exec_script.c revision 1.58
1 /* $NetBSD: exec_script.c,v 1.58 2007/11/26 19:02:00 pooka Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Christopher G. Demetriou. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.58 2007/11/26 19:02:00 pooka Exp $"); 35 36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 37 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 38 #endif 39 40 #include "veriexec.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/proc.h> 45 #include <sys/malloc.h> 46 #include <sys/vnode.h> 47 #include <sys/namei.h> 48 #include <sys/file.h> 49 #ifdef SETUIDSCRIPTS 50 #include <sys/stat.h> 51 #endif 52 #include <sys/filedesc.h> 53 #include <sys/exec.h> 54 #include <sys/resourcevar.h> 55 56 #include <sys/exec_script.h> 57 #include <sys/exec_elf.h> 58 59 #ifdef SYSTRACE 60 #include <sys/systrace.h> 61 #endif /* SYSTRACE */ 62 63 /* 64 * exec_script_makecmds(): Check if it's an executable shell script. 65 * 66 * Given a proc pointer and an exec package pointer, see if the referent 67 * of the epp is in shell script. If it is, then set thing up so that 68 * the script can be run. This involves preparing the address space 69 * and arguments for the shell which will run the script. 70 * 71 * This function is ultimately responsible for creating a set of vmcmds 72 * which can be used to build the process's vm space and inserting them 73 * into the exec package. 74 */ 75 int 76 exec_script_makecmds(struct lwp *l, struct exec_package *epp) 77 { 78 int error, hdrlinelen, shellnamelen, shellarglen; 79 char *hdrstr = epp->ep_hdr; 80 char *cp, *shellname, *shellarg, *oldpnbuf; 81 char **shellargp, **tmpsap; 82 struct vnode *scriptvp; 83 #ifdef SETUIDSCRIPTS 84 /* Gcc needs those initialized for spurious uninitialized warning */ 85 uid_t script_uid = (uid_t) -1; 86 gid_t script_gid = NOGROUP; 87 u_short script_sbits; 88 #endif 89 90 /* 91 * if the magic isn't that of a shell script, or we've already 92 * done shell script processing for this exec, punt on it. 93 */ 94 if ((epp->ep_flags & EXEC_INDIR) != 0 || 95 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 96 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 97 return ENOEXEC; 98 99 /* 100 * check that the shell spec is terminated by a newline, 101 * and that it isn't too large. Don't modify the 102 * buffer unless we're ready to commit to handling it. 103 * (The latter requirement means that we have to check 104 * for both spaces and tabs later on.) 105 */ 106 hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE); 107 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 108 cp++) { 109 if (*cp == '\n') { 110 *cp = '\0'; 111 break; 112 } 113 } 114 if (cp >= hdrstr + hdrlinelen) 115 return ENOEXEC; 116 117 /* 118 * If the script has an ELF header, don't exec it. 119 */ 120 if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 && 121 memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0) 122 return ENOEXEC; 123 124 shellname = NULL; 125 shellarg = NULL; 126 shellarglen = 0; 127 128 /* strip spaces before the shell name */ 129 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 130 cp++) 131 ; 132 133 /* collect the shell name; remember it's length for later */ 134 shellname = cp; 135 shellnamelen = 0; 136 if (*cp == '\0') 137 goto check_shell; 138 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 139 shellnamelen++; 140 if (*cp == '\0') 141 goto check_shell; 142 *cp++ = '\0'; 143 144 /* skip spaces before any argument */ 145 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 146 ; 147 if (*cp == '\0') 148 goto check_shell; 149 150 /* 151 * collect the shell argument. everything after the shell name 152 * is passed as ONE argument; that's the correct (historical) 153 * behaviour. 154 */ 155 shellarg = cp; 156 for ( /* cp = cp */ ; *cp != '\0'; cp++) 157 shellarglen++; 158 *cp++ = '\0'; 159 160 check_shell: 161 #ifdef SETUIDSCRIPTS 162 /* 163 * MNT_NOSUID has already taken care of by check_exec, 164 * so we don't need to worry about it now or later. We 165 * will need to check PSL_TRACED later, however. 166 */ 167 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); 168 if (script_sbits != 0) { 169 script_uid = epp->ep_vap->va_uid; 170 script_gid = epp->ep_vap->va_gid; 171 } 172 #endif 173 #ifdef FDSCRIPTS 174 /* 175 * if the script isn't readable, or it's set-id, then we've 176 * gotta supply a "/dev/fd/..." for the shell to read. 177 * Note that stupid shells (csh) do the wrong thing, and 178 * close all open fd's when the start. That kills this 179 * method of implementing "safe" set-id and x-only scripts. 180 */ 181 vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY); 182 error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred, l); 183 VOP_UNLOCK(epp->ep_vp, 0); 184 if (error == EACCES 185 #ifdef SETUIDSCRIPTS 186 || script_sbits 187 #endif 188 ) { 189 struct file *fp; 190 191 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 192 if (epp->ep_flags & EXEC_HASFD) 193 panic("exec_script_makecmds: epp already has a fd"); 194 #endif 195 196 /* falloc() will use the descriptor for us */ 197 if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) { 198 scriptvp = NULL; 199 shellargp = NULL; 200 goto fail; 201 } 202 203 epp->ep_flags |= EXEC_HASFD; 204 fp->f_type = DTYPE_VNODE; 205 fp->f_ops = &vnops; 206 fp->f_data = (void *) epp->ep_vp; 207 fp->f_flag = FREAD; 208 FILE_SET_MATURE(fp); 209 FILE_UNUSE(fp, l); 210 } 211 #endif 212 213 /* set up the parameters for the recursive check_exec() call */ 214 epp->ep_ndp->ni_dirp = shellname; 215 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 216 epp->ep_flags |= EXEC_INDIR; 217 218 /* and set up the fake args list, for later */ 219 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 220 tmpsap = shellargp; 221 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); 222 strlcpy(*tmpsap++, shellname, shellnamelen + 1); 223 if (shellarg != NULL) { 224 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK); 225 strlcpy(*tmpsap++, shellarg, shellarglen + 1); 226 } 227 MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 228 #ifdef FDSCRIPTS 229 if ((epp->ep_flags & EXEC_HASFD) == 0) { 230 #endif 231 /* normally can't fail, but check for it if diagnostic */ 232 #ifdef SYSTRACE 233 error = 1; 234 if (ISSET(l->l_proc->p_flag, PK_SYSTRACE)) { 235 error = systrace_scriptname(p, *tmpsap); 236 if (error == 0) 237 tmpsap++; 238 } 239 if (error) { 240 /* 241 * Since systrace_scriptname() provides a 242 * convenience, not a security issue, we are 243 * safe to do this. 244 */ 245 error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN, 246 NULL); 247 } 248 #else 249 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 250 (size_t *)0); 251 #endif /* SYSTRACE */ 252 #ifdef DIAGNOSTIC 253 if (error != 0) 254 panic("exec_script: copyinstr couldn't fail"); 255 #endif 256 #ifdef FDSCRIPTS 257 } else 258 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 259 #endif 260 *tmpsap = NULL; 261 262 /* 263 * mark the header we have as invalid; check_exec will read 264 * the header from the new executable 265 */ 266 epp->ep_hdrvalid = 0; 267 268 /* 269 * remember the old vp and pnbuf for later, so we can restore 270 * them if check_exec() fails. 271 */ 272 scriptvp = epp->ep_vp; 273 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 274 275 error = check_exec(l, epp); 276 /* note that we've clobbered the header */ 277 epp->ep_flags |= EXEC_DESTR; 278 if (error == 0) { 279 /* 280 * It succeeded. Unlock the script and 281 * close it if we aren't using it any more. 282 * Also, set things up so that the fake args 283 * list will be used. 284 */ 285 if ((epp->ep_flags & EXEC_HASFD) == 0) { 286 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 287 VOP_CLOSE(scriptvp, FREAD, l->l_cred); 288 vput(scriptvp); 289 } 290 291 /* free the old pathname buffer */ 292 PNBUF_PUT(oldpnbuf); 293 294 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 295 epp->ep_fa = shellargp; 296 #ifdef SETUIDSCRIPTS 297 /* 298 * set thing up so that set-id scripts will be 299 * handled appropriately. PSL_TRACED will be 300 * checked later when the shell is actually 301 * exec'd. 302 */ 303 epp->ep_vap->va_mode |= script_sbits; 304 if (script_sbits & S_ISUID) 305 epp->ep_vap->va_uid = script_uid; 306 if (script_sbits & S_ISGID) 307 epp->ep_vap->va_gid = script_gid; 308 #endif 309 return (0); 310 } 311 312 /* XXX oldpnbuf not set for "goto fail" path */ 313 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 314 #ifdef FDSCRIPTS 315 fail: 316 #endif 317 318 /* kill the opened file descriptor, else close the file */ 319 if (epp->ep_flags & EXEC_HASFD) { 320 epp->ep_flags &= ~EXEC_HASFD; 321 (void) fdrelease(l, epp->ep_fd); 322 } else if (scriptvp) { 323 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 324 VOP_CLOSE(scriptvp, FREAD, l->l_cred); 325 vput(scriptvp); 326 } 327 328 PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf); 329 330 /* free the fake arg list, because we're not returning it */ 331 if ((tmpsap = shellargp) != NULL) { 332 while (*tmpsap != NULL) { 333 FREE(*tmpsap, M_EXEC); 334 tmpsap++; 335 } 336 FREE(shellargp, M_EXEC); 337 } 338 339 /* 340 * free any vmspace-creation commands, 341 * and release their references 342 */ 343 kill_vmcmds(&epp->ep_vmcmds); 344 345 return error; 346 } 347
Indexes created Fri Oct 03 17:10:05 GMT 2025