/*- * at.c : Put file into atrun queue * * SPDX-License-Identifier: BSD-2-Clause * * Copyright (C) 1993, 1994 Thomas Koenig * * Atrun & Atq modifications * Copyright (C) 1993 David Parsons * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. The name of the author(s) may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include <sys/cdefs.h> #define _USE_BSD 1 /* System Headers */ #include <sys/param.h> #include <sys/stat.h> #include <sys/time.h> #include <sys/wait.h> #include <ctype.h> #include <dirent.h> #include <err.h> #include <errno.h> #include <fcntl.h> #ifndef __FreeBSD__ #include <getopt.h> #endif #ifdef __FreeBSD__ #include <locale.h> #endif #include <pwd.h> #include <signal.h> #include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h> #include <unistd.h> /* Local headers */ #include "at.h" #include "panic.h" #include "parsetime.h" #include "perm.h" #define MAIN #include "privs.h" /* Macros */ #ifndef ATJOB_DIR #define ATJOB_DIR "/usr/spool/atjobs/" #endif #ifndef LFILE #define LFILE ATJOB_DIR ".lockfile" #endif #ifndef ATJOB_MX #define ATJOB_MX 255 #endif #define ALARMC 10 /* Number of seconds to wait for timeout */ #define SIZE 255 #define TIMESIZE 50 enum { ATQ, ATRM, AT, BATCH, CAT }; /* what program we want to run */ /* File scope variables */ static const char *no_export[] = { "TERM", "TERMCAP", "DISPLAY", "_" }; static int send_mail = 0; static char *atinput = NULL; /* where to get input from */ static char atqueue = 0; /* which queue to examine for jobs (atq) */ /* External variables */ extern char **environ; int fcreated; char atfile[] = ATJOB_DIR "12345678901234"; char atverify = 0; /* verify time instead of queuing job */ char *namep; /* Function declarations */ static void sigc(int signo); static void alarmc(int signo); static char *cwdname(void); static void writefile(time_t runtimer, char queue); static void list_jobs(long *, int); static long nextjob(void); static time_t ttime(const char *arg); static int in_job_list(long, long *, int); static long *get_job_list(int, char *[], int *); /* Signal catching functions */ static void sigc(int signo __unused) { /* If the user presses ^C, remove the spool file and exit */ if (fcreated) { PRIV_START unlink(atfile); PRIV_END } _exit(EXIT_FAILURE); } static void alarmc(int signo __unused) { char buf[1024]; /* Time out after some seconds. */ strlcpy(buf, namep, sizeof(buf)); strlcat(buf, ": file locking timed out\n", sizeof(buf)); write(STDERR_FILENO, buf, strlen(buf)); sigc(0); } /* Local functions */ static char *cwdname(void) { /* Read in the current directory; the name will be overwritten on * subsequent calls. */ static char *ptr = NULL; static size_t size = SIZE; if (ptr == NULL) if ((ptr = malloc(size)) == NULL) errx(EXIT_FAILURE, "virtual memory exhausted"); while (1) { if (ptr == NULL) panic("out of memory"); if (getcwd(ptr, size-1) != NULL) return ptr; if (errno != ERANGE) perr("cannot get directory"); free (ptr); size += SIZE; if ((ptr = malloc(size)) == NULL) errx(EXIT_FAILURE, "virtual memory exhausted"); } } static long nextjob(void) { long jobno; FILE *fid; if ((fid = fopen(ATJOB_DIR ".SEQ", "r+")) != NULL) { if (fscanf(fid, "%5lx", &jobno) == 1) { rewind(fid); jobno = (1+jobno) % 0xfffff; /* 2^20 jobs enough? */ fprintf(fid, "%05lx\n", jobno); } else jobno = EOF; fclose(fid); return jobno; } else if ((fid = fopen(ATJOB_DIR ".SEQ", "w")) != NULL) { fprintf(fid, "%05lx\n", jobno = 1); fclose(fid); return 1; } return EOF; } static void writefile(time_t runtimer, char queue) { /* This does most of the work if at or batch are invoked for writing a job. */ long jobno; char *ap, *ppos, *mailname; struct passwd *pass_entry; struct stat statbuf; int fdes, lockdes, fd2; FILE *fp, *fpin; struct sigaction act; char **atenv; int ch; mode_t cmask; struct flock lock; #ifdef __FreeBSD__ (void) setlocale(LC_TIME, ""); #endif /* Install the signal handler for SIGINT; terminate after removing the * spool file if necessary */ act.sa_handler = sigc; sigemptyset(&(act.sa_mask)); act.sa_flags = 0; sigaction(SIGINT, &act, NULL); ppos = atfile + strlen(ATJOB_DIR); /* Loop over all possible file names for running something at this * particular time, see if a file is there; the first empty slot at any * particular time is used. Lock the file LFILE first to make sure * we're alone when doing this. */ PRIV_START if ((lockdes = open(LFILE, O_WRONLY | O_CREAT, S_IWUSR | S_IRUSR)) < 0) perr("cannot open lockfile " LFILE); lock.l_type = F_WRLCK; lock.l_whence = SEEK_SET; lock.l_start = 0; lock.l_len = 0; act.sa_handler = alarmc; sigemptyset(&(act.sa_mask)); act.sa_flags = 0; /* Set an alarm so a timeout occurs after ALARMC seconds, in case * something is seriously broken. */ sigaction(SIGALRM, &act, NULL); alarm(ALARMC); fcntl(lockdes, F_SETLKW, &lock); alarm(0); if ((jobno = nextjob()) == EOF) perr("cannot generate job number"); sprintf(ppos, "%c%5lx%8lx", queue, jobno, (unsigned long) (runtimer/60)); for(ap=ppos; *ap != '\0'; ap ++) if (*ap == ' ') *ap = '0'; if (stat(atfile, &statbuf) != 0) if (errno != ENOENT) perr("cannot access " ATJOB_DIR); /* Create the file. The x bit is only going to be set after it has * been completely written out, to make sure it is not executed in the * meantime. To make sure they do not get deleted, turn off their r * bit. Yes, this is a kluge. */ cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR); if ((fdes = creat(atfile, O_WRONLY)) == -1) perr("cannot create atjob file"); if ((fd2 = dup(fdes)) <0) perr("error in dup() of job file"); if(fchown(fd2, real_uid, real_gid) != 0) perr("cannot give away file"); PRIV_END /* We no longer need suid root; now we just need to be able to write * to the directory, if necessary. */ REDUCE_PRIV(DAEMON_UID, DAEMON_GID) /* We've successfully created the file; let's set the flag so it * gets removed in case of an interrupt or error. */ fcreated = 1; /* Now we can release the lock, so other people can access it */ lock.l_type = F_UNLCK; lock.l_whence = SEEK_SET; lock.l_start = 0; lock.l_len = 0; fcntl(lockdes, F_SETLKW, &lock); close(lockdes); if((fp = fdopen(fdes, "w")) == NULL) panic("cannot reopen atjob file"); /* Get the userid to mail to, first by trying getlogin(), * then from LOGNAME, finally from getpwuid(). */ mailname = getlogin(); if (mailname == NULL) mailname = getenv("LOGNAME"); if ((mailname == NULL) || (mailname[0] == '\0') || (strlen(mailname) >= MAXLOGNAME) || (getpwnam(mailname)==NULL)) { pass_entry = getpwuid(real_uid); if (pass_entry != NULL) mailname = pass_entry->pw_name; } if (atinput != (char *) NULL) { fpin = freopen(atinput, "r", stdin); if (fpin == NULL) perr("cannot open input file"); } fprintf(fp, "#!/bin/sh\n# atrun uid=%ld gid=%ld\n# mail %*s %d\n", (long) real_uid, (long) real_gid, MAXLOGNAME - 1, mailname, send_mail); /* Write out the umask at the time of invocation */ fprintf(fp, "umask %lo\n", (unsigned long) cmask); /* Write out the environment. Anything that may look like a * special character to the shell is quoted, except for \n, which is * done with a pair of "'s. Don't export the no_export list (such * as TERM or DISPLAY) because we don't want these. */ for (atenv= environ; *atenv != NULL; atenv++) { int export = 1; char *eqp; eqp = strchr(*atenv, '='); if (eqp == NULL) eqp = *atenv; else { size_t i; for (i = 0; i < nitems(no_export); i++) { export = export && (strncmp(*atenv, no_export[i], (size_t) (eqp-*atenv)) != 0); } eqp++; } if (export) { (void)fputs("export ", fp); fwrite(*atenv, sizeof(char), eqp-*atenv, fp); for(ap = eqp;*ap != '\0'; ap++) { if (*ap == '\n') fprintf(fp, "\"\n\""); else { if (!isalnum(*ap)) { switch (*ap) { case '%': case '/': case '{': case '[': case ']': case '=': case '}': case '@': case '+': case '#': case ',': case '.': case ':': case '-': case '_': break; default: fputc('\\', fp); break; } } fputc(*ap, fp); } } fputc('\n', fp); } } /* Cd to the directory at the time and write out all the * commands the user supplies from stdin. */ fprintf(fp, "cd "); for (ap = cwdname(); *ap != '\0'; ap++) { if (*ap == '\n') fprintf(fp, "\"\n\""); else { if (*ap != '/' && !isalnum(*ap)) fputc('\\', fp); fputc(*ap, fp); } } /* Test cd's exit status: die if the original directory has been * removed, become unreadable or whatever */ fprintf(fp, " || {\n\t echo 'Execution directory " "inaccessible' >&2\n\t exit 1\n}\n"); while((ch = getchar()) != EOF) fputc(ch, fp); fprintf(fp, "\n"); if (ferror(fp)) panic("output error"); if (ferror(stdin)) panic("input error"); fclose(fp); /* Set the x bit so that we're ready to start executing */ if (fchmod(fd2, S_IRUSR | S_IWUSR | S_IXUSR) < 0) perr("cannot give away file"); close(fd2); fprintf(stderr, "Job %ld will be executed using /bin/sh\n", jobno); } static int in_job_list(long job, long *joblist, int len) { int i; for (i = 0; i < len; i++) if (job == joblist[i]) return 1; return 0; } static void list_jobs(long *joblist, int len) { /* List all a user's jobs in the queue, by looping through ATJOB_DIR, * or everybody's if we are root */ struct passwd *pw; DIR *spool; struct dirent *dirent; struct stat buf; struct tm runtime; unsigned long ctm; char queue; long jobno; time_t runtimer; char timestr[TIMESIZE]; int first=1; #ifdef __FreeBSD__ (void) setlocale(LC_TIME, ""); #endif PRIV_START if (chdir(ATJOB_DIR) != 0) perr("cannot change to " ATJOB_DIR); if ((spool = opendir(".")) == NULL) perr("cannot open " ATJOB_DIR); /* Loop over every file in the directory */ while((dirent = readdir(spool)) != NULL) { if (stat(dirent->d_name, &buf) != 0) perr("cannot stat in " ATJOB_DIR); /* See it's a regular file and has its x bit turned on and * is the user's */ if (!S_ISREG(buf.st_mode) || ((buf.st_uid != real_uid) && ! (real_uid == 0)) || !(S_IXUSR & buf.st_mode || atverify)) continue; if(sscanf(dirent->d_name, "%c%5lx%8lx", &queue, &jobno, &ctm)!=3) continue; /* If jobs are given, only list those jobs */ if (joblist && !in_job_list(jobno, joblist, len)) continue; if (atqueue && (queue != atqueue)) continue; runtimer = 60*(time_t) ctm; runtime = *localtime(&runtimer); strftime(timestr, TIMESIZE, "%+", &runtime); if (first) { printf("Date\t\t\t\tOwner\t\tQueue\tJob#\n"); first=0; } pw = getpwuid(buf.st_uid); printf("%s\t%-16s%c%s\t%ld\n", timestr, pw ? pw->pw_name : "???", queue, (S_IXUSR & buf.st_mode) ? "":"(done)", jobno); } PRIV_END closedir(spool); } static void process_jobs(int argc, char **argv, int what) { /* Delete every argument (job - ID) given */ int i; int rc; int nofJobs; int nofDone; int statErrno; struct stat buf; DIR *spool; struct dirent *dirent; unsigned long ctm; char queue; long jobno; nofJobs = argc - optind; nofDone = 0; PRIV_START if (chdir(ATJOB_DIR) != 0) perr("cannot change to " ATJOB_DIR); if ((spool = opendir(".")) == NULL) perr("cannot open " ATJOB_DIR); PRIV_END /* Loop over every file in the directory */ while((dirent = readdir(spool)) != NULL) { PRIV_START rc = stat(dirent->d_name, &buf); statErrno = errno; PRIV_END /* There's a race condition between readdir above and stat here: * another atrm process could have removed the file from the spool * directory under our nose. If this happens, stat will set errno to * ENOENT, which we shouldn't treat as fatal. */ if (rc != 0) { if (statErrno == ENOENT) continue; else perr("cannot stat in " ATJOB_DIR); } if(sscanf(dirent->d_name, "%c%5lx%8lx", &queue, &jobno, &ctm)!=3) continue; for (i=optind; i < argc; i++) { if (atoi(argv[i]) == jobno) { if ((buf.st_uid != real_uid) && !(real_uid == 0)) errx(EXIT_FAILURE, "%s: not owner", argv[i]); switch (what) { case ATRM: PRIV_START if (unlink(dirent->d_name) != 0) perr(dirent->d_name); PRIV_END break; case CAT: { FILE *fp; int ch; PRIV_START fp = fopen(dirent->d_name,"r"); PRIV_END if (!fp) { perr("cannot open file"); } while((ch = getc(fp)) != EOF) { putchar(ch); } fclose(fp); } break; default: errx(EXIT_FAILURE, "internal error, process_jobs = %d", what); } /* All arguments have been processed */ if (++nofDone == nofJobs) goto end; } } } end: closedir(spool); } /* delete_jobs */ #define ATOI2(ar) ((ar)[0] - '0') * 10 + ((ar)[1] - '0'); (ar) += 2; static time_t ttime(const char *arg) { /* * This is pretty much a copy of stime_arg1() from touch.c. I changed * the return value and the argument list because it's more convenient * (IMO) to do everything in one place. - Joe Halpin */ struct timeval tv[2]; time_t now; struct tm *t; int yearset; char *p; if (gettimeofday(&tv[0], NULL)) panic("Cannot get current time"); /* Start with the current time. */ now = tv[0].tv_sec; if ((t = localtime(&now)) == NULL) panic("localtime"); /* [[CC]YY]MMDDhhmm[.SS] */ if ((p = strchr(arg, '.')) == NULL) t->tm_sec = 0; /* Seconds defaults to 0. */ else { if (strlen(p + 1) != 2) goto terr; *p++ = '\0'; t->tm_sec = ATOI2(p); } yearset = 0; switch(strlen(arg)) { case 12: /* CCYYMMDDhhmm */ t->tm_year = ATOI2(arg); t->tm_year *= 100; yearset = 1; /* FALLTHROUGH */ case 10: /* YYMMDDhhmm */ if (yearset) { yearset = ATOI2(arg); t->tm_year += yearset; } else { yearset = ATOI2(arg); t->tm_year = yearset + 2000; } t->tm_year -= 1900; /* Convert to UNIX time. */ /* FALLTHROUGH */ case 8: /* MMDDhhmm */ t->tm_mon = ATOI2(arg); --t->tm_mon; /* Convert from 01-12 to 00-11 */ t->tm_mday = ATOI2(arg); t->tm_hour = ATOI2(arg); t->tm_min = ATOI2(arg); break; default: goto terr; } t->tm_isdst = -1; /* Figure out DST. */ tv[0].tv_sec = tv[1].tv_sec = mktime(t); if (tv[0].tv_sec != -1) return tv[0].tv_sec; else terr: panic( "out of range or illegal time specification: [[CC]YY]MMDDhhmm[.SS]"); } static long * get_job_list(int argc, char *argv[], int *joblen) { int i, len; long *joblist; char *ep; joblist = NULL; len = argc; if (len > 0) { if ((joblist = malloc(len * sizeof(*joblist))) == NULL) panic("out of memory"); for (i = 0; i < argc; i++) { errno = 0; if ((joblist[i] = strtol(argv[i], &ep, 10)) < 0 || ep == argv[i] || *ep != '\0' || errno) panic("invalid job number"); } } *joblen = len; return joblist; } int main(int argc, char **argv) { int c; char queue = DEFAULT_AT_QUEUE; char queue_set = 0; char *pgm; int program = AT; /* our default program */ const char *options = "q:f:t:rmvldbc"; /* default options for at */ time_t timer; long *joblist; int joblen; joblist = NULL; joblen = 0; timer = -1; RELINQUISH_PRIVS /* Eat any leading paths */ if ((pgm = strrchr(argv[0], '/')) == NULL) pgm = argv[0]; else pgm++; namep = pgm; /* find out what this program is supposed to do */ if (strcmp(pgm, "atq") == 0) { program = ATQ; options = "q:v"; } else if (strcmp(pgm, "atrm") == 0) { program = ATRM; options = ""; } else if (strcmp(pgm, "batch") == 0) { program = BATCH; options = "f:q:mv"; } /* process whatever options we can process */ opterr=1; while ((c=getopt(argc, argv, options)) != -1) switch (c) { case 'v': /* verify time settings */ atverify = 1; break; case 'm': /* send mail when job is complete */ send_mail = 1; break; case 'f': atinput = optarg; break; case 'q': /* specify queue */ if (strlen(optarg) > 1) usage(); atqueue = queue = *optarg; if (!(islower(queue)||isupper(queue))) usage(); queue_set = 1; break; case 'd': warnx("-d is deprecated; use -r instead"); /* fall through to 'r' */ case 'r': if (program != AT) usage(); program = ATRM; options = ""; break; case 't': if (program != AT) usage(); timer = ttime(optarg); break; case 'l': if (program != AT) usage(); program = ATQ; options = "q:"; break; case 'b': if (program != AT) usage(); program = BATCH; options = "f:q:mv"; break; case 'c': program = CAT; options = ""; break; default: usage(); break; } /* end of options eating */ /* select our program */ if(!check_permission()) errx(EXIT_FAILURE, "you do not have permission to use this program"); switch (program) { case ATQ: REDUCE_PRIV(DAEMON_UID, DAEMON_GID) if (queue_set == 0) joblist = get_job_list(argc - optind, argv + optind, &joblen); list_jobs(joblist, joblen); break; case ATRM: REDUCE_PRIV(DAEMON_UID, DAEMON_GID) process_jobs(argc, argv, ATRM); break; case CAT: process_jobs(argc, argv, CAT); break; case AT: /* * If timer is > -1, then the user gave the time with -t. In that * case, it's already been set. If not, set it now. */ if (timer == -1) timer = parsetime(argc, argv); if (atverify) { struct tm *tm = localtime(&timer); fprintf(stderr, "%s\n", asctime(tm)); } writefile(timer, queue); break; case BATCH: if (queue_set) queue = toupper(queue); else queue = DEFAULT_BATCH_QUEUE; if (argc > optind) timer = parsetime(argc, argv); else timer = time(NULL); if (atverify) { struct tm *tm = localtime(&timer); fprintf(stderr, "%s\n", asctime(tm)); } writefile(timer, queue); break; default: panic("internal error"); break; } exit(EXIT_SUCCESS); }