Annotation of src/sys/kern/exec_script.c, Revision 1.36.2.5
1.36.2.5! skrll 1: /* $NetBSD: exec_script.c,v 1.36.2.4 2004/09/21 13:35:03 skrll Exp $ */
1.8 cgd 2:
1.1 cgd 3: /*
1.14 cgd 4: * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
1.1 cgd 5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: * 3. All advertising materials mentioning features or use of this software
16: * must display the following acknowledgement:
17: * This product includes software developed by Christopher G. Demetriou.
18: * 4. The name of the author may not be used to endorse or promote products
1.3 jtc 19: * derived from this software without specific prior written permission
1.1 cgd 20: *
21: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31: */
1.30 lukem 32:
33: #include <sys/cdefs.h>
1.36.2.5! skrll 34: __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.36.2.4 2004/09/21 13:35:03 skrll Exp $");
1.1 cgd 35:
36: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
37: #define FDSCRIPTS /* Need this for safe set-id scripts. */
38: #endif
39:
40: #include <sys/param.h>
41: #include <sys/systm.h>
42: #include <sys/proc.h>
43: #include <sys/malloc.h>
44: #include <sys/vnode.h>
45: #include <sys/namei.h>
46: #include <sys/file.h>
1.18 christos 47: #ifdef SETUIDSCRIPTS
48: #include <sys/stat.h>
49: #endif
1.1 cgd 50: #include <sys/filedesc.h>
51: #include <sys/exec.h>
52: #include <sys/resourcevar.h>
53:
54: #include <sys/exec_script.h>
1.36.2.5! skrll 55: #include <sys/exec_elf.h>
1.1 cgd 56:
57: /*
58: * exec_script_makecmds(): Check if it's an executable shell script.
59: *
60: * Given a proc pointer and an exec package pointer, see if the referent
61: * of the epp is in shell script. If it is, then set thing up so that
62: * the script can be run. This involves preparing the address space
63: * and arguments for the shell which will run the script.
64: *
65: * This function is ultimately responsible for creating a set of vmcmds
66: * which can be used to build the process's vm space and inserting them
67: * into the exec package.
68: */
69: int
1.36.2.4 skrll 70: exec_script_makecmds(struct lwp *l, struct exec_package *epp)
1.1 cgd 71: {
72: int error, hdrlinelen, shellnamelen, shellarglen;
73: char *hdrstr = epp->ep_hdr;
74: char *cp, *shellname, *shellarg, *oldpnbuf;
75: char **shellargp, **tmpsap;
76: struct vnode *scriptvp;
1.36.2.4 skrll 77: struct proc *p = l->l_proc;
1.1 cgd 78: #ifdef SETUIDSCRIPTS
1.18 christos 79: /* Gcc needs those initialized for spurious uninitialized warning */
80: uid_t script_uid = (uid_t) -1;
81: gid_t script_gid = NOGROUP;
1.1 cgd 82: u_short script_sbits;
83: #endif
84:
85: /*
86: * if the magic isn't that of a shell script, or we've already
87: * done shell script processing for this exec, punt on it.
88: */
89: if ((epp->ep_flags & EXEC_INDIR) != 0 ||
90: epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
91: strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
92: return ENOEXEC;
93:
94: /*
95: * check that the shell spec is terminated by a newline,
96: * and that it isn't too large. Don't modify the
97: * buffer unless we're ready to commit to handling it.
98: * (The latter requirement means that we have to check
99: * for both spaces and tabs later on.)
100: */
1.33 perry 101: hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
1.1 cgd 102: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
103: cp++) {
104: if (*cp == '\n') {
105: *cp = '\0';
106: break;
107: }
108: }
109: if (cp >= hdrstr + hdrlinelen)
110: return ENOEXEC;
111:
1.36.2.5! skrll 112: /*
! 113: * If the script has an ELF header, don't exec it.
! 114: */
! 115: if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
! 116: memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
! 117: return ENOEXEC;
! 118:
1.1 cgd 119: shellname = NULL;
120: shellarg = NULL;
1.13 christos 121: shellarglen = 0;
1.1 cgd 122:
123: /* strip spaces before the shell name */
124: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
125: cp++)
126: ;
127:
128: /* collect the shell name; remember it's length for later */
129: shellname = cp;
130: shellnamelen = 0;
131: if (*cp == '\0')
132: goto check_shell;
133: for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
134: shellnamelen++;
135: if (*cp == '\0')
136: goto check_shell;
137: *cp++ = '\0';
138:
139: /* skip spaces before any argument */
140: for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
141: ;
142: if (*cp == '\0')
143: goto check_shell;
144:
145: /*
146: * collect the shell argument. everything after the shell name
147: * is passed as ONE argument; that's the correct (historical)
148: * behaviour.
149: */
150: shellarg = cp;
151: for ( /* cp = cp */ ; *cp != '\0'; cp++)
152: shellarglen++;
153: *cp++ = '\0';
154:
155: check_shell:
156: #ifdef SETUIDSCRIPTS
157: /*
1.29 thorpej 158: * MNT_NOSUID has already taken care of by check_exec,
159: * so we don't need to worry about it now or later. We
160: * will need to check P_TRACED later, however.
1.1 cgd 161: */
1.17 mycroft 162: script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
1.1 cgd 163: if (script_sbits != 0) {
164: script_uid = epp->ep_vap->va_uid;
165: script_gid = epp->ep_vap->va_gid;
166: }
167: #endif
168: #ifdef FDSCRIPTS
169: /*
170: * if the script isn't readable, or it's set-id, then we've
171: * gotta supply a "/dev/fd/..." for the shell to read.
172: * Note that stupid shells (csh) do the wrong thing, and
173: * close all open fd's when the start. That kills this
174: * method of implementing "safe" set-id and x-only scripts.
175: */
1.19 fvdl 176: vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
1.14 cgd 177: error = VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p);
1.19 fvdl 178: VOP_UNLOCK(epp->ep_vp, 0);
1.14 cgd 179: if (error == EACCES
1.9 cgd 180: #ifdef SETUIDSCRIPTS
181: || script_sbits
182: #endif
183: ) {
1.1 cgd 184: struct file *fp;
185:
186: #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
187: if (epp->ep_flags & EXEC_HASFD)
188: panic("exec_script_makecmds: epp already has a fd");
189: #endif
190:
1.21 thorpej 191: /* falloc() will use the descriptor for us */
1.18 christos 192: if ((error = falloc(p, &fp, &epp->ep_fd)) != 0) {
193: scriptvp = NULL;
194: shellargp = NULL;
1.4 cgd 195: goto fail;
1.18 christos 196: }
1.1 cgd 197:
198: epp->ep_flags |= EXEC_HASFD;
199: fp->f_type = DTYPE_VNODE;
200: fp->f_ops = &vnops;
201: fp->f_data = (caddr_t) epp->ep_vp;
202: fp->f_flag = FREAD;
1.28 thorpej 203: FILE_SET_MATURE(fp);
1.22 tv 204: FILE_UNUSE(fp, p);
1.1 cgd 205: }
206: #endif
207:
208: /* set up the parameters for the recursive check_exec() call */
209: epp->ep_ndp->ni_dirp = shellname;
210: epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
211: epp->ep_flags |= EXEC_INDIR;
212:
213: /* and set up the fake args list, for later */
214: MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
215: tmpsap = shellargp;
216: MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK);
1.34 itojun 217: strlcpy(*tmpsap++, shellname, shellnamelen + 1);
1.1 cgd 218: if (shellarg != NULL) {
219: MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK);
1.34 itojun 220: strlcpy(*tmpsap++, shellarg, shellarglen + 1);
1.1 cgd 221: }
222: MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
223: #ifdef FDSCRIPTS
224: if ((epp->ep_flags & EXEC_HASFD) == 0) {
225: #endif
226: /* normally can't fail, but check for it if diagnostic */
1.11 mycroft 227: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
228: (size_t *)0);
1.1 cgd 229: #ifdef DIAGNOSTIC
230: if (error != 0)
1.31 provos 231: panic("exec_script: copyinstr couldn't fail");
1.1 cgd 232: #endif
233: #ifdef FDSCRIPTS
234: } else
1.36.2.2 skrll 235: snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
1.1 cgd 236: #endif
237: *tmpsap = NULL;
238:
239: /*
240: * mark the header we have as invalid; check_exec will read
241: * the header from the new executable
242: */
243: epp->ep_hdrvalid = 0;
244:
245: /*
246: * remember the old vp and pnbuf for later, so we can restore
247: * them if check_exec() fails.
248: */
249: scriptvp = epp->ep_vp;
1.7 mycroft 250: oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
1.1 cgd 251:
1.32 blymn 252: #ifdef VERIFIED_EXEC
1.36.2.4 skrll 253: if ((error = check_exec(l, epp, 0)) == 0) {
1.32 blymn 254: #else
1.36.2.4 skrll 255: if ((error = check_exec(l, epp)) == 0) {
1.32 blymn 256: #endif
1.4 cgd 257: /* note that we've clobbered the header */
1.27 jdolecek 258: epp->ep_flags |= EXEC_DESTR|EXEC_HASES;
1.4 cgd 259:
1.1 cgd 260: /*
261: * It succeeded. Unlock the script and
262: * close it if we aren't using it any more.
1.4 cgd 263: * Also, set things up so that the fake args
1.1 cgd 264: * list will be used.
265: */
1.14 cgd 266: if ((epp->ep_flags & EXEC_HASFD) == 0) {
1.20 wrstuden 267: vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.36.2.4 skrll 268: VOP_CLOSE(scriptvp, FREAD, p->p_ucred, l);
1.20 wrstuden 269: vput(scriptvp);
1.14 cgd 270: }
1.2 cgd 271:
272: /* free the old pathname buffer */
1.26 thorpej 273: PNBUF_PUT(oldpnbuf);
1.1 cgd 274:
275: epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
276: epp->ep_fa = shellargp;
277: #ifdef SETUIDSCRIPTS
278: /*
279: * set thing up so that set-id scripts will be
1.29 thorpej 280: * handled appropriately. P_TRACED will be
281: * checked later when the shell is actually
282: * exec'd.
1.1 cgd 283: */
284: epp->ep_vap->va_mode |= script_sbits;
1.17 mycroft 285: if (script_sbits & S_ISUID)
1.1 cgd 286: epp->ep_vap->va_uid = script_uid;
1.17 mycroft 287: if (script_sbits & S_ISGID)
1.1 cgd 288: epp->ep_vap->va_gid = script_gid;
289: #endif
1.4 cgd 290: return (0);
291: }
292:
1.5 cgd 293: /* XXX oldpnbuf not set for "goto fail" path */
1.7 mycroft 294: epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
1.13 christos 295: #ifdef FDSCRIPTS
1.4 cgd 296: fail:
1.13 christos 297: #endif
1.4 cgd 298: /* note that we've clobbered the header */
299: epp->ep_flags |= EXEC_DESTR;
300:
301: /* kill the opened file descriptor, else close the file */
302: if (epp->ep_flags & EXEC_HASFD) {
303: epp->ep_flags &= ~EXEC_HASFD;
1.36.2.4 skrll 304: (void) fdrelease(l, epp->ep_fd);
1.18 christos 305: } else if (scriptvp) {
1.20 wrstuden 306: vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.36.2.4 skrll 307: VOP_CLOSE(scriptvp, FREAD, p->p_ucred, l);
1.20 wrstuden 308: vput(scriptvp);
1.14 cgd 309: }
1.4 cgd 310:
1.26 thorpej 311: PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
1.1 cgd 312:
1.4 cgd 313: /* free the fake arg list, because we're not returning it */
1.18 christos 314: if ((tmpsap = shellargp) != NULL) {
315: while (*tmpsap != NULL) {
316: FREE(*tmpsap, M_EXEC);
317: tmpsap++;
318: }
319: FREE(shellargp, M_EXEC);
1.1 cgd 320: }
1.4 cgd 321:
322: /*
323: * free any vmspace-creation commands,
324: * and release their references
325: */
326: kill_vmcmds(&epp->ep_vmcmds);
1.1 cgd 327:
1.4 cgd 328: return error;
1.1 cgd 329: }
CVSweb <webmaster@jp.NetBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to exec_script.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / sys / kern