Annotation of sys/kern/exec_script.c, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: exec_script.c,v 1.24 2006/11/14 18:00:27 jmc Exp $ */
2: /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */
3:
4: /*
5: * Copyright (c) 1993, 1994 Christopher G. Demetriou
6: * All rights reserved.
7: *
8: * Redistribution and use in source and binary forms, with or without
9: * modification, are permitted provided that the following conditions
10: * are met:
11: * 1. Redistributions of source code must retain the above copyright
12: * notice, this list of conditions and the following disclaimer.
13: * 2. Redistributions in binary form must reproduce the above copyright
14: * notice, this list of conditions and the following disclaimer in the
15: * documentation and/or other materials provided with the distribution.
16: * 3. All advertising materials mentioning features or use of this software
17: * must display the following acknowledgement:
18: * This product includes software developed by Christopher G. Demetriou.
19: * 4. The name of the author may not be used to endorse or promote products
20: * derived from this software without specific prior written permission
21: *
22: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32: */
33:
34: #include <sys/param.h>
35: #include <sys/systm.h>
36: #include <sys/proc.h>
37: #include <sys/malloc.h>
38: #include <sys/pool.h>
39: #include <sys/vnode.h>
40: #include <sys/namei.h>
41: #include <sys/file.h>
42: #include <sys/filedesc.h>
43: #include <sys/exec.h>
44: #include <sys/resourcevar.h>
45: #include <uvm/uvm_extern.h>
46:
47: #include <sys/exec_script.h>
48:
49: #include "systrace.h"
50:
51: #if NSYSTRACE > 0
52: #include <dev/systrace.h>
53: #endif
54:
55: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
56: #define FDSCRIPTS /* Need this for safe set-id scripts. */
57: #endif
58:
59: /*
60: * exec_script_makecmds(): Check if it's an executable shell script.
61: *
62: * Given a proc pointer and an exec package pointer, see if the referent
63: * of the epp is in shell script. If it is, then set things up so that
64: * the script can be run. This involves preparing the address space
65: * and arguments for the shell which will run the script.
66: *
67: * This function is ultimately responsible for creating a set of vmcmds
68: * which can be used to build the process's vm space and inserting them
69: * into the exec package.
70: */
71: int
72: exec_script_makecmds(struct proc *p, struct exec_package *epp)
73: {
74: int error, hdrlinelen, shellnamelen, shellarglen;
75: char *hdrstr = epp->ep_hdr;
76: char *cp, *shellname, *shellarg, *oldpnbuf;
77: char **shellargp = NULL, **tmpsap;
78: struct vnode *scriptvp;
79: #ifdef SETUIDSCRIPTS
80: uid_t script_uid = -1;
81: gid_t script_gid = -1;
82: u_short script_sbits;
83: #endif
84:
85: /*
86: * remember the old vp and pnbuf for later, so we can restore
87: * them if check_exec() fails.
88: */
89: scriptvp = epp->ep_vp;
90: oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
91:
92: /*
93: * if the magic isn't that of a shell script, or we've already
94: * done shell script processing for this exec, punt on it.
95: */
96: if ((epp->ep_flags & EXEC_INDIR) != 0 ||
97: epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
98: strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
99: return ENOEXEC;
100:
101: /*
102: * check that the shell spec is terminated by a newline,
103: * and that it isn't too large. Don't modify the
104: * buffer unless we're ready to commit to handling it.
105: * (The latter requirement means that we have to check
106: * for both spaces and tabs later on.)
107: */
108: hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
109: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
110: cp++) {
111: if (*cp == '\n') {
112: *cp = '\0';
113: break;
114: }
115: }
116: if (cp >= hdrstr + hdrlinelen)
117: return ENOEXEC;
118:
119: shellname = NULL;
120: shellarg = NULL;
121: shellarglen = 0;
122:
123: /* strip spaces before the shell name */
124: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
125: cp++)
126: ;
127:
128: /* collect the shell name; remember its length for later */
129: shellname = cp;
130: shellnamelen = 0;
131: if (*cp == '\0')
132: goto check_shell;
133: for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
134: shellnamelen++;
135: if (*cp == '\0')
136: goto check_shell;
137: *cp++ = '\0';
138:
139: /* skip spaces before any argument */
140: for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
141: ;
142: if (*cp == '\0')
143: goto check_shell;
144:
145: /*
146: * collect the shell argument. everything after the shell name
147: * is passed as ONE argument; that's the correct (historical)
148: * behaviour.
149: */
150: shellarg = cp;
151: for ( /* cp = cp */ ; *cp != '\0'; cp++)
152: shellarglen++;
153: *cp++ = '\0';
154:
155: check_shell:
156: #ifdef SETUIDSCRIPTS
157: /*
158: * MNT_NOSUID and STRC are already taken care of by check_exec,
159: * so we don't need to worry about them now or later.
160: */
161: script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
162: if (script_sbits != 0) {
163: script_uid = epp->ep_vap->va_uid;
164: script_gid = epp->ep_vap->va_gid;
165: }
166: #endif
167: #ifdef FDSCRIPTS
168: /*
169: * if the script isn't readable, or it's set-id, then we've
170: * gotta supply a "/dev/fd/..." for the shell to read.
171: * Note that stupid shells (csh) do the wrong thing, and
172: * close all open fd's when they start. That kills this
173: * method of implementing "safe" set-id and x-only scripts.
174: */
175: vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
176: error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
177: VOP_UNLOCK(scriptvp, 0, p);
178: if (error == EACCES
179: #ifdef SETUIDSCRIPTS
180: || script_sbits
181: #endif
182: ) {
183: struct file *fp;
184:
185: #ifdef DIAGNOSTIC
186: if (epp->ep_flags & EXEC_HASFD)
187: panic("exec_script_makecmds: epp already has a fd");
188: #endif
189:
190: if ((error = falloc(p, &fp, &epp->ep_fd)))
191: goto fail;
192:
193: epp->ep_flags |= EXEC_HASFD;
194: fp->f_type = DTYPE_VNODE;
195: fp->f_ops = &vnops;
196: fp->f_data = (caddr_t) scriptvp;
197: fp->f_flag = FREAD;
198: FILE_SET_MATURE(fp);
199: }
200: #endif
201:
202: /* set up the parameters for the recursive check_exec() call */
203: epp->ep_ndp->ni_dirp = shellname;
204: epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
205: epp->ep_flags |= EXEC_INDIR;
206:
207: /* and set up the fake args list, for later */
208: MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
209: tmpsap = shellargp;
210: *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
211: strlcpy(*tmpsap++, shellname, shellnamelen + 1);
212: if (shellarg != NULL) {
213: *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
214: strlcpy(*tmpsap++, shellarg, shellarglen + 1);
215: }
216: *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
217: #ifdef FDSCRIPTS
218: if ((epp->ep_flags & EXEC_HASFD) == 0) {
219: #endif
220: /* normally can't fail, but check for it if diagnostic */
221: #if NSYSTRACE > 0
222: if (ISSET(p->p_flag, P_SYSTRACE)) {
223: error = systrace_scriptname(p, *tmpsap);
224: if (error == 0)
225: tmpsap++;
226: else
227: /*
228: * Since systrace_scriptname() provides a
229: * convenience, not a security issue, we are
230: * safe to do this.
231: */
232: error = copystr(epp->ep_name, *tmpsap++,
233: MAXPATHLEN, NULL);
234: } else
235: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
236: NULL);
237: #else
238: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
239: (size_t *)0);
240: #endif
241: #ifdef DIAGNOSTIC
242: if (error != 0)
243: panic("exec_script: copyinstr couldn't fail");
244: #endif
245: #ifdef FDSCRIPTS
246: } else
247: snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
248: #endif
249: *tmpsap = NULL;
250:
251: /*
252: * mark the header we have as invalid; check_exec will read
253: * the header from the new executable
254: */
255: epp->ep_hdrvalid = 0;
256:
257: if ((error = check_exec(p, epp)) == 0) {
258: /* note that we've clobbered the header */
259: epp->ep_flags |= EXEC_DESTR;
260:
261: /*
262: * It succeeded. Unlock the script and
263: * close it if we aren't using it any more.
264: * Also, set things up so that the fake args
265: * list will be used.
266: */
267: if ((epp->ep_flags & EXEC_HASFD) == 0)
268: vn_close(scriptvp, FREAD, p->p_ucred, p);
269:
270: /* free the old pathname buffer */
271: pool_put(&namei_pool, oldpnbuf);
272:
273: epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
274: epp->ep_fa = shellargp;
275: #ifdef SETUIDSCRIPTS
276: /*
277: * set things up so that set-id scripts will be
278: * handled appropriately
279: */
280: epp->ep_vap->va_mode |= script_sbits;
281: if (script_sbits & VSUID)
282: epp->ep_vap->va_uid = script_uid;
283: if (script_sbits & VSGID)
284: epp->ep_vap->va_gid = script_gid;
285: #endif
286: return (0);
287: }
288:
289: /* XXX oldpnbuf not set for "goto fail" path */
290: epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
291: #ifdef FDSCRIPTS
292: fail:
293: #endif
294: /* note that we've clobbered the header */
295: epp->ep_flags |= EXEC_DESTR;
296:
297: /* kill the opened file descriptor, else close the file */
298: if (epp->ep_flags & EXEC_HASFD) {
299: epp->ep_flags &= ~EXEC_HASFD;
300: (void) fdrelease(p, epp->ep_fd);
301: } else
302: vn_close(scriptvp, FREAD, p->p_ucred, p);
303:
304: pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
305:
306: /* free the fake arg list, because we're not returning it */
307: if ((tmpsap = shellargp) != NULL) {
308: while (*tmpsap != NULL) {
309: free(*tmpsap, M_EXEC);
310: tmpsap++;
311: }
312: FREE(shellargp, M_EXEC);
313: }
314:
315: /*
316: * free any vmspace-creation commands,
317: * and release their references
318: */
319: kill_vmcmds(&epp->ep_vmcmds);
320:
321: return error;
322: }
CVSweb