1 /* $OpenBSD: exec_script.c,v 1.22 2005/08/01 07:02:39 art Exp $ */ 2 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1993, 1994 Christopher G. Demetriou 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Christopher G. Demetriou. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/proc.h> 37 #include <sys/malloc.h> 38 #include <sys/pool.h> 39 #include <sys/vnode.h> 40 #include <sys/namei.h> 41 #include <sys/file.h> 42 #include <sys/filedesc.h> 43 #include <sys/exec.h> 44 #include <sys/resourcevar.h> 45 #include <uvm/uvm_extern.h> 46 47 #include <sys/exec_script.h> 48 49 #include "systrace.h" 50 51 #if NSYSTRACE > 0 52 #include <dev/systrace.h> 53 #endif 54 55 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 56 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 57 #endif 58 59 /* 60 * exec_script_makecmds(): Check if it's an executable shell script. 61 * 62 * Given a proc pointer and an exec package pointer, see if the referent 63 * of the epp is in shell script. If it is, then set thing up so that 64 * the script can be run. This involves preparing the address space 65 * and arguments for the shell which will run the script. 66 * 67 * This function is ultimately responsible for creating a set of vmcmds 68 * which can be used to build the process's vm space and inserting them 69 * into the exec package. 70 */ 71 int 72 exec_script_makecmds(p, epp) 73 struct proc *p; 74 struct exec_package *epp; 75 { 76 int error, hdrlinelen, shellnamelen, shellarglen; 77 char *hdrstr = epp->ep_hdr; 78 char *cp, *shellname, *shellarg, *oldpnbuf; 79 char **shellargp = NULL, **tmpsap; 80 struct vnode *scriptvp; 81 #ifdef SETUIDSCRIPTS 82 uid_t script_uid = -1; 83 gid_t script_gid = -1; 84 u_short script_sbits; 85 #endif 86 87 /* 88 * remember the old vp and pnbuf for later, so we can restore 89 * them if check_exec() fails. 90 */ 91 scriptvp = epp->ep_vp; 92 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 93 94 /* 95 * if the magic isn't that of a shell script, or we've already 96 * done shell script processing for this exec, punt on it. 97 */ 98 if ((epp->ep_flags & EXEC_INDIR) != 0 || 99 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 100 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 101 return ENOEXEC; 102 103 /* 104 * check that the shell spec is terminated by a newline, 105 * and that it isn't too large. Don't modify the 106 * buffer unless we're ready to commit to handling it. 107 * (The latter requirement means that we have to check 108 * for both spaces and tabs later on.) 109 */ 110 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 111 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 112 cp++) { 113 if (*cp == '\n') { 114 *cp = '\0'; 115 break; 116 } 117 } 118 if (cp >= hdrstr + hdrlinelen) 119 return ENOEXEC; 120 121 shellname = NULL; 122 shellarg = NULL; 123 shellarglen = 0; 124 125 /* strip spaces before the shell name */ 126 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 127 cp++) 128 ; 129 130 /* collect the shell name; remember it's length for later */ 131 shellname = cp; 132 shellnamelen = 0; 133 if (*cp == '\0') 134 goto check_shell; 135 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 136 shellnamelen++; 137 if (*cp == '\0') 138 goto check_shell; 139 *cp++ = '\0'; 140 141 /* skip spaces before any argument */ 142 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 143 ; 144 if (*cp == '\0') 145 goto check_shell; 146 147 /* 148 * collect the shell argument. everything after the shell name 149 * is passed as ONE argument; that's the correct (historical) 150 * behaviour. 151 */ 152 shellarg = cp; 153 for ( /* cp = cp */ ; *cp != '\0'; cp++) 154 shellarglen++; 155 *cp++ = '\0'; 156 157 check_shell: 158 #ifdef SETUIDSCRIPTS 159 /* 160 * MNT_NOSUID and STRC are already taken care of by check_exec, 161 * so we don't need to worry about them now or later. 162 */ 163 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID); 164 if (script_sbits != 0) { 165 script_uid = epp->ep_vap->va_uid; 166 script_gid = epp->ep_vap->va_gid; 167 } 168 #endif 169 #ifdef FDSCRIPTS 170 /* 171 * if the script isn't readable, or it's set-id, then we've 172 * gotta supply a "/dev/fd/..." for the shell to read. 173 * Note that stupid shells (csh) do the wrong thing, and 174 * close all open fd's when the start. That kills this 175 * method of implementing "safe" set-id and x-only scripts. 176 */ 177 vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p); 178 error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p); 179 VOP_UNLOCK(scriptvp, 0, p); 180 if (error == EACCES 181 #ifdef SETUIDSCRIPTS 182 || script_sbits 183 #endif 184 ) { 185 struct file *fp; 186 187 #ifdef DIAGNOSTIC 188 if (epp->ep_flags & EXEC_HASFD) 189 panic("exec_script_makecmds: epp already has a fd"); 190 #endif 191 192 if ((error = falloc(p, &fp, &epp->ep_fd))) 193 goto fail; 194 195 epp->ep_flags |= EXEC_HASFD; 196 fp->f_type = DTYPE_VNODE; 197 fp->f_ops = &vnops; 198 fp->f_data = (caddr_t) scriptvp; 199 fp->f_flag = FREAD; 200 FILE_SET_MATURE(fp); 201 } 202 #endif 203 204 /* set up the parameters for the recursive check_exec() call */ 205 epp->ep_ndp->ni_dirp = shellname; 206 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 207 epp->ep_flags |= EXEC_INDIR; 208 209 /* and set up the fake args list, for later */ 210 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 211 tmpsap = shellargp; 212 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); 213 strlcpy(*tmpsap++, shellname, shellnamelen + 1); 214 if (shellarg != NULL) { 215 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK); 216 strlcpy(*tmpsap++, shellarg, shellarglen + 1); 217 } 218 *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK); 219 #ifdef FDSCRIPTS 220 if ((epp->ep_flags & EXEC_HASFD) == 0) { 221 #endif 222 /* normally can't fail, but check for it if diagnostic */ 223 #if NSYSTRACE > 0 224 if (ISSET(p->p_flag, P_SYSTRACE)) { 225 error = systrace_scriptname(p, *tmpsap); 226 if (error == 0) 227 tmpsap++; 228 else 229 /* 230 * Since systrace_scriptname() provides a 231 * convenience, not a security issue, we are 232 * safe to do this. 233 */ 234 error = copystr(epp->ep_name, *tmpsap++, 235 MAXPATHLEN, NULL); 236 } else 237 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 238 NULL); 239 #else 240 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 241 (size_t *)0); 242 #endif 243 #ifdef DIAGNOSTIC 244 if (error != 0) 245 panic("exec_script: copyinstr couldn't fail"); 246 #endif 247 #ifdef FDSCRIPTS 248 } else 249 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd); 250 #endif 251 *tmpsap = NULL; 252 253 /* 254 * mark the header we have as invalid; check_exec will read 255 * the header from the new executable 256 */ 257 epp->ep_hdrvalid = 0; 258 259 if ((error = check_exec(p, epp)) == 0) { 260 /* note that we've clobbered the header */ 261 epp->ep_flags |= EXEC_DESTR; 262 263 /* 264 * It succeeded. Unlock the script and 265 * close it if we aren't using it any more. 266 * Also, set things up so that the fake args 267 * list will be used. 268 */ 269 if ((epp->ep_flags & EXEC_HASFD) == 0) 270 vn_close(scriptvp, FREAD, p->p_ucred, p); 271 272 /* free the old pathname buffer */ 273 pool_put(&namei_pool, oldpnbuf); 274 275 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 276 epp->ep_fa = shellargp; 277 #ifdef SETUIDSCRIPTS 278 /* 279 * set thing up so that set-id scripts will be 280 * handled appropriately 281 */ 282 epp->ep_vap->va_mode |= script_sbits; 283 if (script_sbits & VSUID) 284 epp->ep_vap->va_uid = script_uid; 285 if (script_sbits & VSGID) 286 epp->ep_vap->va_gid = script_gid; 287 #endif 288 return (0); 289 } 290 291 /* XXX oldpnbuf not set for "goto fail" path */ 292 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 293 #ifdef FDSCRIPTS 294 fail: 295 #endif 296 /* note that we've clobbered the header */ 297 epp->ep_flags |= EXEC_DESTR; 298 299 /* kill the opened file descriptor, else close the file */ 300 if (epp->ep_flags & EXEC_HASFD) { 301 epp->ep_flags &= ~EXEC_HASFD; 302 (void) fdrelease(p, epp->ep_fd); 303 } else 304 vn_close(scriptvp, FREAD, p->p_ucred, p); 305 306 pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf); 307 308 /* free the fake arg list, because we're not returning it */ 309 if ((tmpsap = shellargp) != NULL) { 310 while (*tmpsap != NULL) { 311 free(*tmpsap, M_EXEC); 312 tmpsap++; 313 } 314 FREE(shellargp, M_EXEC); 315 } 316 317 /* 318 * free any vmspace-creation commands, 319 * and release their references 320 */ 321 kill_vmcmds(&epp->ep_vmcmds); 322 323 return error; 324 } 325