/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ /* Copyright (c) 1988 AT&T */ /* All Rights Reserved */ #include "lint.h" #include "mtlib.h" #include <sys/types.h> #include <sys/wait.h> #include <signal.h> #include <stdlib.h> #include <wait.h> #include <sys/stat.h> #include <unistd.h> #include <memory.h> #include <thread.h> #include <pthread.h> #include <errno.h> #include <synch.h> #include <spawn.h> #include <paths.h> #include "libc.h" extern const char **_environ; extern int __xpg4; /* defined in _xpg4.c; 0 if not xpg4-compiled program */ extern const sigset_t maskset; /* all maskable signals */ static mutex_t sys_lock = DEFAULTMUTEX; /* protects the following */ static uint_t sys_count = 0; /* number of threads in system() */ static struct sigaction sys_ibuf; /* saved SIGINT sigaction */ static struct sigaction sys_qbuf; /* saved SIGQUIT sigaction */ static struct sigaction ignore = {0, {SIG_IGN}, {0}}; /* * Things needed by the cancellation cleanup handler. */ typedef struct { sigset_t savemask; /* saved signal mask */ pid_t pid; /* if nonzero, the child's pid */ } cleanup_t; /* * Daemon thread whose sole function is to reap an abandoned child. * Also invoked from pclose() (see port/stdio/popen.c). */ void * reapchild(void *arg) { pid_t pid = (pid_t)(uintptr_t)arg; int cancel_state; (void) pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cancel_state); while (waitpid(pid, NULL, 0) == -1) { if (errno != EINTR) break; } (void) pthread_setcancelstate(cancel_state, NULL); return (NULL); } /* * Cancellation cleanup handler. * If we were cancelled in waitpid(), create a daemon thread to * reap our abandoned child. No other thread can do this for us. * It would be better if there were a system call to disinherit * a child process (give it to init, just as though we exited). */ static void cleanup(void *arg) { cleanup_t *cup = arg; if (cup->pid != 0) { /* we were cancelled; abandoning our pid */ (void) thr_sigsetmask(SIG_SETMASK, &maskset, NULL); (void) thr_create(NULL, 0, reapchild, (void *)(uintptr_t)cup->pid, THR_DAEMON, NULL); } lmutex_lock(&sys_lock); if (--sys_count == 0) { /* leaving system() */ /* * There are no remaining threads in system(), so * restore the SIGINT and SIGQUIT signal actions. */ (void) sigaction(SIGINT, &sys_ibuf, NULL); (void) sigaction(SIGQUIT, &sys_qbuf, NULL); } lmutex_unlock(&sys_lock); (void) thr_sigsetmask(SIG_SETMASK, &cup->savemask, NULL); } int system(const char *cmd) { cleanup_t cu; pid_t w; int status; int error; sigset_t mask; struct stat64 buf; const char *shpath = _PATH_BSHELL; char *argv[4]; posix_spawnattr_t attr; static const char *shell = "sh"; if (cmd == NULL) { if (stat64(shpath, &buf) != 0) { return (0); } else if (getuid() == buf.st_uid) { /* exec for user */ if ((buf.st_mode & 0100) == 0) return (0); } else if (getgid() == buf.st_gid) { /* exec for group */ if ((buf.st_mode & 0010) == 0) return (0); } else if ((buf.st_mode & 0001) == 0) { /* exec for others */ return (0); } return (1); } /* * Initialize the posix_spawn() attributes structure. * * The setting of POSIX_SPAWN_WAITPID_NP ensures that no * wait-for-multiple wait() operation will reap our child * and that the child will not be automatically reaped due * to the disposition of SIGCHLD being set to be ignored. * Only a specific wait for the specific pid will be able * to reap the child. Since no other thread knows the pid * of our child, this should be safe enough. * * The POSIX_SPAWN_NOEXECERR_NP flag tells posix_spawn() not * to fail if the shell cannot be executed, but rather cause * a child to be created that simply performs _exit(127). * This is in order to satisfy the Posix requirement on system(): * The system function shall behave as if a child process were * created using fork(), and the child process invoked the sh * utility using execl(). If some error prevents the command * language interpreter from executing after the child process * is created, the return value from system() shall be as if * the command language interpreter had terminated using * exit(127) or _exit(127). */ error = posix_spawnattr_init(&attr); if (error == 0) error = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGMASK | POSIX_SPAWN_SETSIGDEF | POSIX_SPAWN_NOSIGCHLD_NP | POSIX_SPAWN_WAITPID_NP | POSIX_SPAWN_NOEXECERR_NP); /* * The POSIX spec for system() requires us to block SIGCHLD, * the rationale being that the process's signal handler for * SIGCHLD, if any, should not be called when our child exits. * This doesn't work for a multithreaded process because some * other thread could receive the SIGCHLD. * * The above setting of POSIX_SPAWN_NOSIGCHLD_NP ensures that no * SIGCHLD signal will be posted for our child when it exits, so * we don't have to block SIGCHLD to meet the intent of the spec. * We block SIGCHLD anyway, just because the spec requires it. */ (void) sigemptyset(&mask); (void) sigaddset(&mask, SIGCHLD); (void) thr_sigsetmask(SIG_BLOCK, &mask, &cu.savemask); /* * Tell posix_spawn() to restore the signal mask in the child. */ if (error == 0) error = posix_spawnattr_setsigmask(&attr, &cu.savemask); /* * We are required to set the disposition of SIGINT and SIGQUIT * to be ignored for the duration of the system() operation. * * We allow more than one thread to call system() concurrently by * keeping a count of such threads. The signal actions are set * to SIG_IGN when the first thread calls system(). They are * restored in cleanup() when the last thread exits system(). * * However, system() is still MT-unsafe because sigaction() has * a process-wide effect and some other thread may also be * setting the signal actions for SIGINT or SIGQUIT. */ lmutex_lock(&sys_lock); if (sys_count++ == 0) { (void) sigaction(SIGINT, &ignore, &sys_ibuf); (void) sigaction(SIGQUIT, &ignore, &sys_qbuf); } lmutex_unlock(&sys_lock); /* * If SIGINT and SIGQUIT were not already SIG_IGN, tell * posix_spawn() to make them SIG_DFL in the child, * else leave them as SIG_IGN in the child. */ (void) sigemptyset(&mask); if (sys_ibuf.sa_handler != SIG_IGN) (void) sigaddset(&mask, SIGINT); if (sys_qbuf.sa_handler != SIG_IGN) (void) sigaddset(&mask, SIGQUIT); if (error == 0) error = posix_spawnattr_setsigdefault(&attr, &mask); argv[0] = (char *)shell; argv[1] = "-c"; argv[2] = (char *)cmd; argv[3] = NULL; if (error == 0) error = posix_spawn(&cu.pid, shpath, NULL, &attr, (char *const *)argv, (char *const *)_environ); (void) posix_spawnattr_destroy(&attr); if (error) { errno = error; status = -1; } else { /* * system() is a cancellation point and so is waitpid(). */ pthread_cleanup_push(cleanup, &cu); do { w = waitpid(cu.pid, &status, 0); } while (w == -1 && errno == EINTR); pthread_cleanup_pop(0); if (w == -1) status = -1; } error = errno; cu.pid = 0; cleanup(&cu); errno = error; return (status); }
