exec_script.c revision 1.45.10.2
1 1.45.10.2 elad /* $NetBSD: exec_script.c,v 1.45.10.2 2006/04/19 05:13:59 elad Exp $ */ 2 1.8 cgd 3 1.1 cgd /* 4 1.14 cgd * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou 5 1.1 cgd * All rights reserved. 6 1.1 cgd * 7 1.1 cgd * Redistribution and use in source and binary forms, with or without 8 1.1 cgd * modification, are permitted provided that the following conditions 9 1.1 cgd * are met: 10 1.1 cgd * 1. Redistributions of source code must retain the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer. 12 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 cgd * notice, this list of conditions and the following disclaimer in the 14 1.1 cgd * documentation and/or other materials provided with the distribution. 15 1.1 cgd * 3. All advertising materials mentioning features or use of this software 16 1.1 cgd * must display the following acknowledgement: 17 1.1 cgd * This product includes software developed by Christopher G. Demetriou. 18 1.1 cgd * 4. The name of the author may not be used to endorse or promote products 19 1.3 jtc * derived from this software without specific prior written permission 20 1.1 cgd * 21 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 1.1 cgd * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 1.1 cgd * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 1.1 cgd * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 1.1 cgd * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 1.1 cgd * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 1.1 cgd * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 1.1 cgd * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 1.1 cgd * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 1.1 cgd * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 1.1 cgd */ 32 1.30 lukem 33 1.30 lukem #include <sys/cdefs.h> 34 1.45.10.2 elad __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.45.10.2 2006/04/19 05:13:59 elad Exp $"); 35 1.1 cgd 36 1.1 cgd #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 37 1.1 cgd #define FDSCRIPTS /* Need this for safe set-id scripts. */ 38 1.1 cgd #endif 39 1.1 cgd 40 1.42 christos #include "opt_verified_exec.h" 41 1.42 christos 42 1.1 cgd #include <sys/param.h> 43 1.1 cgd #include <sys/systm.h> 44 1.1 cgd #include <sys/proc.h> 45 1.1 cgd #include <sys/malloc.h> 46 1.1 cgd #include <sys/vnode.h> 47 1.1 cgd #include <sys/namei.h> 48 1.1 cgd #include <sys/file.h> 49 1.18 christos #ifdef SETUIDSCRIPTS 50 1.18 christos #include <sys/stat.h> 51 1.18 christos #endif 52 1.1 cgd #include <sys/filedesc.h> 53 1.1 cgd #include <sys/exec.h> 54 1.1 cgd #include <sys/resourcevar.h> 55 1.1 cgd 56 1.1 cgd #include <sys/exec_script.h> 57 1.38 matt #include <sys/exec_elf.h> 58 1.1 cgd 59 1.44 elad #ifdef VERIFIED_EXEC 60 1.39 elad #include <sys/verified_exec.h> 61 1.44 elad #endif /* VERIFIED_EXEC */ 62 1.39 elad 63 1.40 elad #ifdef SYSTRACE 64 1.40 elad #include <sys/systrace.h> 65 1.40 elad #endif /* SYSTRACE */ 66 1.40 elad 67 1.1 cgd /* 68 1.1 cgd * exec_script_makecmds(): Check if it's an executable shell script. 69 1.1 cgd * 70 1.1 cgd * Given a proc pointer and an exec package pointer, see if the referent 71 1.1 cgd * of the epp is in shell script. If it is, then set thing up so that 72 1.1 cgd * the script can be run. This involves preparing the address space 73 1.1 cgd * and arguments for the shell which will run the script. 74 1.1 cgd * 75 1.1 cgd * This function is ultimately responsible for creating a set of vmcmds 76 1.1 cgd * which can be used to build the process's vm space and inserting them 77 1.1 cgd * into the exec package. 78 1.1 cgd */ 79 1.1 cgd int 80 1.45 christos exec_script_makecmds(struct lwp *l, struct exec_package *epp) 81 1.1 cgd { 82 1.1 cgd int error, hdrlinelen, shellnamelen, shellarglen; 83 1.1 cgd char *hdrstr = epp->ep_hdr; 84 1.1 cgd char *cp, *shellname, *shellarg, *oldpnbuf; 85 1.1 cgd char **shellargp, **tmpsap; 86 1.1 cgd struct vnode *scriptvp; 87 1.45 christos struct proc *p = l->l_proc; 88 1.1 cgd #ifdef SETUIDSCRIPTS 89 1.18 christos /* Gcc needs those initialized for spurious uninitialized warning */ 90 1.18 christos uid_t script_uid = (uid_t) -1; 91 1.18 christos gid_t script_gid = NOGROUP; 92 1.1 cgd u_short script_sbits; 93 1.1 cgd #endif 94 1.1 cgd 95 1.1 cgd /* 96 1.1 cgd * if the magic isn't that of a shell script, or we've already 97 1.1 cgd * done shell script processing for this exec, punt on it. 98 1.1 cgd */ 99 1.1 cgd if ((epp->ep_flags & EXEC_INDIR) != 0 || 100 1.1 cgd epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 101 1.1 cgd strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 102 1.1 cgd return ENOEXEC; 103 1.1 cgd 104 1.1 cgd /* 105 1.1 cgd * check that the shell spec is terminated by a newline, 106 1.1 cgd * and that it isn't too large. Don't modify the 107 1.1 cgd * buffer unless we're ready to commit to handling it. 108 1.1 cgd * (The latter requirement means that we have to check 109 1.1 cgd * for both spaces and tabs later on.) 110 1.1 cgd */ 111 1.33 perry hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE); 112 1.1 cgd for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 113 1.1 cgd cp++) { 114 1.1 cgd if (*cp == '\n') { 115 1.1 cgd *cp = '\0'; 116 1.1 cgd break; 117 1.1 cgd } 118 1.1 cgd } 119 1.1 cgd if (cp >= hdrstr + hdrlinelen) 120 1.1 cgd return ENOEXEC; 121 1.1 cgd 122 1.38 matt /* 123 1.38 matt * If the script has an ELF header, don't exec it. 124 1.38 matt */ 125 1.38 matt if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 && 126 1.38 matt memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0) 127 1.38 matt return ENOEXEC; 128 1.38 matt 129 1.1 cgd shellname = NULL; 130 1.1 cgd shellarg = NULL; 131 1.13 christos shellarglen = 0; 132 1.1 cgd 133 1.1 cgd /* strip spaces before the shell name */ 134 1.1 cgd for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 135 1.1 cgd cp++) 136 1.1 cgd ; 137 1.1 cgd 138 1.1 cgd /* collect the shell name; remember it's length for later */ 139 1.1 cgd shellname = cp; 140 1.1 cgd shellnamelen = 0; 141 1.1 cgd if (*cp == '\0') 142 1.1 cgd goto check_shell; 143 1.1 cgd for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 144 1.1 cgd shellnamelen++; 145 1.1 cgd if (*cp == '\0') 146 1.1 cgd goto check_shell; 147 1.1 cgd *cp++ = '\0'; 148 1.1 cgd 149 1.1 cgd /* skip spaces before any argument */ 150 1.1 cgd for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 151 1.1 cgd ; 152 1.1 cgd if (*cp == '\0') 153 1.1 cgd goto check_shell; 154 1.1 cgd 155 1.1 cgd /* 156 1.1 cgd * collect the shell argument. everything after the shell name 157 1.1 cgd * is passed as ONE argument; that's the correct (historical) 158 1.1 cgd * behaviour. 159 1.1 cgd */ 160 1.1 cgd shellarg = cp; 161 1.1 cgd for ( /* cp = cp */ ; *cp != '\0'; cp++) 162 1.1 cgd shellarglen++; 163 1.1 cgd *cp++ = '\0'; 164 1.1 cgd 165 1.1 cgd check_shell: 166 1.1 cgd #ifdef SETUIDSCRIPTS 167 1.1 cgd /* 168 1.29 thorpej * MNT_NOSUID has already taken care of by check_exec, 169 1.29 thorpej * so we don't need to worry about it now or later. We 170 1.29 thorpej * will need to check P_TRACED later, however. 171 1.1 cgd */ 172 1.17 mycroft script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); 173 1.1 cgd if (script_sbits != 0) { 174 1.1 cgd script_uid = epp->ep_vap->va_uid; 175 1.1 cgd script_gid = epp->ep_vap->va_gid; 176 1.1 cgd } 177 1.1 cgd #endif 178 1.1 cgd #ifdef FDSCRIPTS 179 1.1 cgd /* 180 1.1 cgd * if the script isn't readable, or it's set-id, then we've 181 1.1 cgd * gotta supply a "/dev/fd/..." for the shell to read. 182 1.1 cgd * Note that stupid shells (csh) do the wrong thing, and 183 1.1 cgd * close all open fd's when the start. That kills this 184 1.1 cgd * method of implementing "safe" set-id and x-only scripts. 185 1.1 cgd */ 186 1.19 fvdl vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY); 187 1.45.10.1 elad error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_proc->p_cred, l); 188 1.19 fvdl VOP_UNLOCK(epp->ep_vp, 0); 189 1.14 cgd if (error == EACCES 190 1.9 cgd #ifdef SETUIDSCRIPTS 191 1.9 cgd || script_sbits 192 1.9 cgd #endif 193 1.9 cgd ) { 194 1.1 cgd struct file *fp; 195 1.1 cgd 196 1.1 cgd #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 197 1.1 cgd if (epp->ep_flags & EXEC_HASFD) 198 1.1 cgd panic("exec_script_makecmds: epp already has a fd"); 199 1.1 cgd #endif 200 1.1 cgd 201 1.21 thorpej /* falloc() will use the descriptor for us */ 202 1.18 christos if ((error = falloc(p, &fp, &epp->ep_fd)) != 0) { 203 1.18 christos scriptvp = NULL; 204 1.18 christos shellargp = NULL; 205 1.4 cgd goto fail; 206 1.18 christos } 207 1.1 cgd 208 1.1 cgd epp->ep_flags |= EXEC_HASFD; 209 1.1 cgd fp->f_type = DTYPE_VNODE; 210 1.1 cgd fp->f_ops = &vnops; 211 1.1 cgd fp->f_data = (caddr_t) epp->ep_vp; 212 1.1 cgd fp->f_flag = FREAD; 213 1.28 thorpej FILE_SET_MATURE(fp); 214 1.45 christos FILE_UNUSE(fp, l); 215 1.1 cgd } 216 1.1 cgd #endif 217 1.1 cgd 218 1.1 cgd /* set up the parameters for the recursive check_exec() call */ 219 1.1 cgd epp->ep_ndp->ni_dirp = shellname; 220 1.1 cgd epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 221 1.1 cgd epp->ep_flags |= EXEC_INDIR; 222 1.1 cgd 223 1.1 cgd /* and set up the fake args list, for later */ 224 1.1 cgd MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 225 1.1 cgd tmpsap = shellargp; 226 1.45.10.2 elad *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); 227 1.34 itojun strlcpy(*tmpsap++, shellname, shellnamelen + 1); 228 1.1 cgd if (shellarg != NULL) { 229 1.45.10.2 elad *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK); 230 1.34 itojun strlcpy(*tmpsap++, shellarg, shellarglen + 1); 231 1.1 cgd } 232 1.1 cgd MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 233 1.1 cgd #ifdef FDSCRIPTS 234 1.1 cgd if ((epp->ep_flags & EXEC_HASFD) == 0) { 235 1.1 cgd #endif 236 1.1 cgd /* normally can't fail, but check for it if diagnostic */ 237 1.40 elad #ifdef SYSTRACE 238 1.41 elad error = 1; 239 1.41 elad if (ISSET(p->p_flag, P_SYSTRACE)) { 240 1.41 elad error = systrace_scriptname(p, *tmpsap); 241 1.41 elad if (error == 0) 242 1.41 elad tmpsap++; 243 1.41 elad } 244 1.41 elad if (error) { 245 1.41 elad /* 246 1.41 elad * Since systrace_scriptname() provides a 247 1.41 elad * convenience, not a security issue, we are 248 1.41 elad * safe to do this. 249 1.41 elad */ 250 1.41 elad error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN, 251 1.41 elad NULL); 252 1.41 elad } 253 1.40 elad #else 254 1.11 mycroft error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 255 1.11 mycroft (size_t *)0); 256 1.40 elad #endif /* SYSTRACE */ 257 1.1 cgd #ifdef DIAGNOSTIC 258 1.1 cgd if (error != 0) 259 1.31 provos panic("exec_script: copyinstr couldn't fail"); 260 1.1 cgd #endif 261 1.1 cgd #ifdef FDSCRIPTS 262 1.1 cgd } else 263 1.37 itojun snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 264 1.1 cgd #endif 265 1.1 cgd *tmpsap = NULL; 266 1.1 cgd 267 1.1 cgd /* 268 1.1 cgd * mark the header we have as invalid; check_exec will read 269 1.1 cgd * the header from the new executable 270 1.1 cgd */ 271 1.1 cgd epp->ep_hdrvalid = 0; 272 1.1 cgd 273 1.1 cgd /* 274 1.1 cgd * remember the old vp and pnbuf for later, so we can restore 275 1.1 cgd * them if check_exec() fails. 276 1.1 cgd */ 277 1.1 cgd scriptvp = epp->ep_vp; 278 1.7 mycroft oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 279 1.1 cgd 280 1.32 blymn #ifdef VERIFIED_EXEC 281 1.45 christos if ((error = check_exec(l, epp, VERIEXEC_INDIRECT)) == 0) { 282 1.32 blymn #else 283 1.45 christos if ((error = check_exec(l, epp, 0)) == 0) { 284 1.32 blymn #endif 285 1.4 cgd /* note that we've clobbered the header */ 286 1.27 jdolecek epp->ep_flags |= EXEC_DESTR|EXEC_HASES; 287 1.4 cgd 288 1.1 cgd /* 289 1.1 cgd * It succeeded. Unlock the script and 290 1.1 cgd * close it if we aren't using it any more. 291 1.4 cgd * Also, set things up so that the fake args 292 1.1 cgd * list will be used. 293 1.1 cgd */ 294 1.14 cgd if ((epp->ep_flags & EXEC_HASFD) == 0) { 295 1.20 wrstuden vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 296 1.45.10.1 elad VOP_CLOSE(scriptvp, FREAD, p->p_cred, l); 297 1.20 wrstuden vput(scriptvp); 298 1.14 cgd } 299 1.2 cgd 300 1.2 cgd /* free the old pathname buffer */ 301 1.26 thorpej PNBUF_PUT(oldpnbuf); 302 1.1 cgd 303 1.1 cgd epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 304 1.1 cgd epp->ep_fa = shellargp; 305 1.1 cgd #ifdef SETUIDSCRIPTS 306 1.1 cgd /* 307 1.1 cgd * set thing up so that set-id scripts will be 308 1.29 thorpej * handled appropriately. P_TRACED will be 309 1.29 thorpej * checked later when the shell is actually 310 1.29 thorpej * exec'd. 311 1.1 cgd */ 312 1.1 cgd epp->ep_vap->va_mode |= script_sbits; 313 1.17 mycroft if (script_sbits & S_ISUID) 314 1.1 cgd epp->ep_vap->va_uid = script_uid; 315 1.17 mycroft if (script_sbits & S_ISGID) 316 1.1 cgd epp->ep_vap->va_gid = script_gid; 317 1.1 cgd #endif 318 1.4 cgd return (0); 319 1.4 cgd } 320 1.4 cgd 321 1.5 cgd /* XXX oldpnbuf not set for "goto fail" path */ 322 1.7 mycroft epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 323 1.13 christos #ifdef FDSCRIPTS 324 1.4 cgd fail: 325 1.13 christos #endif 326 1.4 cgd /* note that we've clobbered the header */ 327 1.4 cgd epp->ep_flags |= EXEC_DESTR; 328 1.4 cgd 329 1.4 cgd /* kill the opened file descriptor, else close the file */ 330 1.4 cgd if (epp->ep_flags & EXEC_HASFD) { 331 1.4 cgd epp->ep_flags &= ~EXEC_HASFD; 332 1.45 christos (void) fdrelease(l, epp->ep_fd); 333 1.18 christos } else if (scriptvp) { 334 1.20 wrstuden vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 335 1.45.10.1 elad VOP_CLOSE(scriptvp, FREAD, p->p_cred, l); 336 1.20 wrstuden vput(scriptvp); 337 1.14 cgd } 338 1.4 cgd 339 1.26 thorpej PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf); 340 1.1 cgd 341 1.4 cgd /* free the fake arg list, because we're not returning it */ 342 1.18 christos if ((tmpsap = shellargp) != NULL) { 343 1.18 christos while (*tmpsap != NULL) { 344 1.18 christos FREE(*tmpsap, M_EXEC); 345 1.18 christos tmpsap++; 346 1.18 christos } 347 1.18 christos FREE(shellargp, M_EXEC); 348 1.1 cgd } 349 1.4 cgd 350 1.4 cgd /* 351 1.4 cgd * free any vmspace-creation commands, 352 1.4 cgd * and release their references 353 1.4 cgd */ 354 1.4 cgd kill_vmcmds(&epp->ep_vmcmds); 355 1.1 cgd 356 1.4 cgd return error; 357 1.1 cgd } 358
Indexes created Fri Oct 03 23:09:56 GMT 2025