Annotation of sys/kern/exec_script.c, Revision 1.1
1.1 ! nbrk 1: /* $OpenBSD: exec_script.c,v 1.24 2006/11/14 18:00:27 jmc Exp $ */
! 2: /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */
! 3:
! 4: /*
! 5: * Copyright (c) 1993, 1994 Christopher G. Demetriou
! 6: * All rights reserved.
! 7: *
! 8: * Redistribution and use in source and binary forms, with or without
! 9: * modification, are permitted provided that the following conditions
! 10: * are met:
! 11: * 1. Redistributions of source code must retain the above copyright
! 12: * notice, this list of conditions and the following disclaimer.
! 13: * 2. Redistributions in binary form must reproduce the above copyright
! 14: * notice, this list of conditions and the following disclaimer in the
! 15: * documentation and/or other materials provided with the distribution.
! 16: * 3. All advertising materials mentioning features or use of this software
! 17: * must display the following acknowledgement:
! 18: * This product includes software developed by Christopher G. Demetriou.
! 19: * 4. The name of the author may not be used to endorse or promote products
! 20: * derived from this software without specific prior written permission
! 21: *
! 22: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
! 23: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
! 24: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
! 25: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
! 26: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
! 27: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
! 28: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
! 29: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
! 30: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
! 31: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 32: */
! 33:
! 34: #include <sys/param.h>
! 35: #include <sys/systm.h>
! 36: #include <sys/proc.h>
! 37: #include <sys/malloc.h>
! 38: #include <sys/pool.h>
! 39: #include <sys/vnode.h>
! 40: #include <sys/namei.h>
! 41: #include <sys/file.h>
! 42: #include <sys/filedesc.h>
! 43: #include <sys/exec.h>
! 44: #include <sys/resourcevar.h>
! 45: #include <uvm/uvm_extern.h>
! 46:
! 47: #include <sys/exec_script.h>
! 48:
! 49: #include "systrace.h"
! 50:
! 51: #if NSYSTRACE > 0
! 52: #include <dev/systrace.h>
! 53: #endif
! 54:
! 55: #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
! 56: #define FDSCRIPTS /* Need this for safe set-id scripts. */
! 57: #endif
! 58:
! 59: /*
! 60: * exec_script_makecmds(): Check if it's an executable shell script.
! 61: *
! 62: * Given a proc pointer and an exec package pointer, see if the referent
! 63: * of the epp is in shell script. If it is, then set things up so that
! 64: * the script can be run. This involves preparing the address space
! 65: * and arguments for the shell which will run the script.
! 66: *
! 67: * This function is ultimately responsible for creating a set of vmcmds
! 68: * which can be used to build the process's vm space and inserting them
! 69: * into the exec package.
! 70: */
! 71: int
! 72: exec_script_makecmds(struct proc *p, struct exec_package *epp)
! 73: {
! 74: int error, hdrlinelen, shellnamelen, shellarglen;
! 75: char *hdrstr = epp->ep_hdr;
! 76: char *cp, *shellname, *shellarg, *oldpnbuf;
! 77: char **shellargp = NULL, **tmpsap;
! 78: struct vnode *scriptvp;
! 79: #ifdef SETUIDSCRIPTS
! 80: uid_t script_uid = -1;
! 81: gid_t script_gid = -1;
! 82: u_short script_sbits;
! 83: #endif
! 84:
! 85: /*
! 86: * remember the old vp and pnbuf for later, so we can restore
! 87: * them if check_exec() fails.
! 88: */
! 89: scriptvp = epp->ep_vp;
! 90: oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
! 91:
! 92: /*
! 93: * if the magic isn't that of a shell script, or we've already
! 94: * done shell script processing for this exec, punt on it.
! 95: */
! 96: if ((epp->ep_flags & EXEC_INDIR) != 0 ||
! 97: epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
! 98: strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
! 99: return ENOEXEC;
! 100:
! 101: /*
! 102: * check that the shell spec is terminated by a newline,
! 103: * and that it isn't too large. Don't modify the
! 104: * buffer unless we're ready to commit to handling it.
! 105: * (The latter requirement means that we have to check
! 106: * for both spaces and tabs later on.)
! 107: */
! 108: hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
! 109: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
! 110: cp++) {
! 111: if (*cp == '\n') {
! 112: *cp = '\0';
! 113: break;
! 114: }
! 115: }
! 116: if (cp >= hdrstr + hdrlinelen)
! 117: return ENOEXEC;
! 118:
! 119: shellname = NULL;
! 120: shellarg = NULL;
! 121: shellarglen = 0;
! 122:
! 123: /* strip spaces before the shell name */
! 124: for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
! 125: cp++)
! 126: ;
! 127:
! 128: /* collect the shell name; remember its length for later */
! 129: shellname = cp;
! 130: shellnamelen = 0;
! 131: if (*cp == '\0')
! 132: goto check_shell;
! 133: for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
! 134: shellnamelen++;
! 135: if (*cp == '\0')
! 136: goto check_shell;
! 137: *cp++ = '\0';
! 138:
! 139: /* skip spaces before any argument */
! 140: for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
! 141: ;
! 142: if (*cp == '\0')
! 143: goto check_shell;
! 144:
! 145: /*
! 146: * collect the shell argument. everything after the shell name
! 147: * is passed as ONE argument; that's the correct (historical)
! 148: * behaviour.
! 149: */
! 150: shellarg = cp;
! 151: for ( /* cp = cp */ ; *cp != '\0'; cp++)
! 152: shellarglen++;
! 153: *cp++ = '\0';
! 154:
! 155: check_shell:
! 156: #ifdef SETUIDSCRIPTS
! 157: /*
! 158: * MNT_NOSUID and STRC are already taken care of by check_exec,
! 159: * so we don't need to worry about them now or later.
! 160: */
! 161: script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
! 162: if (script_sbits != 0) {
! 163: script_uid = epp->ep_vap->va_uid;
! 164: script_gid = epp->ep_vap->va_gid;
! 165: }
! 166: #endif
! 167: #ifdef FDSCRIPTS
! 168: /*
! 169: * if the script isn't readable, or it's set-id, then we've
! 170: * gotta supply a "/dev/fd/..." for the shell to read.
! 171: * Note that stupid shells (csh) do the wrong thing, and
! 172: * close all open fd's when they start. That kills this
! 173: * method of implementing "safe" set-id and x-only scripts.
! 174: */
! 175: vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
! 176: error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
! 177: VOP_UNLOCK(scriptvp, 0, p);
! 178: if (error == EACCES
! 179: #ifdef SETUIDSCRIPTS
! 180: || script_sbits
! 181: #endif
! 182: ) {
! 183: struct file *fp;
! 184:
! 185: #ifdef DIAGNOSTIC
! 186: if (epp->ep_flags & EXEC_HASFD)
! 187: panic("exec_script_makecmds: epp already has a fd");
! 188: #endif
! 189:
! 190: if ((error = falloc(p, &fp, &epp->ep_fd)))
! 191: goto fail;
! 192:
! 193: epp->ep_flags |= EXEC_HASFD;
! 194: fp->f_type = DTYPE_VNODE;
! 195: fp->f_ops = &vnops;
! 196: fp->f_data = (caddr_t) scriptvp;
! 197: fp->f_flag = FREAD;
! 198: FILE_SET_MATURE(fp);
! 199: }
! 200: #endif
! 201:
! 202: /* set up the parameters for the recursive check_exec() call */
! 203: epp->ep_ndp->ni_dirp = shellname;
! 204: epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
! 205: epp->ep_flags |= EXEC_INDIR;
! 206:
! 207: /* and set up the fake args list, for later */
! 208: MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
! 209: tmpsap = shellargp;
! 210: *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
! 211: strlcpy(*tmpsap++, shellname, shellnamelen + 1);
! 212: if (shellarg != NULL) {
! 213: *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
! 214: strlcpy(*tmpsap++, shellarg, shellarglen + 1);
! 215: }
! 216: *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
! 217: #ifdef FDSCRIPTS
! 218: if ((epp->ep_flags & EXEC_HASFD) == 0) {
! 219: #endif
! 220: /* normally can't fail, but check for it if diagnostic */
! 221: #if NSYSTRACE > 0
! 222: if (ISSET(p->p_flag, P_SYSTRACE)) {
! 223: error = systrace_scriptname(p, *tmpsap);
! 224: if (error == 0)
! 225: tmpsap++;
! 226: else
! 227: /*
! 228: * Since systrace_scriptname() provides a
! 229: * convenience, not a security issue, we are
! 230: * safe to do this.
! 231: */
! 232: error = copystr(epp->ep_name, *tmpsap++,
! 233: MAXPATHLEN, NULL);
! 234: } else
! 235: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
! 236: NULL);
! 237: #else
! 238: error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
! 239: (size_t *)0);
! 240: #endif
! 241: #ifdef DIAGNOSTIC
! 242: if (error != 0)
! 243: panic("exec_script: copyinstr couldn't fail");
! 244: #endif
! 245: #ifdef FDSCRIPTS
! 246: } else
! 247: snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
! 248: #endif
! 249: *tmpsap = NULL;
! 250:
! 251: /*
! 252: * mark the header we have as invalid; check_exec will read
! 253: * the header from the new executable
! 254: */
! 255: epp->ep_hdrvalid = 0;
! 256:
! 257: if ((error = check_exec(p, epp)) == 0) {
! 258: /* note that we've clobbered the header */
! 259: epp->ep_flags |= EXEC_DESTR;
! 260:
! 261: /*
! 262: * It succeeded. Unlock the script and
! 263: * close it if we aren't using it any more.
! 264: * Also, set things up so that the fake args
! 265: * list will be used.
! 266: */
! 267: if ((epp->ep_flags & EXEC_HASFD) == 0)
! 268: vn_close(scriptvp, FREAD, p->p_ucred, p);
! 269:
! 270: /* free the old pathname buffer */
! 271: pool_put(&namei_pool, oldpnbuf);
! 272:
! 273: epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
! 274: epp->ep_fa = shellargp;
! 275: #ifdef SETUIDSCRIPTS
! 276: /*
! 277: * set things up so that set-id scripts will be
! 278: * handled appropriately
! 279: */
! 280: epp->ep_vap->va_mode |= script_sbits;
! 281: if (script_sbits & VSUID)
! 282: epp->ep_vap->va_uid = script_uid;
! 283: if (script_sbits & VSGID)
! 284: epp->ep_vap->va_gid = script_gid;
! 285: #endif
! 286: return (0);
! 287: }
! 288:
! 289: /* XXX oldpnbuf not set for "goto fail" path */
! 290: epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
! 291: #ifdef FDSCRIPTS
! 292: fail:
! 293: #endif
! 294: /* note that we've clobbered the header */
! 295: epp->ep_flags |= EXEC_DESTR;
! 296:
! 297: /* kill the opened file descriptor, else close the file */
! 298: if (epp->ep_flags & EXEC_HASFD) {
! 299: epp->ep_flags &= ~EXEC_HASFD;
! 300: (void) fdrelease(p, epp->ep_fd);
! 301: } else
! 302: vn_close(scriptvp, FREAD, p->p_ucred, p);
! 303:
! 304: pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
! 305:
! 306: /* free the fake arg list, because we're not returning it */
! 307: if ((tmpsap = shellargp) != NULL) {
! 308: while (*tmpsap != NULL) {
! 309: free(*tmpsap, M_EXEC);
! 310: tmpsap++;
! 311: }
! 312: FREE(shellargp, M_EXEC);
! 313: }
! 314:
! 315: /*
! 316: * free any vmspace-creation commands,
! 317: * and release their references
! 318: */
! 319: kill_vmcmds(&epp->ep_vmcmds);
! 320:
! 321: return error;
! 322: }
CVSweb