1 /* $OpenBSD: exec_script.c,v 1.15 2001/11/06 19:53:20 miod Exp $ */ 2 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1993, 1994 Christopher G. Demetriou 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Christopher G. Demetriou. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/proc.h> 37 #include <sys/malloc.h> 38 #include <sys/vnode.h> 39 #include <sys/namei.h> 40 #include <sys/file.h> 41 #include <sys/filedesc.h> 42 #include <sys/exec.h> 43 #include <sys/resourcevar.h> 44 #include <uvm/uvm_extern.h> 45 46 #include <sys/exec_script.h> 47 48 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) 49 #define FDSCRIPTS /* Need this for safe set-id scripts. */ 50 #endif 51 52 /* 53 * exec_script_makecmds(): Check if it's an executable shell script. 54 * 55 * Given a proc pointer and an exec package pointer, see if the referent 56 * of the epp is in shell script. If it is, then set thing up so that 57 * the script can be run. This involves preparing the address space 58 * and arguments for the shell which will run the script. 59 * 60 * This function is ultimately responsible for creating a set of vmcmds 61 * which can be used to build the process's vm space and inserting them 62 * into the exec package. 63 */ 64 int 65 exec_script_makecmds(p, epp) 66 struct proc *p; 67 struct exec_package *epp; 68 { 69 int error, hdrlinelen, shellnamelen, shellarglen; 70 char *hdrstr = epp->ep_hdr; 71 char *cp, *shellname, *shellarg, *oldpnbuf; 72 char **shellargp, **tmpsap; 73 struct vnode *scriptvp; 74 #ifdef SETUIDSCRIPTS 75 uid_t script_uid = -1; 76 gid_t script_gid = -1; 77 u_short script_sbits; 78 #endif 79 80 /* 81 * if the magic isn't that of a shell script, or we've already 82 * done shell script processing for this exec, punt on it. 83 */ 84 if ((epp->ep_flags & EXEC_INDIR) != 0 || 85 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || 86 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) 87 return ENOEXEC; 88 89 /* 90 * check that the shell spec is terminated by a newline, 91 * and that it isn't too large. Don't modify the 92 * buffer unless we're ready to commit to handling it. 93 * (The latter requirement means that we have to check 94 * for both spaces and tabs later on.) 95 */ 96 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP); 97 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; 98 cp++) { 99 if (*cp == '\n') { 100 *cp = '\0'; 101 break; 102 } 103 } 104 if (cp >= hdrstr + hdrlinelen) 105 return ENOEXEC; 106 107 shellname = NULL; 108 shellarg = NULL; 109 shellarglen = 0; 110 111 /* strip spaces before the shell name */ 112 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; 113 cp++) 114 ; 115 116 /* collect the shell name; remember it's length for later */ 117 shellname = cp; 118 shellnamelen = 0; 119 if (*cp == '\0') 120 goto check_shell; 121 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) 122 shellnamelen++; 123 if (*cp == '\0') 124 goto check_shell; 125 *cp++ = '\0'; 126 127 /* skip spaces before any argument */ 128 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) 129 ; 130 if (*cp == '\0') 131 goto check_shell; 132 133 /* 134 * collect the shell argument. everything after the shell name 135 * is passed as ONE argument; that's the correct (historical) 136 * behaviour. 137 */ 138 shellarg = cp; 139 for ( /* cp = cp */ ; *cp != '\0'; cp++) 140 shellarglen++; 141 *cp++ = '\0'; 142 143 check_shell: 144 #ifdef SETUIDSCRIPTS 145 /* 146 * MNT_NOSUID and STRC are already taken care of by check_exec, 147 * so we don't need to worry about them now or later. 148 */ 149 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID); 150 if (script_sbits != 0) { 151 script_uid = epp->ep_vap->va_uid; 152 script_gid = epp->ep_vap->va_gid; 153 } 154 #endif 155 #ifdef FDSCRIPTS 156 /* 157 * if the script isn't readable, or it's set-id, then we've 158 * gotta supply a "/dev/fd/..." for the shell to read. 159 * Note that stupid shells (csh) do the wrong thing, and 160 * close all open fd's when the start. That kills this 161 * method of implementing "safe" set-id and x-only scripts. 162 */ 163 if (VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p) == EACCES 164 #ifdef SETUIDSCRIPTS 165 || script_sbits 166 #endif 167 ) { 168 struct file *fp; 169 170 #ifdef DIAGNOSTIC 171 if (epp->ep_flags & EXEC_HASFD) 172 panic("exec_script_makecmds: epp already has a fd"); 173 #endif 174 175 if ((error = falloc(p, &fp, &epp->ep_fd))) 176 goto fail; 177 178 epp->ep_flags |= EXEC_HASFD; 179 fp->f_type = DTYPE_VNODE; 180 fp->f_ops = &vnops; 181 fp->f_data = (caddr_t) epp->ep_vp; 182 fp->f_flag = FREAD; 183 FILE_SET_MATURE(fp); 184 } 185 #endif 186 187 /* set up the parameters for the recursive check_exec() call */ 188 epp->ep_ndp->ni_dirp = shellname; 189 epp->ep_ndp->ni_segflg = UIO_SYSSPACE; 190 epp->ep_flags |= EXEC_INDIR; 191 192 /* and set up the fake args list, for later */ 193 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK); 194 tmpsap = shellargp; 195 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK); 196 strcpy(*tmpsap++, shellname); 197 if (shellarg != NULL) { 198 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK); 199 strcpy(*tmpsap++, shellarg); 200 } 201 *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK); 202 #ifdef FDSCRIPTS 203 if ((epp->ep_flags & EXEC_HASFD) == 0) { 204 #endif 205 /* normally can't fail, but check for it if diagnostic */ 206 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN, 207 (size_t *)0); 208 #ifdef DIAGNOSTIC 209 if (error != 0) 210 panic("exec_script: copyinstr couldn't fail"); 211 #endif 212 #ifdef FDSCRIPTS 213 } else 214 sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd); 215 #endif 216 *tmpsap = NULL; 217 218 /* 219 * mark the header we have as invalid; check_exec will read 220 * the header from the new executable 221 */ 222 epp->ep_hdrvalid = 0; 223 224 /* 225 * remember the old vp and pnbuf for later, so we can restore 226 * them if check_exec() fails. 227 */ 228 scriptvp = epp->ep_vp; 229 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf; 230 231 VOP_UNLOCK(scriptvp, 0, p); 232 233 if ((error = check_exec(p, epp)) == 0) { 234 /* note that we've clobbered the header */ 235 epp->ep_flags |= EXEC_DESTR; 236 237 /* 238 * It succeeded. Unlock the script and 239 * close it if we aren't using it any more. 240 * Also, set things up so that the fake args 241 * list will be used. 242 */ 243 if ((epp->ep_flags & EXEC_HASFD) == 0) 244 vn_close(scriptvp, FREAD, p->p_ucred, p); 245 246 /* free the old pathname buffer */ 247 FREE(oldpnbuf, M_NAMEI); 248 249 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); 250 epp->ep_fa = shellargp; 251 #ifdef SETUIDSCRIPTS 252 /* 253 * set thing up so that set-id scripts will be 254 * handled appropriately 255 */ 256 epp->ep_vap->va_mode |= script_sbits; 257 if (script_sbits & VSUID) 258 epp->ep_vap->va_uid = script_uid; 259 if (script_sbits & VSGID) 260 epp->ep_vap->va_gid = script_gid; 261 #endif 262 return (0); 263 } 264 265 /* XXX oldpnbuf not set for "goto fail" path */ 266 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf; 267 #ifdef FDSCRIPTS 268 fail: 269 #endif 270 /* note that we've clobbered the header */ 271 epp->ep_flags |= EXEC_DESTR; 272 273 /* kill the opened file descriptor, else close the file */ 274 if (epp->ep_flags & EXEC_HASFD) { 275 epp->ep_flags &= ~EXEC_HASFD; 276 (void) fdrelease(p, epp->ep_fd); 277 } else 278 vn_close(scriptvp, FREAD, p->p_ucred, p); 279 280 FREE(epp->ep_ndp->ni_cnd.cn_pnbuf, M_NAMEI); 281 282 /* free the fake arg list, because we're not returning it */ 283 tmpsap = shellargp; 284 while (*tmpsap != NULL) { 285 free(*tmpsap, M_EXEC); 286 tmpsap++; 287 } 288 FREE(shellargp, M_EXEC); 289 290 /* 291 * free any vmspace-creation commands, 292 * and release their references 293 */ 294 kill_vmcmds(&epp->ep_vmcmds); 295 296 return error; 297 } 298