xref: /openbsd/sys/kern/exec_script.c (revision 2ed745d2) 
1 /*	$OpenBSD: exec_script.c,v 1.39 2016/04/25 20:00:33 tedu Exp $	*/
2 /*	$NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $	*/
3 
4 /*
5  * Copyright (c) 1993, 1994 Christopher G. Demetriou
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. All advertising materials mentioning features or use of this software
17  *    must display the following acknowledgement:
18  *      This product includes software developed by Christopher G. Demetriou.
19  * 4. The name of the author may not be used to endorse or promote products
20  *    derived from this software without specific prior written permission
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  */
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/proc.h>
37 #include <sys/malloc.h>
38 #include <sys/pool.h>
39 #include <sys/vnode.h>
40 #include <sys/lock.h>
41 #include <sys/namei.h>
42 #include <sys/file.h>
43 #include <sys/filedesc.h>
44 #include <sys/exec.h>
45 
46 #include <sys/exec_script.h>
47 
48 
49 /*
50  * exec_script_makecmds(): Check if it's an executable shell script.
51  *
52  * Given a proc pointer and an exec package pointer, see if the referent
53  * of the epp is in shell script.  If it is, then set things up so that
54  * the script can be run.  This involves preparing the address space
55  * and arguments for the shell which will run the script.
56  *
57  * This function is ultimately responsible for creating a set of vmcmds
58  * which can be used to build the process's vm space and inserting them
59  * into the exec package.
60  */
61 int
62 exec_script_makecmds(struct proc *p, struct exec_package *epp)
63 {
64 	int error, hdrlinelen, shellnamelen, shellarglen;
65 	char *hdrstr = epp->ep_hdr;
66 	char *cp, *shellname, *shellarg, *oldpnbuf;
67 	char **shellargp = NULL, **tmpsap;
68 	struct vnode *scriptvp;
69 	uid_t script_uid = -1;
70 	gid_t script_gid = -1;
71 	u_short script_sbits;
72 
73 	/*
74 	 * remember the old vp and pnbuf for later, so we can restore
75 	 * them if check_exec() fails.
76 	 */
77 	scriptvp = epp->ep_vp;
78 	oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
79 
80 	/*
81 	 * if the magic isn't that of a shell script, or we've already
82 	 * done shell script processing for this exec, punt on it.
83 	 */
84 	if ((epp->ep_flags & EXEC_INDIR) != 0 ||
85 	    epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
86 	    strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
87 		return ENOEXEC;
88 
89 	/*
90 	 * check that the shell spec is terminated by a newline,
91 	 * and that it isn't too large.  Don't modify the
92 	 * buffer unless we're ready to commit to handling it.
93 	 * (The latter requirement means that we have to check
94 	 * for both spaces and tabs later on.)
95 	 */
96 	hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
97 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
98 	    cp++) {
99 		if (*cp == '\n') {
100 			*cp = '\0';
101 			break;
102 		}
103 	}
104 	if (cp >= hdrstr + hdrlinelen)
105 		return ENOEXEC;
106 
107 	shellname = NULL;
108 	shellarg = NULL;
109 	shellarglen = 0;
110 
111 	/* strip spaces before the shell name */
112 	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
113 	    cp++)
114 		;
115 
116 	/* collect the shell name; remember its length for later */
117 	shellname = cp;
118 	shellnamelen = 0;
119 	if (*cp == '\0')
120 		goto check_shell;
121 	for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
122 		shellnamelen++;
123 	if (*cp == '\0')
124 		goto check_shell;
125 	*cp++ = '\0';
126 
127 	/* skip spaces before any argument */
128 	for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
129 		;
130 	if (*cp == '\0')
131 		goto check_shell;
132 
133 	/*
134 	 * collect the shell argument.  everything after the shell name
135 	 * is passed as ONE argument; that's the correct (historical)
136 	 * behaviour.
137 	 */
138 	shellarg = cp;
139 	for ( /* cp = cp */ ; *cp != '\0'; cp++)
140 		shellarglen++;
141 	*cp++ = '\0';
142 
143 check_shell:
144 	/*
145 	 * MNT_NOSUID and STRC are already taken care of by check_exec,
146 	 * so we don't need to worry about them now or later.
147 	 */
148 	script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
149 	if (script_sbits != 0) {
150 		script_uid = epp->ep_vap->va_uid;
151 		script_gid = epp->ep_vap->va_gid;
152 	}
153 	/*
154 	 * if the script isn't readable, or it's set-id, then we've
155 	 * gotta supply a "/dev/fd/..." for the shell to read.
156 	 * Note that stupid shells (csh) do the wrong thing, and
157 	 * close all open fd's when they start.  That kills this
158 	 * method of implementing "safe" set-id and x-only scripts.
159 	 */
160 	vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
161 	error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
162 	VOP_UNLOCK(scriptvp, p);
163 	if (error == EACCES || script_sbits) {
164 		struct file *fp;
165 
166 #ifdef DIAGNOSTIC
167 		if (epp->ep_flags & EXEC_HASFD)
168 			panic("exec_script_makecmds: epp already has a fd");
169 #endif
170 
171 		fdplock(p->p_fd);
172 		error = falloc(p, &fp, &epp->ep_fd);
173 		fdpunlock(p->p_fd);
174 		if (error)
175 			goto fail;
176 
177 		epp->ep_flags |= EXEC_HASFD;
178 		fp->f_type = DTYPE_VNODE;
179 		fp->f_ops = &vnops;
180 		fp->f_data = (caddr_t) scriptvp;
181 		fp->f_flag = FREAD;
182 		FILE_SET_MATURE(fp, p);
183 	}
184 
185 	/* set up the parameters for the recursive check_exec() call */
186 	epp->ep_ndp->ni_dirfd = AT_FDCWD;
187 	epp->ep_ndp->ni_dirp = shellname;
188 	epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
189 	epp->ep_flags |= EXEC_INDIR;
190 
191 	/* and set up the fake args list, for later */
192 	shellargp = mallocarray(4, sizeof(char *), M_EXEC, M_WAITOK);
193 	tmpsap = shellargp;
194 	*tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
195 	strlcpy(*tmpsap++, shellname, shellnamelen + 1);
196 	if (shellarg != NULL) {
197 		*tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
198 		strlcpy(*tmpsap++, shellarg, shellarglen + 1);
199 	}
200 	*tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
201 	if ((epp->ep_flags & EXEC_HASFD) == 0) {
202 		error = copyinstr(epp->ep_name, *tmpsap, MAXPATHLEN,
203 		    NULL);
204 		if (error != 0) {
205 			*(tmpsap + 1) = NULL;
206 			goto fail;
207 		}
208 	} else
209 		snprintf(*tmpsap, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
210 	tmpsap++;
211 	*tmpsap = NULL;
212 
213 	/*
214 	 * mark the header we have as invalid; check_exec will read
215 	 * the header from the new executable
216 	 */
217 	epp->ep_hdrvalid = 0;
218 
219 	if ((error = check_exec(p, epp)) == 0) {
220 		/* note that we've clobbered the header */
221 		epp->ep_flags |= EXEC_DESTR;
222 
223 		/*
224 		 * It succeeded.  Unlock the script and
225 		 * close it if we aren't using it any more.
226 		 * Also, set things up so that the fake args
227 		 * list will be used.
228 		 */
229 		if ((epp->ep_flags & EXEC_HASFD) == 0)
230 			vn_close(scriptvp, FREAD, p->p_ucred, p);
231 
232 		/* free the old pathname buffer */
233 		pool_put(&namei_pool, oldpnbuf);
234 
235 		epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
236 		epp->ep_fa = shellargp;
237 		/*
238 		 * set things up so that set-id scripts will be
239 		 * handled appropriately
240 		 */
241 		epp->ep_vap->va_mode |= script_sbits;
242 		if (script_sbits & VSUID)
243 			epp->ep_vap->va_uid = script_uid;
244 		if (script_sbits & VSGID)
245 			epp->ep_vap->va_gid = script_gid;
246 		return (0);
247 	}
248 
249 	/* XXX oldpnbuf not set for "goto fail" path */
250 	epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
251 fail:
252 	/* note that we've clobbered the header */
253 	epp->ep_flags |= EXEC_DESTR;
254 
255 	/* kill the opened file descriptor, else close the file */
256 	if (epp->ep_flags & EXEC_HASFD) {
257 		epp->ep_flags &= ~EXEC_HASFD;
258 		fdplock(p->p_fd);
259 		(void) fdrelease(p, epp->ep_fd);
260 		fdpunlock(p->p_fd);
261 	} else
262 		vn_close(scriptvp, FREAD, p->p_ucred, p);
263 
264 	pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
265 
266 	/* free the fake arg list, because we're not returning it */
267 	if ((tmpsap = shellargp) != NULL) {
268 		while (*tmpsap != NULL) {
269 			free(*tmpsap, M_EXEC, 0);
270 			tmpsap++;
271 		}
272 		free(shellargp, M_EXEC, 4 * sizeof(char *));
273 	}
274 
275 	/*
276 	 * free any vmspace-creation commands,
277 	 * and release their references
278 	 */
279 	kill_vmcmds(&epp->ep_vmcmds);
280 
281 	return error;
282 }
283