1 /* vi: set sw=4 ts=4: */
4 * Bjorn Wesen, Axis Communications AB (bjornw@axis.com)
6 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
8 * ---------------------------------------------------------------------------
9 * (C) Copyright 2000, Axis Communications AB, LUND, SWEDEN
10 ****************************************************************************
12 * The telnetd manpage says it all:
14 * Telnetd operates by allocating a pseudo-terminal device (see pty(4)) for
15 * a client, then creating a login process which has the slave side of the
16 * pseudo-terminal as stdin, stdout, and stderr. Telnetd manipulates the
17 * master side of the pseudo-terminal, implementing the telnet protocol and
18 * passing characters between the remote client and the login process.
20 * Vladimir Oleynik <dzo@simtreas.ru> 2001
21 * Set process group corrections, initial busybox port
32 #include <arpa/telnet.h>
34 #if ENABLE_FEATURE_UTMP
35 # include <utmp.h> /* LOGIN_PROCESS */
40 struct tsession *next;
46 /* two circular buffers */
47 /*char *buf1, *buf2;*/
48 /*#define TS_BUF1(ts) ts->buf1*/
49 /*#define TS_BUF2(ts) TS_BUF2(ts)*/
50 #define TS_BUF1(ts) ((unsigned char*)(ts + 1))
51 #define TS_BUF2(ts) (((unsigned char*)(ts + 1)) + BUFSIZE)
52 int rdidx1, wridx1, size1;
53 int rdidx2, wridx2, size2;
56 /* Two buffers are directly after tsession in malloced memory.
57 * Make whole thing fit in 4k */
58 enum { BUFSIZE = (4 * 1024 - sizeof(struct tsession)) / 2 };
63 struct tsession *sessions;
64 const char *loginpath;
65 const char *issuefile;
68 #define G (*(struct globals*)&bb_common_bufsiz1)
69 #define INIT_G() do { \
70 G.loginpath = "/bin/login"; \
71 G.issuefile = "/etc/issue.net"; \
76 Remove all IAC's from buf1 (received IACs are ignored and must be removed
77 so as to not be interpreted by the terminal). Make an uninterrupted
78 string of characters fit for the terminal. Do this by packing
79 all characters meant for the terminal sequentially towards the end of buf.
81 Return a pointer to the beginning of the characters meant for the terminal
82 and make *num_totty the number of characters that should be sent to
85 Note - if an IAC (3 byte quantity) starts before (bf + len) but extends
86 past (bf + len) then that IAC will be left unprocessed and *processed
87 will be less than len.
89 CR-LF ->'s CR mapping is also done here, for convenience.
91 NB: may fail to remove iacs which wrap around buffer!
93 static unsigned char *
94 remove_iacs(struct tsession *ts, int *pnum_totty)
96 unsigned char *ptr0 = TS_BUF1(ts) + ts->wridx1;
97 unsigned char *ptr = ptr0;
98 unsigned char *totty = ptr;
99 unsigned char *end = ptr + MIN(BUFSIZE - ts->wridx1, ts->size1);
108 /* We map \r\n ==> \r for pragmatic reasons.
109 * Many client implementations send \r\n when
110 * the user hits the CarriageReturn key.
112 if (c == '\r' && ptr < end && (*ptr == '\n' || *ptr == '\0'))
119 if (ptr[1] == NOP) { /* Ignore? (putty keepalive, etc.) */
123 if (ptr[1] == IAC) { /* Literal IAC? (emacs M-DEL) */
130 * TELOPT_NAWS support!
132 if ((ptr+2) >= end) {
133 /* Only the beginning of the IAC is in the
134 buffer we were asked to process, we can't
139 * IAC -> SB -> TELOPT_NAWS -> 4-byte -> IAC -> SE
141 if (ptr[1] == SB && ptr[2] == TELOPT_NAWS) {
144 break; /* incomplete, can't process */
145 ws.ws_col = (ptr[3] << 8) | ptr[4];
146 ws.ws_row = (ptr[5] << 8) | ptr[6];
147 ioctl(ts->ptyfd, TIOCSWINSZ, (char *)&ws);
151 /* skip 3-byte IAC non-SB cmd */
153 fprintf(stderr, "Ignoring IAC %s,%s\n",
154 TELCMD(ptr[1]), TELOPT(ptr[2]));
159 num_totty = totty - ptr0;
160 *pnum_totty = num_totty;
161 /* The difference between ptr and totty is number of iacs
162 we removed from the stream. Adjust buf1 accordingly */
163 if ((ptr - totty) == 0) /* 99.999% of cases */
165 ts->wridx1 += ptr - totty;
166 ts->size1 -= ptr - totty;
167 /* Move chars meant for the terminal towards the end of the buffer */
168 return memmove(ptr - num_totty, ptr0, num_totty);
172 * Converting single IAC into double on output
174 static size_t iac_safe_write(int fd, const char *buf, size_t count)
177 size_t wr, rc, total;
183 if (*buf == (char)IAC) {
184 static const char IACIAC[] ALIGN1 = { IAC, IAC };
185 rc = safe_write(fd, IACIAC, 2);
193 /* count != 0, *buf != IAC */
194 IACptr = memchr(buf, IAC, count);
198 rc = safe_write(fd, buf, wr);
205 /* here: rc - result of last short write */
206 if ((ssize_t)rc < 0) { /* error? */
214 /* Must match getopt32 string */
216 OPT_WATCHCHILD = (1 << 2), /* -K */
217 OPT_INETD = (1 << 3) * ENABLE_FEATURE_TELNETD_STANDALONE, /* -i */
218 OPT_PORT = (1 << 4) * ENABLE_FEATURE_TELNETD_STANDALONE, /* -p PORT */
219 OPT_FOREGROUND = (1 << 6) * ENABLE_FEATURE_TELNETD_STANDALONE, /* -F */
220 OPT_SYSLOG = (1 << 7) * ENABLE_FEATURE_TELNETD_INETD_WAIT, /* -S */
221 OPT_WAIT = (1 << 8) * ENABLE_FEATURE_TELNETD_INETD_WAIT, /* -w SEC */
224 static struct tsession *
226 IF_FEATURE_TELNETD_STANDALONE(int sock)
227 IF_NOT_FEATURE_TELNETD_STANDALONE(void)
229 #if !ENABLE_FEATURE_TELNETD_STANDALONE
232 const char *login_argv[2];
233 struct termios termbuf;
235 char tty_name[GETPTY_BUFSIZE];
236 struct tsession *ts = xzalloc(sizeof(struct tsession) + BUFSIZE * 2);
238 /*ts->buf1 = (char *)(ts + 1);*/
239 /*ts->buf2 = ts->buf1 + BUFSIZE;*/
241 /* Got a new connection, set up a tty */
242 fd = xgetpty(tty_name);
247 close_on_exec_on(fd);
249 /* SO_KEEPALIVE by popular demand */
250 setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &const_int_1, sizeof(const_int_1));
251 #if ENABLE_FEATURE_TELNETD_STANDALONE
252 ts->sockfd_read = sock;
254 if (sock == 0) { /* We are called with fd 0 - we are in inetd mode */
255 sock++; /* so use fd 1 for output */
258 ts->sockfd_write = sock;
262 /* ts->sockfd_read = 0; - done by xzalloc */
263 ts->sockfd_write = 1;
268 /* Make the telnet client understand we will echo characters so it
269 * should not do it locally. We don't tell the client to run linemode,
270 * because we want to handle line editing and tab completion and other
271 * stuff that requires char-by-char support. */
273 static const char iacs_to_send[] ALIGN1 = {
274 IAC, DO, TELOPT_ECHO,
275 IAC, DO, TELOPT_NAWS,
276 /* This requires telnetd.ctrlSQ.patch (incomplete) */
277 /* IAC, DO, TELOPT_LFLOW, */
278 IAC, WILL, TELOPT_ECHO,
279 IAC, WILL, TELOPT_SGA
281 /* This confuses iac_safe_write(), it will try to duplicate
283 //memcpy(TS_BUF2(ts), iacs_to_send, sizeof(iacs_to_send));
284 //ts->rdidx2 = sizeof(iacs_to_send);
285 //ts->size2 = sizeof(iacs_to_send);
286 /* So just stuff it into TCP stream! (no error check...) */
287 #if ENABLE_FEATURE_TELNETD_STANDALONE
288 safe_write(sock, iacs_to_send, sizeof(iacs_to_send));
290 safe_write(1, iacs_to_send, sizeof(iacs_to_send));
292 /*ts->rdidx2 = 0; - xzalloc did it */
297 pid = vfork(); /* NOMMU-friendly */
301 /* sock will be closed by caller */
302 bb_perror_msg("vfork");
312 /* Careful - we are after vfork! */
314 /* Restore default signal handling ASAP */
315 bb_signals((1 << SIGCHLD) + (1 << SIGPIPE), SIG_DFL);
317 if (ENABLE_FEATURE_UTMP) {
318 len_and_sockaddr *lsa = get_peer_lsa(sock);
319 char *hostname = NULL;
321 hostname = xmalloc_sockaddr2dotted(&lsa->u.sa);
324 write_new_utmp(pid, LOGIN_PROCESS, tty_name, /*username:*/ "LOGIN", hostname);
328 /* Make new session and process group */
331 /* Open the child's side of the tty */
332 /* NB: setsid() disconnects from any previous ctty's. Therefore
333 * we must open child's side of the tty AFTER setsid! */
335 xopen(tty_name, O_RDWR); /* becomes our ctty */
339 tcsetpgrp(0, pid); /* switch this tty's process group to us */
341 /* The pseudo-terminal allocated to the client is configured to operate
342 * in cooked mode, and with XTABS CRMOD enabled (see tty(4)) */
343 tcgetattr(0, &termbuf);
344 termbuf.c_lflag |= ECHO; /* if we use readline we dont want this */
345 termbuf.c_oflag |= ONLCR | XTABS;
346 termbuf.c_iflag |= ICRNL;
347 termbuf.c_iflag &= ~IXOFF;
348 /*termbuf.c_lflag &= ~ICANON;*/
349 tcsetattr_stdin_TCSANOW(&termbuf);
351 /* Uses FILE-based I/O to stdout, but does fflush_all(),
352 * so should be safe with vfork.
353 * I fear, though, that some users will have ridiculously big
354 * issue files, and they may block writing to fd 1,
355 * (parent is supposed to read it, but parent waits
356 * for vforked child to exec!) */
357 print_login_issue(G.issuefile, tty_name);
359 /* Exec shell / login / whatever */
360 login_argv[0] = G.loginpath;
361 login_argv[1] = NULL;
362 /* exec busybox applet (if PREFER_APPLETS=y), if that fails,
363 * exec external program.
364 * NB: sock is either 0 or has CLOEXEC set on it.
365 * fd has CLOEXEC set on it too. These two fds will be closed here.
367 BB_EXECVP(G.loginpath, (char **)login_argv);
368 /* _exit is safer with vfork, and we shouldn't send message
369 * to remote clients anyway */
370 _exit(EXIT_FAILURE); /*bb_perror_msg_and_die("execv %s", G.loginpath);*/
373 #if ENABLE_FEATURE_TELNETD_STANDALONE
376 free_session(struct tsession *ts)
380 if (option_mask32 & OPT_INETD)
383 /* Unlink this telnet session from the session list */
386 G.sessions = ts->next;
388 while (t->next != ts)
394 /* It was said that "normal" telnetd just closes ptyfd,
395 * doesn't send SIGKILL. When we close ptyfd,
396 * kernel sends SIGHUP to processes having slave side opened. */
397 kill(ts->shell_pid, SIGKILL);
398 waitpid(ts->shell_pid, NULL, 0);
401 close(ts->sockfd_read);
402 /* We do not need to close(ts->sockfd_write), it's the same
403 * as sockfd_read unless we are in inetd mode. But in inetd mode
404 * we do not reach this */
407 /* Scan all sessions and find new maxfd */
411 if (G.maxfd < ts->ptyfd)
413 if (G.maxfd < ts->sockfd_read)
414 G.maxfd = ts->sockfd_read;
416 /* Again, sockfd_write == sockfd_read here */
417 if (G.maxfd < ts->sockfd_write)
418 G.maxfd = ts->sockfd_write;
424 #else /* !FEATURE_TELNETD_STANDALONE */
426 /* Used in main() only, thus "return 0" actually is exit(EXIT_SUCCESS). */
427 #define free_session(ts) return 0
431 static void handle_sigchld(int sig UNUSED_PARAM)
435 int save_errno = errno;
437 /* Looping: more than one child may have exited */
439 pid = wait_any_nohang(NULL);
444 if (ts->shell_pid == pid) {
447 // When init(8) finds that a process has exited, it locates its utmp entry
448 // by ut_pid, sets ut_type to DEAD_PROCESS, and clears ut_user, ut_host
449 // and ut_time with null bytes.
450 // [same applies to other processes which maintain utmp entries, like telnetd]
452 // We do not bother actually clearing fields:
453 // it might be interesting to know who was logged in and from where
454 update_utmp(pid, DEAD_PROCESS, /*tty_name:*/ NULL, /*username:*/ NULL, /*hostname:*/ NULL);
464 int telnetd_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
465 int telnetd_main(int argc UNUSED_PARAM, char **argv)
467 fd_set rdfdset, wrfdset;
471 #if ENABLE_FEATURE_TELNETD_STANDALONE
472 #define IS_INETD (opt & OPT_INETD)
473 int master_fd = master_fd; /* for compiler */
474 int sec_linger = sec_linger;
475 char *opt_bindaddr = NULL;
485 /* -w NUM, and implies -F. -w and -i don't mix */
486 IF_FEATURE_TELNETD_INETD_WAIT(opt_complementary = "wF:w+:i--w:w--i";)
487 /* Even if !STANDALONE, we accept (and ignore) -i, thus people
488 * don't need to guess whether it's ok to pass -i to us */
489 opt = getopt32(argv, "f:l:Ki"
490 IF_FEATURE_TELNETD_STANDALONE("p:b:F")
491 IF_FEATURE_TELNETD_INETD_WAIT("Sw:"),
492 &G.issuefile, &G.loginpath
493 IF_FEATURE_TELNETD_STANDALONE(, &opt_portnbr, &opt_bindaddr)
494 IF_FEATURE_TELNETD_INETD_WAIT(, &sec_linger)
496 if (!IS_INETD /*&& !re_execed*/) {
497 /* inform that we start in standalone mode?
498 * May be useful when people forget to give -i */
499 /*bb_error_msg("listening for connections");*/
500 if (!(opt & OPT_FOREGROUND)) {
501 /* DAEMON_CHDIR_ROOT was giving inconsistent
502 * behavior with/without -F, -i */
503 bb_daemonize_or_rexec(0 /*was DAEMON_CHDIR_ROOT*/, argv);
506 /* Redirect log to syslog early, if needed */
507 if (IS_INETD || (opt & OPT_SYSLOG) || !(opt & OPT_FOREGROUND)) {
508 openlog(applet_name, LOG_PID, LOG_DAEMON);
509 logmode = LOGMODE_SYSLOG;
511 #if ENABLE_FEATURE_TELNETD_STANDALONE
513 G.sessions = make_new_session(0);
514 if (!G.sessions) /* pty opening or vfork problem, exit */
515 return 1; /* make_new_session printed error message */
518 if (!(opt & OPT_WAIT)) {
519 unsigned portnbr = 23;
521 portnbr = xatou16(opt_portnbr);
522 master_fd = create_and_bind_stream_or_die(opt_bindaddr, portnbr);
523 xlisten(master_fd, 1);
525 close_on_exec_on(master_fd);
528 G.sessions = make_new_session();
529 if (!G.sessions) /* pty opening or vfork problem, exit */
530 return 1; /* make_new_session printed error message */
533 /* We don't want to die if just one session is broken */
534 signal(SIGPIPE, SIG_IGN);
536 if (opt & OPT_WATCHCHILD)
537 signal(SIGCHLD, handle_sigchld);
538 else /* prevent dead children from becoming zombies */
539 signal(SIGCHLD, SIG_IGN);
542 This is how the buffers are used. The arrows indicate data flow.
544 +-------+ wridx1++ +------+ rdidx1++ +----------+
545 | | <-------------- | buf1 | <-------------- | |
546 | | size1-- +------+ size1++ | |
548 | | rdidx2++ +------+ wridx2++ | |
549 | | --------------> | buf2 | --------------> | |
550 +-------+ size2++ +------+ size2-- +----------+
552 size1: "how many bytes are buffered for pty between rdidx1 and wridx1?"
553 size2: "how many bytes are buffered for socket between rdidx2 and wridx2?"
555 Each session has got two buffers. Buffers are circular. If sizeN == 0,
556 buffer is empty. If sizeN == BUFSIZE, buffer is full. In both these cases
563 /* Select on the master socket, all telnet sockets and their
564 * ptys if there is room in their session buffers.
565 * NB: scalability problem: we recalculate entire bitmap
566 * before each select. Can be a problem with 500+ connections. */
569 struct tsession *next = ts->next; /* in case we free ts */
570 if (ts->shell_pid == -1) {
571 /* Child died and we detected that */
574 if (ts->size1 > 0) /* can write to pty */
575 FD_SET(ts->ptyfd, &wrfdset);
576 if (ts->size1 < BUFSIZE) /* can read from socket */
577 FD_SET(ts->sockfd_read, &rdfdset);
578 if (ts->size2 > 0) /* can write to socket */
579 FD_SET(ts->sockfd_write, &wrfdset);
580 if (ts->size2 < BUFSIZE) /* can read from pty */
581 FD_SET(ts->ptyfd, &rdfdset);
586 FD_SET(master_fd, &rdfdset);
587 /* This is needed because free_session() does not
588 * take master_fd into account when it finds new
589 * maxfd among remaining fd's */
590 if (master_fd > G.maxfd)
595 struct timeval *tv_ptr = NULL;
596 #if ENABLE_FEATURE_TELNETD_INETD_WAIT
598 if ((opt & OPT_WAIT) && !G.sessions) {
599 tv.tv_sec = sec_linger;
604 count = select(G.maxfd + 1, &rdfdset, &wrfdset, NULL, tv_ptr);
606 if (count == 0) /* "telnetd -w SEC" timed out */
609 goto again; /* EINTR or ENOMEM */
611 #if ENABLE_FEATURE_TELNETD_STANDALONE
612 /* Check for and accept new sessions */
613 if (!IS_INETD && FD_ISSET(master_fd, &rdfdset)) {
615 struct tsession *new_ts;
617 fd = accept(master_fd, NULL, NULL);
620 close_on_exec_on(fd);
622 /* Create a new session and link it into active list */
623 new_ts = make_new_session(fd);
625 new_ts->next = G.sessions;
633 /* Then check for data tunneling */
635 while (ts) { /* For all sessions... */
636 struct tsession *next = ts->next; /* in case we free ts */
638 if (/*ts->size1 &&*/ FD_ISSET(ts->ptyfd, &wrfdset)) {
641 /* Write to pty from buffer 1 */
642 ptr = remove_iacs(ts, &num_totty);
643 count = safe_write(ts->ptyfd, ptr, num_totty);
651 if (ts->wridx1 >= BUFSIZE) /* actually == BUFSIZE */
655 if (/*ts->size2 &&*/ FD_ISSET(ts->sockfd_write, &wrfdset)) {
656 /* Write to socket from buffer 2 */
657 count = MIN(BUFSIZE - ts->wridx2, ts->size2);
658 count = iac_safe_write(ts->sockfd_write, (void*)(TS_BUF2(ts) + ts->wridx2), count);
666 if (ts->wridx2 >= BUFSIZE) /* actually == BUFSIZE */
670 /* Should not be needed, but... remove_iacs is actually buggy
671 * (it cannot process iacs which wrap around buffer's end)!
672 * Since properly fixing it requires writing bigger code,
673 * we rely instead on this code making it virtually impossible
674 * to have wrapped iac (people don't type at 2k/second).
675 * It also allows for bigger reads in common case. */
676 if (ts->size1 == 0) {
680 if (ts->size2 == 0) {
685 if (/*ts->size1 < BUFSIZE &&*/ FD_ISSET(ts->sockfd_read, &rdfdset)) {
686 /* Read from socket to buffer 1 */
687 count = MIN(BUFSIZE - ts->rdidx1, BUFSIZE - ts->size1);
688 count = safe_read(ts->sockfd_read, TS_BUF1(ts) + ts->rdidx1, count);
690 if (count < 0 && errno == EAGAIN)
694 /* Ignore trailing NUL if it is there */
695 if (!TS_BUF1(ts)[ts->rdidx1 + count - 1]) {
700 if (ts->rdidx1 >= BUFSIZE) /* actually == BUFSIZE */
704 if (/*ts->size2 < BUFSIZE &&*/ FD_ISSET(ts->ptyfd, &rdfdset)) {
705 /* Read from pty to buffer 2 */
706 count = MIN(BUFSIZE - ts->rdidx2, BUFSIZE - ts->size2);
707 count = safe_read(ts->ptyfd, TS_BUF2(ts) + ts->rdidx2, count);
709 if (count < 0 && errno == EAGAIN)
715 if (ts->rdidx2 >= BUFSIZE) /* actually == BUFSIZE */
722 if (ts->shell_pid > 0)
723 update_utmp(ts->shell_pid, DEAD_PROCESS, /*tty_name:*/ NULL, /*username:*/ NULL, /*hostname:*/ NULL);