1 /* $OpenBSD: exec_script.c,v 1.35 2015/03/14 03:38:50 jsg Exp $ */ 2 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1993, 1994 Christopher G. Demetriou 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Christopher G. Demetriou. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/proc.h> 37 #include <sys/malloc.h> 38 #include <sys/pool.h> 39 #include <sys/vnode.h> 40 #include <sys/lock.h> 41 #include <sys/namei.h> 42 #include <sys/file.h> 43 #include <sys/filedesc.h> 44 #include <sys/exec.h> 45 46 #include <sys/exec_script.h> 47 48 #include "systrace.h" 49 50 #if NSYSTRACE > 0 51 #include <dev/systrace.h> 52 #endif 53 54 55 /* 56 * exec_script_makecmds(): Check if it's an executable shell script. 57 * 58 * Given a proc pointer and an exec package pointer, see if the referent 59 * of the epp is in shell script. If it is, then set things up so that 60 * the script can be run. This involves preparing the address space 61 * and arguments for the shell which will run the script. 62 * 63 * This function is ultimately responsible for creating a set of vmcmds 64 * which can be used to build the process's vm space and inserting them 65 * into the exec package. 66 */ 67 int 68 exec_script_makecmds(struct proc *p, struct exec_package *epp) 69 { 70 int error, hdrlinelen, shellnamelen, shellarglen; 71 char *hdrstr = epp->ep_hdr; 72 char *cp, *shellname, *shellarg, *oldpnbuf; 73 char **shellargp = NULL, **tmpsap; 74 struct vnode *scriptvp; 75 uid_t script_uid = -1; 76 gid_t script_gid = -1; 77 u_short script_sbits; 78 79 /* 80 * remember the old vp and pnbuf for later, so we can restore 81 * them if check_exec() fails. 82 */ 83 scriptvp = epp->ep_vp; 84 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 85 86 /* 87 * if the magic isn't that of a shell script, or we've already 88 * done shell script processing for this exec, punt on it. 89 */ 90 if ((epp->ep_flags & EXEC_INDIR) != 0 || 91 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 92 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 93 return ENOEXEC; 94 95 /* 96 * check that the shell spec is terminated by a newline, 97 * and that it isn't too large. Don't modify the 98 * buffer unless we're ready to commit to handling it. 99 * (The latter requirement means that we have to check 100 * for both spaces and tabs later on.) 101 */ 102 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 103 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 104 cp++) { 105 if (*cp == '\n') { 106 *cp = '\0'; 107 break; 108 } 109 } 110 if (cp >= hdrstr + hdrlinelen) 111 return ENOEXEC; 112 113 shellname = NULL; 114 shellarg = NULL; 115 shellarglen = 0; 116 117 /* strip spaces before the shell name */ 118 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 119 cp++) 120 ; 121 122 /* collect the shell name; remember its length for later */ 123 shellname = cp; 124 shellnamelen = 0; 125 if (*cp == '\0') 126 goto check_shell; 127 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 128 shellnamelen++; 129 if (*cp == '\0') 130 goto check_shell; 131 *cp++ = '\0'; 132 133 /* skip spaces before any argument */ 134 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 135 ; 136 if (*cp == '\0') 137 goto check_shell; 138 139 /* 140 * collect the shell argument. everything after the shell name 141 * is passed as ONE argument; that's the correct (historical) 142 * behaviour. 143 */ 144 shellarg = cp; 145 for ( /* cp = cp */ ; *cp != '\0'; cp++) 146 shellarglen++; 147 *cp++ = '\0'; 148 149 check_shell: 150 /* 151 * MNT_NOSUID and STRC are already taken care of by check_exec, 152 * so we don't need to worry about them now or later. 153 */ 154 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID); 155 if (script_sbits != 0) { 156 script_uid = epp->ep_vap->va_uid; 157 script_gid = epp->ep_vap->va_gid; 158 } 159 /* 160 * if the script isn't readable, or it's set-id, then we've 161 * gotta supply a "/dev/fd/..." for the shell to read. 162 * Note that stupid shells (csh) do the wrong thing, and 163 * close all open fd's when they start. That kills this 164 * method of implementing "safe" set-id and x-only scripts. 165 */ 166 vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p); 167 error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p); 168 VOP_UNLOCK(scriptvp, 0, p); 169 if (error == EACCES || script_sbits) { 170 struct file *fp; 171 172 #ifdef DIAGNOSTIC 173 if (epp->ep_flags & EXEC_HASFD) 174 panic("exec_script_makecmds: epp already has a fd"); 175 #endif 176 177 fdplock(p->p_fd); 178 error = falloc(p, &fp, &epp->ep_fd); 179 fdpunlock(p->p_fd); 180 if (error) 181 goto fail; 182 183 epp->ep_flags |= EXEC_HASFD; 184 fp->f_type = DTYPE_VNODE; 185 fp->f_ops = &vnops; 186 fp->f_data = (caddr_t) scriptvp; 187 fp->f_flag = FREAD; 188 FILE_SET_MATURE(fp, p); 189 } 190 191 /* set up the parameters for the recursive check_exec() call */ 192 epp->ep_ndp->ni_dirfd = AT_FDCWD; 193 epp->ep_ndp->ni_dirp = shellname; 194 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 195 epp->ep_flags |= EXEC_INDIR; 196 197 /* and set up the fake args list, for later */ 198 shellargp = mallocarray(4, sizeof(char *), M_EXEC, M_WAITOK); 199 tmpsap = shellargp; 200 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); 201 strlcpy(*tmpsap++, shellname, shellnamelen + 1); 202 if (shellarg != NULL) { 203 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK); 204 strlcpy(*tmpsap++, shellarg, shellarglen + 1); 205 } 206 *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK); 207 if ((epp->ep_flags & EXEC_HASFD) == 0) { 208 #if NSYSTRACE > 0 209 if (ISSET(p->p_flag, P_SYSTRACE)) { 210 error = systrace_scriptname(p, *tmpsap); 211 if (error == 0) 212 tmpsap++; 213 else 214 /* 215 * Since systrace_scriptname() provides a 216 * convenience, not a security issue, we are 217 * safe to do this. 218 */ 219 error = copystr(epp->ep_name, *tmpsap++, 220 MAXPATHLEN, NULL); 221 } else 222 #endif 223 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 224 NULL); 225 if (error != 0) 226 goto fail; 227 } else 228 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 229 *tmpsap = NULL; 230 231 /* 232 * mark the header we have as invalid; check_exec will read 233 * the header from the new executable 234 */ 235 epp->ep_hdrvalid = 0; 236 237 if ((error = check_exec(p, epp)) == 0) { 238 /* note that we've clobbered the header */ 239 epp->ep_flags |= EXEC_DESTR; 240 241 /* 242 * It succeeded. Unlock the script and 243 * close it if we aren't using it any more. 244 * Also, set things up so that the fake args 245 * list will be used. 246 */ 247 if ((epp->ep_flags & EXEC_HASFD) == 0) 248 vn_close(scriptvp, FREAD, p->p_ucred, p); 249 250 /* free the old pathname buffer */ 251 pool_put(&namei_pool, oldpnbuf); 252 253 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 254 epp->ep_fa = shellargp; 255 /* 256 * set things up so that set-id scripts will be 257 * handled appropriately 258 */ 259 epp->ep_vap->va_mode |= script_sbits; 260 if (script_sbits & VSUID) 261 epp->ep_vap->va_uid = script_uid; 262 if (script_sbits & VSGID) 263 epp->ep_vap->va_gid = script_gid; 264 return (0); 265 } 266 267 /* XXX oldpnbuf not set for "goto fail" path */ 268 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 269 fail: 270 /* note that we've clobbered the header */ 271 epp->ep_flags |= EXEC_DESTR; 272 273 /* kill the opened file descriptor, else close the file */ 274 if (epp->ep_flags & EXEC_HASFD) { 275 epp->ep_flags &= ~EXEC_HASFD; 276 fdplock(p->p_fd); 277 (void) fdrelease(p, epp->ep_fd); 278 fdpunlock(p->p_fd); 279 } else 280 vn_close(scriptvp, FREAD, p->p_ucred, p); 281 282 pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf); 283 284 /* free the fake arg list, because we're not returning it */ 285 if ((tmpsap = shellargp) != NULL) { 286 while (*tmpsap != NULL) { 287 free(*tmpsap, M_EXEC, 0); 288 tmpsap++; 289 } 290 free(shellargp, M_EXEC, 0); 291 } 292 293 /* 294 * free any vmspace-creation commands, 295 * and release their references 296 */ 297 kill_vmcmds(&epp->ep_vmcmds); 298 299 return error; 300 } 301