upstream/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2026-04-27 00:57:01 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 56f8307c9a into a810d6409b

Browse source
This commit is contained in:
Alexander Aleksandrovič Klimov 2026-04-07 08:11:44 +00:00 committed by GitHub
commit fc8cb738ca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 61 additions and 325 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CMakeLists.txt
View file

@ -230,10 +230,6 @@ include_directories(
${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_BINARY_DIR}/lib
)
if(UNIX OR CYGWIN)
list(APPEND base_OBJS $<TARGET_OBJECTS:execvpe>)
endif()
if(HAVE_SYSTEMD)
list(APPEND base_DEPS systemd)
endif()

4
doc/22-selinux.md
View file

@ -122,7 +122,7 @@ Having this boolean enabled allows icinga2 to connect to all ports. This can be
**icinga2_run_sudo**
To allow Icinga 2 executing plugins via sudo you can toggle this boolean. It is disabled by default, resulting in error messages like `execvpe(sudo) failed: Permission denied`.
To allow Icinga 2 executing plugins via sudo you can toggle this boolean. It is disabled by default, resulting in error messages like `execvp(sudo) failed: Permission denied`.
**httpd_can_write_icinga2_command**
@ -219,7 +219,7 @@ In this case it is the CheckCommand [running_kernel](10-icinga-template-library.
assign where host.name == NodeName
}
Having this Service defined will result in a UNKNOWN state and the error message `execvpe(sudo) failed: Permission denied` because SELinux denying the execution.
Having this Service defined will result in a UNKNOWN state and the error message `execvp(sudo) failed: Permission denied` because SELinux denying the execution.
Switching the boolean `icinga2_run_sudo` to allow the execution will result in the check executed successfully.

3
lib/base/CMakeLists.txt
View file

@ -145,9 +145,6 @@ endif()
add_library(base OBJECT ${base_SOURCES})
include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/execvpe)
link_directories(${icinga2_BINARY_DIR}/third-party/execvpe)
include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/mmatch)
link_directories(${icinga2_BINARY_DIR}/third-party/mmatch)

131
lib/base/process.cpp
View file

@ -16,19 +16,14 @@
#include <boost/thread/once.hpp>
#include <thread>
#include <iostream>
#include <utility>
#include <vector>
#ifndef _WIN32
# include <execvpe.h>
# include <poll.h>
# include <signal.h>
# include <string.h>
# ifndef __APPLE__
extern char **environ;
# else /* __APPLE__ */
# include <crt_externs.h>
# define environ (*_NSGetEnviron())
# endif /* __APPLE__ */
# include <unistd.h>
#endif /* _WIN32 */
using namespace icinga;
@ -88,56 +83,6 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
Dictionary::Ptr extraEnvironment = request->Get("extraEnvironment");
bool adjustPriority = request->Get("adjustPriority");
// build argv
auto **argv = new char *[arguments->GetLength() + 1];
for (unsigned int i = 0; i < arguments->GetLength(); i++) {
String arg = arguments->Get(i);
argv[i] = strdup(arg.CStr());
}
argv[arguments->GetLength()] = nullptr;
// build envp
int envc = 0;
/* count existing environment variables */
while (environ[envc])
envc++;
auto **envp = new char *[envc + (extraEnvironment ? extraEnvironment->GetLength() : 0) + 2];
const char* lcnumeric = "LC_NUMERIC=";
const char* notifySocket = "NOTIFY_SOCKET=";
int j = 0;
for (int i = 0; i < envc; i++) {
if (strncmp(environ[i], lcnumeric, strlen(lcnumeric)) == 0) {
continue;
}
if (strncmp(environ[i], notifySocket, strlen(notifySocket)) == 0) {
continue;
}
envp[j] = strdup(environ[i]);
++j;
}
if (extraEnvironment) {
ObjectLock olock(extraEnvironment);
for (const Dictionary::Pair& kv : extraEnvironment) {
String skv = kv.first + "=" + Convert::ToString(kv.second);
envp[j] = strdup(skv.CStr());
j++;
}
}
envp[j] = strdup("LC_NUMERIC=C");
envp[j + 1] = nullptr;
extraEnvironment.reset();
pid_t pid = fork();
int errorCode = 0;
@ -164,6 +109,60 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
(void)close(fds[1]);
(void)close(fds[2]);
std::vector<String> args;
std::vector<char*> argv;
ObjectLock oLock (arguments);
try {
args.reserve(arguments->GetLength());
argv.reserve(arguments->GetLength() + 1u);
} catch (const std::exception& ex) {
fprintf(stderr, "std::vector#reserve() failed: %s\n", ex.what());
_exit(128);
}
for (auto& argument : arguments) {
try {
args.emplace_back(Convert::ToString(argument));
argv.emplace_back(args.back().GetData().data());
} catch (const std::exception& ex) {
fprintf(stderr, "Convert::ToString() failed: %s\n", ex.what());
_exit(128);
}
}
argv.emplace_back(nullptr);
if (unsetenv("NOTIFY_SOCKET")) {
perror("unsetenv() failed");
_exit(128);
}
if (setenv("LC_NUMERIC", "C", 1)) {
perror("setenv() failed");
_exit(128);
}
if (extraEnvironment) {
ObjectLock oLock (extraEnvironment);
for (auto& kv : extraEnvironment) {
String v;
try {
v = Convert::ToString(kv.second);
} catch (const std::exception& ex) {
fprintf(stderr, "Convert::ToString() failed: %s\n", ex.what());
_exit(128);
}
if (setenv(kv.first.CStr(), v.CStr(), 1)) {
perror("setenv() failed");
_exit(128);
}
}
}
#ifdef HAVE_NICE
if (adjustPriority) {
// Cheating the compiler on "warning: ignoring return value of 'int nice(int)', declared with attribute warn_unused_result [-Wunused-result]".
@ -187,9 +186,9 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
sigemptyset(&mask);
sigprocmask(SIG_SETMASK, &mask, nullptr);
if (icinga2_execvpe(argv[0], argv, envp) < 0) {
if (execvp(argv[0], argv.data()) < 0) {
char errmsg[512];
strcpy(errmsg, "execvpe(");
strcpy(errmsg, "execvp(");
strncat(errmsg, argv[0], sizeof(errmsg) - strlen(errmsg) - 1);
strncat(errmsg, ") failed", sizeof(errmsg) - strlen(errmsg) - 1);
errmsg[sizeof(errmsg) - 1] = '\0';
@ -203,18 +202,6 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
(void)close(fds[1]);
(void)close(fds[2]);
// free arguments
for (int i = 0; argv[i]; i++)
free(argv[i]);
delete[] argv;
// free environment
for (int i = 0; envp[i]; i++)
free(envp[i]);
delete[] envp;
Dictionary::Ptr response = new Dictionary({
{ "rc", pid },
{ "errno", errorCode }

4
third-party/CMakeLists.txt vendored
View file

@ -3,8 +3,4 @@
add_subdirectory(mmatch)
if(UNIX OR CYGWIN)
add_subdirectory(execvpe)
endif()
add_subdirectory(socketpair)

13
third-party/execvpe/CMakeLists.txt vendored
View file

@ -1,13 +0,0 @@
# SPDX-FileCopyrightText: 2012 Icinga GmbH <https://icinga.com>
# SPDX-License-Identifier: GPL-2.0-or-later
set(execvpe_SOURCES
execvpe.c execvpe.h
)
add_library(execvpe OBJECT ${execvpe_SOURCES})
set_target_properties (
execvpe PROPERTIES
FOLDER Lib
)

208
third-party/execvpe/execvpe.c vendored
View file

@ -1,208 +0,0 @@
/* Copyright (C) 1991,92, 1995-99, 2002, 2004, 2005, 2007, 2009
Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA. */
#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__)
#include <alloca.h>
#endif /* !__FreeBSD__ && !__OpenBSD__ && !__NetBSD__ */
#include <unistd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "execvpe.h"
#if !defined(_MSC_VER) && !defined(HAVE_EXECVPE)
/* The file is accessible but it is not an executable file. Invoke
the shell to interpret it as a script. */
static void
scripts_argv (const char *file, char *const argv[], int argc, char **new_argv)
{
/* Construct an argument list for the shell. */
new_argv[0] = (char *) "/bin/sh";
new_argv[1] = (char *) file;
while (argc > 1)
{
new_argv[argc] = argv[argc - 1];
--argc;
}
}
/* Execute FILE, searching in the `PATH' environment variable if it contains
no slashes, with arguments ARGV and environment from ENVP. */
int
icinga2_execvpe (file, argv, envp)
const char *file;
char *const argv[];
char *const envp[];
{
if (*file == '\0')
{
/* We check the simple case first. */
errno = ENOENT;
return -1;
}
if (strchr (file, '/') != NULL)
{
/* Don't search when it contains a slash. */
execve (file, argv, envp);
if (errno == ENOEXEC)
{
/* Count the arguments. */
int argc = 0;
while (argv[argc++])
;
size_t len = (argc + 1) * sizeof (char *);
char **script_argv;
void *ptr = NULL;
script_argv = alloca (len);
if (script_argv != NULL)
{
scripts_argv (file, argv, argc, script_argv);
execve (script_argv[0], script_argv, envp);
free (ptr);
}
}
}
else
{
size_t pathlen;
size_t alloclen = 0;
char *path = getenv ("PATH");
if (path == NULL)
{
pathlen = confstr (_CS_PATH, (char *) NULL, 0);
alloclen = pathlen + 1;
}
else
pathlen = strlen (path);
size_t len = strlen (file) + 1;
alloclen += pathlen + len + 1;
char *name;
name = alloca (alloclen);
if (path == NULL)
{
/* There is no `PATH' in the environment.
The default search path is the current directory
followed by the path `confstr' returns for `_CS_PATH'. */
path = name + pathlen + len + 1;
path[0] = ':';
(void) confstr (_CS_PATH, path + 1, pathlen);
}
/* Copy the file name at the top. */
name = (char *) memcpy (name + pathlen + 1, file, len);
/* And add the slash. */
*--name = '/';
char **script_argv = NULL;
bool got_eacces = false;
char *p = path;
do
{
char *startp;
path = p;
p = strchr (path, ':');
if (!p)
p = path + strlen(path);
if (p == path)
/* Two adjacent colons, or a colon at the beginning or the end
of `PATH' means to search the current directory. */
startp = name + 1;
else
startp = (char *) memcpy (name - (p - path), path, p - path);
/* Try to execute this name. If it works, execve will not return. */
execve (startp, argv, envp);
if (errno == ENOEXEC)
{
if (script_argv == NULL)
{
/* Count the arguments. */
int argc = 0;
while (argv[argc++])
;
size_t arglen = (argc + 1) * sizeof (char *);
script_argv = alloca (arglen);
if (script_argv == NULL)
{
/* A possible EACCES error is not as important as
the ENOMEM. */
got_eacces = false;
break;
}
scripts_argv (startp, argv, argc, script_argv);
}
execve (script_argv[0], script_argv, envp);
}
switch (errno)
{
case EACCES:
/* Record the we got a `Permission denied' error. If we end
up finding no executable we can use, we want to diagnose
that we did find one but were denied access. */
got_eacces = true;
case ENOENT:
case ESTALE:
case ENOTDIR:
/* Those errors indicate the file is missing or not executable
by us, in which case we want to just try the next path
directory. */
case ENODEV:
case ETIMEDOUT:
/* Some strange filesystems like AFS return even
stranger error numbers. They cannot reasonably mean
anything else so ignore those, too. */
break;
default:
/* Some other error means we found an executable file, but
something went wrong executing it; return the error to our
caller. */
return -1;
}
}
while (*p++ != '\0');
/* We tried every element and none of them worked. */
if (got_eacces)
/* At least one failure was due to permissions, so report that
error. */
errno = EACCES;
}
/* Return the error from the last attempt (probably ENOENT). */
return -1;
}
#endif /* !defined(_MSC_VER) && !defined(HAVE_EXECVPE) */

19
third-party/execvpe/execvpe.h vendored
View file

@ -1,19 +0,0 @@
// SPDX-FileCopyrightText: 2012 Icinga GmbH <https://icinga.com>
// SPDX-License-Identifier: GPL-2.0-or-later
#ifndef EXECVPE_H
#define EXECVPE_H
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
#ifndef _MSC_VER
int icinga2_execvpe(const char *file, char *const argv[], char *const envp[]);
#endif /* _MSC_VER */
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* EXECVPE_H */