Annotation of src/sys/kern/exec_script.c, Revision 1.49
1.49 ! ad 1: /* $NetBSD: exec_script.c,v 1.48 2006/07/22 10:34:26 elad Exp $ */
1.8 cgd 2:
1.1 cgd 3: /*
1.14 cgd 4: * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
1.1 cgd 5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: * 3. All advertising materials mentioning features or use of this software
16: * must display the following acknowledgement:
17: * This product includes software developed by Christopher G. Demetriou.
18: * 4. The name of the author may not be used to endorse or promote products
1.3 jtc 19: * derived from this software without specific prior written permission
1.1 cgd 20: *
21: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31: */
1.30 lukem 32:
33: #include <sys/cdefs.h>
1.49 ! ad 34: __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.48 2006/07/22 10:34:26 elad Exp $");
1.1 cgd 35:
36: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
37: #define FDSCRIPTS /* Need this for safe set-id scripts. */
38: #endif
39:
1.42 christos 40: #include "opt_verified_exec.h"
41:
1.1 cgd 42: #include <sys/param.h>
43: #include <sys/systm.h>
44: #include <sys/proc.h>
45: #include <sys/malloc.h>
46: #include <sys/vnode.h>
47: #include <sys/namei.h>
48: #include <sys/file.h>
1.18 christos 49: #ifdef SETUIDSCRIPTS
50: #include <sys/stat.h>
51: #endif
1.1 cgd 52: #include <sys/filedesc.h>
53: #include <sys/exec.h>
54: #include <sys/resourcevar.h>
55:
56: #include <sys/exec_script.h>
1.38 matt 57: #include <sys/exec_elf.h>
1.1 cgd 58:
1.48 elad 59: #if NVERIEXEC > 0
1.39 elad 60: #include <sys/verified_exec.h>
1.48 elad 61: #endif /* NVERIEXEC > 0 */
1.39 elad 62:
1.40 elad 63: #ifdef SYSTRACE
64: #include <sys/systrace.h>
65: #endif /* SYSTRACE */
66:
1.1 cgd 67: /*
68: * exec_script_makecmds(): Check if it's an executable shell script.
69: *
70: * Given a proc pointer and an exec package pointer, see if the referent
71: * of the epp is in shell script. If it is, then set thing up so that
72: * the script can be run. This involves preparing the address space
73: * and arguments for the shell which will run the script.
74: *
75: * This function is ultimately responsible for creating a set of vmcmds
76: * which can be used to build the process's vm space and inserting them
77: * into the exec package.
78: */
79: int
1.45 christos 80: exec_script_makecmds(struct lwp *l, struct exec_package *epp)
1.1 cgd 81: {
82: int error, hdrlinelen, shellnamelen, shellarglen;
83: char *hdrstr = epp->ep_hdr;
84: char *cp, *shellname, *shellarg, *oldpnbuf;
85: char **shellargp, **tmpsap;
86: struct vnode *scriptvp;
87: #ifdef SETUIDSCRIPTS
1.18 christos 88: /* Gcc needs those initialized for spurious uninitialized warning */
89: uid_t script_uid = (uid_t) -1;
90: gid_t script_gid = NOGROUP;
1.1 cgd 91: u_short script_sbits;
92: #endif
93:
94: /*
95: * if the magic isn't that of a shell script, or we've already
96: * done shell script processing for this exec, punt on it.
97: */
98: if ((epp->ep_flags & EXEC_INDIR) != 0 ||
99: epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
100: strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
101: return ENOEXEC;
102:
103: /*
104: * check that the shell spec is terminated by a newline,
105: * and that it isn't too large. Don't modify the
106: * buffer unless we're ready to commit to handling it.
107: * (The latter requirement means that we have to check
108: * for both spaces and tabs later on.)
109: */
1.33 perry 110: hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
1.1 cgd 111: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
112: cp++) {
113: if (*cp == '\n') {
114: *cp = '\0';
115: break;
116: }
117: }
118: if (cp >= hdrstr + hdrlinelen)
119: return ENOEXEC;
120:
1.38 matt 121: /*
122: * If the script has an ELF header, don't exec it.
123: */
124: if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
125: memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
126: return ENOEXEC;
127:
1.1 cgd 128: shellname = NULL;
129: shellarg = NULL;
1.13 christos 130: shellarglen = 0;
1.1 cgd 131:
132: /* strip spaces before the shell name */
133: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
134: cp++)
135: ;
136:
137: /* collect the shell name; remember it's length for later */
138: shellname = cp;
139: shellnamelen = 0;
140: if (*cp == '\0')
141: goto check_shell;
142: for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
143: shellnamelen++;
144: if (*cp == '\0')
145: goto check_shell;
146: *cp++ = '\0';
147:
148: /* skip spaces before any argument */
149: for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
150: ;
151: if (*cp == '\0')
152: goto check_shell;
153:
154: /*
155: * collect the shell argument. everything after the shell name
156: * is passed as ONE argument; that's the correct (historical)
157: * behaviour.
158: */
159: shellarg = cp;
160: for ( /* cp = cp */ ; *cp != '\0'; cp++)
161: shellarglen++;
162: *cp++ = '\0';
163:
164: check_shell:
165: #ifdef SETUIDSCRIPTS
166: /*
1.29 thorpej 167: * MNT_NOSUID has already taken care of by check_exec,
168: * so we don't need to worry about it now or later. We
169: * will need to check P_TRACED later, however.
1.1 cgd 170: */
1.17 mycroft 171: script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
1.1 cgd 172: if (script_sbits != 0) {
173: script_uid = epp->ep_vap->va_uid;
174: script_gid = epp->ep_vap->va_gid;
175: }
176: #endif
177: #ifdef FDSCRIPTS
178: /*
179: * if the script isn't readable, or it's set-id, then we've
180: * gotta supply a "/dev/fd/..." for the shell to read.
181: * Note that stupid shells (csh) do the wrong thing, and
182: * close all open fd's when the start. That kills this
183: * method of implementing "safe" set-id and x-only scripts.
184: */
1.19 fvdl 185: vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
1.49 ! ad 186: error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred, l);
1.19 fvdl 187: VOP_UNLOCK(epp->ep_vp, 0);
1.14 cgd 188: if (error == EACCES
1.9 cgd 189: #ifdef SETUIDSCRIPTS
190: || script_sbits
191: #endif
192: ) {
1.1 cgd 193: struct file *fp;
194:
195: #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
196: if (epp->ep_flags & EXEC_HASFD)
197: panic("exec_script_makecmds: epp already has a fd");
198: #endif
199:
1.21 thorpej 200: /* falloc() will use the descriptor for us */
1.49 ! ad 201: if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) {
1.18 christos 202: scriptvp = NULL;
203: shellargp = NULL;
1.4 cgd 204: goto fail;
1.18 christos 205: }
1.1 cgd 206:
207: epp->ep_flags |= EXEC_HASFD;
208: fp->f_type = DTYPE_VNODE;
209: fp->f_ops = &vnops;
210: fp->f_data = (caddr_t) epp->ep_vp;
211: fp->f_flag = FREAD;
1.28 thorpej 212: FILE_SET_MATURE(fp);
1.45 christos 213: FILE_UNUSE(fp, l);
1.1 cgd 214: }
215: #endif
216:
217: /* set up the parameters for the recursive check_exec() call */
218: epp->ep_ndp->ni_dirp = shellname;
219: epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
220: epp->ep_flags |= EXEC_INDIR;
221:
222: /* and set up the fake args list, for later */
223: MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
224: tmpsap = shellargp;
1.46 christos 225: *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
1.34 itojun 226: strlcpy(*tmpsap++, shellname, shellnamelen + 1);
1.1 cgd 227: if (shellarg != NULL) {
1.46 christos 228: *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
1.34 itojun 229: strlcpy(*tmpsap++, shellarg, shellarglen + 1);
1.1 cgd 230: }
231: MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
232: #ifdef FDSCRIPTS
233: if ((epp->ep_flags & EXEC_HASFD) == 0) {
234: #endif
235: /* normally can't fail, but check for it if diagnostic */
1.40 elad 236: #ifdef SYSTRACE
1.41 elad 237: error = 1;
1.49 ! ad 238: if (ISSET(l->l_proc->p_flag, P_SYSTRACE)) {
1.41 elad 239: error = systrace_scriptname(p, *tmpsap);
240: if (error == 0)
241: tmpsap++;
242: }
243: if (error) {
244: /*
245: * Since systrace_scriptname() provides a
246: * convenience, not a security issue, we are
247: * safe to do this.
248: */
249: error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN,
250: NULL);
251: }
1.40 elad 252: #else
1.11 mycroft 253: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
254: (size_t *)0);
1.40 elad 255: #endif /* SYSTRACE */
1.1 cgd 256: #ifdef DIAGNOSTIC
257: if (error != 0)
1.31 provos 258: panic("exec_script: copyinstr couldn't fail");
1.1 cgd 259: #endif
260: #ifdef FDSCRIPTS
261: } else
1.37 itojun 262: snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
1.1 cgd 263: #endif
264: *tmpsap = NULL;
265:
266: /*
267: * mark the header we have as invalid; check_exec will read
268: * the header from the new executable
269: */
270: epp->ep_hdrvalid = 0;
271:
272: /*
273: * remember the old vp and pnbuf for later, so we can restore
274: * them if check_exec() fails.
275: */
276: scriptvp = epp->ep_vp;
1.7 mycroft 277: oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
1.1 cgd 278:
1.48 elad 279: #if NVERIEXEC > 0
1.45 christos 280: if ((error = check_exec(l, epp, VERIEXEC_INDIRECT)) == 0) {
1.32 blymn 281: #else
1.45 christos 282: if ((error = check_exec(l, epp, 0)) == 0) {
1.48 elad 283: #endif /* NVERIEXEC > 0 */
1.4 cgd 284: /* note that we've clobbered the header */
1.27 jdolecek 285: epp->ep_flags |= EXEC_DESTR|EXEC_HASES;
1.4 cgd 286:
1.1 cgd 287: /*
288: * It succeeded. Unlock the script and
289: * close it if we aren't using it any more.
1.4 cgd 290: * Also, set things up so that the fake args
1.1 cgd 291: * list will be used.
292: */
1.14 cgd 293: if ((epp->ep_flags & EXEC_HASFD) == 0) {
1.20 wrstuden 294: vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.49 ! ad 295: VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
1.20 wrstuden 296: vput(scriptvp);
1.14 cgd 297: }
1.2 cgd 298:
299: /* free the old pathname buffer */
1.26 thorpej 300: PNBUF_PUT(oldpnbuf);
1.1 cgd 301:
302: epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
303: epp->ep_fa = shellargp;
304: #ifdef SETUIDSCRIPTS
305: /*
306: * set thing up so that set-id scripts will be
1.29 thorpej 307: * handled appropriately. P_TRACED will be
308: * checked later when the shell is actually
309: * exec'd.
1.1 cgd 310: */
311: epp->ep_vap->va_mode |= script_sbits;
1.17 mycroft 312: if (script_sbits & S_ISUID)
1.1 cgd 313: epp->ep_vap->va_uid = script_uid;
1.17 mycroft 314: if (script_sbits & S_ISGID)
1.1 cgd 315: epp->ep_vap->va_gid = script_gid;
316: #endif
1.4 cgd 317: return (0);
318: }
319:
1.5 cgd 320: /* XXX oldpnbuf not set for "goto fail" path */
1.7 mycroft 321: epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
1.13 christos 322: #ifdef FDSCRIPTS
1.4 cgd 323: fail:
1.13 christos 324: #endif
1.4 cgd 325: /* note that we've clobbered the header */
326: epp->ep_flags |= EXEC_DESTR;
327:
328: /* kill the opened file descriptor, else close the file */
329: if (epp->ep_flags & EXEC_HASFD) {
330: epp->ep_flags &= ~EXEC_HASFD;
1.45 christos 331: (void) fdrelease(l, epp->ep_fd);
1.18 christos 332: } else if (scriptvp) {
1.20 wrstuden 333: vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.49 ! ad 334: VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
1.20 wrstuden 335: vput(scriptvp);
1.14 cgd 336: }
1.4 cgd 337:
1.26 thorpej 338: PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
1.1 cgd 339:
1.4 cgd 340: /* free the fake arg list, because we're not returning it */
1.18 christos 341: if ((tmpsap = shellargp) != NULL) {
342: while (*tmpsap != NULL) {
343: FREE(*tmpsap, M_EXEC);
344: tmpsap++;
345: }
346: FREE(shellargp, M_EXEC);
1.1 cgd 347: }
1.4 cgd 348:
349: /*
350: * free any vmspace-creation commands,
351: * and release their references
352: */
353: kill_vmcmds(&epp->ep_vmcmds);
1.1 cgd 354:
1.4 cgd 355: return error;
1.1 cgd 356: }
CVSweb <webmaster@jp.NetBSD.org>