xref: /netbsd-src/sys/kern/exec_script.c (revision b7ae68fde0d8ef1c03714e8bbb1ee7c6118ea93b) 
1 /*	$NetBSD: exec_script.c,v 1.52 2006/07/26 09:33:57 dogcow Exp $	*/
2 
3 /*
4  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. All advertising materials mentioning features or use of this software
16  *    must display the following acknowledgement:
17  *      This product includes software developed by Christopher G. Demetriou.
18  * 4. The name of the author may not be used to endorse or promote products
19  *    derived from this software without specific prior written permission
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.52 2006/07/26 09:33:57 dogcow Exp $");
35 
36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
37 #define FDSCRIPTS		/* Need this for safe set-id scripts. */
38 #endif
39 
40 #include "veriexec.h"
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/proc.h>
45 #include <sys/malloc.h>
46 #include <sys/vnode.h>
47 #include <sys/namei.h>
48 #include <sys/file.h>
49 #ifdef SETUIDSCRIPTS
50 #include <sys/stat.h>
51 #endif
52 #include <sys/filedesc.h>
53 #include <sys/exec.h>
54 #include <sys/resourcevar.h>
55 
56 #include <sys/exec_script.h>
57 #include <sys/exec_elf.h>
58 
59 #if NVERIEXEC > 0
60 #include <sys/verified_exec.h>
61 #endif /* NVERIEXEC > 0 */
62 
63 #ifdef SYSTRACE
64 #include <sys/systrace.h>
65 #endif /* SYSTRACE */
66 
67 /*
68  * exec_script_makecmds(): Check if it's an executable shell script.
69  *
70  * Given a proc pointer and an exec package pointer, see if the referent
71  * of the epp is in shell script.  If it is, then set thing up so that
72  * the script can be run.  This involves preparing the address space
73  * and arguments for the shell which will run the script.
74  *
75  * This function is ultimately responsible for creating a set of vmcmds
76  * which can be used to build the process's vm space and inserting them
77  * into the exec package.
78  */
79 int
80 exec_script_makecmds(struct lwp *l, struct exec_package *epp)
81 {
82 	int error, hdrlinelen, shellnamelen, shellarglen;
83 	char *hdrstr = epp->ep_hdr;
84 	char *cp, *shellname, *shellarg, *oldpnbuf;
85 	char **shellargp, **tmpsap;
86 	struct vnode *scriptvp;
87 #ifdef SETUIDSCRIPTS
88 	/* Gcc needs those initialized for spurious uninitialized warning */
89 	uid_t script_uid = (uid_t) -1;
90 	gid_t script_gid = NOGROUP;
91 	u_short script_sbits;
92 #endif
93 
94 	/*
95 	 * if the magic isn't that of a shell script, or we've already
96 	 * done shell script processing for this exec, punt on it.
97 	 */
98 	if ((epp->ep_flags & EXEC_INDIR) != 0 ||
99 	    epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
100 	    strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
101 		return ENOEXEC;
102 
103 	/*
104 	 * check that the shell spec is terminated by a newline,
105 	 * and that it isn't too large.  Don't modify the
106 	 * buffer unless we're ready to commit to handling it.
107 	 * (The latter requirement means that we have to check
108 	 * for both spaces and tabs later on.)
109 	 */
110 	hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
111 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
112 	    cp++) {
113 		if (*cp == '\n') {
114 			*cp = '\0';
115 			break;
116 		}
117 	}
118 	if (cp >= hdrstr + hdrlinelen)
119 		return ENOEXEC;
120 
121 	/*
122 	 * If the script has an ELF header, don't exec it.
123 	 */
124 	if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
125 	    memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
126 		return ENOEXEC;
127 
128 	shellname = NULL;
129 	shellarg = NULL;
130 	shellarglen = 0;
131 
132 	/* strip spaces before the shell name */
133 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
134 	    cp++)
135 		;
136 
137 	/* collect the shell name; remember it's length for later */
138 	shellname = cp;
139 	shellnamelen = 0;
140 	if (*cp == '\0')
141 		goto check_shell;
142 	for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
143 		shellnamelen++;
144 	if (*cp == '\0')
145 		goto check_shell;
146 	*cp++ = '\0';
147 
148 	/* skip spaces before any argument */
149 	for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
150 		;
151 	if (*cp == '\0')
152 		goto check_shell;
153 
154 	/*
155 	 * collect the shell argument.  everything after the shell name
156 	 * is passed as ONE argument; that's the correct (historical)
157 	 * behaviour.
158 	 */
159 	shellarg = cp;
160 	for ( /* cp = cp */ ; *cp != '\0'; cp++)
161 		shellarglen++;
162 	*cp++ = '\0';
163 
164 check_shell:
165 #ifdef SETUIDSCRIPTS
166 	/*
167 	 * MNT_NOSUID has already taken care of by check_exec,
168 	 * so we don't need to worry about it now or later.  We
169 	 * will need to check P_TRACED later, however.
170 	 */
171 	script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
172 	if (script_sbits != 0) {
173 		script_uid = epp->ep_vap->va_uid;
174 		script_gid = epp->ep_vap->va_gid;
175 	}
176 #endif
177 #ifdef FDSCRIPTS
178 	/*
179 	 * if the script isn't readable, or it's set-id, then we've
180 	 * gotta supply a "/dev/fd/..." for the shell to read.
181 	 * Note that stupid shells (csh) do the wrong thing, and
182 	 * close all open fd's when the start.  That kills this
183 	 * method of implementing "safe" set-id and x-only scripts.
184 	 */
185 	vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
186 	error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred, l);
187 	VOP_UNLOCK(epp->ep_vp, 0);
188 	if (error == EACCES
189 #ifdef SETUIDSCRIPTS
190 	    || script_sbits
191 #endif
192 	    ) {
193 		struct file *fp;
194 
195 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
196 		if (epp->ep_flags & EXEC_HASFD)
197 			panic("exec_script_makecmds: epp already has a fd");
198 #endif
199 
200 		/* falloc() will use the descriptor for us */
201 		if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) {
202 			scriptvp = NULL;
203 			shellargp = NULL;
204 			goto fail;
205 		}
206 
207 		epp->ep_flags |= EXEC_HASFD;
208 		fp->f_type = DTYPE_VNODE;
209 		fp->f_ops = &vnops;
210 		fp->f_data = (caddr_t) epp->ep_vp;
211 		fp->f_flag = FREAD;
212 		FILE_SET_MATURE(fp);
213 		FILE_UNUSE(fp, l);
214 	}
215 #endif
216 
217 	/* set up the parameters for the recursive check_exec() call */
218 	epp->ep_ndp->ni_dirp = shellname;
219 	epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
220 	epp->ep_flags |= EXEC_INDIR;
221 
222 	/* and set up the fake args list, for later */
223 	MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
224 	tmpsap = shellargp;
225 	*tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
226 	strlcpy(*tmpsap++, shellname, shellnamelen + 1);
227 	if (shellarg != NULL) {
228 		*tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
229 		strlcpy(*tmpsap++, shellarg, shellarglen + 1);
230 	}
231 	MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
232 #ifdef FDSCRIPTS
233 	if ((epp->ep_flags & EXEC_HASFD) == 0) {
234 #endif
235 		/* normally can't fail, but check for it if diagnostic */
236 #ifdef SYSTRACE
237 		error = 1;
238 		if (ISSET(l->l_proc->p_flag, P_SYSTRACE)) {
239 			error = systrace_scriptname(p, *tmpsap);
240 			if (error == 0)
241 				tmpsap++;
242 		}
243 		if (error) {
244 			/*
245 			 * Since systrace_scriptname() provides a
246 			 * convenience, not a security issue, we are
247 			 * safe to do this.
248 			 */
249 			error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN,
250 					NULL);
251 		}
252 #else
253 		error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
254 		    (size_t *)0);
255 #endif /* SYSTRACE */
256 #ifdef DIAGNOSTIC
257 		if (error != 0)
258 			panic("exec_script: copyinstr couldn't fail");
259 #endif
260 #ifdef FDSCRIPTS
261 	} else
262 		snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
263 #endif
264 	*tmpsap = NULL;
265 
266 	/*
267 	 * mark the header we have as invalid; check_exec will read
268 	 * the header from the new executable
269 	 */
270 	epp->ep_hdrvalid = 0;
271 
272 	/*
273 	 * remember the old vp and pnbuf for later, so we can restore
274 	 * them if check_exec() fails.
275 	 */
276 	scriptvp = epp->ep_vp;
277 	oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
278 
279 #if NVERIEXEC > 0
280 	if ((error = check_exec(l, epp, VERIEXEC_INDIRECT)) == 0) {
281 #else
282 	if ((error = check_exec(l, epp, 0)) == 0) {
283 #endif /* NVERIEXEC > 0 */
284 		/* note that we've clobbered the header */
285 		epp->ep_flags |= EXEC_DESTR|EXEC_HASES;
286 
287 		/*
288 		 * It succeeded.  Unlock the script and
289 		 * close it if we aren't using it any more.
290 		 * Also, set things up so that the fake args
291 		 * list will be used.
292 		 */
293 		if ((epp->ep_flags & EXEC_HASFD) == 0) {
294 			vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
295 			VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
296 			vput(scriptvp);
297 		}
298 
299 		/* free the old pathname buffer */
300 		PNBUF_PUT(oldpnbuf);
301 
302 		epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
303 		epp->ep_fa = shellargp;
304 #ifdef SETUIDSCRIPTS
305 		/*
306 		 * set thing up so that set-id scripts will be
307 		 * handled appropriately.  P_TRACED will be
308 		 * checked later when the shell is actually
309 		 * exec'd.
310 		 */
311 		epp->ep_vap->va_mode |= script_sbits;
312 		if (script_sbits & S_ISUID)
313 			epp->ep_vap->va_uid = script_uid;
314 		if (script_sbits & S_ISGID)
315 			epp->ep_vap->va_gid = script_gid;
316 #endif
317 		return (0);
318 	}
319 
320 	/* XXX oldpnbuf not set for "goto fail" path */
321 	epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
322 #ifdef FDSCRIPTS
323 fail:
324 #endif
325 	/* note that we've clobbered the header */
326 	epp->ep_flags |= EXEC_DESTR;
327 
328 	/* kill the opened file descriptor, else close the file */
329         if (epp->ep_flags & EXEC_HASFD) {
330                 epp->ep_flags &= ~EXEC_HASFD;
331                 (void) fdrelease(l, epp->ep_fd);
332         } else if (scriptvp) {
333 		vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
334 		VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
335 		vput(scriptvp);
336 	}
337 
338         PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
339 
340 	/* free the fake arg list, because we're not returning it */
341 	if ((tmpsap = shellargp) != NULL) {
342 		while (*tmpsap != NULL) {
343 			FREE(*tmpsap, M_EXEC);
344 			tmpsap++;
345 		}
346 		FREE(shellargp, M_EXEC);
347 	}
348 
349         /*
350          * free any vmspace-creation commands,
351          * and release their references
352          */
353         kill_vmcmds(&epp->ep_vmcmds);
354 
355         return error;
356 }
357