1 /* $NetBSD: exec_script.c,v 1.10 1994/12/04 03:10:40 mycroft Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994 Christopher G. Demetriou 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Christopher G. Demetriou. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 34 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 35 #endif 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/proc.h> 40 #include <sys/malloc.h> 41 #include <sys/vnode.h> 42 #include <sys/namei.h> 43 #include <sys/file.h> 44 #include <sys/filedesc.h> 45 #include <sys/exec.h> 46 #include <sys/resourcevar.h> 47 #include <vm/vm.h> 48 49 #include <sys/exec_script.h> 50 51 /* 52 * exec_script_makecmds(): Check if it's an executable shell script. 53 * 54 * Given a proc pointer and an exec package pointer, see if the referent 55 * of the epp is in shell script. If it is, then set thing up so that 56 * the script can be run. This involves preparing the address space 57 * and arguments for the shell which will run the script. 58 * 59 * This function is ultimately responsible for creating a set of vmcmds 60 * which can be used to build the process's vm space and inserting them 61 * into the exec package. 62 */ 63 int 64 exec_script_makecmds(p, epp) 65 struct proc *p; 66 struct exec_package *epp; 67 { 68 int error, hdrlinelen, shellnamelen, shellarglen; 69 char *hdrstr = epp->ep_hdr; 70 char *cp, *shellname, *shellarg, *oldpnbuf; 71 char **shellargp, **tmpsap; 72 struct vnode *scriptvp; 73 #ifdef SETUIDSCRIPTS 74 uid_t script_uid; 75 gid_t script_gid; 76 u_short script_sbits; 77 #endif 78 79 /* 80 * if the magic isn't that of a shell script, or we've already 81 * done shell script processing for this exec, punt on it. 82 */ 83 if ((epp->ep_flags & EXEC_INDIR) != 0 || 84 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 85 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 86 return ENOEXEC; 87 88 /* 89 * check that the shell spec is terminated by a newline, 90 * and that it isn't too large. Don't modify the 91 * buffer unless we're ready to commit to handling it. 92 * (The latter requirement means that we have to check 93 * for both spaces and tabs later on.) 94 */ 95 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 96 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 97 cp++) { 98 if (*cp == '\n') { 99 *cp = '\0'; 100 break; 101 } 102 } 103 if (cp >= hdrstr + hdrlinelen) 104 return ENOEXEC; 105 106 shellname = NULL; 107 shellarg = NULL; 108 109 /* strip spaces before the shell name */ 110 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 111 cp++) 112 ; 113 114 /* collect the shell name; remember it's length for later */ 115 shellname = cp; 116 shellnamelen = 0; 117 if (*cp == '\0') 118 goto check_shell; 119 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 120 shellnamelen++; 121 if (*cp == '\0') 122 goto check_shell; 123 *cp++ = '\0'; 124 125 /* skip spaces before any argument */ 126 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 127 ; 128 if (*cp == '\0') 129 goto check_shell; 130 131 /* 132 * collect the shell argument. everything after the shell name 133 * is passed as ONE argument; that's the correct (historical) 134 * behaviour. 135 */ 136 shellarg = cp; 137 shellarglen = 0; 138 for ( /* cp = cp */ ; *cp != '\0'; cp++) 139 shellarglen++; 140 *cp++ = '\0'; 141 142 check_shell: 143 #ifdef SETUIDSCRIPTS 144 /* 145 * MNT_NOSUID and STRC are already taken care of by check_exec, 146 * so we don't need to worry about them now or later. 147 */ 148 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID); 149 if (script_sbits != 0) { 150 script_uid = epp->ep_vap->va_uid; 151 script_gid = epp->ep_vap->va_gid; 152 } 153 #endif 154 #ifdef FDSCRIPTS 155 /* 156 * if the script isn't readable, or it's set-id, then we've 157 * gotta supply a "/dev/fd/..." for the shell to read. 158 * Note that stupid shells (csh) do the wrong thing, and 159 * close all open fd's when the start. That kills this 160 * method of implementing "safe" set-id and x-only scripts. 161 */ 162 if (VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p) == EACCES 163 #ifdef SETUIDSCRIPTS 164 || script_sbits 165 #endif 166 ) { 167 struct file *fp; 168 extern struct fileops vnops; 169 170 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS) 171 if (epp->ep_flags & EXEC_HASFD) 172 panic("exec_script_makecmds: epp already has a fd"); 173 #endif 174 175 if (error = falloc(p, &fp, &epp->ep_fd)) 176 goto fail; 177 178 epp->ep_flags |= EXEC_HASFD; 179 fp->f_type = DTYPE_VNODE; 180 fp->f_ops = &vnops; 181 fp->f_data = (caddr_t) epp->ep_vp; 182 fp->f_flag = FREAD; 183 } 184 #endif 185 186 /* set up the parameters for the recursive check_exec() call */ 187 epp->ep_ndp->ni_dirp = shellname; 188 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 189 epp->ep_flags |= EXEC_INDIR; 190 191 /* and set up the fake args list, for later */ 192 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 193 tmpsap = shellargp; 194 MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK); 195 strcpy(*tmpsap++, shellname); 196 if (shellarg != NULL) { 197 MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK); 198 strcpy(*tmpsap++, shellarg); 199 } 200 MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK); 201 #ifdef FDSCRIPTS 202 if ((epp->ep_flags & EXEC_HASFD) == 0) { 203 #endif 204 /* normally can't fail, but check for it if diagnostic */ 205 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 0); 206 #ifdef DIAGNOSTIC 207 if (error != 0) 208 panic("exec_script: copyinstr couldn't fail\n"); 209 #endif 210 #ifdef FDSCRIPTS 211 } else 212 sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd); 213 #endif 214 *tmpsap = NULL; 215 216 /* 217 * mark the header we have as invalid; check_exec will read 218 * the header from the new executable 219 */ 220 epp->ep_hdrvalid = 0; 221 222 /* 223 * remember the old vp and pnbuf for later, so we can restore 224 * them if check_exec() fails. 225 */ 226 scriptvp = epp->ep_vp; 227 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 228 229 VOP_UNLOCK(scriptvp); 230 231 if ((error = check_exec(p, epp)) == 0) { 232 /* note that we've clobbered the header */ 233 epp->ep_flags |= EXEC_DESTR; 234 235 /* 236 * It succeeded. Unlock the script and 237 * close it if we aren't using it any more. 238 * Also, set things up so that the fake args 239 * list will be used. 240 */ 241 if ((epp->ep_flags & EXEC_HASFD) == 0) 242 vn_close(scriptvp, FREAD, p->p_ucred, p); 243 244 /* free the old pathname buffer */ 245 FREE(oldpnbuf, M_NAMEI); 246 247 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 248 epp->ep_fa = shellargp; 249 #ifdef SETUIDSCRIPTS 250 /* 251 * set thing up so that set-id scripts will be 252 * handled appropriately 253 */ 254 epp->ep_vap->va_mode |= script_sbits; 255 if (script_sbits & VSUID) 256 epp->ep_vap->va_uid = script_uid; 257 if (script_sbits & VSGID) 258 epp->ep_vap->va_gid = script_gid; 259 #endif 260 return (0); 261 } 262 263 /* XXX oldpnbuf not set for "goto fail" path */ 264 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 265 fail: 266 /* note that we've clobbered the header */ 267 epp->ep_flags |= EXEC_DESTR; 268 269 /* kill the opened file descriptor, else close the file */ 270 if (epp->ep_flags & EXEC_HASFD) { 271 epp->ep_flags &= ~EXEC_HASFD; 272 (void) fdclose(p, epp->ep_fd); 273 } else 274 vn_close(scriptvp, FREAD, p->p_ucred, p); 275 276 FREE(epp->ep_ndp->ni_cnd.cn_pnbuf, M_NAMEI); 277 278 /* free the fake arg list, because we're not returning it */ 279 tmpsap = shellargp; 280 while (*tmpsap != NULL) { 281 FREE(*tmpsap, M_EXEC); 282 tmpsap++; 283 } 284 FREE(shellargp, M_EXEC); 285 286 /* 287 * free any vmspace-creation commands, 288 * and release their references 289 */ 290 kill_vmcmds(&epp->ep_vmcmds); 291 292 return error; 293 } 294