1 /** $MirOS: src/sys/kern/exec_script.c,v 1.5 2007/04/17 22:13:24 tg Exp $ */
2 /* $OpenBSD: exec_script.c,v 1.21 2004/07/07 07:31:40 marius Exp $ */
3 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */
4
5 /*
6 * Copyright (c) 1993, 1994 Christopher G. Demetriou
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Christopher G. Demetriou.
20 * 4. The name of the author may not be used to endorse or promote products
21 * derived from this software without specific prior written permission
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/proc.h>
38 #include <sys/malloc.h>
39 #include <sys/pool.h>
40 #include <sys/vnode.h>
41 #include <sys/namei.h>
42 #include <sys/file.h>
43 #include <sys/filedesc.h>
44 #include <sys/exec.h>
45 #include <sys/resourcevar.h>
46 #include <uvm/uvm_extern.h>
47
48 #include <sys/exec_script.h>
49
50 #include "systrace.h"
51
52 #if NSYSTRACE > 0
53 #include <dev/systrace.h>
54 #endif
55
56 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
57 #define FDSCRIPTS /* Need this for safe set-id scripts. */
58 #endif
59
60 /*
61 * exec_script_makecmds(): Check if it's an executable shell script.
62 *
63 * Given a proc pointer and an exec package pointer, see if the referent
64 * of the epp is in shell script. If it is, then set thing up so that
65 * the script can be run. This involves preparing the address space
66 * and arguments for the shell which will run the script.
67 *
68 * This function is ultimately responsible for creating a set of vmcmds
69 * which can be used to build the process's vm space and inserting them
70 * into the exec package.
71 */
72 int
exec_script_makecmds(p,epp)73 exec_script_makecmds(p, epp)
74 struct proc *p;
75 struct exec_package *epp;
76 {
77 int error, hdrlinelen, shellnamelen, shellarglen;
78 char *hdrstr = epp->ep_hdr;
79 char *cp, *shellname, *shellarg, *oldpnbuf;
80 char **shellargp = NULL, **tmpsap;
81 struct vnode *scriptvp;
82 #ifdef SETUIDSCRIPTS
83 uid_t script_uid = -1;
84 gid_t script_gid = -1;
85 u_short script_sbits;
86 #endif
87
88 /*
89 * remember the old vp and pnbuf for later, so we can restore
90 * them if check_exec() fails.
91 */
92 scriptvp = epp->ep_vp;
93 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
94
95 /*
96 * if the magic isn't that of a shell script, or we've already
97 * done shell script processing for this exec, punt on it.
98 */
99 if ((epp->ep_flags & EXEC_INDIR) != 0)
100 return (ENOEXEC);
101 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
102 if (hdrlinelen >= 3)
103 if ((((unsigned char *)hdrstr)[0] == 0xEF) &&
104 (((unsigned char *)hdrstr)[1] == 0xBB) &&
105 (((unsigned char *)hdrstr)[2] == 0xBF)) {
106 /* skip UTF-8 Byte Order Mark at beginning of file */
107 hdrlinelen -= 3;
108 hdrstr += 3;
109 }
110 if (hdrlinelen < EXEC_SCRIPT_MAGICLEN ||
111 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
112 return ENOEXEC;
113
114 /*
115 * check that the shell spec is terminated by a newline (or CR),
116 * and that it isn't too large. Don't modify the
117 * buffer unless we're ready to commit to handling it.
118 * (The latter requirement means that we have to check
119 * for both spaces and tabs later on.)
120 */
121 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
122 cp++) {
123 if (*cp == '\n' || *cp == '\r') {
124 *cp = '\0';
125 break;
126 }
127 }
128 if (cp >= hdrstr + hdrlinelen)
129 return ENOEXEC;
130
131 shellname = NULL;
132 shellarg = NULL;
133 shellarglen = 0;
134
135 /* strip spaces before the shell name */
136 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
137 cp++)
138 ;
139
140 /* collect the shell name; remember its length for later */
141 shellname = cp;
142 shellnamelen = 0;
143 if (*cp == '\0')
144 goto check_shell;
145 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
146 shellnamelen++;
147 if (*cp == '\0')
148 goto check_shell;
149 *cp++ = '\0';
150
151 /* skip spaces before any argument */
152 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
153 ;
154 if (*cp == '\0')
155 goto check_shell;
156
157 /*
158 * collect the shell argument. everything after the shell name
159 * is passed as ONE argument; that's the correct (historical)
160 * behaviour.
161 */
162 shellarg = cp;
163 for ( /* cp = cp */ ; *cp != '\0'; cp++)
164 shellarglen++;
165 *cp++ = '\0';
166
167 check_shell:
168 #ifdef SETUIDSCRIPTS
169 /*
170 * MNT_NOSUID and STRC are already taken care of by check_exec,
171 * so we don't need to worry about them now or later.
172 */
173 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
174 if (script_sbits != 0) {
175 script_uid = epp->ep_vap->va_uid;
176 script_gid = epp->ep_vap->va_gid;
177 }
178 #endif
179 #ifdef FDSCRIPTS
180 /*
181 * if the script isn't readable, or it's set-id, then we've
182 * gotta supply a "/dev/fd/..." for the shell to read.
183 * Note that stupid shells (csh) do the wrong thing, and
184 * close all open fds when the start. That kills this
185 * method of implementing "safe" set-id and x-only scripts.
186 */
187 vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
188 error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
189 VOP_UNLOCK(scriptvp, 0, p);
190 if (error == EACCES
191 #ifdef SETUIDSCRIPTS
192 || script_sbits
193 #endif
194 ) {
195 struct file *fp;
196
197 #ifdef DIAGNOSTIC
198 if (epp->ep_flags & EXEC_HASFD)
199 panic("exec_script_makecmds: epp already has a fd");
200 #endif
201
202 if ((error = falloc(p, &fp, &epp->ep_fd)))
203 goto fail;
204
205 epp->ep_flags |= EXEC_HASFD;
206 fp->f_type = DTYPE_VNODE;
207 fp->f_ops = &vnops;
208 fp->f_data = (caddr_t) scriptvp;
209 fp->f_flag = FREAD;
210 FILE_SET_MATURE(fp);
211 }
212 #endif
213
214 /* set up the parameters for the recursive check_exec() call */
215 epp->ep_ndp->ni_dirp = shellname;
216 epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
217 epp->ep_flags |= EXEC_INDIR;
218
219 /* and set up the fake args list, for later */
220 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
221 tmpsap = shellargp;
222 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
223 strlcpy(*tmpsap++, shellname, shellnamelen + 1);
224 if (shellarg != NULL) {
225 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
226 strlcpy(*tmpsap++, shellarg, shellarglen + 1);
227 }
228 *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
229 #ifdef FDSCRIPTS
230 if ((epp->ep_flags & EXEC_HASFD) == 0) {
231 #endif
232 /* normally can't fail, but check for it if diagnostic */
233 #if NSYSTRACE > 0
234 error = 1;
235 if (ISSET(p->p_flag, P_SYSTRACE)) {
236 error = systrace_scriptname(p, *tmpsap);
237 if (error == 0)
238 tmpsap++;
239 }
240 if (error != 0)
241 /*
242 * Since systrace_scriptname() provides a
243 * convenience, not a security issue, we are
244 * safe to do this.
245 */
246 error = copystr(epp->ep_name, *tmpsap++,
247 MAXPATHLEN, NULL);
248 #else
249 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
250 (size_t *)0);
251 #endif
252 #ifdef DIAGNOSTIC
253 if (error != 0)
254 panic("exec_script: copyinstr couldn't fail");
255 #endif
256 #ifdef FDSCRIPTS
257 } else
258 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
259 #endif
260 *tmpsap = NULL;
261
262 /*
263 * mark the header we have as invalid; check_exec will read
264 * the header from the new executable
265 */
266 epp->ep_hdrvalid = 0;
267
268 if ((error = check_exec(p, epp)) == 0) {
269 /* note that we've clobbered the header */
270 epp->ep_flags |= EXEC_DESTR;
271
272 /*
273 * It succeeded. Unlock the script and
274 * close it if we aren't using it any more.
275 * Also, set things up so that the fake args
276 * list will be used.
277 */
278 if ((epp->ep_flags & EXEC_HASFD) == 0)
279 vn_close(scriptvp, FREAD, p->p_ucred, p);
280
281 /* free the old pathname buffer */
282 pool_put(&namei_pool, oldpnbuf);
283
284 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
285 epp->ep_fa = shellargp;
286 #ifdef SETUIDSCRIPTS
287 /*
288 * set thing up so that set-id scripts will be
289 * handled appropriately
290 */
291 epp->ep_vap->va_mode |= script_sbits;
292 if (script_sbits & VSUID)
293 epp->ep_vap->va_uid = script_uid;
294 if (script_sbits & VSGID)
295 epp->ep_vap->va_gid = script_gid;
296 #endif
297 return (0);
298 }
299
300 /* XXX oldpnbuf not set for "goto fail" path */
301 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
302 #ifdef FDSCRIPTS
303 fail:
304 #endif
305 /* note that we've clobbered the header */
306 epp->ep_flags |= EXEC_DESTR;
307
308 /* kill the opened file descriptor, else close the file */
309 if (epp->ep_flags & EXEC_HASFD) {
310 epp->ep_flags &= ~EXEC_HASFD;
311 (void) fdrelease(p, epp->ep_fd);
312 } else
313 vn_close(scriptvp, FREAD, p->p_ucred, p);
314
315 pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
316
317 /* free the fake arg list, because we're not returning it */
318 if ((tmpsap = shellargp) != NULL) {
319 while (*tmpsap != NULL) {
320 free(*tmpsap, M_EXEC);
321 tmpsap++;
322 }
323 FREE(shellargp, M_EXEC);
324 }
325
326 /*
327 * free any vmspace-creation commands,
328 * and release their references
329 */
330 kill_vmcmds(&epp->ep_vmcmds);
331
332 return error;
333 }
334