]> sourceware.org Git - systemtap.git/blob - stap-serverd
git://sourceware.org / systemtap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add user_{int8,int16,uint16,int32,uint32,int64}.
[systemtap.git] / stap-serverd
1 #!/bin/bash
2
3 # Compile server manager for systemtap
4 #
5 # Copyright (C) 2008-2010 Red Hat Inc.
6 #
7 # This file is part of systemtap, and is free software. You can
8 # redistribute it and/or modify it under the terms of the GNU General
9 # Public License (GPL); either version 2, or (at your option) any
10 # later version.
11
12 # This script publishes its presence on the network and then listens for
13 # incoming connections. When a connection is detected, the stap-server script
14 # is run to handle the request.
15
16 # Catch ctrl-c and other termination signals
17 trap 'terminate' SIGTERM SIGINT
18
19 # Initialize the environment
20 . ${PKGLIBEXECDIR}stap-env
21
22 # PR11197: security prophylactics
23 set_ulimits=0
24 if [ -z "$STAP_PR11197_OVERRIDE" ]; then
25 # 1) reject use as root, except via a special environment variable
26 if [ `id -u` -eq 0 ]; then
27 echo "For security reasons, invocation of stap-server as root is not supported." 1>&2
28 exit 1
29 fi
30 # 2) resource limits should be set if the user is the 'stap-server' daemon
31 test `id -un` = "stap-server" && set_ulimits=1
32 fi
33
34
35 #-----------------------------------------------------------------------------
36 # Helper functions.
37 #-----------------------------------------------------------------------------
38 # function: initialization PORT
39 function initialization {
40 # Initial values
41 port=
42 ssl_db=
43 stap_options=
44 uname_r="`uname -r`"
45 arch="`stap_get_arch`"
46 logfile=/dev/null
47 B_options=
48 I_options=
49 R_option=
50
51 # Parse the arguments
52 parse_options "$@"
53
54 echo ===== compile server pid $$ starting >> "$logfile"
55
56 # What port will we listen on?
57 test "X$port" = "X" && port=$((1024+$RANDOM%64000))
58 while netstat -atn | awk '{print $4}' | cut -f2 -d: | egrep -q "^$port\$";
59 do
60 # Whoops, the port is busy; try another one.
61 echo "$0: Port $port is busy" >> "$logfile"
62 port=$((1024+($port + $RANDOM)%64000))
63 done
64
65 # Where is the ssl certificate/key database?
66 if test "X$ssl_db" = "X"; then
67 ssl_db="$stap_ssl_db/server"
68 fi
69
70 nss_pw="$ssl_db/pw"
71 nss_cert=stap-server
72
73 # Ensure that our certificate is valid. Generate a new one if
74 # not.
75 check_cert
76 }
77
78 # function: parse_options [ STAP-OPTIONS ]
79 #
80 # Examine the command line. We need not do much checking, but we do need to
81 # parse all options in order to discover the ones we're interested in.
82 function parse_options {
83 while test $# != 0
84 do
85 advance_p=0
86 dash_seen=0
87
88 # Start of a new token.
89 first_token=$1
90
91 # Process the option.
92 until test $advance_p != 0
93 do
94 # Identify the next option
95 first_char=`expr "$first_token" : '\(.\).*'`
96 if test $dash_seen = 0; then
97 if test "$first_char" = "-"; then
98 if test "$first_token" != "-"; then
99 # It's not a lone dash, so it's an option.
100 # Is it a long option (i.e. --option)?
101 second_char=`expr "$first_token" : '.\(.\).*'`
102 if test "X$second_char" = "X-"; then
103 case `expr "$first_token" : '--\([^=]*\)'` in
104 port)
105 get_long_arg "$first_token" "$2"
106 port="$stap_arg"
107 ;;
108 ssl)
109 get_long_arg "$first_token" "$2"
110 ssl_db="$stap_arg"
111 ;;
112 log)
113 get_long_arg "$first_token" "$2"
114 logfile="$stap_arg"
115 ;;
116 *)
117 warning "Option '$first_token' ignored"
118 advance_p=$(($advance_p + 1))
119 break
120 ;;
121 esac
122 fi
123 # It's not a lone dash, or a long option, so it's a short option string.
124 # Remove the dash.
125 first_token=`expr "$first_token" : '-\(.*\)'`
126 dash_seen=1
127 first_char=`expr "$first_token" : '\(.\).*'`
128 fi
129 fi
130 if test $dash_seen = 0; then
131 # The dash has not been seen. This is not an option at all.
132 warning "Option '$first_token' ignored"
133 advance_p=$(($advance_p + 1))
134 break
135 fi
136 fi
137
138 # We are at the start of an option. Look at the first character.
139 case $first_char in
140 a)
141 get_arg "$first_token" "$2"
142 process_a $stap_arg
143 ;;
144 B)
145 get_arg "$first_token" "$2"
146 B_options="$B_options $stap_arg"
147 stap_options="$stap_options -$first_char $stap_arg"
148 ;;
149 c)
150 get_arg "$first_token" "$2"
151 warning "Option '-$first_char $stap_arg' ignored"
152 ;;
153 d)
154 get_arg "$first_token" "$2"
155 warning "Option '-$first_char $stap_arg' ignored"
156 ;;
157 D)
158 get_arg "$first_token" "$2"
159 warning "Option '-$first_char $stap_arg' ignored"
160 ;;
161 e)
162 get_arg "$first_token" "$2"
163 warning "Option '-$first_char '$stap_arg' ignored'"
164 ;;
165 I)
166 get_arg "$first_token" "$2"
167 I_options="$I_options $stap_arg"
168 stap_options="$stap_options -$first_char $stap_arg"
169 ;;
170 l)
171 get_arg "$first_token" "$2"
172 warning "Option '-$first_char $stap_arg' ignored"
173 ;;
174 L)
175 get_arg "$first_token" "$2"
176 warning "Option '-$first_char $stap_arg' ignored"
177 ;;
178 m)
179 get_arg "$first_token" "$2"
180 warning "Option '-$first_char $stap_arg' ignored"
181 ;;
182 o)
183 get_arg "$first_token" "$2"
184 warning "Option '-$first_char $stap_arg' ignored"
185 ;;
186 p)
187 get_arg "$first_token" "$2"
188 warning "Option '-$first_char $stap_arg' ignored"
189 ;;
190 r)
191 get_arg "$first_token" "$2"
192 process_r $stap_arg
193 ;;
194 R)
195 get_arg "$first_token" "$2"
196 R_option="$stap_arg"
197 stap_options="$stap_options -$first_char $stap_arg"
198 ;;
199 s)
200 get_arg "$first_token" "$2"
201 warning "Option '-$first_char $stap_arg' ignored"
202 ;;
203 S)
204 get_arg "$first_token" "$2"
205 warning "Option '-$first_char $stap_arg' ignored"
206 ;;
207 x)
208 get_arg "$first_token" "$2"
209 warning "Option '-$first_char $stap_arg' ignored"
210 ;;
211 *)
212 # An unknown flag. Ignore it.
213 ;;
214 esac
215
216 if test $advance_p = 0; then
217 # Just another flag character. Consume it.
218 warning "Option '-$first_char' ignored"
219 first_token=`expr "$first_token" : '.\(.*\)'`
220 if test "X$first_token" = "X"; then
221 advance_p=$(($advance_p + 1))
222 fi
223 fi
224 done
225
226 # Consume the arguments we just processed.
227 while test $advance_p != 0
228 do
229 shift
230 advance_p=$(($advance_p - 1))
231 done
232 done
233 }
234
235 # function: get_arg FIRSTWORD SECONDWORD
236 #
237 # Collect an argument to the given short option
238 function get_arg {
239 # Remove first character. Advance to the next token, if the first one
240 # is exhausted.
241 local first=`expr "$1" : '.\(.*\)'`
242 if test "X$first" = "X"; then
243 shift
244 advance_p=$(($advance_p + 1))
245 first="$1"
246 fi
247 stap_arg="$first"
248 advance_p=$(($advance_p + 1))
249 }
250
251 # function: get_arg FIRSTWORD SECONDWORD
252 #
253 # Collect an argument to the given long option
254 function get_long_arg {
255 # Remove first character. Advance to the next token, if the first one
256 # is exhausted.
257 local first=`expr "$1" : '.*\=\(.*\)'`
258 if test "X$first" = "X"; then
259 shift
260 advance_p=$(($advance_p + 1))
261 first="$1"
262 fi
263 stap_arg="$first"
264 advance_p=$(($advance_p + 1))
265 }
266
267 # function: process_a ARGUMENT
268 #
269 # Process the -a flag.
270 function process_a {
271 if test "X$1" != "X$arch"; then
272 arch="$1"
273 stap_options="$stap_options -a $1"
274 fi
275 }
276
277 # function: process_r ARGUMENT
278 #
279 # Process the -r flag.
280 function process_r {
281 local first_char=`expr "$1" : '\(.\).*'`
282
283 if test "$first_char" = "/"; then # fully specified path
284 kernel_build_tree="$1"
285 version_file_name="$kernel_build_tree/include/config/kernel.release"
286 # The file include/config/kernel.release within the kernel
287 # build tree is used to pull out the version information
288 release=`cat $version_file_name 2>/dev/null`
289 if test "X$release" = "X"; then
290 fatal "Missing $version_file_name"
291 return
292 fi
293 else
294 # kernel release specified directly
295 release="$1"
296 fi
297
298 if test "X$release" != "X$uname_r"; then
299 uname_r="$release"
300 stap_options="$stap_options -r $release"
301 fi
302 }
303
304 # function: check_cert
305 #
306 # Ensure that our certificate exists and is valid.
307 # Generate a new one if not.
308 function check_cert {
309 # If our certificate exists, log some information about it.
310 if test -f "$ssl_db/cert8.db"; then
311 echo "Certificate found in database $ssl_db" >> "$logfile"
312 certutil -L -d "$ssl_db" -n $nss_cert | \
313 awk '/Validity|Not After|Not Before/ { print $0 }' | \
314 sed 's/^ */ /' >> "$logfile" 2>&1
315 fi
316
317 # If the certificate does not exist or the certificate
318 # is not valid, then generate a new one.
319 if test ! -d "$ssl_db" -o ! -f "$ssl_db/$stap_certfile" -o ! -f "$ssl_db/cert8.db" || \
320 ! certutil -V -n $nss_cert -u V -d "$ssl_db" -e -f "$nss_pw" \
321 -b `date +%g%m%d%H%M%S`+0005 >> "$logfile" 2>&1; then
322 # Our certificate does not exist or is not valid.
323 # Generate a new certificate database.
324 ${stap_pkglibexecdir}stap-gen-cert "$ssl_db" >> "$logfile" 2>&1 || exit 1
325
326 # Now add the new certificate to the client's database,
327 # making it a trusted peer for this user.
328 ${stap_pkglibexecdir}stap-authorize-cert "$ssl_db/$stap_certfile" "$stap_ssl_db/client" >> "$logfile" 2>&1
329 elif ! test -f "$stap_ssl_db/client/cert8.db"; then
330 # Our certificate exists and is valid.
331 # If the client's database does not exist, then initialize it with our certificate.
332 ${stap_pkglibexecdir}stap-authorize-cert "$ssl_db/$stap_certfile" "$stap_ssl_db/client" >> "$logfile" 2>&1
333 fi
334 }
335
336 # function: advertise_presence
337 #
338 # Advertise the availability of the server on the network.
339 function advertise_presence {
340 # Build up a string representing our server's properties.
341 # The service name must differ for each server, so put the port number
342 # in it.
343 service_name="Systemtap Compile Server on port $port"
344
345 # Target kernel and arch information
346 local sysinfo="sysinfo=$uname_r $arch"
347
348 # Invocation option information
349 local optinfo="optinfo="
350 test -n "$R_option" && optinfo="${optinfo}-R '$R_option'"
351 for opt in $B_options; do
352 optinfo="$optinfo -B '$opt'"
353 done
354 for opt in $I_options; do
355 optinfo="$optinfo -I '$opt'"
356 done
357 optinfo=`echo $optinfo | sed 's/optinfo= /optinfo=/'`
358
359 # Certificate information
360 certinfo="certinfo=`certutil -L -n $nss_cert -d \"$ssl_db\" | \
361 awk '{if (print_next == 1) {print $1; print_next = 0}};\
362 /Serial Number/ {print_next = 1}'`" 2>>"$logfile"
363
364 # Call avahi-publish-service to advertise our presence.
365 avahi-publish-service "$service_name" \
366 $stap_avahi_service_tag $port "$sysinfo" "$optinfo" "$certinfo" \
367 >> "$logfile" 2>&1 &
368 }
369
370 # function: listen
371 #
372 # Listen for and handle requests to the server.
373 function listen {
374 # The stap-server-connect program will listen forever
375 # accepting requests.
376 # CVE-2009-4273 ... or at least, until resource limits fire
377 while true; do # NB: loop to avoid DoS by deliberate rlimit-induced halt
378 # NB: impose resource limits in case of mischevious data inducing
379 # too much / long computation
380 (test $set_ulimits = 1 && ulimit -f 50000 -s 1000 -t 60 -u 20 -v 500000;
381 exec ${stap_pkglibexecdir}stap-server-connect \
382 -p $port -n $nss_cert -d "$ssl_db" -w "$nss_pw" \
383 -s "$stap_options") &
384 stap_server_connect_pid=$!
385 echo "$service_name ready"
386 wait $stap_server_connect_pid
387
388 # Ensure that our certificate is still valid. Generate a new one if
389 # not.
390 check_cert
391
392 # NB: avoid superfast spinning in case of a ulimit or other failure
393 sleep 1
394 done >> "$logfile" 2>&1
395 }
396
397 # function: warning [ MESSAGE ]
398 #
399 # Warning error
400 # Prints its arguments to stderr
401 function warning {
402 echo "$0: WARNING:" "$@" >> "$logfile"
403 }
404
405 # function: fatal [ MESSAGE ]
406 #
407 # Fatal error
408 # Prints its arguments to stderr and exits
409 function fatal {
410 echo "$0: ERROR:" "$@" >> "$logfile"
411 terminate
412 exit 1
413 }
414
415 # function: terminate
416 #
417 # Terminate gracefully.
418 function terminate {
419 echo "$0: Exiting" >> "$logfile"
420
421 # Kill the running 'avahi-publish-service' job
422 kill -s SIGTERM '%avahi-publish-service' >> "$logfile" 2>&1
423 wait '%avahi-publish-service' >> "$logfile" 2>&1
424
425 # Kill any running 'stap-server-connect' job.
426 kill -s SIGTERM $stap_server_connect_pid >> "$logfile" 2>&1
427 wait $stap_server_connect_pid >> "$logfile" 2>&1
428
429 exit
430 }
431
432 #-----------------------------------------------------------------------------
433 # Beginning of main line execution.
434 #-----------------------------------------------------------------------------
435 initialization "$@"
436 advertise_presence
437 listen
systemtap: system-wide probe/trace tool
This page took 0.052722 seconds and 5 git commands to generate.