[BACK]Return to exec_script.c CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / src / sys / kern

Annotation of src/sys/kern/exec_script.c, Revision 1.26

1.26    ! thorpej     1: /*     $NetBSD: exec_script.c,v 1.25 2000/08/01 04:57:29 thorpej Exp $ */
1.8       cgd         2:
1.1       cgd         3: /*
1.14      cgd         4:  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
1.1       cgd         5:  * All rights reserved.
                      6:  *
                      7:  * Redistribution and use in source and binary forms, with or without
                      8:  * modification, are permitted provided that the following conditions
                      9:  * are met:
                     10:  * 1. Redistributions of source code must retain the above copyright
                     11:  *    notice, this list of conditions and the following disclaimer.
                     12:  * 2. Redistributions in binary form must reproduce the above copyright
                     13:  *    notice, this list of conditions and the following disclaimer in the
                     14:  *    documentation and/or other materials provided with the distribution.
                     15:  * 3. All advertising materials mentioning features or use of this software
                     16:  *    must display the following acknowledgement:
                     17:  *      This product includes software developed by Christopher G. Demetriou.
                     18:  * 4. The name of the author may not be used to endorse or promote products
1.3       jtc        19:  *    derived from this software without specific prior written permission
1.1       cgd        20:  *
                     21:  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     22:  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     23:  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     24:  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     25:  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     26:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     27:  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     28:  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     29:  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     30:  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     31:  */
                     32:
                     33: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
                     34: #define FDSCRIPTS              /* Need this for safe set-id scripts. */
                     35: #endif
                     36:
                     37: #include <sys/param.h>
                     38: #include <sys/systm.h>
                     39: #include <sys/proc.h>
                     40: #include <sys/malloc.h>
                     41: #include <sys/vnode.h>
                     42: #include <sys/namei.h>
                     43: #include <sys/file.h>
1.18      christos   44: #ifdef SETUIDSCRIPTS
                     45: #include <sys/stat.h>
                     46: #endif
1.1       cgd        47: #include <sys/filedesc.h>
                     48: #include <sys/exec.h>
                     49: #include <sys/resourcevar.h>
                     50:
                     51: #include <sys/exec_script.h>
                     52:
                     53: /*
                     54:  * exec_script_makecmds(): Check if it's an executable shell script.
                     55:  *
                     56:  * Given a proc pointer and an exec package pointer, see if the referent
                     57:  * of the epp is in shell script.  If it is, then set thing up so that
                     58:  * the script can be run.  This involves preparing the address space
                     59:  * and arguments for the shell which will run the script.
                     60:  *
                     61:  * This function is ultimately responsible for creating a set of vmcmds
                     62:  * which can be used to build the process's vm space and inserting them
                     63:  * into the exec package.
                     64:  */
                     65: int
1.25      thorpej    66: exec_script_makecmds(struct proc *p, struct exec_package *epp)
1.1       cgd        67: {
                     68:        int error, hdrlinelen, shellnamelen, shellarglen;
                     69:        char *hdrstr = epp->ep_hdr;
                     70:        char *cp, *shellname, *shellarg, *oldpnbuf;
                     71:        char **shellargp, **tmpsap;
                     72:        struct vnode *scriptvp;
                     73: #ifdef SETUIDSCRIPTS
1.18      christos   74:        /* Gcc needs those initialized for spurious uninitialized warning */
                     75:        uid_t script_uid = (uid_t) -1;
                     76:        gid_t script_gid = NOGROUP;
1.1       cgd        77:        u_short script_sbits;
                     78: #endif
                     79:
                     80:        /*
                     81:         * if the magic isn't that of a shell script, or we've already
                     82:         * done shell script processing for this exec, punt on it.
                     83:         */
                     84:        if ((epp->ep_flags & EXEC_INDIR) != 0 ||
                     85:            epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
                     86:            strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
                     87:                return ENOEXEC;
                     88:
                     89:        /*
                     90:         * check that the shell spec is terminated by a newline,
                     91:         * and that it isn't too large.  Don't modify the
                     92:         * buffer unless we're ready to commit to handling it.
                     93:         * (The latter requirement means that we have to check
                     94:         * for both spaces and tabs later on.)
                     95:         */
1.6       cgd        96:        hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
1.1       cgd        97:        for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
                     98:            cp++) {
                     99:                if (*cp == '\n') {
                    100:                        *cp = '\0';
                    101:                        break;
                    102:                }
                    103:        }
                    104:        if (cp >= hdrstr + hdrlinelen)
                    105:                return ENOEXEC;
                    106:
                    107:        shellname = NULL;
                    108:        shellarg = NULL;
1.13      christos  109:        shellarglen = 0;
1.1       cgd       110:
                    111:        /* strip spaces before the shell name */
                    112:        for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
                    113:            cp++)
                    114:                ;
                    115:
                    116:        /* collect the shell name; remember it's length for later */
                    117:        shellname = cp;
                    118:        shellnamelen = 0;
                    119:        if (*cp == '\0')
                    120:                goto check_shell;
                    121:        for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
                    122:                shellnamelen++;
                    123:        if (*cp == '\0')
                    124:                goto check_shell;
                    125:        *cp++ = '\0';
                    126:
                    127:        /* skip spaces before any argument */
                    128:        for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
                    129:                ;
                    130:        if (*cp == '\0')
                    131:                goto check_shell;
                    132:
                    133:        /*
                    134:         * collect the shell argument.  everything after the shell name
                    135:         * is passed as ONE argument; that's the correct (historical)
                    136:         * behaviour.
                    137:         */
                    138:        shellarg = cp;
                    139:        for ( /* cp = cp */ ; *cp != '\0'; cp++)
                    140:                shellarglen++;
                    141:        *cp++ = '\0';
                    142:
                    143: check_shell:
                    144: #ifdef SETUIDSCRIPTS
                    145:        /*
                    146:         * MNT_NOSUID and STRC are already taken care of by check_exec,
                    147:         * so we don't need to worry about them now or later.
                    148:         */
1.17      mycroft   149:        script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
1.1       cgd       150:        if (script_sbits != 0) {
                    151:                script_uid = epp->ep_vap->va_uid;
                    152:                script_gid = epp->ep_vap->va_gid;
                    153:        }
                    154: #endif
                    155: #ifdef FDSCRIPTS
                    156:        /*
                    157:         * if the script isn't readable, or it's set-id, then we've
                    158:         * gotta supply a "/dev/fd/..." for the shell to read.
                    159:         * Note that stupid shells (csh) do the wrong thing, and
                    160:         * close all open fd's when the start.  That kills this
                    161:         * method of implementing "safe" set-id and x-only scripts.
                    162:         */
1.19      fvdl      163:        vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
1.14      cgd       164:        error = VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p);
1.19      fvdl      165:        VOP_UNLOCK(epp->ep_vp, 0);
1.14      cgd       166:        if (error == EACCES
1.9       cgd       167: #ifdef SETUIDSCRIPTS
                    168:            || script_sbits
                    169: #endif
                    170:            ) {
1.1       cgd       171:                struct file *fp;
                    172:
                    173: #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
                    174:                if (epp->ep_flags & EXEC_HASFD)
                    175:                        panic("exec_script_makecmds: epp already has a fd");
                    176: #endif
                    177:
1.21      thorpej   178:                /* falloc() will use the descriptor for us */
1.18      christos  179:                if ((error = falloc(p, &fp, &epp->ep_fd)) != 0) {
                    180:                        scriptvp = NULL;
                    181:                        shellargp = NULL;
1.4       cgd       182:                        goto fail;
1.18      christos  183:                }
1.1       cgd       184:
                    185:                epp->ep_flags |= EXEC_HASFD;
                    186:                fp->f_type = DTYPE_VNODE;
                    187:                fp->f_ops = &vnops;
                    188:                fp->f_data = (caddr_t) epp->ep_vp;
                    189:                fp->f_flag = FREAD;
1.22      tv        190:                FILE_UNUSE(fp, p);
1.1       cgd       191:        }
                    192: #endif
                    193:
                    194:        /* set up the parameters for the recursive check_exec() call */
                    195:        epp->ep_ndp->ni_dirp = shellname;
                    196:        epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
                    197:        epp->ep_flags |= EXEC_INDIR;
                    198:
                    199:        /* and set up the fake args list, for later */
                    200:        MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
                    201:        tmpsap = shellargp;
                    202:        MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK);
                    203:        strcpy(*tmpsap++, shellname);
                    204:        if (shellarg != NULL) {
                    205:                MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK);
                    206:                strcpy(*tmpsap++, shellarg);
                    207:        }
                    208:        MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
                    209: #ifdef FDSCRIPTS
                    210:        if ((epp->ep_flags & EXEC_HASFD) == 0) {
                    211: #endif
                    212:                /* normally can't fail, but check for it if diagnostic */
1.11      mycroft   213:                error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
                    214:                    (size_t *)0);
1.1       cgd       215: #ifdef DIAGNOSTIC
                    216:                if (error != 0)
                    217:                        panic("exec_script: copyinstr couldn't fail\n");
                    218: #endif
                    219: #ifdef FDSCRIPTS
                    220:        } else
1.16      christos  221:                sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd);
1.1       cgd       222: #endif
                    223:        *tmpsap = NULL;
                    224:
                    225:        /*
                    226:         * mark the header we have as invalid; check_exec will read
                    227:         * the header from the new executable
                    228:         */
                    229:        epp->ep_hdrvalid = 0;
                    230:
                    231:        /*
                    232:         * remember the old vp and pnbuf for later, so we can restore
                    233:         * them if check_exec() fails.
                    234:         */
                    235:        scriptvp = epp->ep_vp;
1.7       mycroft   236:        oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
1.1       cgd       237:
                    238:        if ((error = check_exec(p, epp)) == 0) {
1.4       cgd       239:                /* note that we've clobbered the header */
                    240:                epp->ep_flags |= EXEC_DESTR;
                    241:
1.1       cgd       242:                /*
                    243:                 * It succeeded.  Unlock the script and
                    244:                 * close it if we aren't using it any more.
1.4       cgd       245:                 * Also, set things up so that the fake args
1.1       cgd       246:                 * list will be used.
                    247:                 */
1.14      cgd       248:                if ((epp->ep_flags & EXEC_HASFD) == 0) {
1.20      wrstuden  249:                        vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.14      cgd       250:                        VOP_CLOSE(scriptvp, FREAD, p->p_ucred, p);
1.20      wrstuden  251:                        vput(scriptvp);
1.14      cgd       252:                }
1.2       cgd       253:
                    254:                /* free the old pathname buffer */
1.26    ! thorpej   255:                PNBUF_PUT(oldpnbuf);
1.1       cgd       256:
                    257:                epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
                    258:                epp->ep_fa = shellargp;
                    259: #ifdef SETUIDSCRIPTS
                    260:                /*
                    261:                 * set thing up so that set-id scripts will be
                    262:                 * handled appropriately
                    263:                 */
                    264:                epp->ep_vap->va_mode |= script_sbits;
1.17      mycroft   265:                if (script_sbits & S_ISUID)
1.1       cgd       266:                        epp->ep_vap->va_uid = script_uid;
1.17      mycroft   267:                if (script_sbits & S_ISGID)
1.1       cgd       268:                        epp->ep_vap->va_gid = script_gid;
                    269: #endif
1.4       cgd       270:                return (0);
                    271:        }
                    272:
1.5       cgd       273:        /* XXX oldpnbuf not set for "goto fail" path */
1.7       mycroft   274:        epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
1.13      christos  275: #ifdef FDSCRIPTS
1.4       cgd       276: fail:
1.13      christos  277: #endif
1.4       cgd       278:        /* note that we've clobbered the header */
                    279:        epp->ep_flags |= EXEC_DESTR;
                    280:
                    281:        /* kill the opened file descriptor, else close the file */
                    282:         if (epp->ep_flags & EXEC_HASFD) {
                    283:                 epp->ep_flags &= ~EXEC_HASFD;
1.12      mycroft   284:                 (void) fdrelease(p, epp->ep_fd);
1.18      christos  285:         } else if (scriptvp) {
1.20      wrstuden  286:                vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.14      cgd       287:                VOP_CLOSE(scriptvp, FREAD, p->p_ucred, p);
1.20      wrstuden  288:                vput(scriptvp);
1.14      cgd       289:        }
1.4       cgd       290:
1.26    ! thorpej   291:         PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
1.1       cgd       292:
1.4       cgd       293:        /* free the fake arg list, because we're not returning it */
1.18      christos  294:        if ((tmpsap = shellargp) != NULL) {
                    295:                while (*tmpsap != NULL) {
                    296:                        FREE(*tmpsap, M_EXEC);
                    297:                        tmpsap++;
                    298:                }
                    299:                FREE(shellargp, M_EXEC);
1.1       cgd       300:        }
1.4       cgd       301:
                    302:         /*
                    303:          * free any vmspace-creation commands,
                    304:          * and release their references
                    305:          */
                    306:         kill_vmcmds(&epp->ep_vmcmds);
1.1       cgd       307:
1.4       cgd       308:         return error;
1.1       cgd       309: }

CVSweb <webmaster@jp.NetBSD.org>