tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-23 21:55:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

ProcessSpawnImpl(): use POSIX execvp(3), not GNU/OpenBSD-only execvpe(3)

Browse Source 
Modify the fork(2)ed process' env in-place, then call execvp(3).
This commit is contained in:
Alexander A. Klimov 2023-03-03 13:16:16 +01:00
parent a13751d972
commit 643f7f2b7e
2 changed files with 28 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/22-selinux.md
View File

@ -122,7 +122,7 @@ Having this boolean enabled allows icinga2 to connect to all ports. This can be
**icinga2_run_sudo** **icinga2_run_sudo**
To allow Icinga 2 executing plugins via sudo you can toggle this boolean. It is disabled by default, resulting in error messages like `execvpe(sudo) failed: Permission denied`. To allow Icinga 2 executing plugins via sudo you can toggle this boolean. It is disabled by default, resulting in error messages like `execvp(sudo) failed: Permission denied`.
**httpd_can_write_icinga2_command** **httpd_can_write_icinga2_command**
@ -219,7 +219,7 @@ In this case it is the CheckCommand [running_kernel](10-icinga-template-library.
assign where host.name == NodeName assign where host.name == NodeName
} }
Having this Service defined will result in a UNKNOWN state and the error message `execvpe(sudo) failed: Permission denied` because SELinux denying the execution. Having this Service defined will result in a UNKNOWN state and the error message `execvp(sudo) failed: Permission denied` because SELinux denying the execution.
Switching the boolean `icinga2_run_sudo` to allow the execution will result in the check executed successfully. Switching the boolean `icinga2_run_sudo` to allow the execution will result in the check executed successfully.

72
lib/base/process.cpp
View File

@ -15,19 +15,14 @@
#include <boost/thread/once.hpp> #include <boost/thread/once.hpp>
#include <thread> #include <thread>
#include <iostream> #include <iostream>
#include <utility>
#include <vector>
#ifndef _WIN32 #ifndef _WIN32
# include <execvpe.h>
# include <poll.h> # include <poll.h>
# include <signal.h> # include <signal.h>
# include <string.h> # include <string.h>
# include <unistd.h>
# ifndef __APPLE__
extern char **environ;
# else /* __APPLE__ */
# include <crt_externs.h>
# define environ (*_NSGetEnviron())
# endif /* __APPLE__ */
#endif /* _WIN32 */ #endif /* _WIN32 */
using namespace icinga; using namespace icinga;
@ -97,44 +92,18 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
argv[arguments->GetLength()] = nullptr; argv[arguments->GetLength()] = nullptr;
// build envp std::vector<std::pair<String, String>> extraEnv;
int envc = 0;
/* count existing environment variables */
while (environ[envc])
envc++;
auto **envp = new char *[envc + (extraEnvironment ? extraEnvironment->GetLength() : 0) + 2];
const char* lcnumeric = "LC_NUMERIC=";
const char* notifySocket = "NOTIFY_SOCKET=";
int j = 0;
for (int i = 0; i < envc; i++) {
if (strncmp(environ[i], lcnumeric, strlen(lcnumeric)) == 0) {
continue;
}
if (strncmp(environ[i], notifySocket, strlen(notifySocket)) == 0) {
continue;
}
envp[j] = strdup(environ[i]);
++j;
}
if (extraEnvironment) { if (extraEnvironment) {
ObjectLock olock(extraEnvironment); ObjectLock olock(extraEnvironment);
extraEnv.reserve(extraEnvironment->GetLength());
for (const Dictionary::Pair& kv : extraEnvironment) { for (const Dictionary::Pair& kv : extraEnvironment) {
String skv = kv.first + "=" + Convert::ToString(kv.second); extraEnv.emplace_back(kv.first, Convert::ToString(kv.second));
envp[j] = strdup(skv.CStr());
j++;
} }
} }
envp[j] = strdup("LC_NUMERIC=C");
envp[j + 1] = nullptr;
extraEnvironment.reset(); extraEnvironment.reset();
pid_t pid = fork(); pid_t pid = fork();
@ -163,6 +132,23 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
(void)close(fds[1]); (void)close(fds[1]);
(void)close(fds[2]); (void)close(fds[2]);
if (unsetenv("NOTIFY_SOCKET")) {
perror("unsetenv() failed");
_exit(128);
}
if (setenv("LC_NUMERIC", "C", 1)) {
perror("setenv() failed");
_exit(128);
}
for (auto& kv : extraEnv) {
if (setenv(kv.first.CStr(), kv.second.CStr(), 1)) {
perror("setenv() failed");
_exit(128);
}
}
#ifdef HAVE_NICE #ifdef HAVE_NICE
if (adjustPriority) { if (adjustPriority) {
// Cheating the compiler on "warning: ignoring return value of 'int nice(int)', declared with attribute warn_unused_result [-Wunused-result]". // Cheating the compiler on "warning: ignoring return value of 'int nice(int)', declared with attribute warn_unused_result [-Wunused-result]".
@ -186,9 +172,9 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
sigemptyset(&mask); sigemptyset(&mask);
sigprocmask(SIG_SETMASK, &mask, nullptr); sigprocmask(SIG_SETMASK, &mask, nullptr);
if (icinga2_execvpe(argv[0], argv, envp) < 0) { if (execvp(argv[0], argv) < 0) {
char errmsg[512]; char errmsg[512];
strcpy(errmsg, "execvpe("); strcpy(errmsg, "execvp(");
strncat(errmsg, argv[0], sizeof(errmsg) - strlen(errmsg) - 1); strncat(errmsg, argv[0], sizeof(errmsg) - strlen(errmsg) - 1);
strncat(errmsg, ") failed", sizeof(errmsg) - strlen(errmsg) - 1); strncat(errmsg, ") failed", sizeof(errmsg) - strlen(errmsg) - 1);
errmsg[sizeof(errmsg) - 1] = '\0'; errmsg[sizeof(errmsg) - 1] = '\0';
@ -208,12 +194,6 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
delete[] argv; delete[] argv;
// free environment
for (int i = 0; envp[i]; i++)
free(envp[i]);
delete[] envp;
Dictionary::Ptr response = new Dictionary({ Dictionary::Ptr response = new Dictionary({
{ "rc", pid }, { "rc", pid },
{ "errno", errorCode } { "errno", errorCode }