xref: /openbsd-src/sys/kern/exec_script.c (revision 8cc2fc565664ba2dd04a48c2b1093fd84d34db8f)
1 /*	$OpenBSD: exec_script.c,v 1.31 2014/07/13 23:59:58 tedu Exp $	*/
2 /*	$NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $	*/
3 
4 /*
5  * Copyright (c) 1993, 1994 Christopher G. Demetriou
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. All advertising materials mentioning features or use of this software
17  *    must display the following acknowledgement:
18  *      This product includes software developed by Christopher G. Demetriou.
19  * 4. The name of the author may not be used to endorse or promote products
20  *    derived from this software without specific prior written permission
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  */
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/proc.h>
37 #include <sys/malloc.h>
38 #include <sys/pool.h>
39 #include <sys/vnode.h>
40 #include <sys/namei.h>
41 #include <sys/file.h>
42 #include <sys/filedesc.h>
43 #include <sys/exec.h>
44 #include <sys/resourcevar.h>
45 
46 #include <sys/exec_script.h>
47 
48 #include "systrace.h"
49 
50 #if NSYSTRACE > 0
51 #include <dev/systrace.h>
52 #endif
53 
54 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
55 #define FDSCRIPTS		/* Need this for safe set-id scripts. */
56 #endif
57 
58 /*
59  * exec_script_makecmds(): Check if it's an executable shell script.
60  *
61  * Given a proc pointer and an exec package pointer, see if the referent
62  * of the epp is in shell script.  If it is, then set things up so that
63  * the script can be run.  This involves preparing the address space
64  * and arguments for the shell which will run the script.
65  *
66  * This function is ultimately responsible for creating a set of vmcmds
67  * which can be used to build the process's vm space and inserting them
68  * into the exec package.
69  */
70 int
71 exec_script_makecmds(struct proc *p, struct exec_package *epp)
72 {
73 	int error, hdrlinelen, shellnamelen, shellarglen;
74 	char *hdrstr = epp->ep_hdr;
75 	char *cp, *shellname, *shellarg, *oldpnbuf;
76 	char **shellargp = NULL, **tmpsap;
77 	struct vnode *scriptvp;
78 #ifdef SETUIDSCRIPTS
79 	uid_t script_uid = -1;
80 	gid_t script_gid = -1;
81 	u_short script_sbits;
82 #endif
83 
84 	/*
85 	 * remember the old vp and pnbuf for later, so we can restore
86 	 * them if check_exec() fails.
87 	 */
88 	scriptvp = epp->ep_vp;
89 	oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
90 
91 	/*
92 	 * if the magic isn't that of a shell script, or we've already
93 	 * done shell script processing for this exec, punt on it.
94 	 */
95 	if ((epp->ep_flags & EXEC_INDIR) != 0 ||
96 	    epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
97 	    strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
98 		return ENOEXEC;
99 
100 	/*
101 	 * check that the shell spec is terminated by a newline,
102 	 * and that it isn't too large.  Don't modify the
103 	 * buffer unless we're ready to commit to handling it.
104 	 * (The latter requirement means that we have to check
105 	 * for both spaces and tabs later on.)
106 	 */
107 	hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
108 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
109 	    cp++) {
110 		if (*cp == '\n') {
111 			*cp = '\0';
112 			break;
113 		}
114 	}
115 	if (cp >= hdrstr + hdrlinelen)
116 		return ENOEXEC;
117 
118 	shellname = NULL;
119 	shellarg = NULL;
120 	shellarglen = 0;
121 
122 	/* strip spaces before the shell name */
123 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
124 	    cp++)
125 		;
126 
127 	/* collect the shell name; remember its length for later */
128 	shellname = cp;
129 	shellnamelen = 0;
130 	if (*cp == '\0')
131 		goto check_shell;
132 	for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
133 		shellnamelen++;
134 	if (*cp == '\0')
135 		goto check_shell;
136 	*cp++ = '\0';
137 
138 	/* skip spaces before any argument */
139 	for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
140 		;
141 	if (*cp == '\0')
142 		goto check_shell;
143 
144 	/*
145 	 * collect the shell argument.  everything after the shell name
146 	 * is passed as ONE argument; that's the correct (historical)
147 	 * behaviour.
148 	 */
149 	shellarg = cp;
150 	for ( /* cp = cp */ ; *cp != '\0'; cp++)
151 		shellarglen++;
152 	*cp++ = '\0';
153 
154 check_shell:
155 #ifdef SETUIDSCRIPTS
156 	/*
157 	 * MNT_NOSUID and STRC are already taken care of by check_exec,
158 	 * so we don't need to worry about them now or later.
159 	 */
160 	script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
161 	if (script_sbits != 0) {
162 		script_uid = epp->ep_vap->va_uid;
163 		script_gid = epp->ep_vap->va_gid;
164 	}
165 #endif
166 #ifdef FDSCRIPTS
167 	/*
168 	 * if the script isn't readable, or it's set-id, then we've
169 	 * gotta supply a "/dev/fd/..." for the shell to read.
170 	 * Note that stupid shells (csh) do the wrong thing, and
171 	 * close all open fd's when they start.  That kills this
172 	 * method of implementing "safe" set-id and x-only scripts.
173 	 */
174 	vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
175 	error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
176 	VOP_UNLOCK(scriptvp, 0, p);
177 	if (error == EACCES
178 #ifdef SETUIDSCRIPTS
179 	    || script_sbits
180 #endif
181 	    ) {
182 		struct file *fp;
183 
184 #ifdef DIAGNOSTIC
185 		if (epp->ep_flags & EXEC_HASFD)
186 			panic("exec_script_makecmds: epp already has a fd");
187 #endif
188 
189 		fdplock(p->p_fd);
190 		error = falloc(p, &fp, &epp->ep_fd);
191 		fdpunlock(p->p_fd);
192 		if (error)
193 			goto fail;
194 
195 		epp->ep_flags |= EXEC_HASFD;
196 		fp->f_type = DTYPE_VNODE;
197 		fp->f_ops = &vnops;
198 		fp->f_data = (caddr_t) scriptvp;
199 		fp->f_flag = FREAD;
200 		FILE_SET_MATURE(fp, p);
201 	}
202 #endif
203 
204 	/* set up the parameters for the recursive check_exec() call */
205 	epp->ep_ndp->ni_dirfd = AT_FDCWD;
206 	epp->ep_ndp->ni_dirp = shellname;
207 	epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
208 	epp->ep_flags |= EXEC_INDIR;
209 
210 	/* and set up the fake args list, for later */
211 	shellargp = mallocarray(4, sizeof(char *), M_EXEC, M_WAITOK);
212 	tmpsap = shellargp;
213 	*tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
214 	strlcpy(*tmpsap++, shellname, shellnamelen + 1);
215 	if (shellarg != NULL) {
216 		*tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
217 		strlcpy(*tmpsap++, shellarg, shellarglen + 1);
218 	}
219 	*tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
220 #ifdef FDSCRIPTS
221 	if ((epp->ep_flags & EXEC_HASFD) == 0) {
222 #endif
223 		/* normally can't fail, but check for it if diagnostic */
224 #if NSYSTRACE > 0
225 		if (ISSET(p->p_flag, P_SYSTRACE)) {
226 			error = systrace_scriptname(p, *tmpsap);
227 			if (error == 0)
228 				tmpsap++;
229 			else
230 				/*
231 				 * Since systrace_scriptname() provides a
232 				 * convenience, not a security issue, we are
233 				 * safe to do this.
234 				 */
235 				error = copystr(epp->ep_name, *tmpsap++,
236 				    MAXPATHLEN, NULL);
237 		} else
238 			error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
239 			    NULL);
240 #else
241 		error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
242 		    (size_t *)0);
243 #endif
244 #ifdef DIAGNOSTIC
245 		if (error != 0)
246 			panic("exec_script: copyinstr couldn't fail");
247 #endif
248 #ifdef FDSCRIPTS
249 	} else
250 		snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
251 #endif
252 	*tmpsap = NULL;
253 
254 	/*
255 	 * mark the header we have as invalid; check_exec will read
256 	 * the header from the new executable
257 	 */
258 	epp->ep_hdrvalid = 0;
259 
260 	if ((error = check_exec(p, epp)) == 0) {
261 		/* note that we've clobbered the header */
262 		epp->ep_flags |= EXEC_DESTR;
263 
264 		/*
265 		 * It succeeded.  Unlock the script and
266 		 * close it if we aren't using it any more.
267 		 * Also, set things up so that the fake args
268 		 * list will be used.
269 		 */
270 		if ((epp->ep_flags & EXEC_HASFD) == 0)
271 			vn_close(scriptvp, FREAD, p->p_ucred, p);
272 
273 		/* free the old pathname buffer */
274 		pool_put(&namei_pool, oldpnbuf);
275 
276 		epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
277 		epp->ep_fa = shellargp;
278 #ifdef SETUIDSCRIPTS
279 		/*
280 		 * set things up so that set-id scripts will be
281 		 * handled appropriately
282 		 */
283 		epp->ep_vap->va_mode |= script_sbits;
284 		if (script_sbits & VSUID)
285 			epp->ep_vap->va_uid = script_uid;
286 		if (script_sbits & VSGID)
287 			epp->ep_vap->va_gid = script_gid;
288 #endif
289 		return (0);
290 	}
291 
292 	/* XXX oldpnbuf not set for "goto fail" path */
293 	epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
294 #ifdef FDSCRIPTS
295 fail:
296 #endif
297 	/* note that we've clobbered the header */
298 	epp->ep_flags |= EXEC_DESTR;
299 
300 	/* kill the opened file descriptor, else close the file */
301 	if (epp->ep_flags & EXEC_HASFD) {
302 		epp->ep_flags &= ~EXEC_HASFD;
303 		fdplock(p->p_fd);
304 		(void) fdrelease(p, epp->ep_fd);
305 		fdpunlock(p->p_fd);
306 	} else
307 		vn_close(scriptvp, FREAD, p->p_ucred, p);
308 
309 	pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
310 
311 	/* free the fake arg list, because we're not returning it */
312 	if ((tmpsap = shellargp) != NULL) {
313 		while (*tmpsap != NULL) {
314 			free(*tmpsap, M_EXEC, 0);
315 			tmpsap++;
316 		}
317 		free(shellargp, M_EXEC, 0);
318 	}
319 
320 	/*
321 	 * free any vmspace-creation commands,
322 	 * and release their references
323 	 */
324 	kill_vmcmds(&epp->ep_vmcmds);
325 
326 	return error;
327 }
328