1 /* $NetBSD: exec_script.c,v 1.18 1997/07/08 02:32:02 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Christopher G. Demetriou. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 34 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 35 #endif 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/proc.h> 40 #include <sys/malloc.h> 41 #include <sys/vnode.h> 42 #include <sys/namei.h> 43 #include <sys/file.h> 44 #ifdef SETUIDSCRIPTS 45 #include <sys/stat.h> 46 #endif 47 #include <sys/filedesc.h> 48 #include <sys/exec.h> 49 #include <sys/resourcevar.h> 50 #include <vm/vm.h> 51 52 #include <sys/exec_script.h> 53 54 /* 55 * exec_script_makecmds(): Check if it's an executable shell script. 56 * 57 * Given a proc pointer and an exec package pointer, see if the referent 58 * of the epp is in shell script. If it is, then set thing up so that 59 * the script can be run. This involves preparing the address space 60 * and arguments for the shell which will run the script. 61 * 62 * This function is ultimately responsible for creating a set of vmcmds 63 * which can be used to build the process's vm space and inserting them 64 * into the exec package. 65 */ 66 int 67 exec_script_makecmds(p, epp) 68 struct proc *p; 69 struct exec_package *epp; 70 { 71 int error, hdrlinelen, shellnamelen, shellarglen; 72 char *hdrstr = epp->ep_hdr; 73 char *cp, *shellname, *shellarg, *oldpnbuf; 74 char **shellargp, **tmpsap; 75 struct vnode *scriptvp; 76 #ifdef SETUIDSCRIPTS 77 /* Gcc needs those initialized for spurious uninitialized warning */ 78 uid_t script_uid = (uid_t) -1; 79 gid_t script_gid = NOGROUP; 80 u_short script_sbits; 81 #endif 82 83 /* 84 * if the magic isn't that of a shell script, or we've already 85 * done shell script processing for this exec, punt on it. 86 */ 87 if ((epp->ep_flags & EXEC_INDIR) != 0 || 88 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 89 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 90 return ENOEXEC; 91 92 /* 93 * check that the shell spec is terminated by a newline, 94 * and that it isn't too large. Don't modify the 95 * buffer unless we're ready to commit to handling it. 96 * (The latter requirement means that we have to check 97 * for both spaces and tabs later on.) 98 */ 99 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 100 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 101 cp++) { 102 if (*cp == '\n') { 103 *cp = '\0'; 104 break; 105 } 106 } 107 if (cp >= hdrstr + hdrlinelen) 108 return ENOEXEC; 109 110 shellname = NULL; 111 shellarg = NULL; 112 shellarglen = 0; 113 114 /* strip spaces before the shell name */ 115 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 116 cp++) 117 ; 118 119 /* collect the shell name; remember it's length for later */ 120 shellname = cp; 121 shellnamelen = 0; 122 if (*cp == '\0') 123 goto check_shell; 124 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 125 shellnamelen++; 126 if (*cp == '\0') 127 goto check_shell; 128 *cp++ = '\0'; 129 130 /* skip spaces before any argument */ 131 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 132 ; 133 if (*cp == '\0') 134 goto check_shell; 135 136 /* 137 * collect the shell argument. everything after the shell name 138 * is passed as ONE argument; that's the correct (historical) 139 * behaviour. 140 */ 141 shellarg = cp; 142 for ( /* cp = cp */ ; *cp != '\0'; cp++) 143 shellarglen++; 144 *cp++ = '\0'; 145 146 check_shell: 147 #ifdef SETUIDSCRIPTS 148 /* 149 * MNT_NOSUID and STRC are already taken care of by check_exec, 150 * so we don't need to worry about them now or later. 151 */ 152 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); 153 if (script_sbits != 0) { 154 script_uid = epp->ep_vap->va_uid; 155 script_gid = epp->ep_vap->va_gid; 156 } 157 #endif 158 #ifdef FDSCRIPTS 159 /* 160 * if the script isn't readable, or it's set-id, then we've 161 * gotta supply a "/dev/fd/..." for the shell to read. 162 * Note that stupid shells (csh) do the wrong thing, and 163 * close all open fd's when the start. That kills this 164 * method of implementing "safe" set-id and x-only scripts. 165 */ 166 VOP_LOCK(epp->ep_vp); 167 error = VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p); 168 VOP_UNLOCK(epp->ep_vp); 169 if (error == EACCES 170 #ifdef SETUIDSCRIPTS 171 || script_sbits 172 #endif 173 ) { 174 struct file *fp; 175 extern struct fileops vnops; 176 177 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 178 if (epp->ep_flags & EXEC_HASFD) 179 panic("exec_script_makecmds: epp already has a fd"); 180 #endif 181 182 if ((error = falloc(p, &fp, &epp->ep_fd)) != 0) { 183 scriptvp = NULL; 184 shellargp = NULL; 185 goto fail; 186 } 187 188 epp->ep_flags |= EXEC_HASFD; 189 fp->f_type = DTYPE_VNODE; 190 fp->f_ops = &vnops; 191 fp->f_data = (caddr_t) epp->ep_vp; 192 fp->f_flag = FREAD; 193 } 194 #endif 195 196 /* set up the parameters for the recursive check_exec() call */ 197 epp->ep_ndp->ni_dirp = shellname; 198 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 199 epp->ep_flags |= EXEC_INDIR; 200 201 /* and set up the fake args list, for later */ 202 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 203 tmpsap = shellargp; 204 MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK); 205 strcpy(*tmpsap++, shellname); 206 if (shellarg != NULL) { 207 MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK); 208 strcpy(*tmpsap++, shellarg); 209 } 210 MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 211 #ifdef FDSCRIPTS 212 if ((epp->ep_flags & EXEC_HASFD) == 0) { 213 #endif 214 /* normally can't fail, but check for it if diagnostic */ 215 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 216 (size_t *)0); 217 #ifdef DIAGNOSTIC 218 if (error != 0) 219 panic("exec_script: copyinstr couldn't fail\n"); 220 #endif 221 #ifdef FDSCRIPTS 222 } else 223 sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd); 224 #endif 225 *tmpsap = NULL; 226 227 /* 228 * mark the header we have as invalid; check_exec will read 229 * the header from the new executable 230 */ 231 epp->ep_hdrvalid = 0; 232 233 /* 234 * remember the old vp and pnbuf for later, so we can restore 235 * them if check_exec() fails. 236 */ 237 scriptvp = epp->ep_vp; 238 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 239 240 if ((error = check_exec(p, epp)) == 0) { 241 /* note that we've clobbered the header */ 242 epp->ep_flags |= EXEC_DESTR; 243 244 /* 245 * It succeeded. Unlock the script and 246 * close it if we aren't using it any more. 247 * Also, set things up so that the fake args 248 * list will be used. 249 */ 250 if ((epp->ep_flags & EXEC_HASFD) == 0) { 251 VOP_CLOSE(scriptvp, FREAD, p->p_ucred, p); 252 vrele(scriptvp); 253 } 254 255 /* free the old pathname buffer */ 256 FREE(oldpnbuf, M_NAMEI); 257 258 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 259 epp->ep_fa = shellargp; 260 #ifdef SETUIDSCRIPTS 261 /* 262 * set thing up so that set-id scripts will be 263 * handled appropriately 264 */ 265 epp->ep_vap->va_mode |= script_sbits; 266 if (script_sbits & S_ISUID) 267 epp->ep_vap->va_uid = script_uid; 268 if (script_sbits & S_ISGID) 269 epp->ep_vap->va_gid = script_gid; 270 #endif 271 return (0); 272 } 273 274 /* XXX oldpnbuf not set for "goto fail" path */ 275 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 276 #ifdef FDSCRIPTS 277 fail: 278 #endif 279 /* note that we've clobbered the header */ 280 epp->ep_flags |= EXEC_DESTR; 281 282 /* kill the opened file descriptor, else close the file */ 283 if (epp->ep_flags & EXEC_HASFD) { 284 epp->ep_flags &= ~EXEC_HASFD; 285 (void) fdrelease(p, epp->ep_fd); 286 } else if (scriptvp) { 287 VOP_CLOSE(scriptvp, FREAD, p->p_ucred, p); 288 vrele(scriptvp); 289 } 290 291 FREE(epp->ep_ndp->ni_cnd.cn_pnbuf, M_NAMEI); 292 293 /* free the fake arg list, because we're not returning it */ 294 if ((tmpsap = shellargp) != NULL) { 295 while (*tmpsap != NULL) { 296 FREE(*tmpsap, M_EXEC); 297 tmpsap++; 298 } 299 FREE(shellargp, M_EXEC); 300 } 301 302 /* 303 * free any vmspace-creation commands, 304 * and release their references 305 */ 306 kill_vmcmds(&epp->ep_vmcmds); 307 308 return error; 309 } 310