[BACK]Return to exec_script.c CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / src / sys / kern

Annotation of src/sys/kern/exec_script.c, Revision 1.59

1.59    ! pooka       1: /*     $NetBSD: exec_script.c,v 1.58 2007/11/26 19:02:00 pooka Exp $   */
1.8       cgd         2:
1.1       cgd         3: /*
1.14      cgd         4:  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
1.1       cgd         5:  * All rights reserved.
                      6:  *
                      7:  * Redistribution and use in source and binary forms, with or without
                      8:  * modification, are permitted provided that the following conditions
                      9:  * are met:
                     10:  * 1. Redistributions of source code must retain the above copyright
                     11:  *    notice, this list of conditions and the following disclaimer.
                     12:  * 2. Redistributions in binary form must reproduce the above copyright
                     13:  *    notice, this list of conditions and the following disclaimer in the
                     14:  *    documentation and/or other materials provided with the distribution.
                     15:  * 3. All advertising materials mentioning features or use of this software
                     16:  *    must display the following acknowledgement:
                     17:  *      This product includes software developed by Christopher G. Demetriou.
                     18:  * 4. The name of the author may not be used to endorse or promote products
1.3       jtc        19:  *    derived from this software without specific prior written permission
1.1       cgd        20:  *
                     21:  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     22:  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     23:  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     24:  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     25:  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     26:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     27:  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     28:  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     29:  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     30:  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     31:  */
1.30      lukem      32:
                     33: #include <sys/cdefs.h>
1.59    ! pooka      34: __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.58 2007/11/26 19:02:00 pooka Exp $");
1.1       cgd        35:
                     36: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
                     37: #define FDSCRIPTS              /* Need this for safe set-id scripts. */
                     38: #endif
                     39:
1.52      dogcow     40: #include "veriexec.h"
1.42      christos   41:
1.1       cgd        42: #include <sys/param.h>
                     43: #include <sys/systm.h>
                     44: #include <sys/proc.h>
                     45: #include <sys/malloc.h>
                     46: #include <sys/vnode.h>
                     47: #include <sys/namei.h>
                     48: #include <sys/file.h>
1.18      christos   49: #ifdef SETUIDSCRIPTS
                     50: #include <sys/stat.h>
                     51: #endif
1.1       cgd        52: #include <sys/filedesc.h>
                     53: #include <sys/exec.h>
                     54: #include <sys/resourcevar.h>
                     55:
                     56: #include <sys/exec_script.h>
1.38      matt       57: #include <sys/exec_elf.h>
1.1       cgd        58:
1.40      elad       59: #ifdef SYSTRACE
                     60: #include <sys/systrace.h>
                     61: #endif /* SYSTRACE */
                     62:
1.1       cgd        63: /*
                     64:  * exec_script_makecmds(): Check if it's an executable shell script.
                     65:  *
                     66:  * Given a proc pointer and an exec package pointer, see if the referent
                     67:  * of the epp is in shell script.  If it is, then set thing up so that
                     68:  * the script can be run.  This involves preparing the address space
                     69:  * and arguments for the shell which will run the script.
                     70:  *
                     71:  * This function is ultimately responsible for creating a set of vmcmds
                     72:  * which can be used to build the process's vm space and inserting them
                     73:  * into the exec package.
                     74:  */
                     75: int
1.45      christos   76: exec_script_makecmds(struct lwp *l, struct exec_package *epp)
1.1       cgd        77: {
                     78:        int error, hdrlinelen, shellnamelen, shellarglen;
                     79:        char *hdrstr = epp->ep_hdr;
                     80:        char *cp, *shellname, *shellarg, *oldpnbuf;
                     81:        char **shellargp, **tmpsap;
                     82:        struct vnode *scriptvp;
                     83: #ifdef SETUIDSCRIPTS
1.18      christos   84:        /* Gcc needs those initialized for spurious uninitialized warning */
                     85:        uid_t script_uid = (uid_t) -1;
                     86:        gid_t script_gid = NOGROUP;
1.1       cgd        87:        u_short script_sbits;
                     88: #endif
                     89:
                     90:        /*
                     91:         * if the magic isn't that of a shell script, or we've already
                     92:         * done shell script processing for this exec, punt on it.
                     93:         */
                     94:        if ((epp->ep_flags & EXEC_INDIR) != 0 ||
                     95:            epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
                     96:            strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
                     97:                return ENOEXEC;
                     98:
                     99:        /*
                    100:         * check that the shell spec is terminated by a newline,
                    101:         * and that it isn't too large.  Don't modify the
                    102:         * buffer unless we're ready to commit to handling it.
                    103:         * (The latter requirement means that we have to check
                    104:         * for both spaces and tabs later on.)
                    105:         */
1.33      perry     106:        hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
1.1       cgd       107:        for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
                    108:            cp++) {
                    109:                if (*cp == '\n') {
                    110:                        *cp = '\0';
                    111:                        break;
                    112:                }
                    113:        }
                    114:        if (cp >= hdrstr + hdrlinelen)
                    115:                return ENOEXEC;
                    116:
1.38      matt      117:        /*
                    118:         * If the script has an ELF header, don't exec it.
                    119:         */
                    120:        if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
                    121:            memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
                    122:                return ENOEXEC;
                    123:
1.1       cgd       124:        shellname = NULL;
                    125:        shellarg = NULL;
1.13      christos  126:        shellarglen = 0;
1.1       cgd       127:
                    128:        /* strip spaces before the shell name */
                    129:        for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
                    130:            cp++)
                    131:                ;
                    132:
                    133:        /* collect the shell name; remember it's length for later */
                    134:        shellname = cp;
                    135:        shellnamelen = 0;
                    136:        if (*cp == '\0')
                    137:                goto check_shell;
                    138:        for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
                    139:                shellnamelen++;
                    140:        if (*cp == '\0')
                    141:                goto check_shell;
                    142:        *cp++ = '\0';
                    143:
                    144:        /* skip spaces before any argument */
                    145:        for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
                    146:                ;
                    147:        if (*cp == '\0')
                    148:                goto check_shell;
                    149:
                    150:        /*
                    151:         * collect the shell argument.  everything after the shell name
                    152:         * is passed as ONE argument; that's the correct (historical)
                    153:         * behaviour.
                    154:         */
                    155:        shellarg = cp;
                    156:        for ( /* cp = cp */ ; *cp != '\0'; cp++)
                    157:                shellarglen++;
                    158:        *cp++ = '\0';
                    159:
                    160: check_shell:
                    161: #ifdef SETUIDSCRIPTS
                    162:        /*
1.29      thorpej   163:         * MNT_NOSUID has already taken care of by check_exec,
                    164:         * so we don't need to worry about it now or later.  We
1.54      ad        165:         * will need to check PSL_TRACED later, however.
1.1       cgd       166:         */
1.17      mycroft   167:        script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
1.1       cgd       168:        if (script_sbits != 0) {
                    169:                script_uid = epp->ep_vap->va_uid;
                    170:                script_gid = epp->ep_vap->va_gid;
                    171:        }
                    172: #endif
                    173: #ifdef FDSCRIPTS
                    174:        /*
                    175:         * if the script isn't readable, or it's set-id, then we've
                    176:         * gotta supply a "/dev/fd/..." for the shell to read.
                    177:         * Note that stupid shells (csh) do the wrong thing, and
                    178:         * close all open fd's when the start.  That kills this
                    179:         * method of implementing "safe" set-id and x-only scripts.
                    180:         */
1.19      fvdl      181:        vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
1.59    ! pooka     182:        error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred);
1.19      fvdl      183:        VOP_UNLOCK(epp->ep_vp, 0);
1.14      cgd       184:        if (error == EACCES
1.9       cgd       185: #ifdef SETUIDSCRIPTS
                    186:            || script_sbits
                    187: #endif
                    188:            ) {
1.1       cgd       189:                struct file *fp;
                    190:
                    191: #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
                    192:                if (epp->ep_flags & EXEC_HASFD)
                    193:                        panic("exec_script_makecmds: epp already has a fd");
                    194: #endif
                    195:
1.21      thorpej   196:                /* falloc() will use the descriptor for us */
1.49      ad        197:                if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) {
1.18      christos  198:                        scriptvp = NULL;
                    199:                        shellargp = NULL;
1.4       cgd       200:                        goto fail;
1.18      christos  201:                }
1.1       cgd       202:
                    203:                epp->ep_flags |= EXEC_HASFD;
                    204:                fp->f_type = DTYPE_VNODE;
                    205:                fp->f_ops = &vnops;
1.56      christos  206:                fp->f_data = (void *) epp->ep_vp;
1.1       cgd       207:                fp->f_flag = FREAD;
1.28      thorpej   208:                FILE_SET_MATURE(fp);
1.45      christos  209:                FILE_UNUSE(fp, l);
1.1       cgd       210:        }
                    211: #endif
                    212:
                    213:        /* set up the parameters for the recursive check_exec() call */
                    214:        epp->ep_ndp->ni_dirp = shellname;
                    215:        epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
                    216:        epp->ep_flags |= EXEC_INDIR;
                    217:
                    218:        /* and set up the fake args list, for later */
                    219:        MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
                    220:        tmpsap = shellargp;
1.46      christos  221:        *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
1.34      itojun    222:        strlcpy(*tmpsap++, shellname, shellnamelen + 1);
1.1       cgd       223:        if (shellarg != NULL) {
1.46      christos  224:                *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
1.34      itojun    225:                strlcpy(*tmpsap++, shellarg, shellarglen + 1);
1.1       cgd       226:        }
                    227:        MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
                    228: #ifdef FDSCRIPTS
                    229:        if ((epp->ep_flags & EXEC_HASFD) == 0) {
                    230: #endif
                    231:                /* normally can't fail, but check for it if diagnostic */
1.40      elad      232: #ifdef SYSTRACE
1.41      elad      233:                error = 1;
1.55      pavel     234:                if (ISSET(l->l_proc->p_flag, PK_SYSTRACE)) {
1.41      elad      235:                        error = systrace_scriptname(p, *tmpsap);
                    236:                        if (error == 0)
                    237:                                tmpsap++;
                    238:                }
                    239:                if (error) {
                    240:                        /*
                    241:                         * Since systrace_scriptname() provides a
                    242:                         * convenience, not a security issue, we are
                    243:                         * safe to do this.
                    244:                         */
                    245:                        error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN,
                    246:                                        NULL);
                    247:                }
1.40      elad      248: #else
1.11      mycroft   249:                error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
                    250:                    (size_t *)0);
1.40      elad      251: #endif /* SYSTRACE */
1.1       cgd       252: #ifdef DIAGNOSTIC
                    253:                if (error != 0)
1.31      provos    254:                        panic("exec_script: copyinstr couldn't fail");
1.1       cgd       255: #endif
                    256: #ifdef FDSCRIPTS
                    257:        } else
1.37      itojun    258:                snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
1.1       cgd       259: #endif
                    260:        *tmpsap = NULL;
                    261:
                    262:        /*
                    263:         * mark the header we have as invalid; check_exec will read
                    264:         * the header from the new executable
                    265:         */
                    266:        epp->ep_hdrvalid = 0;
                    267:
                    268:        /*
                    269:         * remember the old vp and pnbuf for later, so we can restore
                    270:         * them if check_exec() fails.
                    271:         */
                    272:        scriptvp = epp->ep_vp;
1.7       mycroft   273:        oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
1.1       cgd       274:
1.57      dsl       275:        error = check_exec(l, epp);
                    276:        /* note that we've clobbered the header */
                    277:        epp->ep_flags |= EXEC_DESTR;
                    278:        if (error == 0) {
1.1       cgd       279:                /*
                    280:                 * It succeeded.  Unlock the script and
                    281:                 * close it if we aren't using it any more.
1.4       cgd       282:                 * Also, set things up so that the fake args
1.1       cgd       283:                 * list will be used.
                    284:                 */
1.14      cgd       285:                if ((epp->ep_flags & EXEC_HASFD) == 0) {
1.20      wrstuden  286:                        vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.58      pooka     287:                        VOP_CLOSE(scriptvp, FREAD, l->l_cred);
1.20      wrstuden  288:                        vput(scriptvp);
1.14      cgd       289:                }
1.2       cgd       290:
                    291:                /* free the old pathname buffer */
1.26      thorpej   292:                PNBUF_PUT(oldpnbuf);
1.1       cgd       293:
                    294:                epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
                    295:                epp->ep_fa = shellargp;
                    296: #ifdef SETUIDSCRIPTS
                    297:                /*
                    298:                 * set thing up so that set-id scripts will be
1.54      ad        299:                 * handled appropriately.  PSL_TRACED will be
1.29      thorpej   300:                 * checked later when the shell is actually
                    301:                 * exec'd.
1.1       cgd       302:                 */
                    303:                epp->ep_vap->va_mode |= script_sbits;
1.17      mycroft   304:                if (script_sbits & S_ISUID)
1.1       cgd       305:                        epp->ep_vap->va_uid = script_uid;
1.17      mycroft   306:                if (script_sbits & S_ISGID)
1.1       cgd       307:                        epp->ep_vap->va_gid = script_gid;
                    308: #endif
1.4       cgd       309:                return (0);
                    310:        }
                    311:
1.5       cgd       312:        /* XXX oldpnbuf not set for "goto fail" path */
1.7       mycroft   313:        epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
1.13      christos  314: #ifdef FDSCRIPTS
1.4       cgd       315: fail:
1.13      christos  316: #endif
1.4       cgd       317:
                    318:        /* kill the opened file descriptor, else close the file */
                    319:         if (epp->ep_flags & EXEC_HASFD) {
                    320:                 epp->ep_flags &= ~EXEC_HASFD;
1.45      christos  321:                 (void) fdrelease(l, epp->ep_fd);
1.18      christos  322:         } else if (scriptvp) {
1.20      wrstuden  323:                vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
1.58      pooka     324:                VOP_CLOSE(scriptvp, FREAD, l->l_cred);
1.20      wrstuden  325:                vput(scriptvp);
1.14      cgd       326:        }
1.4       cgd       327:
1.26      thorpej   328:         PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
1.1       cgd       329:
1.4       cgd       330:        /* free the fake arg list, because we're not returning it */
1.18      christos  331:        if ((tmpsap = shellargp) != NULL) {
                    332:                while (*tmpsap != NULL) {
                    333:                        FREE(*tmpsap, M_EXEC);
                    334:                        tmpsap++;
                    335:                }
                    336:                FREE(shellargp, M_EXEC);
1.1       cgd       337:        }
1.4       cgd       338:
                    339:         /*
                    340:          * free any vmspace-creation commands,
                    341:          * and release their references
                    342:          */
                    343:         kill_vmcmds(&epp->ep_vmcmds);
1.1       cgd       344:
1.4       cgd       345:         return error;
1.1       cgd       346: }

CVSweb <webmaster@jp.NetBSD.org>