exec_script.c revision 1.58.6.1
1 /* $NetBSD: exec_script.c,v 1.58.6.1 2008/01/02 21:55:43 bouyer Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Christopher G. Demetriou. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.58.6.1 2008/01/02 21:55:43 bouyer Exp $"); 35 36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 37 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 38 #endif 39 40 #include "veriexec.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/proc.h> 45 #include <sys/kmem.h> 46 #include <sys/vnode.h> 47 #include <sys/namei.h> 48 #include <sys/file.h> 49 #ifdef SETUIDSCRIPTS 50 #include <sys/stat.h> 51 #endif 52 #include <sys/filedesc.h> 53 #include <sys/exec.h> 54 #include <sys/resourcevar.h> 55 56 #include <sys/exec_script.h> 57 #include <sys/exec_elf.h> 58 59 /* 60 * exec_script_makecmds(): Check if it's an executable shell script. 61 * 62 * Given a proc pointer and an exec package pointer, see if the referent 63 * of the epp is in shell script. If it is, then set thing up so that 64 * the script can be run. This involves preparing the address space 65 * and arguments for the shell which will run the script. 66 * 67 * This function is ultimately responsible for creating a set of vmcmds 68 * which can be used to build the process's vm space and inserting them 69 * into the exec package. 70 */ 71 int 72 exec_script_makecmds(struct lwp *l, struct exec_package *epp) 73 { 74 int error, hdrlinelen, shellnamelen, shellarglen; 75 char *hdrstr = epp->ep_hdr; 76 char *cp, *shellname, *shellarg, *oldpnbuf; 77 size_t shellargp_len; 78 struct exec_fakearg *shellargp; 79 struct exec_fakearg *tmpsap; 80 struct vnode *scriptvp; 81 #ifdef SETUIDSCRIPTS 82 /* Gcc needs those initialized for spurious uninitialized warning */ 83 uid_t script_uid = (uid_t) -1; 84 gid_t script_gid = NOGROUP; 85 u_short script_sbits; 86 #endif 87 88 /* 89 * if the magic isn't that of a shell script, or we've already 90 * done shell script processing for this exec, punt on it. 91 */ 92 if ((epp->ep_flags & EXEC_INDIR) != 0 || 93 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 94 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 95 return ENOEXEC; 96 97 /* 98 * check that the shell spec is terminated by a newline, 99 * and that it isn't too large. Don't modify the 100 * buffer unless we're ready to commit to handling it. 101 * (The latter requirement means that we have to check 102 * for both spaces and tabs later on.) 103 */ 104 hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE); 105 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 106 cp++) { 107 if (*cp == '\n') { 108 *cp = '\0'; 109 break; 110 } 111 } 112 if (cp >= hdrstr + hdrlinelen) 113 return ENOEXEC; 114 115 /* 116 * If the script has an ELF header, don't exec it. 117 */ 118 if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 && 119 memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0) 120 return ENOEXEC; 121 122 shellname = NULL; 123 shellarg = NULL; 124 shellarglen = 0; 125 126 /* strip spaces before the shell name */ 127 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 128 cp++) 129 ; 130 131 /* collect the shell name; remember it's length for later */ 132 shellname = cp; 133 shellnamelen = 0; 134 if (*cp == '\0') 135 goto check_shell; 136 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 137 shellnamelen++; 138 if (*cp == '\0') 139 goto check_shell; 140 *cp++ = '\0'; 141 142 /* skip spaces before any argument */ 143 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 144 ; 145 if (*cp == '\0') 146 goto check_shell; 147 148 /* 149 * collect the shell argument. everything after the shell name 150 * is passed as ONE argument; that's the correct (historical) 151 * behaviour. 152 */ 153 shellarg = cp; 154 for ( /* cp = cp */ ; *cp != '\0'; cp++) 155 shellarglen++; 156 *cp++ = '\0'; 157 158 check_shell: 159 #ifdef SETUIDSCRIPTS 160 /* 161 * MNT_NOSUID has already taken care of by check_exec, 162 * so we don't need to worry about it now or later. We 163 * will need to check PSL_TRACED later, however. 164 */ 165 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); 166 if (script_sbits != 0) { 167 script_uid = epp->ep_vap->va_uid; 168 script_gid = epp->ep_vap->va_gid; 169 } 170 #endif 171 #ifdef FDSCRIPTS 172 /* 173 * if the script isn't readable, or it's set-id, then we've 174 * gotta supply a "/dev/fd/..." for the shell to read. 175 * Note that stupid shells (csh) do the wrong thing, and 176 * close all open fd's when the start. That kills this 177 * method of implementing "safe" set-id and x-only scripts. 178 */ 179 vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY); 180 error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred); 181 VOP_UNLOCK(epp->ep_vp, 0); 182 if (error == EACCES 183 #ifdef SETUIDSCRIPTS 184 || script_sbits 185 #endif 186 ) { 187 struct file *fp; 188 189 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 190 if (epp->ep_flags & EXEC_HASFD) 191 panic("exec_script_makecmds: epp already has a fd"); 192 #endif 193 194 /* falloc() will use the descriptor for us */ 195 if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) { 196 scriptvp = NULL; 197 shellargp = NULL; 198 goto fail; 199 } 200 201 epp->ep_flags |= EXEC_HASFD; 202 fp->f_type = DTYPE_VNODE; 203 fp->f_ops = &vnops; 204 fp->f_data = (void *) epp->ep_vp; 205 fp->f_flag = FREAD; 206 FILE_SET_MATURE(fp); 207 FILE_UNUSE(fp, l); 208 } 209 #endif 210 211 /* set up the parameters for the recursive check_exec() call */ 212 epp->ep_ndp->ni_dirp = shellname; 213 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 214 epp->ep_flags |= EXEC_INDIR; 215 216 /* and set up the fake args list, for later */ 217 shellargp_len = 4 * sizeof(*shellargp); 218 shellargp = kmem_alloc(shellargp_len, KM_SLEEP); 219 tmpsap = shellargp; 220 tmpsap->fa_len = shellnamelen + 1; 221 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); 222 strlcpy(tmpsap->fa_arg, shellname, tmpsap->fa_len); 223 tmpsap++; 224 if (shellarg != NULL) { 225 tmpsap->fa_len = shellarglen + 1; 226 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); 227 strlcpy(tmpsap->fa_arg, shellarg, tmpsap->fa_len); 228 tmpsap++; 229 } 230 tmpsap->fa_len = MAXPATHLEN; 231 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); 232 #ifdef FDSCRIPTS 233 if ((epp->ep_flags & EXEC_HASFD) == 0) { 234 #endif 235 /* normally can't fail, but check for it if diagnostic */ 236 error = copyinstr(epp->ep_name, tmpsap->fa_arg, MAXPATHLEN, 237 (size_t *)0); 238 tmpsap++; 239 #ifdef DIAGNOSTIC 240 if (error != 0) 241 panic("exec_script: copyinstr couldn't fail"); 242 #endif 243 #ifdef FDSCRIPTS 244 } else { 245 snprintf(tmpsap->fa_arg, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 246 tmpsap++; 247 } 248 #endif 249 tmpsap->fa_arg = NULL; 250 251 /* 252 * mark the header we have as invalid; check_exec will read 253 * the header from the new executable 254 */ 255 epp->ep_hdrvalid = 0; 256 257 /* 258 * remember the old vp and pnbuf for later, so we can restore 259 * them if check_exec() fails. 260 */ 261 scriptvp = epp->ep_vp; 262 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 263 264 error = check_exec(l, epp); 265 /* note that we've clobbered the header */ 266 epp->ep_flags |= EXEC_DESTR; 267 if (error == 0) { 268 /* 269 * It succeeded. Unlock the script and 270 * close it if we aren't using it any more. 271 * Also, set things up so that the fake args 272 * list will be used. 273 */ 274 if ((epp->ep_flags & EXEC_HASFD) == 0) { 275 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 276 VOP_CLOSE(scriptvp, FREAD, l->l_cred); 277 vput(scriptvp); 278 } 279 280 /* free the old pathname buffer */ 281 PNBUF_PUT(oldpnbuf); 282 283 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 284 epp->ep_fa = shellargp; 285 epp->ep_fa_len = shellargp_len; 286 #ifdef SETUIDSCRIPTS 287 /* 288 * set thing up so that set-id scripts will be 289 * handled appropriately. PSL_TRACED will be 290 * checked later when the shell is actually 291 * exec'd. 292 */ 293 epp->ep_vap->va_mode |= script_sbits; 294 if (script_sbits & S_ISUID) 295 epp->ep_vap->va_uid = script_uid; 296 if (script_sbits & S_ISGID) 297 epp->ep_vap->va_gid = script_gid; 298 #endif 299 return (0); 300 } 301 302 /* XXX oldpnbuf not set for "goto fail" path */ 303 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 304 #ifdef FDSCRIPTS 305 fail: 306 #endif 307 308 /* kill the opened file descriptor, else close the file */ 309 if (epp->ep_flags & EXEC_HASFD) { 310 epp->ep_flags &= ~EXEC_HASFD; 311 (void) fdrelease(l, epp->ep_fd); 312 } else if (scriptvp) { 313 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); 314 VOP_CLOSE(scriptvp, FREAD, l->l_cred); 315 vput(scriptvp); 316 } 317 318 PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf); 319 320 /* free the fake arg list, because we're not returning it */ 321 if ((tmpsap = shellargp) != NULL) { 322 while (tmpsap->fa_arg != NULL) { 323 kmem_free(tmpsap->fa_arg, tmpsap->fa_len); 324 tmpsap++; 325 } 326 kmem_free(shellargp, shellargp_len); 327 } 328 329 /* 330 * free any vmspace-creation commands, 331 * and release their references 332 */ 333 kill_vmcmds(&epp->ep_vmcmds); 334 335 return error; 336 } 337
Indexes created Fri Oct 03 14:09:59 GMT 2025