Implement POSIX grantpt(3) functionality, and add a pt_chown utility (akin

to Solaris, it is in /usr/libexec) to perform the handing over of tty nodes
to the user being granted the pty.

Submitted by:	Ryan Younce <ryany@pobox.com>
Reviewed by:	security-officer@, standards@, mike@

3 files changed, 491 insertions, 7 deletions

diff --git a/lib/libc/stdlib/Makefile.inc b/lib/libc/stdlib/Makefile.inc
index e388908..bc1030d 100644
--- a/lib/libc/stdlib/Makefile.inc
+++ b/lib/libc/stdlib/Makefile.inc
@@ -6,11 +6,11 @@
 
 MISRCS+=_Exit.c abort.c abs.c atexit.c atof.c atoi.c atol.c atoll.c \
 	bsearch.c calloc.c div.c exit.c getenv.c getopt.c getopt_long.c \
-	getsubopt.c hcreate.c heapsort.c imaxabs.c imaxdiv.c insque.c \
-	labs.c ldiv.c llabs.c lldiv.c lsearch.c malloc.c merge.c putenv.c \
-	qsort.c qsort_r.c radixsort.c rand.c random.c reallocf.c realpath.c \
-	remque.c setenv.c strfmon.c strhash.c strtod.c strtoimax.c strtol.c \
-	strtoll.c strtoq.c strtoul.c strtoull.c strtoumax.c strtouq.c \
+	getsubopt.c grantpt.c hcreate.c heapsort.c imaxabs.c imaxdiv.c \
+	insque.c labs.c ldiv.c llabs.c lldiv.c lsearch.c malloc.c merge.c \
+	putenv.c qsort.c qsort_r.c radixsort.c rand.c random.c reallocf.c \
+	realpath.c remque.c setenv.c strfmon.c strhash.c strtod.c strtoimax.c \
+	strtol.c strtoll.c strtoq.c strtoul.c strtoull.c strtoumax.c strtouq.c \
 	system.c tdelete.c tfind.c tsearch.c twalk.c
 
 # machine-dependent stdlib sources
@@ -19,14 +19,15 @@ MISRCS+=_Exit.c abort.c abs.c atexit.c atof.c atoi.c atol.c atoll.c \
 .endif
 
 MAN+=	abort.3 abs.3 alloca.3 atexit.3 atof.3 atoi.3 atol.3 bsearch.3 \
-	div.3 exit.3 getenv.3 getopt.3 getopt_long.3 getsubopt.3 hcreate.3 \
-	imaxabs.3 imaxdiv.3 insque.3 labs.3 ldiv.3 llabs.3 lldiv.3 \
+	div.3 exit.3 getenv.3 getopt.3 getopt_long.3 getsubopt.3 grantpt.3 \
+	hcreate.3 imaxabs.3 imaxdiv.3 insque.3 labs.3 ldiv.3 llabs.3 lldiv.3 \
 	lsearch.3 malloc.3 memory.3 qsort.3 radixsort.3 rand.3 random.3 \
 	realpath.3 strfmon.3 strtod.3 strtol.3 strtoul.3 system.3 tsearch.3
 
 MLINKS+=atol.3 atoll.3
 MLINKS+=exit.3 _Exit.3
 MLINKS+=getenv.3 putenv.3 getenv.3 setenv.3 getenv.3 unsetenv.3
+MLINKS+=grantpt.3 posix_openpt.3 grantpt.3 ptsname.3 grantpt.3 unlockpt.3
 MLINKS+=hcreate.3 hdestroy.3 hcreate.3 hsearch.3
 MLINKS+=insque.3 remque.3
 MLINKS+=lsearch.3 lfind.3
diff --git a/lib/libc/stdlib/grantpt.3 b/lib/libc/stdlib/grantpt.3
new file mode 100644
index 0000000..2983c2d
--- /dev/null
+++ b/lib/libc/stdlib/grantpt.3
@@ -0,0 +1,224 @@
+.\"
+.\" Copyright (c) 2002 The FreeBSD Project, Inc.
+.\" All rights reserved.
+.\"
+.\" This software includes code contributed to the FreeBSD Project
+.\" by Ryan Younce of North Carolina State University.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the FreeBSD Project nor the names of its
+.\"    contributors may be used to endorse or promote products derived from
+.\"    this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+.\" PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FREEBSD PROJECT
+.\" OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd December 23, 2002
+.Os
+.Dt GRANTPT 3
+.Sh NAME
+.Nm grantpt ,
+.Nm ptsname ,
+.Nm unlockpt ,
+.Nm posix_openpt
+.Nd pseudo-terminal access functions
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In stdlib.h
+.Ft int
+.Fn grantpt "int fildes"
+.Ft char *
+.Fn ptsname "int fildes"
+.Ft int
+.Fn unlockpt "int fildes"
+.In fcntl.h
+.Ft int
+.Fn posix_openpt "int mode"
+.Sh DESCRIPTION
+The
+.Fn grantpt ,
+.Fn ptsname ,
+.Fn unlockpt ,
+and
+.Fn posix_openpt
+functions allow access to pseudo-terminal devices.
+The first three functions accept a file descriptor
+that references the master half of a pseudo-terminal pair.
+This file descriptor is created with
+.Fn posix_openpt .
+.Pp
+The
+.Fn grantpt
+function is used to establish ownership and permissions
+of the slave device counterpart to the master device
+specified with
+.Va fildes .
+The slave device's ownership is set to the real user ID
+of the calling process, and the permissions are set to
+user readable-writable and group writable.
+The group owner of the slave device is also set to the
+group "tty" if it exists on the system; otherwise, it
+is left untouched.
+.Pp
+The
+.Fn ptsname
+function returns the full pathname of the slave device
+counterpart to the master device specified with
+.Va fildes .
+This value can be used
+to subsequently open the appropriate slave after
+.Fn posix_openpt
+and
+.Fn grantpt
+have been called.
+.Pp
+The
+.Fn unlockpt
+function clears the lock held on the pseudo-terminal pair
+for the master device specified with
+.Va fildes .
+.Pp
+The
+.Fn posix_openpt
+function opens the first available master pseudo-terminal
+device and returns a descriptor to it.
+.Va mode
+specifies the flags used for opening the device:
+.Bl -tag -width O_NOCTTY
+.It Dv O_RDWR
+Open for reading and writing.
+.It Dv O_NOCTTY
+If set, do not allow the terminal to become
+the controlling terminal for the calling process.
+.El
+.Sh RETURN VALUES
+The
+.Fn grantpt
+and
+.Fn unlockpt
+functions return 0 on success; otherwise -1 is returned and
+.Va errno
+is set to indicate the error.
+.Pp
+The
+.Fn ptsname
+function returns a pointer to the name
+of the slave device on success;
+otherwise a NULL pointer is returned and
+.Va errno
+is set to indicate the error.
+.Pp
+The
+.Fn posix_openpt
+function returns a file descriptor to the first
+available master pseudo-terminal device on success;
+otherwise -1 is returned and
+.Va errno
+is set to indicate the error.
+.Sh ERRORS
+The
+.Fn grantpt ,
+.Fn ptsname ,
+and
+.Fn unlockpt
+functions may fail and set
+.Va errno
+to:
+.Bl -tag -width Er
+.It EINVAL
+.Va fildes
+is not a master pseudo-terminal device.
+.El
+.Pp
+In addition, the
+.Fn grantpt
+function may set
+.Va errno
+to:
+.Bl -tag -width Er
+.It EACCES
+The slave pseudo-terminal device could not be accessed.
+.El
+.Pp
+The
+.Fn posix_openpt
+function may fail and set
+.Va errno
+to:
+.Bl -tag -width Er
+.It EINVAL
+.Va mode
+consists an an invalid mode bit.
+.It EAGAIN
+The system has no available pseudo-terminal devices.
+.El
+.Pp
+The
+.Fn grantpt ,
+.Fn ptsname ,
+and
+.Fn unlockpt
+functions may also fail and set
+.Va errno
+for any of the errors specified for the routine
+.Xr fstat 2 .
+.Pp
+The
+.Fn posix_openpt
+function may also fail and set
+.Va errno
+for any of the errors specified for the routine
+.Xr open 2 .
+.Sh SEE ALSO
+.Xr open 2 ,
+.Xr pty 4 ,
+.Xr tty 4
+.Sh STANDARDS
+The
+.Fn grantpt ,
+.Fn ptsname ,
+.Fn unlockpt ,
+and
+.Fn posix_openpt
+functions conform to
+.St -p1003.1-2001 .
+.Sh HISTORY
+The
+.Fn grantpt ,
+.Fn ptsname ,
+.Fn unlockpt ,
+and
+.Fn posix_openpt
+functions appeared in
+.Fx 5.0 .
+.Sh NOTES
+The purpose of the
+.Fn unlockpt
+function has no meaning in
+.Fx .
+.Pp
+The flag
+.Dv O_NOCTTY
+is included for compatibility; in
+.Fx ,
+opening a terminal does not cause it to become
+a process's controlling terminal.
diff --git a/lib/libc/stdlib/grantpt.c b/lib/libc/stdlib/grantpt.c
new file mode 100644
index 0000000..3e69f17
--- /dev/null
+++ b/lib/libc/stdlib/grantpt.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 2002 The FreeBSD Project, Inc.
+ * All rights reserved.
+ *
+ * This software includes code contributed to the FreeBSD Project
+ * by Ryan Younce of North Carolina State University.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the FreeBSD Project nor the names of its
+ *    contributors may be used to endorse or promote products derived from
+ *    this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT AND CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE FREEBSD PROJECT OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+#ifndef lint
+__FBSDID("$FreeBSD$");
+#endif /* not lint */
+
+#include "namespace.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <paths.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+#include <unistd.h>
+#include "un-namespace.h"
+
+#define PTM_MAJOR	6	/* pseudo tty master major */
+#define PTS_MAJOR	5	/* pseudo tty slave major */
+#define PTM_PREFIX	"pty"	/* pseudo tty master naming convention */
+#define PTS_PREFIX	"tty"	/* pseudo tty slave naming convention */
+
+/*
+ * The following are range values for pseudo TTY devices.  Pseudo TTYs have a
+ * name of /dev/[pt]ty[p-sP-S][0-9a-v], yielding 256 combinations per major.
+ */
+#define PT_MAX		256
+#define	PT_DEV1		"pqrsPQRS"
+#define PT_DEV2		"0123456789abcdefghijklmnopqrstuv"
+
+/*
+ * grantpt(3) support utility.
+ */
+#define _PATH_PTCHOWN	"/usr/libexec/pt_chown"
+
+/*
+ * ISPTM(x) returns 0 for struct stat x if x is not a pty master.
+ * The bounds checking may be unnecessary but it does eliminate doubt.
+ */
+#define ISPTM(x)	(S_ISCHR((x).st_mode) && 			\
+			 major((x).st_rdev) == PTM_MAJOR &&		\
+			 minor((x).st_rdev) >= 0 &&			\
+			 minor((x).st_rdev) < PT_MAX)
+
+/*
+ * grantpt():  grant ownership of a slave pseudo-terminal device to the
+ *             current user.
+ */
+
+int
+grantpt(int fildes)
+{
+	int retval, serrno, status;
+	pid_t pid, spid;
+	gid_t gid;
+	char *slave;
+	sigset_t oblock, nblock;
+	struct stat sbuf;
+	struct group *grp;
+
+	retval = -1;
+	serrno = errno;
+
+	if ((slave = ptsname(fildes)) != NULL) {
+		/*
+		 * Block SIGCHLD.
+		 */
+		(void)sigemptyset(&nblock);
+		(void)sigaddset(&nblock, SIGCHLD);
+		(void)_sigprocmask(SIG_BLOCK, &nblock, &oblock);
+
+		switch (pid = fork()) {
+		case -1:
+			break;
+		case 0:		/* child */
+			/*
+			 * pt_chown expects the master pseudo TTY to be its
+			 * standard input.
+			 */
+			(void)_dup2(fildes, STDIN_FILENO);
+			(void)_sigprocmask(SIG_SETMASK, &oblock, NULL);
+			execl(_PATH_PTCHOWN, _PATH_PTCHOWN, (char *)NULL);
+			_exit(EX_UNAVAILABLE);
+			/* NOTREACHED */
+		default:	/* parent */
+			/*
+			 * Just wait for the process.  Error checking is
+			 * done below.
+			 */
+			while ((spid = _waitpid(pid, &status, 0)) == -1 &&
+			       (errno == EINTR))
+				;
+			if (spid != -1 && WIFEXITED(status) &&
+			    WEXITSTATUS(status) == EX_OK)
+				retval = 0;
+			else
+				errno = EACCES;
+			break;
+		}
+
+		/*
+		 * Restore process's signal mask.
+		 */
+		(void)_sigprocmask(SIG_SETMASK, &oblock, NULL);
+
+		if (retval) {
+			/*
+			 * pt_chown failed.  Try to manually change the
+			 * permissions for the slave.
+			 */
+			gid = (grp = getgrnam("tty")) ? grp->gr_gid : -1;
+			if (chown(slave, getuid(), gid) == -1 ||
+			    chmod(slave, S_IRUSR | S_IWUSR | S_IWGRP) == -1)
+				errno = EACCES;
+			else
+				retval = 0;
+		}
+	}
+
+	if (!retval)
+		errno = serrno;
+
+	return (retval);
+}
+
+/*
+ * posix_openpt():  open the first available master pseudo-terminal device
+ *                  and return descriptor.
+ */
+int
+posix_openpt(int oflag)
+{
+	char *mc1, *mc2, master[] = _PATH_DEV PTM_PREFIX "XY";
+	const char *pc1, *pc2;
+	int fildes, bflag, serrno;
+
+	fildes = -1;
+	bflag = 0;
+	serrno = errno;
+
+	/*
+	 * Check flag validity.  POSIX doesn't require it,
+	 * but we still do so.
+	 */
+	if (oflag & ~(O_RDWR | O_NOCTTY))
+		errno = EINVAL;
+	else {
+		mc1 = master + strlen(_PATH_DEV PTM_PREFIX);
+		mc2 = mc1 + 1;
+
+		/* Cycle through all possible master PTY devices. */
+		for (pc1 = PT_DEV1; !bflag && (*mc1 = *pc1); ++pc1)
+			for (pc2 = PT_DEV2; *mc2 = *pc2; ++pc2) {
+				/*
+				 * Break out if we successfully open a PTY,
+				 * or if open() fails due to limits.
+				 */
+				if ((fildes = _open(master, oflag)) != -1 ||
+				    (errno == EMFILE || errno == ENFILE)) {
+					++bflag;
+					break;
+				}
+			}
+
+		if (fildes != -1)
+			errno = serrno;
+		else if (!bflag)
+			errno = EAGAIN;
+	}
+
+	return (fildes);
+}
+
+/*
+ * ptsname():  return the pathname of the slave pseudo-terminal device
+ *             associated with the specified master.
+ */
+char *
+ptsname(int fildes)
+{
+	static char slave[] = _PATH_DEV PTS_PREFIX "XY";
+	char *retval;
+	struct stat sbuf;
+
+	retval = NULL;
+
+	if (_fstat(fildes, &sbuf) == 0) {
+		if (!ISPTM(sbuf))
+			errno = EINVAL;
+		else {
+			(void)sprintf(slave, _PATH_DEV PTS_PREFIX "%c%c",
+				      PT_DEV1[minor(sbuf.st_rdev) / 32],
+				      PT_DEV2[minor(sbuf.st_rdev) % 32]);
+			retval = slave;
+		}
+	}
+
+	return (retval);
+}
+
+/*
+ * unlockpt():  unlock a pseudo-terminal device pair.
+ */
+int
+unlockpt(int fildes)
+{
+	int retval;
+	struct stat sbuf;
+
+	/*
+	 * Unlocking a master/slave pseudo-terminal pair has no meaning in a
+	 * non-streams PTY environment.  However, we do ensure fildes is a
+	 * valid master pseudo-terminal device.
+	 */
+	if ((retval = _fstat(fildes, &sbuf)) == 0 && !ISPTM(sbuf)) {
+		errno = EINVAL;
+		retval = -1;
+	}
+
+	return (retval);
+}