exec_script.c revision 1.7
1 1.1 cgd /* 2 1.1 cgd * Copyright (c) 1993, 1994 Christopher G. Demetriou 3 1.1 cgd * All rights reserved. 4 1.1 cgd * 5 1.1 cgd * Redistribution and use in source and binary forms, with or without 6 1.1 cgd * modification, are permitted provided that the following conditions 7 1.1 cgd * are met: 8 1.1 cgd * 1. Redistributions of source code must retain the above copyright 9 1.1 cgd * notice, this list of conditions and the following disclaimer. 10 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer in the 12 1.1 cgd * documentation and/or other materials provided with the distribution. 13 1.1 cgd * 3. All advertising materials mentioning features or use of this software 14 1.1 cgd * must display the following acknowledgement: 15 1.1 cgd * This product includes software developed by Christopher G. Demetriou. 16 1.1 cgd * 4. The name of the author may not be used to endorse or promote products 17 1.3 jtc * derived from this software without specific prior written permission 18 1.1 cgd * 19 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 20 1.1 cgd * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 21 1.1 cgd * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 22 1.1 cgd * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 23 1.1 cgd * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 24 1.1 cgd * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 1.1 cgd * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 1.1 cgd * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 1.1 cgd * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 28 1.1 cgd * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 1.1 cgd * 30 1.7 mycroft * $Id: exec_script.c,v 1.7 1994/06/08 11:28:29 mycroft Exp $ 31 1.1 cgd */ 32 1.1 cgd 33 1.1 cgd #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 34 1.1 cgd #define FDSCRIPTS /* Need this for safe set-id scripts. */ 35 1.1 cgd #endif 36 1.1 cgd 37 1.1 cgd #include <sys/param.h> 38 1.1 cgd #include <sys/systm.h> 39 1.1 cgd #include <sys/proc.h> 40 1.1 cgd #include <sys/malloc.h> 41 1.1 cgd #include <sys/vnode.h> 42 1.1 cgd #include <sys/namei.h> 43 1.1 cgd #include <sys/file.h> 44 1.1 cgd #include <sys/filedesc.h> 45 1.1 cgd #include <sys/exec.h> 46 1.1 cgd #include <sys/resourcevar.h> 47 1.1 cgd #include <vm/vm.h> 48 1.1 cgd 49 1.1 cgd #include <sys/exec_script.h> 50 1.1 cgd 51 1.1 cgd /* 52 1.1 cgd * exec_script_makecmds(): Check if it's an executable shell script. 53 1.1 cgd * 54 1.1 cgd * Given a proc pointer and an exec package pointer, see if the referent 55 1.1 cgd * of the epp is in shell script. If it is, then set thing up so that 56 1.1 cgd * the script can be run. This involves preparing the address space 57 1.1 cgd * and arguments for the shell which will run the script. 58 1.1 cgd * 59 1.1 cgd * This function is ultimately responsible for creating a set of vmcmds 60 1.1 cgd * which can be used to build the process's vm space and inserting them 61 1.1 cgd * into the exec package. 62 1.1 cgd */ 63 1.1 cgd int 64 1.1 cgd exec_script_makecmds(p, epp) 65 1.1 cgd struct proc *p; 66 1.1 cgd struct exec_package *epp; 67 1.1 cgd { 68 1.1 cgd int error, hdrlinelen, shellnamelen, shellarglen; 69 1.1 cgd char *hdrstr = epp->ep_hdr; 70 1.1 cgd char *cp, *shellname, *shellarg, *oldpnbuf; 71 1.1 cgd char **shellargp, **tmpsap; 72 1.1 cgd struct vnode *scriptvp; 73 1.1 cgd #ifdef SETUIDSCRIPTS 74 1.1 cgd uid_t script_uid; 75 1.1 cgd gid_t script_gid; 76 1.1 cgd u_short script_sbits; 77 1.1 cgd #endif 78 1.1 cgd 79 1.1 cgd /* 80 1.1 cgd * if the magic isn't that of a shell script, or we've already 81 1.1 cgd * done shell script processing for this exec, punt on it. 82 1.1 cgd */ 83 1.1 cgd if ((epp->ep_flags & EXEC_INDIR) != 0 || 84 1.1 cgd epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 85 1.1 cgd strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 86 1.1 cgd return ENOEXEC; 87 1.1 cgd 88 1.1 cgd /* 89 1.1 cgd * check that the shell spec is terminated by a newline, 90 1.1 cgd * and that it isn't too large. Don't modify the 91 1.1 cgd * buffer unless we're ready to commit to handling it. 92 1.1 cgd * (The latter requirement means that we have to check 93 1.1 cgd * for both spaces and tabs later on.) 94 1.1 cgd */ 95 1.6 cgd hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 96 1.1 cgd for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 97 1.1 cgd cp++) { 98 1.1 cgd if (*cp == '\n') { 99 1.1 cgd *cp = '\0'; 100 1.1 cgd break; 101 1.1 cgd } 102 1.1 cgd } 103 1.1 cgd if (cp >= hdrstr + hdrlinelen) 104 1.1 cgd return ENOEXEC; 105 1.1 cgd 106 1.1 cgd shellname = NULL; 107 1.1 cgd shellarg = NULL; 108 1.1 cgd 109 1.1 cgd /* strip spaces before the shell name */ 110 1.1 cgd for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 111 1.1 cgd cp++) 112 1.1 cgd ; 113 1.1 cgd 114 1.1 cgd /* collect the shell name; remember it's length for later */ 115 1.1 cgd shellname = cp; 116 1.1 cgd shellnamelen = 0; 117 1.1 cgd if (*cp == '\0') 118 1.1 cgd goto check_shell; 119 1.1 cgd for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 120 1.1 cgd shellnamelen++; 121 1.1 cgd if (*cp == '\0') 122 1.1 cgd goto check_shell; 123 1.1 cgd *cp++ = '\0'; 124 1.1 cgd 125 1.1 cgd /* skip spaces before any argument */ 126 1.1 cgd for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 127 1.1 cgd ; 128 1.1 cgd if (*cp == '\0') 129 1.1 cgd goto check_shell; 130 1.1 cgd 131 1.1 cgd /* 132 1.1 cgd * collect the shell argument. everything after the shell name 133 1.1 cgd * is passed as ONE argument; that's the correct (historical) 134 1.1 cgd * behaviour. 135 1.1 cgd */ 136 1.1 cgd shellarg = cp; 137 1.1 cgd shellarglen = 0; 138 1.1 cgd for ( /* cp = cp */ ; *cp != '\0'; cp++) 139 1.1 cgd shellarglen++; 140 1.1 cgd *cp++ = '\0'; 141 1.1 cgd 142 1.1 cgd check_shell: 143 1.1 cgd #ifdef SETUIDSCRIPTS 144 1.1 cgd /* 145 1.1 cgd * MNT_NOSUID and STRC are already taken care of by check_exec, 146 1.1 cgd * so we don't need to worry about them now or later. 147 1.1 cgd */ 148 1.1 cgd script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID); 149 1.1 cgd if (script_sbits != 0) { 150 1.1 cgd script_uid = epp->ep_vap->va_uid; 151 1.1 cgd script_gid = epp->ep_vap->va_gid; 152 1.1 cgd } 153 1.1 cgd #endif 154 1.1 cgd #ifdef FDSCRIPTS 155 1.1 cgd /* 156 1.1 cgd * if the script isn't readable, or it's set-id, then we've 157 1.1 cgd * gotta supply a "/dev/fd/..." for the shell to read. 158 1.1 cgd * Note that stupid shells (csh) do the wrong thing, and 159 1.1 cgd * close all open fd's when the start. That kills this 160 1.1 cgd * method of implementing "safe" set-id and x-only scripts. 161 1.1 cgd */ 162 1.1 cgd if (VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p) == EACCES || 163 1.1 cgd script_sbits) { 164 1.1 cgd struct file *fp; 165 1.1 cgd extern struct fileops vnops; 166 1.1 cgd 167 1.1 cgd #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 168 1.1 cgd if (epp->ep_flags & EXEC_HASFD) 169 1.1 cgd panic("exec_script_makecmds: epp already has a fd"); 170 1.1 cgd #endif 171 1.1 cgd 172 1.1 cgd if (error = falloc(p, &fp, &epp->ep_fd)) 173 1.4 cgd goto fail; 174 1.1 cgd 175 1.1 cgd epp->ep_flags |= EXEC_HASFD; 176 1.1 cgd fp->f_type = DTYPE_VNODE; 177 1.1 cgd fp->f_ops = &vnops; 178 1.1 cgd fp->f_data = (caddr_t) epp->ep_vp; 179 1.1 cgd fp->f_flag = FREAD; 180 1.1 cgd } 181 1.1 cgd #endif 182 1.1 cgd 183 1.1 cgd /* set up the parameters for the recursive check_exec() call */ 184 1.1 cgd epp->ep_ndp->ni_dirp = shellname; 185 1.1 cgd epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 186 1.1 cgd epp->ep_flags |= EXEC_INDIR; 187 1.1 cgd 188 1.1 cgd /* and set up the fake args list, for later */ 189 1.1 cgd MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 190 1.1 cgd tmpsap = shellargp; 191 1.1 cgd MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK); 192 1.1 cgd strcpy(*tmpsap++, shellname); 193 1.1 cgd if (shellarg != NULL) { 194 1.1 cgd MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK); 195 1.1 cgd strcpy(*tmpsap++, shellarg); 196 1.1 cgd } 197 1.1 cgd MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 198 1.1 cgd #ifdef FDSCRIPTS 199 1.1 cgd if ((epp->ep_flags & EXEC_HASFD) == 0) { 200 1.1 cgd #endif 201 1.1 cgd /* normally can't fail, but check for it if diagnostic */ 202 1.1 cgd error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 0); 203 1.1 cgd #ifdef DIAGNOSTIC 204 1.1 cgd if (error != 0) 205 1.1 cgd panic("exec_script: copyinstr couldn't fail\n"); 206 1.1 cgd #endif 207 1.1 cgd #ifdef FDSCRIPTS 208 1.1 cgd } else 209 1.1 cgd sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd); 210 1.1 cgd #endif 211 1.1 cgd *tmpsap = NULL; 212 1.1 cgd 213 1.1 cgd /* 214 1.1 cgd * mark the header we have as invalid; check_exec will read 215 1.1 cgd * the header from the new executable 216 1.1 cgd */ 217 1.1 cgd epp->ep_hdrvalid = 0; 218 1.1 cgd 219 1.1 cgd /* 220 1.1 cgd * remember the old vp and pnbuf for later, so we can restore 221 1.1 cgd * them if check_exec() fails. 222 1.1 cgd */ 223 1.1 cgd scriptvp = epp->ep_vp; 224 1.7 mycroft oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 225 1.1 cgd 226 1.4 cgd VOP_UNLOCK(scriptvp); 227 1.4 cgd 228 1.1 cgd if ((error = check_exec(p, epp)) == 0) { 229 1.4 cgd /* note that we've clobbered the header */ 230 1.4 cgd epp->ep_flags |= EXEC_DESTR; 231 1.4 cgd 232 1.1 cgd /* 233 1.1 cgd * It succeeded. Unlock the script and 234 1.1 cgd * close it if we aren't using it any more. 235 1.4 cgd * Also, set things up so that the fake args 236 1.1 cgd * list will be used. 237 1.1 cgd */ 238 1.1 cgd if ((epp->ep_flags & EXEC_HASFD) == 0) 239 1.1 cgd vn_close(scriptvp, FREAD, p->p_ucred, p); 240 1.2 cgd 241 1.2 cgd /* free the old pathname buffer */ 242 1.2 cgd FREE(oldpnbuf, M_NAMEI); 243 1.1 cgd 244 1.1 cgd epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 245 1.1 cgd epp->ep_fa = shellargp; 246 1.1 cgd #ifdef SETUIDSCRIPTS 247 1.1 cgd /* 248 1.1 cgd * set thing up so that set-id scripts will be 249 1.1 cgd * handled appropriately 250 1.1 cgd */ 251 1.1 cgd epp->ep_vap->va_mode |= script_sbits; 252 1.1 cgd if (script_sbits & VSUID) 253 1.1 cgd epp->ep_vap->va_uid = script_uid; 254 1.1 cgd if (script_sbits & VSGID) 255 1.1 cgd epp->ep_vap->va_gid = script_gid; 256 1.1 cgd #endif 257 1.4 cgd return (0); 258 1.4 cgd } 259 1.4 cgd 260 1.5 cgd /* XXX oldpnbuf not set for "goto fail" path */ 261 1.7 mycroft epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 262 1.4 cgd fail: 263 1.4 cgd /* note that we've clobbered the header */ 264 1.4 cgd epp->ep_flags |= EXEC_DESTR; 265 1.4 cgd 266 1.4 cgd /* kill the opened file descriptor, else close the file */ 267 1.4 cgd if (epp->ep_flags & EXEC_HASFD) { 268 1.4 cgd epp->ep_flags &= ~EXEC_HASFD; 269 1.4 cgd exec_closefd(p, epp->ep_fd); 270 1.4 cgd } else 271 1.4 cgd vn_close(scriptvp, FREAD, p->p_ucred, p); 272 1.4 cgd 273 1.7 mycroft FREE(epp->ep_ndp->ni_cnd.cn_pnbuf, M_NAMEI); 274 1.1 cgd 275 1.4 cgd /* free the fake arg list, because we're not returning it */ 276 1.4 cgd tmpsap = shellargp; 277 1.4 cgd while (*tmpsap != NULL) { 278 1.4 cgd FREE(*tmpsap, M_EXEC); 279 1.4 cgd tmpsap++; 280 1.1 cgd } 281 1.4 cgd FREE(shellargp, M_EXEC); 282 1.4 cgd 283 1.4 cgd /* 284 1.4 cgd * free any vmspace-creation commands, 285 1.4 cgd * and release their references 286 1.4 cgd */ 287 1.4 cgd kill_vmcmds(&epp->ep_vmcmds); 288 1.1 cgd 289 1.4 cgd return error; 290 1.1 cgd } 291
Indexes created Fri Oct 03 17:10:05 GMT 2025