sudo/lib/util/closefrom.c

/*
 * Copyright (c) 2004-2005, 2007, 2010, 2012-2015
 *	Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <config.h>

#ifndef HAVE_CLOSEFROM

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <limits.h>
#ifdef HAVE_PSTAT_GETPROC
# include <sys/pstat.h>
#else
# include <dirent.h>
#endif

#include "sudo_compat.h"

#ifndef _POSIX_OPEN_MAX
# define _POSIX_OPEN_MAX	20
#endif

#if defined(HAVE_FCNTL_CLOSEM) && !defined(HAVE_DIRFD)
# define sudo_closefrom	closefrom_fallback
#endif

/*
 * Close all file descriptors greater than or equal to lowfd.
 * This is the expensive (fallback) method.
 */
void
closefrom_fallback(int lowfd)
{
    long fd, maxfd;

    /*
     * Fall back on sysconf(_SC_OPEN_MAX).  We avoid checking
     * resource limits since it is possible to open a file descriptor
     * and then drop the rlimit such that it is below the open fd.
     */
    maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
	maxfd = _POSIX_OPEN_MAX;

    for (fd = lowfd; fd < maxfd; fd++) {
#ifdef __APPLE__
	/* Avoid potential libdispatch crash when we close its fds. */
	(void) fcntl((int) fd, F_SETFD, FD_CLOEXEC);
#else
	(void) close((int) fd);
#endif
    }
}

/*
 * Close all file descriptors greater than or equal to lowfd.
 * We try the fast way first, falling back on the slow method.
 */
#if defined(HAVE_FCNTL_CLOSEM)
void
sudo_closefrom(int lowfd)
{
    if (fcntl(lowfd, F_CLOSEM, 0) == -1)
	closefrom_fallback(lowfd);
}
#elif defined(HAVE_PSTAT_GETPROC)
void
sudo_closefrom(int lowfd)
{
    struct pst_status pstat;
    int fd;

    if (pstat_getproc(&pstat, sizeof(pstat), 0, getpid()) != -1) {
	for (fd = lowfd; fd <= pstat.pst_highestfd; fd++)
	    (void) close(fd);
    } else {
	closefrom_fallback(lowfd);
    }
}
#elif defined(HAVE_DIRFD)
void
sudo_closefrom(int lowfd)
{
    const char *path;
    DIR *dirp;

    /* Use /proc/self/fd (or /dev/fd on FreeBSD) if it exists. */
# if defined(__FreeBSD__) || defined(__APPLE__)
    path = _PATH_DEV "fd";
# else
    path = "/proc/self/fd";
# endif
    if ((dirp = opendir(path)) != NULL) {
	struct dirent *dent;
	while ((dent = readdir(dirp)) != NULL) {
	    const char *errstr;
	    int fd = strtonum(dent->d_name, lowfd, INT_MAX, &errstr);
	    if (errstr == NULL && fd != dirfd(dirp)) {
# ifdef __APPLE__
		/* Avoid potential libdispatch crash when we close its fds. */
		(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
# else
		(void) close(fd);
# endif
	    }
	}
	(void) closedir(dirp);
    } else
	closefrom_fallback(lowfd);
}
#endif /* HAVE_FCNTL_CLOSEM */
#endif /* HAVE_CLOSEFROM */
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`/*`
Almost no systems actually define OPEN_MAX since it is dynamic on modern OSes. If sysconf(_SC_OPEN_MAX) ever fails, fall back on _POSIX_OPEN_MAX instead. We can assume modern systems have sysconf(). Also remove checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. 2015-02-19 09:59:25 -07:00			`* Copyright (c) 2004-2005, 2007, 2010, 2012-2015`
Update copyright years. 2008-11-09 14:13:13 +00:00			`* Todd C. Miller <Todd.Miller@courtesan.com>`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`*`
More to a less restrictive, ISC-style license. 2004-02-13 21:36:43 +00:00			`* Permission to use, copy, modify, and distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`*`
More to a less restrictive, ISC-style license. 2004-02-13 21:36:43 +00:00			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR`
			`* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN`
			`* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF`
			`* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`*/`

Use: #include <config.h> Not: #include "config.h" That way we get the correct config.h when build dir != src dir 2004-11-19 18:39:14 +00:00			`#include <config.h>`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00
Add guards in compat source files. Not really needed since we only include them in the Makefile if they are needed but should not hurt either. 2013-04-01 10:19:26 -04:00			`#ifndef HAVE_CLOSEFROM`

closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`#include <sys/types.h>`
			`#include <unistd.h>`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`#include <stdio.h>`
We require ANSI C so stop using the obsolete STDC_HEADERS. 2015-06-19 14:29:27 -06:00			`#include <stdlib.h>`
include fcntl.h 2007-06-20 11:06:48 +00:00			`#include <fcntl.h>`
Still need limits.h here. 2013-12-17 14:32:24 -07:00			`#include <limits.h>`
Use pst_highestfd from pstat_getproc() on HP-UX. 2013-03-01 13:01:37 -05:00			`#ifdef HAVE_PSTAT_GETPROC`
			`# include <sys/pstat.h>`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`#else`
We require POSIX so no need to conditionally include dirent.h. Add a check for d_namlen and use the result in the NAMLEN macro. 2015-07-02 09:24:48 -06:00			`# include <dirent.h>`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`#endif`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00
Rename missing.h -> sudo_compat.h 2014-07-22 14:25:16 -06:00			`#include "sudo_compat.h"`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00
Almost no systems actually define OPEN_MAX since it is dynamic on modern OSes. If sysconf(_SC_OPEN_MAX) ever fails, fall back on _POSIX_OPEN_MAX instead. We can assume modern systems have sysconf(). Also remove checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. 2015-02-19 09:59:25 -07:00			`#ifndef _POSIX_OPEN_MAX`
			`# define _POSIX_OPEN_MAX 20`
			`#endif`

Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`#if defined(HAVE_FCNTL_CLOSEM) && !defined(HAVE_DIRFD)`
Prefix all libc replacements with sudo_ and #define the real name to the sudo_ version. That way we don't pollute the libc namespace. 2014-06-26 15:51:08 -06:00			`# define sudo_closefrom closefrom_fallback`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`#endif`

closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`/*`
			`* Close all file descriptors greater than or equal to lowfd.`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`* This is the expensive (fallback) method.`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`*/`
			`void`
Convert to ANSI C 2010-02-27 09:23:25 -05:00			`closefrom_fallback(int lowfd)`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`{`
			`long fd, maxfd;`

			`/*`
Almost no systems actually define OPEN_MAX since it is dynamic on modern OSes. If sysconf(_SC_OPEN_MAX) ever fails, fall back on _POSIX_OPEN_MAX instead. We can assume modern systems have sysconf(). Also remove checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. 2015-02-19 09:59:25 -07:00			`* Fall back on sysconf(_SC_OPEN_MAX). We avoid checking`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`* resource limits since it is possible to open a file descriptor`
			`* and then drop the rlimit such that it is below the open fd.`
			`*/`
			`maxfd = sysconf(_SC_OPEN_MAX);`
			`if (maxfd < 0)`
Almost no systems actually define OPEN_MAX since it is dynamic on modern OSes. If sysconf(_SC_OPEN_MAX) ever fails, fall back on _POSIX_OPEN_MAX instead. We can assume modern systems have sysconf(). Also remove checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. 2015-02-19 09:59:25 -07:00			`maxfd = _POSIX_OPEN_MAX;`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00
Avoid a crash on Mac OS X 10.8 (at least) when we close libdispatch's fds out from under it before executing the command. Switch to just setting the close on exec flag instead. 2013-08-07 15:04:58 -06:00			`for (fd = lowfd; fd < maxfd; fd++) {`
			`#ifdef __APPLE__`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`/* Avoid potential libdispatch crash when we close its fds. */`
Use strtonum() instead of atoi(), strtol() or strtoul() where possible. 2013-12-10 16:23:21 -07:00			`(void) fcntl((int) fd, F_SETFD, FD_CLOEXEC);`
Avoid a crash on Mac OS X 10.8 (at least) when we close libdispatch's fds out from under it before executing the command. Switch to just setting the close on exec flag instead. 2013-08-07 15:04:58 -06:00			`#else`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`(void) close((int) fd);`
Avoid a crash on Mac OS X 10.8 (at least) when we close libdispatch's fds out from under it before executing the command. Switch to just setting the close on exec flag instead. 2013-08-07 15:04:58 -06:00			`#endif`
			`}`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`}`

			`/*`
			`* Close all file descriptors greater than or equal to lowfd.`
			`* We try the fast way first, falling back on the slow method.`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`*/`
Use pst_highestfd from pstat_getproc() on HP-UX. 2013-03-01 13:01:37 -05:00			`#if defined(HAVE_FCNTL_CLOSEM)`
Add fcntl F_CLOSEM support to closefrom(); adapted from a diff by Darren Tucker. 2006-08-17 15:26:54 +00:00			`void`
Prefix all libc replacements with sudo_ and #define the real name to the sudo_ version. That way we don't pollute the libc namespace. 2014-06-26 15:51:08 -06:00			`sudo_closefrom(int lowfd)`
Add fcntl F_CLOSEM support to closefrom(); adapted from a diff by Darren Tucker. 2006-08-17 15:26:54 +00:00			`{`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`if (fcntl(lowfd, F_CLOSEM, 0) == -1)`
			`closefrom_fallback(lowfd);`
Add fcntl F_CLOSEM support to closefrom(); adapted from a diff by Darren Tucker. 2006-08-17 15:26:54 +00:00			`}`
Use pst_highestfd from pstat_getproc() on HP-UX. 2013-03-01 13:01:37 -05:00			`#elif defined(HAVE_PSTAT_GETPROC)`
			`void`
Prefix all libc replacements with sudo_ and #define the real name to the sudo_ version. That way we don't pollute the libc namespace. 2014-06-26 15:51:08 -06:00			`sudo_closefrom(int lowfd)`
Use pst_highestfd from pstat_getproc() on HP-UX. 2013-03-01 13:01:37 -05:00			`{`
			`struct pst_status pstat;`
			`int fd;`

			`if (pstat_getproc(&pstat, sizeof(pstat), 0, getpid()) != -1) {`
			`for (fd = lowfd; fd <= pstat.pst_highestfd; fd++)`
			`(void) close(fd);`
			`} else {`
			`closefrom_fallback(lowfd);`
			`}`
			`}`
			`#elif defined(HAVE_DIRFD)`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`void`
Prefix all libc replacements with sudo_ and #define the real name to the sudo_ version. That way we don't pollute the libc namespace. 2014-06-26 15:51:08 -06:00			`sudo_closefrom(int lowfd)`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`{`
Go back to using /proc/self/fd instead of /proc/$$/fd as only AIX lacks /proc/self and it has F_CLOSEM. 2013-12-17 07:38:20 -07:00			`const char *path;`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`DIR *dirp;`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00
Go back to using /proc/self/fd instead of /proc/$$/fd as only AIX lacks /proc/self and it has F_CLOSEM. 2013-12-17 07:38:20 -07:00			`/* Use /proc/self/fd (or /dev/fd on FreeBSD) if it exists. */`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`# if defined(__FreeBSD__) \|\| defined(__APPLE__)`
Use _PATH_DEV consistently 2017-06-29 18:10:53 -06:00			`path = _PATH_DEV "fd";`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`# else`
Go back to using /proc/self/fd instead of /proc/$$/fd as only AIX lacks /proc/self and it has F_CLOSEM. 2013-12-17 07:38:20 -07:00			`path = "/proc/self/fd";`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`# endif`
			`if ((dirp = opendir(path)) != NULL) {`
			`struct dirent *dent;`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`while ((dent = readdir(dirp)) != NULL) {`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`const char *errstr;`
			`int fd = strtonum(dent->d_name, lowfd, INT_MAX, &errstr);`
Use strtonum() instead of atoi(), strtol() or strtoul() where possible. 2013-12-10 16:23:21 -07:00			`if (errstr == NULL && fd != dirfd(dirp)) {`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`# ifdef __APPLE__`
			`/* Avoid potential libdispatch crash when we close its fds. */`
			`(void) fcntl(fd, F_SETFD, FD_CLOEXEC);`
			`# else`
Use strtonum() instead of atoi(), strtol() or strtoul() where possible. 2013-12-10 16:23:21 -07:00			`(void) close(fd);`
Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. 2013-12-16 16:24:02 -07:00			`# endif`
Use strtonum() instead of atoi(), strtol() or strtoul() where possible. 2013-12-10 16:23:21 -07:00			`}`
If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. 2004-06-01 16:44:14 +00:00			`}`
Only check /proc/$$/fd if we have the dirfd function/macro. 2004-06-01 20:51:56 +00:00			`(void) closedir(dirp);`
			`} else`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`closefrom_fallback(lowfd);`
closefrom(3) for systems w/o it 2004-01-12 18:55:30 +00:00			`}`
Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails 2007-06-09 11:26:43 +00:00			`#endif /* HAVE_FCNTL_CLOSEM */`
Add guards in compat source files. Not really needed since we only include them in the Makefile if they are needed but should not hurt either. 2013-04-01 10:19:26 -04:00			`#endif /* HAVE_CLOSEFROM */`