exec_script.c revision 1.36.2.5
1 /* $NetBSD: exec_script.c,v 1.36.2.5 2004/11/14 08:15:57 skrll Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Christopher G. Demetriou. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.36.2.5 2004/11/14 08:15:57 skrll Exp $"); 35 36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 37 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 38 #endif 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/proc.h> 43 #include <sys/malloc.h> 44 #include <sys/vnode.h> 45 #include <sys/namei.h> 46 #include <sys/file.h> 47 #ifdef SETUIDSCRIPTS 48 #include <sys/stat.h> 49 #endif 50 #include <sys/filedesc.h> 51 #include <sys/exec.h> 52 #include <sys/resourcevar.h> 53 54 #include <sys/exec_script.h> 55 #include <sys/exec_elf.h> 56 57 /* 58 * exec_script_makecmds(): Check if it's an executable shell script. 59 * 60 * Given a proc pointer and an exec package pointer, see if the referent 61 * of the epp is in shell script. If it is, then set thing up so that 62 * the script can be run. This involves preparing the address space 63 * and arguments for the shell which will run the script. 64 * 65 * This function is ultimately responsible for creating a set of vmcmds 66 * which can be used to build the process's vm space and inserting them 67 * into the exec package. 68 */ 69 int 70 exec_script_makecmds(struct lwp *l, struct exec_package *epp) 71 { 72 int error, hdrlinelen, shellnamelen, shellarglen; 73 char *hdrstr = epp->ep_hdr; 74 char *cp, *shellname, *shellarg, *oldpnbuf; 75 char **shellargp, **tmpsap; 76 struct vnode *scriptvp; 77 struct proc *p = l->l_proc; 78 #ifdef SETUIDSCRIPTS 79 /* Gcc needs those initialized for spurious uninitialized warning */ 80 uid_t script_uid = (uid_t) -1; 81 gid_t script_gid = NOGROUP; 82 u_short script_sbits; 83 #endif 84 85 /* 86 * if the magic isn't that of a shell script, or we've already 87 * done shell script processing for this exec, punt on it. 88 */ 89 if ((epp->ep_flags & EXEC_INDIR) != 0 || 90 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 91 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 92 return ENOEXEC; 93 94 /* 95 * check that the shell spec is terminated by a newline, 96 * and that it isn't too large. Don't modify the 97 * buffer unless we're ready to commit to handling it. 98 * (The latter requirement means that we have to check 99 * for both spaces and tabs later on.) 100 */ 101 hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE); 102 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 103 cp++) { 104 if (*cp == '\n') { 105 *cp = '\0'; 106 break; 107 } 108 } 109 if (cp >= hdrstr + hdrlinelen) 110 return ENOEXEC; 111 112 /* 113 * If the script has an ELF header, don't exec it. 114 */ 115 if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 && 116 memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0) 117 return ENOEXEC; 118 119 shellname = NULL; 120 shellarg = NULL; 121 shellarglen = 0; 122 123 /* strip spaces before the shell name */ 124 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 125 cp++) 126 ; 127 128 /* collect the shell name; remember it's length for later */ 129 shellname = cp; 130 shellnamelen = 0; 131 if (*cp == '\0') 132 goto check_shell; 133 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 134 shellnamelen++; 135 if (*cp == '\0') 136 goto check_shell; 137 *cp++ = '\0'; 138 139 /* skip spaces before any argument */ 140 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 141 ; 142 if (*cp == '\0') 143 goto check_shell; 144 145 /* 146 * collect the shell argument. everything after the shell name 147 * is passed as ONE argument; that's the correct (historical) 148 * behaviour. 149 */ 150 shellarg = cp; 151 for ( /* cp = cp */ ; *cp != '\0'; cp++) 152 shellarglen++; 153 *cp++ = '\0'; 154 155 check_shell: 156 #ifdef SETUIDSCRIPTS 157 /* 158 * MNT_NOSUID has already taken care of by check_exec, 159 * so we don't need to worry about it now or later. We 160 * will need to check P_TRACED later, however. 161 */ 162 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); 163 if (script_sbits != 0) { 164 script_uid = epp->ep_vap->va_uid; 165 script_gid = epp->ep_vap->va_gid; 166 } 167 #endif 168 #ifdef FDSCRIPTS 169 /* 170 * if the script isn't readable, or it's set-id, then we've 171 * gotta supply a "/dev/fd/..." for the shell to read. 172 * Note that stupid shells (csh) do the wrong thing, and 173 * close all open fd's when the start. That kills this 174 * method of implementing "safe" set-id and x-only scripts. 175 */ 176 vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY); 177 error = VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p); 178 VOP_UNLOCK(epp->ep_vp, 0); 179 if (error == EACCES 180 #ifdef SETUIDSCRIPTS 181 || script_sbits 182 #endif 183 ) { 184 struct file *fp; 185 186 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 187 if (epp->ep_flags & EXEC_HASFD) 188 panic("exec_script_makecmds: epp already has a fd"); 189 #endif 190 191 /* falloc() will use the descriptor for us */ 192 if ((error = falloc(p, &fp, &epp->ep_fd)) != 0) { 193 scriptvp = NULL; 194 shellargp = NULL; 195 goto fail; 196 } 197 198 epp->ep_flags |= EXEC_HASFD; 199 fp->f_type = DTYPE_VNODE; 200 fp->f_ops = &vnops; 201 fp->f_data = (caddr_t) epp->ep_vp; 202 fp->f_flag = FREAD; 203 FILE_SET_MATURE(fp); 204 FILE_UNUSE(fp, p); 205 } 206 #endif 207 208 /* set up the parameters for the recursive check_exec() call */ 209 epp->ep_ndp->ni_dirp = shellname; 210 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 211 epp->ep_flags |= EXEC_INDIR; 212 213 /* and set up the fake args list, for later */ 214 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 215 tmpsap = shellargp; 216 MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK); 217 strlcpy(*tmpsap++, shellname, shellnamelen + 1); 218 if (shellarg != NULL) { 219 MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK); 220 strlcpy(*tmpsap++, shellarg, shellarglen + 1); 221 } 222 MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 223 #ifdef FDSCRIPTS 224 if ((epp->ep_flags & EXEC_HASFD) == 0) { 225 #endif 226 /* normally can't fail, but check for it if diagnostic */ 227 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 228 (size_t *)0); 229 #ifdef DIAGNOSTIC 230 if (error != 0) 231 panic("exec_script: copyinstr couldn't fail"); 232 #endif 233 #ifdef FDSCRIPTS 234 } else 235 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 236 #endif 237 *tmpsap = NULL; 238 239 /* 240 * mark the header we have as invalid; check_exec will read 241 * the header from the new executable 242 */ 243 epp->ep_hdrvalid = 0; 244 245 /* 246 * remember the old vp and pnbuf for later, so we can restore 247 * them if check_exec() fails. 248 */ 249 scriptvp = epp->ep_vp; 250 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 251 252 #ifdef VERIFIED_EXEC 253 if ((error = check_exec(l, epp, 0)) == 0) { 254 #else 255 if ((error = check_exec(l, epp)) == 0) { 256 #endif 257 /* note that we've clobbered the header */ 258 epp->ep_flags |= EXEC_DESTR|EXEC_HASES; 259 260 /* 261 * It succeeded. Unlock the script and 262 * close it if we aren't using it any more. 263 * Also, set things up so that the fake args 264 * list will be used. 265 */ 266 if ((epp->ep_flags & EXEC_HASFD) == 0) { 267 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 268 VOP_CLOSE(scriptvp, FREAD, p->p_ucred, l); 269 vput(scriptvp); 270 } 271 272 /* free the old pathname buffer */ 273 PNBUF_PUT(oldpnbuf); 274 275 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 276 epp->ep_fa = shellargp; 277 #ifdef SETUIDSCRIPTS 278 /* 279 * set thing up so that set-id scripts will be 280 * handled appropriately. P_TRACED will be 281 * checked later when the shell is actually 282 * exec'd. 283 */ 284 epp->ep_vap->va_mode |= script_sbits; 285 if (script_sbits & S_ISUID) 286 epp->ep_vap->va_uid = script_uid; 287 if (script_sbits & S_ISGID) 288 epp->ep_vap->va_gid = script_gid; 289 #endif 290 return (0); 291 } 292 293 /* XXX oldpnbuf not set for "goto fail" path */ 294 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 295 #ifdef FDSCRIPTS 296 fail: 297 #endif 298 /* note that we've clobbered the header */ 299 epp->ep_flags |= EXEC_DESTR; 300 301 /* kill the opened file descriptor, else close the file */ 302 if (epp->ep_flags & EXEC_HASFD) { 303 epp->ep_flags &= ~EXEC_HASFD; 304 (void) fdrelease(l, epp->ep_fd); 305 } else if (scriptvp) { 306 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 307 VOP_CLOSE(scriptvp, FREAD, p->p_ucred, l); 308 vput(scriptvp); 309 } 310 311 PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf); 312 313 /* free the fake arg list, because we're not returning it */ 314 if ((tmpsap = shellargp) != NULL) { 315 while (*tmpsap != NULL) { 316 FREE(*tmpsap, M_EXEC); 317 tmpsap++; 318 } 319 FREE(shellargp, M_EXEC); 320 } 321 322 /* 323 * free any vmspace-creation commands, 324 * and release their references 325 */ 326 kill_vmcmds(&epp->ep_vmcmds); 327 328 return error; 329 } 330
Indexes created Fri Oct 03 17:10:05 GMT 2025