// StartdCronJob initializer
int
ClassAdCronJob::Initialize( void )
{
// Build my interface version environment (but, I need a 'name' to do it)
const MyString &mgr_name_uc = Params().GetMgrNameUc( );
if ( mgr_name_uc.Length() ) {
MyString env_name;
env_name = Params().GetMgrNameUc();
env_name += "_INTERFACE_VERSION";
m_classad_env.SetEnv( env_name, INTERFACE_VERSION );
env_name = get_mySubSystem()->getName( );
env_name += "_CRON_NAME";
m_classad_env.SetEnv( env_name, Mgr().GetName() );
}
if ( Params().GetConfigValProg().Length() && mgr_name_uc.Length() ) {
MyString env_name;
env_name = mgr_name_uc;
env_name += "_CONFIG_VAL";
m_classad_env.SetEnv( env_name, Params().GetConfigValProg() );
}
RwParams().AddEnv( m_classad_env );
// And, run the "main" Initialize function
return CronJob::Initialize( );
}
/*static */ FILESQL *
FILESQL::createInstance(bool use_sql_log) {
FILESQL *ptr = NULL;
MyString outfilename = "";
MyString param_name;
param_name.formatstr("%s_SQLLOG", get_mySubSystem()->getName());
char *tmp = param(param_name.Value());
if( tmp ) {
outfilename = tmp;
free(tmp);
}
else {
tmp = param ("LOG");
if (tmp) {
outfilename.formatstr("%s/sql.log", tmp);
free(tmp);
}
else {
outfilename.formatstr("sql.log");
}
}
ptr = new FILESQL(outfilename.Value(), O_WRONLY|O_CREAT|O_APPEND, use_sql_log);
if (ptr->file_open() == QUILL_FAILURE) {
dprintf(D_ALWAYS, "FILESQL createInstance failed\n");
}
return ptr;
}
bool
CCBListener::RegisterWithCCBServer(bool blocking)
{
ClassAd msg;
if( m_waiting_for_connect || m_reconnect_timer != -1 || m_waiting_for_registration || m_registered) {
// already registered or being registered
return m_registered;
}
msg.Assign( ATTR_COMMAND, CCB_REGISTER );
if( !m_ccbid.IsEmpty() ) {
// we are reconnecting; trying to preserve ccbid so that prospective
// clients with stale information can still contact us
msg.Assign( ATTR_CCBID, m_ccbid.Value() );
msg.Assign( ATTR_CLAIM_ID, m_reconnect_cookie.Value() );
}
// for debugging purposes only, identify ourselves to the CCB server
MyString name;
name.formatstr("%s %s",get_mySubSystem()->getName(),daemonCore->publicNetworkIpAddr());
msg.Assign( ATTR_NAME, name.Value() );
bool success = SendMsgToCCB(msg,blocking);
if( success ) {
if( blocking ) {
success = ReadMsgFromCCB();
}
else {
// now we wait for CCB server to respond with our CCBID
m_waiting_for_registration = true;
}
}
return success;
}
void
JobInfoCommunicator::writeExecutionVisa( ClassAd& visa_ad )
{
int value;
if (!job_ad->EvalBool(ATTR_WANT_STARTER_EXECUTION_VISA, NULL, value) ||
!value)
{
return;
}
MyString iwd;
if (!job_ad->LookupString(ATTR_JOB_IWD, iwd)) {
dprintf(D_ALWAYS,
"writeExecutionVisa error: no IWD in job ad!\n");
return;
}
priv_state priv = set_user_priv();
MyString filename;
bool ok = classad_visa_write(&visa_ad,
get_mySubSystem()->getName(),
daemonCore->InfoCommandSinfulString(),
iwd.Value(),
&filename);
set_priv(priv);
if (ok) {
addToOutputFiles(filename.Value());
}
}
int Condor_Auth_Kerberos :: authenticate(const char * /* remoteHost */, CondorError* /* errstack */, bool /*non_blocking*/)
{
int status = 0;
if ( mySock_->isClient() ) {
// we are the client.
// initialize everything if needed.
if (init_kerberos_context() && init_server_info()) {
if (isDaemon() || get_mySubSystem()->isDaemon() ) {
status = init_daemon();
} else {
status = init_user();
}
} else {
status = FALSE;
}
int message = (status == TRUE? KERBEROS_PROCEED : KERBEROS_ABORT);
mySock_->encode();
if (!mySock_->code(message) || !mySock_->end_of_message()) {
status = FALSE;
} else {
if (message == KERBEROS_PROCEED) {
// We are ready to go
status = authenticate_client_kerberos();
} else {
status = FALSE;
}
}
} else {
// we are the server.
int ready;
mySock_->decode();
if (!mySock_->code(ready) || !mySock_->end_of_message()) {
status = FALSE;
} else {
if (ready == KERBEROS_PROCEED) {
dprintf(D_SECURITY,"About to authenticate client using Kerberos\n" );
// initialize everything if needed.
if (init_kerberos_context() && init_server_info()) {
status = authenticate_server_kerberos();
} else {
status = FALSE;
}
}
}
}
return( status );
}
MyString
SharedPortClient::myName()
{
// This is purely for debugging purposes.
// It is who we say we are when talking to the shared port server.
MyString name;
name = get_mySubSystem()->getName();
if( daemonCoreSockAdapter.isEnabled() ) {
name += " ";
name += daemonCoreSockAdapter.publicNetworkIpAddr();
}
return name;
}
/*ARGSUSED*/
int
main(int argc, char *argv[] )
{
char *tmp = NULL;
int reserved_swap, free_swap;
char *host = NULL, *cluster = NULL, *proc = NULL;
char *bogus_capability;
int i;
set_mySubSystem( "SHADOW", SUBSYSTEM_TYPE_SHADOW );
myDistro->Init( argc, argv );
if( argc == 2 && strncasecmp(argv[1], "-cl", 3) == MATCH ) {
printClassAd();
exit( 0 );
}
#if defined(SYSCALL_DEBUG)
SyscallLabel = argv[0] + 7;
#endif
#if !defined(WIN32)
install_sig_handler(SIGPIPE, (SIG_HANDLER)SIG_IGN );
#endif
if( argc > 1 ) {
if( strcmp("-t",argv[1]) == MATCH ) {
Termlog = 1;
argv++;
argc--;
}
}
ShadowBDate = LastRestartTime = time(0);
_EXCEPT_Cleanup = ExceptCleanup;
MyPid = getpid();
config();
/* Start up with condor.condor privileges. */
/*
we need to do this AFTER we call config() so that if CONDOR_IDS
is being defined in the config file, we'll get the right value
*/
set_condor_priv();
if(Termlog)
dprintf_set_tool_debug(get_mySubSystem()->getName(), 0);
else
dprintf_config( get_mySubSystem()->getName() );
DebugId = whoami;
// create a database connection object
dprintf( D_ALWAYS, "******* Standard Shadow starting up *******\n" );
dprintf( D_ALWAYS, "** %s\n", CondorVersion() );
dprintf( D_ALWAYS, "** %s\n", CondorPlatform() );
dprintf( D_ALWAYS, "*******************************************\n" );
reserved_swap = param_integer("RESERVED_SWAP", 0);
reserved_swap *= 1024; /* megabytes -> kb */
bool use_sql_log = param_boolean("QUILL_USE_SQL_LOG", false);
FILEObj = FILESQL::createInstance(use_sql_log);
free_swap = sysapi_swap_space();
dprintf( D_FULLDEBUG, "*** Reserved Swap = %d\n", reserved_swap );
dprintf( D_FULLDEBUG, "*** Free Swap = %d\n", free_swap );
if( reserved_swap && free_swap < reserved_swap ) {
dprintf( D_ALWAYS, "Not enough reserved swap space\n" );
if(FILEObj) {
delete FILEObj;
}
exit( JOB_NO_MEM );
}
dprintf(D_ALWAYS, "uid=%d, euid=%d, gid=%d, egid=%d\n",
getuid(), geteuid(), getgid(), getegid());
dprintf(D_FULLDEBUG, "argc = %d\n", argc);
for(i = 0; i < argc; i++)
{
dprintf(D_FULLDEBUG, "argv[%d] = %s\n", i, argv[i]);
}
if( argc < 6 ) {
usage();
}
if (param_boolean("SHADOW_DEBUG_WAIT", false, false)) {
int debug_wait = 1;
dprintf(D_ALWAYS,
"SHADOW_DEBUG_WAIT is TRUE, waiting for debugger to attach to pid %d.\n",
(int)::getpid());
while (debug_wait) {
sleep(1);
}
}
CheckSpoolVersion(SPOOL_MIN_VERSION_SHADOW_SUPPORTS,SPOOL_CUR_VERSION_SHADOW_SUPPORTS);
if( strcmp("-pipe",argv[1]) == 0 ) {
bogus_capability = argv[2];
cluster = argv[3];
proc = argv[4];
// read the big comment in the function for why this is here.
RemoveNewShadowDroppings(cluster, proc);
pipe_setup( cluster, proc, bogus_capability );
} else {
schedd = argv[1];
host = argv[2];
bogus_capability = argv[3];
cluster = argv[4];
proc = argv[5];
if ( argc > 6 ) {
IpcFile = argv[6];
dprintf(D_FULLDEBUG,"Setting IpcFile to %s\n",IpcFile);
} else {
IpcFile = NULL;
}
// read the big comment in the function for why this is here.
RemoveNewShadowDroppings(cluster, proc);
regular_setup( host, cluster, proc );
}
scheddName = getenv( EnvGetName( ENV_SCHEDD_NAME ) );
#if 0
/* Don't want to share log file lock between child and pnarent */
(void)close( LockFd );
LockFd = -1;
#endif
// initialize the user log
initializeUserLog();
My_Filesystem_Domain = param( "FILESYSTEM_DOMAIN" );
dprintf( D_ALWAYS, "My_Filesystem_Domain = \"%s\"\n",
My_Filesystem_Domain );
My_UID_Domain = param( "UID_DOMAIN" );
dprintf( D_ALWAYS, "My_UID_Domain = \"%s\"\n", My_UID_Domain );
UseAFS = param_boolean_crufty( "USE_AFS", false ) ? TRUE : FALSE;
UseNFS = param_boolean_crufty( "USE_NFS", false ) ? TRUE : FALSE;
// if job specifies a checkpoint server host, this overrides
// the config file parameters
tmp = NULL;
if (JobAd->LookupString(ATTR_CKPT_SERVER, &tmp) == 1) {
if (CkptServerHost) free(CkptServerHost);
UseCkptServer = TRUE;
CkptServerHost = strdup(tmp);
StarterChoosesCkptServer = FALSE;
free(tmp);
} else {
free(tmp);
if (CkptServerHost) {
free(CkptServerHost);
}
CkptServerHost = param( "CKPT_SERVER_HOST" );
UseCkptServer = FALSE;
if( CkptServerHost && param_boolean_crufty( "USE_CKPT_SERVER", true ) ) {
UseCkptServer = TRUE;
}
StarterChoosesCkptServer =
param_boolean_crufty("STARTER_CHOOSES_CKPT_SERVER", true) ? TRUE : FALSE;
}
// Initialize location of our checkpoint file. If we stored it
// on a checkpoint server then set LastCkptServer. Otherwise,
// LastCkptServer should be NULL to indicate that we should
// look on the local disk for our checkpoint file.
LastCkptServer = NULL;
if (JobAd->LookupString(ATTR_LAST_CKPT_SERVER,
&LastCkptServer) == 0) {
free(LastCkptServer);
LastCkptServer = NULL;
}
// LIGO
if (param_boolean("ALWAYS_USE_LOCAL_CKPT_SERVER", false)) {
if (LastCkptServer) {
char *remoteHost = NULL;
JobAd->LookupString(ATTR_REMOTE_HOST, &remoteHost);
char *machineName = strrchr(remoteHost, '@');
if (machineName == NULL) {
machineName = remoteHost;
} else {
machineName++;
}
LastCkptServer = strdup(machineName);
CkptServerHost = strdup(machineName);
dprintf(D_ALWAYS, "ALWAYS_USE_LOCAL_CKPT_SERVER is true, forcing LastCkptServer to %s\n", LastCkptServer);
} else {
dprintf(D_ALWAYS, "ALWAYS_USE_LOCAL_CKPT_SERVER is true, but checkpoint is not on server, restoring file local file\n");
}
}
MaxDiscardedRunTime = param_integer( "MAX_DISCARDED_RUN_TIME", 3600 );
CompressPeriodicCkpt = param_boolean( "COMPRESS_PERIODIC_CKPT", false );
PeriodicSync = param_boolean( "PERIODIC_MEMORY_SYNC", false );
CompressVacateCkpt = param_boolean( "COMPRESS_VACATE_CKPT", false );
SlowCkptSpeed = param_integer( "SLOW_CKPT_SPEED", 0 );
// Install signal handlers such that all signals are blocked when inside
// the handler.
sigset_t fullset;
sigfillset(&fullset);
install_sig_handler_with_mask( SIGCHLD,&fullset, reaper );
// SIGUSR1 is sent by the schedd when a job is removed with
// condor_rm.
install_sig_handler_with_mask( SIGUSR1, &fullset, handle_sigusr1 );
// SIGQUIT is sent for a fast shutdow.
install_sig_handler_with_mask( SIGQUIT, &fullset, handle_sigquit );
// SIGTERM is sent for a graceful shutdow.
install_sig_handler_with_mask( SIGTERM, &fullset, handle_sigterm );
/* Here we block the async signals. We do this mainly because on HPUX,
* XDR wigs out if it is interrupted by a signal. We do it on all
* platforms because it seems like a safe idea. We unblock the signals
* during before select(), which is where we spend most of our time. */
block_signal(SIGCHLD);
block_signal(SIGUSR1);
/* If the completed job had been committed to the job queue,
but for some reason the shadow exited wierdly and the
schedd is trying to run it again, then simply write
the job termination events and send the email as if the job had
just ended. */
if (terminate_is_pending() == TRUE) {
/* This function will exit()! */
handle_terminate_pending();
}
HandleSyscalls();
Wrapup();
/* HACK! WHOOO!!!!! Throw the old shadow away already! */
/* This will figure out whether or not the job should go on hold AFTER the
job has exited for whatever reason, or if the job should be allowed
to exit. It modifies ExitReason approriately for job holding, or, get
this, just EXCEPTs if the jobs is supposed to go into idle state and
not leave. :) */
/* Small change by Todd : only check the static policy if the job really
exited of its own accord -- we don't want to even evaluate the static
policy if the job exited because it was preempted, for instance */
if (check_static_policy &&
(ExitReason == JOB_EXITED || ExitReason == JOB_KILLED
|| ExitReason == JOB_COREDUMPED))
{
static_policy();
}
if( My_UID_Domain ) {
free( My_UID_Domain );
}
if( My_Filesystem_Domain ) {
free( My_Filesystem_Domain );
}
if(FILEObj) {
delete FILEObj;
}
dprintf( D_ALWAYS, "********** Shadow Exiting(%d) **********\n",
ExitReason );
exit( ExitReason );
}
void
main_pre_dc_init( int argc, char* argv[] )
{
param_functions *p_funcs = NULL;
// figure out what get_mySubSystem() should be based on argv[0], or
// if we see "-gridshell" anywhere on the command-line
const char* base = condor_basename(argv[0]);
char const *tmp;
tmp = strrchr(base, '_' );
if( tmp && strncasecmp(tmp, "_gridshell", 10) == MATCH ) {
get_mySubSystem()->setName( "GRIDSHELL" );
is_gridshell = true;
} else {
int i, len;
for( i=1; i<argc; i++ ) {
len = strlen(argv[i]);
if( len < 3 ) {
// ambiguous, bail out, since we don't want to get
// confused with just "-" or something
continue;
}
if( strncasecmp(argv[i], "-gridshell", MIN(len,10)) == MATCH ) {
get_mySubSystem()->setName( "GRIDSHELL" );
is_gridshell = true;
break;
}
}
}
if( ! is_gridshell ) {
get_mySubSystem()->setName( "STARTER" );
}
// if we were passed "-classad", just print our classad and
// exit, without going back to daemoncore or anything. we
// need to do this *after* we set get_mySubSystem(), since this ends
// up calling functions that rely on it being defined...
if( argc == 2 && strncasecmp(argv[1],"-cla",4) == MATCH ) {
// needed for Java stuff
config(true);
// Would like to log errors to stderr if stderr is not
// /dev/null to make it easier for users to debug, but not
// sure how to do that on windows. On Windows, when
// condor_starter is run by the startd, setting Termlog=1
// causes a dprintf to abort with an error if any calls to
// dprintf() are made in a debug level that is turned on.
// I have not found a way to detect when stderr is in this
// state, so I am just leaving Termlog turned off in all
// cases.
//Termlog = 1;
p_funcs = get_param_functions();
dprintf_config(get_mySubSystem()->getName(), p_funcs);
printClassAd();
exit(0);
}
// if we're still here, stash the cwd for future reference
MyString cwd;
if( ! condor_getcwd(cwd)) {
dprintf( D_ALWAYS, "ERROR calling getcwd(): %s (errno %d)\n",
strerror(errno), errno );
} else {
orig_cwd = strdup(cwd.Value());
}
// if we're the gridshell, assume a "-f" option. all that
// does in DaemonCore-land is set a global variable, so we'll
// just do that here, ourselves...
if( is_gridshell ) {
Foreground = 1;
}
// finally, dup() our standard file streams, so we can pass
// those onto the actual user job if requested.
starter_stdin_fd = dup( 0 );
starter_stdout_fd = dup( 1 );
starter_stderr_fd = dup( 2 );
}
bool
SharedPortEndpoint::UseSharedPort(MyString *why_not,bool already_open)
{
#ifndef HAVE_SHARED_PORT
if( why_not ) {
*why_not = "shared ports not supported on this platform";
}
return false;
#else
// The shared port server itself should not try to operate as
// a shared point endpoint, since it needs to be the one
// daemon with its own port.
// This subsys check is appropriate for when we are inside of
// the daemon in question, not when we are the master trying
// to decide whether to create a shared port for our child.
// In the latter case, other methods are used to determine
// that a shared port should not be used.
bool never_use_shared_port =
get_mySubSystem()->isType(SUBSYSTEM_TYPE_SHARED_PORT);
if( never_use_shared_port ) {
if( why_not ) {
*why_not = "this daemon requires its own port";
}
return false;
}
if( !param_boolean("USE_SHARED_PORT",false) ) {
if( why_not ) {
*why_not = "USE_SHARED_PORT=false";
}
return false;
}
if( already_open ) {
// skip following tests of writability of daemon socket dir,
// since we already have a socket (perhaps created for us by
// our parent)
return true;
}
#ifdef WIN32
return true;
#endif
if( can_switch_ids() ) {
// If we are running as root, assume that we will be able to
// write to the daemon socket dir (as condor). If we can't,
// it is better to try and fail so that the admin will see
// that something is broken.
return true;
}
// If we can write to the daemon socket directory, we can use
// the shared port service. Cache this result briefly so we
// don't check access too often when spawning lots of children.
// Invalidate the cache both forwards and backwards in time in
// case of system clock jumps.
static bool cached_result = false;
static time_t cached_time = 0;
time_t now = time(NULL);
if( abs((int)now-(int)cached_time) > 10 || cached_time==0 || why_not ) {
cached_time = now;
std::string socket_dir;
bool is_file_socket = true;
#ifdef USE_ABSTRACT_DOMAIN_SOCKET
is_file_socket = false;
#endif
if (!GetDaemonSocketDir(socket_dir)) {
is_file_socket = true;
if (!GetAltDaemonSocketDir(socket_dir)) {
why_not->formatstr("No DAEMON_SOCKET_DIR is available.\n");
cached_result = false;
return cached_result;
}
}
if (!is_file_socket) {
cached_result = true;
return cached_result;
}
cached_result = access(socket_dir.c_str(),W_OK)==0;
if( !cached_result && errno == ENOENT )
{
// if socket_dir doesn't exist, see if we are allowed to
// create it
char *parent_dir = condor_dirname( socket_dir.c_str() );
if( parent_dir ) {
cached_result = access(parent_dir,W_OK)==0;
free( parent_dir );
}
}
if( !cached_result && why_not ) {
why_not->formatstr("cannot write to %s: %s",
socket_dir.c_str(),
strerror(errno));
}
}
return cached_result;
#endif
}
SubsystemType get_mySubSystemType(void) {
return get_mySubSystem()->getType();
}
const char* get_mySubSystemName(void) {
return get_mySubSystem()->getName();
}
int
IpVerify::Init()
{
char *pAllow = NULL, *pDeny = NULL, *pOldAllow = NULL, *pOldDeny = NULL,
*pNewAllow = NULL, *pNewDeny = NULL;
DCpermission perm;
const char* const ssysname = get_mySubSystem()->getName();
did_init = TRUE;
// Make sure that perm_mask_t is big enough to hold all possible
// results of allow_mask() and deny_mask().
ASSERT( sizeof(perm_mask_t)*8 - 2 > LAST_PERM );
// Clear the Permission Hash Table in case re-initializing
if (PermHashTable) {
// iterate through the table and delete the entries
struct in6_addr key;
UserPerm_t * value;
PermHashTable->startIterations();
while (PermHashTable->iterate(key, value)) {
delete value;
}
PermHashTable->clear();
}
// and Clear the Permission Type Array
for (perm=FIRST_PERM; perm<LAST_PERM; perm=NEXT_PERM(perm)) {
if ( PermTypeArray[perm] ) {
delete PermTypeArray[perm];
PermTypeArray[perm] = NULL;
}
}
// This is the new stuff
for ( perm=FIRST_PERM; perm < LAST_PERM; perm=NEXT_PERM(perm) ) {
PermTypeEntry* pentry = new PermTypeEntry();
ASSERT( pentry );
PermTypeArray[perm] = pentry;
MyString allow_param, deny_param;
dprintf(D_SECURITY,"IPVERIFY: Subsystem %s\n",ssysname);
dprintf(D_SECURITY,"IPVERIFY: Permission %s\n",PermString(perm));
if(strcmp(ssysname,"TOOL")==0 || strcmp(ssysname,"SUBMIT")==0){
// to avoid unneccesary DNS activity, the TOOL and SUBMIT
// subsystems only load the CLIENT lists, since they have no
// command port and don't need the other authorization lists.
if(strcmp(PermString(perm),"CLIENT")==0){
pNewAllow = SecMan::getSecSetting("ALLOW_%s",perm,&allow_param, ssysname );
pOldAllow = SecMan::getSecSetting("HOSTALLOW_%s",perm,&allow_param, ssysname );
pNewDeny = SecMan::getSecSetting("DENY_%s",perm,&deny_param, ssysname );
pOldDeny = SecMan::getSecSetting("HOSTDENY_%s",perm,&deny_param, ssysname );
}
} else {
pNewAllow = SecMan::getSecSetting("ALLOW_%s",perm,&allow_param, ssysname );
pOldAllow = SecMan::getSecSetting("HOSTALLOW_%s",perm,&allow_param, ssysname );
pNewDeny = SecMan::getSecSetting("DENY_%s",perm,&deny_param, ssysname );
pOldDeny = SecMan::getSecSetting("HOSTDENY_%s",perm,&deny_param, ssysname );
}
// concat the two
pAllow = merge(pNewAllow, pOldAllow);
// concat the two
pDeny = merge(pNewDeny, pOldDeny);
if( pAllow ) {
dprintf ( D_SECURITY, "IPVERIFY: allow %s: %s (from config value %s)\n", PermString(perm),pAllow,allow_param.Value());
}
if( pDeny ) {
dprintf ( D_SECURITY, "IPVERIFY: deny %s: %s (from config value %s)\n", PermString(perm),pDeny,deny_param.Value());
}
// Treat a "*", "*/*" for ALLOW_XXX as if it's just undefined,
// because that's the optimized default, except for
// CONFIG_PERM which has a different default (see below).
if( perm != CONFIG_PERM ) {
if(pAllow && (!strcmp(pAllow, "*") || !strcmp(pAllow, "*/*"))) {
free( pAllow );
pAllow = NULL;
}
}
if ( !pAllow && !pDeny ) {
if (perm == CONFIG_PERM) { // deny all CONFIG requests
pentry->behavior = USERVERIFY_DENY; // by default
dprintf( D_SECURITY, "ipverify: %s optimized to deny everyone\n", PermString(perm) );
} else {
pentry->behavior = USERVERIFY_ALLOW;
if( perm != ALLOW ) {
dprintf( D_SECURITY, "ipverify: %s optimized to allow anyone\n", PermString(perm) );
}
}
} else {
if ( pDeny && !pAllow && perm != CONFIG_PERM ) {
pentry->behavior = USERVERIFY_ONLY_DENIES;
} else {
pentry->behavior = USERVERIFY_USE_TABLE;
}
if ( pAllow ) {
fill_table( pentry, pAllow, true );
free(pAllow);
pAllow = NULL;
}
if ( pDeny ) {
fill_table( pentry, pDeny, false );
free(pDeny);
pDeny = NULL;
}
}
if (pAllow) {
free(pAllow);
pAllow = NULL;
}
if (pDeny) {
free(pDeny);
pDeny = NULL;
}
if (pOldAllow) {
free(pOldAllow);
pOldAllow = NULL;
}
if (pOldDeny) {
free(pOldDeny);
pOldDeny = NULL;
}
if (pNewAllow) {
free(pNewAllow);
pNewAllow = NULL;
}
if (pNewDeny) {
free(pNewDeny);
pNewDeny = NULL;
}
}
dprintf(D_FULLDEBUG|D_SECURITY,"Initialized the following authorization table:\n");
if(PermHashTable)
PrintAuthTable(D_FULLDEBUG|D_SECURITY);
return TRUE;
}
int
main( int argc, char* argv[] )
{
int i;
param_functions *p_funcs = NULL;
set_mySubSystem( "DAEMON-TOOL", SUBSYSTEM_TYPE_TOOL );
MyName = argv[0];
myDistro->Init( argc, argv );
FILE *input_fp = stdin;
for( i=1; i<argc; i++ ) {
if( match_prefix( argv[i], "-daemontype" ) ) {
if( argv[i + 1] ) {
get_mySubSystem()->setName( argv[++i] );
get_mySubSystem()->setTypeFromName( );
} else {
usage();
}
} else if( match_prefix( argv[i], "-debug" ) ) {
// dprintf to console
Termlog = 1;
p_funcs = get_param_functions();
dprintf_config( "DAEMON-TOOL", p_funcs );
set_debug_flags(NULL, D_FULLDEBUG|D_SECURITY);
} else if( match_prefix( argv[i], "-" ) ) {
usage();
} else {
usage();
}
}
// If we didn't get told what subsystem we should use, set it
// to "TOOL".
if( !get_mySubSystem()->isNameValid() ) {
get_mySubSystem()->setName( "DAEMON-TOOL" );
}
config( 0, true );
IpVerify ipverify;
MyString line;
while( line.readLine(input_fp) ) {
line.chomp();
if( line.IsEmpty() || line[0] == '#' ) {
printf("%s\n",line.Value());
continue;
}
StringList fields(line.Value()," ");
fields.rewind();
char const *perm_str = fields.next();
char const *fqu = fields.next();
char const *ip = fields.next();
char const *expected = fields.next();
MyString sin_str = generate_sinful(ip, 0);
condor_sockaddr addr;
if( !addr.from_sinful(sin_str) ) {
fprintf(stderr,"Invalid ip address: %s\n",ip);
exit(1);
}
DCpermission perm = StringToDCpermission(perm_str);
if( perm == LAST_PERM ) {
fprintf(stderr,"Invalid permission level: %s\n",perm_str);
exit(1);
}
if( strcmp(fqu,"*") == 0 ) {
fqu = "";
}
char const *result;
MyString reason;
if( ipverify.Verify(perm,addr,fqu,&reason,&reason) != USER_AUTH_SUCCESS ) {
result = "DENIED";
}
else {
result = "ALLOWED";
}
if( expected && strcasecmp(expected,result) != 0 ) {
printf("Got wrong result '%s' for '%s': reason: %s!\n",
result,line.Value(),reason.Value());
printf("Aborting.\n");
exit(1);
}
if( expected ) {
printf("%s\n",line.Value());
}
else {
printf("%s %s\n",line.Value(),result);
}
}
}
bool
UserProc::getStdFile( std_file_type type,
const char* attr,
bool allow_dash,
const char* log_header,
int* out_fd,
MyString* out_name)
{
// we're going to return true on success, false on error.
// if we succeed, then if we have an open FD that should
// be passed down to the job, return it in the descriptor
// argument. otherwise, return -1 in the descriptor
// argument and return the name of the file that should
// be opened for the child in the name argument
ASSERT(out_fd != NULL);
ASSERT(out_name != NULL);
*out_fd = -1;
const char* filename = NULL;
bool wants_stream = false;
const char* stream_name = NULL;
const char* phrase = NULL;
bool is_output = true;
bool is_null_file = false;
///////////////////////////////////////////////////////
// Initialize some settings depending on the type
///////////////////////////////////////////////////////
switch( type ) {
case SFT_IN:
is_output = false;
phrase = "standard input";
stream_name = "stdin";
break;
case SFT_OUT:
is_output = true;
phrase = "standard output";
stream_name = "stdout";
break;
case SFT_ERR:
is_output = true;
phrase = "standard error";
stream_name = "stderr";
break;
default:
EXCEPT("Programmer error in getStdFile, type =%d", type);
}
///////////////////////////////////////////////////////
// Figure out what we're trying to open, if anything
///////////////////////////////////////////////////////
if( m_pre_defined_std_fds[type] != -1 ||
m_pre_defined_std_fnames[type] != NULL )
{
filename = m_pre_defined_std_fnames[type];
*out_fd = m_pre_defined_std_fds[type];
if( *out_fd != -1 ) {
// we must dup() the file descriptor because our caller
// will take ownership of it (i.e. they should close it)
*out_fd = dup(*out_fd);
if( *out_fd == -1 ) {
dprintf(D_ALWAYS,"Failed to dup fd %d for %s\n",
m_pre_defined_std_fds[type],phrase);
return false;
}
}
wants_stream = false;
} else if( attr ) {
filename = Starter->jic->getJobStdFile( attr );
wants_stream = Starter->jic->streamStdFile( attr );
} else {
switch( type ) {
case SFT_IN:
filename = Starter->jic->jobInputFilename();
wants_stream = Starter->jic->streamInput();
break;
case SFT_OUT:
filename = Starter->jic->jobOutputFilename();
wants_stream = Starter->jic->streamOutput();
break;
case SFT_ERR:
filename = Starter->jic->jobErrorFilename();
wants_stream = Starter->jic->streamError();
break;
}
}
if( ! filename && *out_fd == -1) {
// If there's nothing specified, we always want to open
// the system-appropriate NULL file (/dev/null or NUL).
// Otherwise, we can mostly treat this as if the job
// defined a real local filename. For the few cases were
// we have to behave differently, record it in a bool.
filename = NULL_FILE;
is_null_file = true;
}
///////////////////////////////////////////////////////
// Deal with special cases
///////////////////////////////////////////////////////
//////////////////////
// Use streaming I/O
//////////////////////
if( wants_stream && ! is_null_file ) {
StreamHandler *handler = new StreamHandler;
if( !handler->Init(filename, stream_name, is_output) ) {
MyString err_msg;
err_msg.sprintf( "unable to establish %s stream", phrase );
Starter->jic->notifyStarterError( err_msg.Value(), true,
is_output ? CONDOR_HOLD_CODE_UnableToOpenOutputStream :
CONDOR_HOLD_CODE_UnableToOpenInputStream, 0 );
return false;
}
*out_fd = handler->GetJobPipe();
dprintf( D_ALWAYS, "%s: streaming from remote file %s\n",
log_header, filename );
return true;
}
////////////////////////////////////
// Use the starter's equivalent fd
////////////////////////////////////
if( allow_dash && filename && (filename[0] == '-') && !filename[1] )
{
// use the starter's fd
switch( type ) {
case SFT_IN:
*out_fd = Starter->starterStdinFd();
dprintf( D_ALWAYS, "%s: using STDIN of %s\n", log_header,
get_mySubSystem()->getName() );
break;
case SFT_OUT:
*out_fd = Starter->starterStdoutFd();
dprintf( D_ALWAYS, "%s: using STDOUT of %s\n", log_header,
get_mySubSystem()->getName() );
break;
case SFT_ERR:
*out_fd = Starter->starterStderrFd();
dprintf( D_ALWAYS, "%s: using STDERR of %s\n", log_header,
get_mySubSystem()->getName() );
break;
}
return true;
}
///////////////////////////////////////////////////////
// The regular case of a local file
///////////////////////////////////////////////////////
*out_name = filename;
return true;
}
