to restrict permissions on created files...
713 * Unblock signals before doing the exec...
717 sigset(SIGTERM
, SIG_DFL
);
718 sigset(SIGCHLD
, SIG_DFL
);
719 sigset(SIGPIPE
, SIG_DFL
);
720 #elif defined(HAVE_SIGACTION)
721 memset(&action
, 0, sizeof(action
));
723 sigemptyset(&action
.sa_mask
);
724 action
.sa_handler
= SIG_DFL
;
726 sigaction(SIGTERM
, &action
, NULL
);
727 sigaction(SIGCHLD
, &action
, NULL
);
728 sigaction(SIGPIPE
, &action
, NULL
);
730 signal(SIGTERM
, SIG_DFL
);
731 signal(SIGCHLD
, SIG_DFL
);
732 signal(SIGPIPE
, SIG_DFL
);
733 #endif /* HAVE_SIGSET */
735 cupsdReleaseSignals();
738 * Execute the command; if for some reason this doesn't work, log an error
739 * exit with a non-zero value...
743 execve(exec_path
, argv
, envp
);
745 execv(exec_path
, argv
);
754 * Error - couldn't fork a new process!
757 cupsdLogMessage(CUPSD_LOG_ERROR
, "Unable to fork %s - %s.", command
,
765 process_array
= cupsArrayNew((cups_array_func_t
)compare_procs
, NULL
);
769 if ((proc
= calloc(1, sizeof(cupsd_proc_t
) + strlen(command
))) != NULL
)
772 proc
->job_id
= job
? job
->id
: 0;
773 _cups_strcpy(proc
->name
, command
);
775 cupsArrayAdd(process_array
, proc
);
780 cupsdReleaseSignals();
782 cupsdLogMessage(CUPSD_LOG_DEBUG2
,
783 "cupsdStartProcess(command=\"%s\", argv=%p, envp=%p, "
784 "infd=%d, outfd=%d, errfd=%d, backfd=%d, sidefd=%d, root=%d, "
785 "profile=%p, job=%p(%d), pid=%p) = %d",
786 command
, argv
, envp
, infd
, outfd
, errfd
, backfd
, sidefd
,
787 root
, profile
, job
, job
? job
->id
: 0, pid
, *pid
);
794 * 'compare_procs()' - Compare two processes.
797 static int /* O - Result of comparison */
798 compare_procs(cupsd_proc_t
*a
, /* I - First process */
799 cupsd_proc_t
*b
) /* I - Second process */
801 return (a
->pid
- b
->pid
);
805 #ifdef HAVE_SANDBOX_H
807 * 'cupsd_requote()' - Make a regular-expression version of a string.
810 static char * /* O - Quoted string */
811 cupsd_requote(char *dst
, /* I - Destination buffer */
812 const char *src
, /* I - Source string */
813 size_t dstsize
) /* I - Size of destination buffer */
815 int ch
; /* Current character */
816 char *dstptr
, /* Current position in buffer */
817 *dstend
; /* End of destination buffer */
821 dstend
= dst
+ dstsize
- 2;
823 while (*src
&& dstptr
< dstend
)
827 if (strchr(".?*()[]^$\\", ch
))
837 #endif /* HAVE_SANDBOX_H */