1 /* $OpenBSD: exec_script.c,v 1.24 2006/11/14 18:00:27 jmc Exp $ */
2 /* $NetBSD: exec_script.c,v 1.13 1996/02/04 02:15:06 christos Exp $ */
3
4 /*
5 * Copyright (c) 1993, 1994 Christopher G. Demetriou
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. All advertising materials mentioning features or use of this software
17 * must display the following acknowledgement:
18 * This product includes software developed by Christopher G. Demetriou.
19 * 4. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/proc.h>
37 #include <sys/malloc.h>
38 #include <sys/pool.h>
39 #include <sys/vnode.h>
40 #include <sys/namei.h>
41 #include <sys/file.h>
42 #include <sys/filedesc.h>
43 #include <sys/exec.h>
44 #include <sys/resourcevar.h>
45 #include <uvm/uvm_extern.h>
46
47 #include <sys/exec_script.h>
48
49 #include "systrace.h"
50
51 #if NSYSTRACE > 0
52 #include <dev/systrace.h>
53 #endif
54
55 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
56 #define FDSCRIPTS /* Need this for safe set-id scripts. */
57 #endif
58
59 /*
60 * exec_script_makecmds(): Check if it's an executable shell script.
61 *
62 * Given a proc pointer and an exec package pointer, see if the referent
63 * of the epp is in shell script. If it is, then set things up so that
64 * the script can be run. This involves preparing the address space
65 * and arguments for the shell which will run the script.
66 *
67 * This function is ultimately responsible for creating a set of vmcmds
68 * which can be used to build the process's vm space and inserting them
69 * into the exec package.
70 */
71 int
72 exec_script_makecmds(struct proc *p, struct exec_package *epp)
73 {
74 int error, hdrlinelen, shellnamelen, shellarglen;
75 char *hdrstr = epp->ep_hdr;
76 char *cp, *shellname, *shellarg, *oldpnbuf;
77 char **shellargp = NULL, **tmpsap;
78 struct vnode *scriptvp;
79 #ifdef SETUIDSCRIPTS
80 uid_t script_uid = -1;
81 gid_t script_gid = -1;
82 u_short script_sbits;
83 #endif
84
85 /*
86 * remember the old vp and pnbuf for later, so we can restore
87 * them if check_exec() fails.
88 */
89 scriptvp = epp->ep_vp;
90 oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
91
92 /*
93 * if the magic isn't that of a shell script, or we've already
94 * done shell script processing for this exec, punt on it.
95 */
96 if ((epp->ep_flags & EXEC_INDIR) != 0 ||
97 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
98 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
99 return ENOEXEC;
100
101 /*
102 * check that the shell spec is terminated by a newline,
103 * and that it isn't too large. Don't modify the
104 * buffer unless we're ready to commit to handling it.
105 * (The latter requirement means that we have to check
106 * for both spaces and tabs later on.)
107 */
108 hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
109 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
110 cp++) {
111 if (*cp == '\n') {
112 *cp = '\0';
113 break;
114 }
115 }
116 if (cp >= hdrstr + hdrlinelen)
117 return ENOEXEC;
118
119 shellname = NULL;
120 shellarg = NULL;
121 shellarglen = 0;
122
123 /* strip spaces before the shell name */
124 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
125 cp++)
126 ;
127
128 /* collect the shell name; remember its length for later */
129 shellname = cp;
130 shellnamelen = 0;
131 if (*cp == '\0')
132 goto check_shell;
133 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
134 shellnamelen++;
135 if (*cp == '\0')
136 goto check_shell;
137 *cp++ = '\0';
138
139 /* skip spaces before any argument */
140 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
141 ;
142 if (*cp == '\0')
143 goto check_shell;
144
145 /*
146 * collect the shell argument. everything after the shell name
147 * is passed as ONE argument; that's the correct (historical)
148 * behaviour.
149 */
150 shellarg = cp;
151 for ( /* cp = cp */ ; *cp != '\0'; cp++)
152 shellarglen++;
153 *cp++ = '\0';
154
155 check_shell:
156 #ifdef SETUIDSCRIPTS
157 /*
158 * MNT_NOSUID and STRC are already taken care of by check_exec,
159 * so we don't need to worry about them now or later.
160 */
161 script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
162 if (script_sbits != 0) {
163 script_uid = epp->ep_vap->va_uid;
164 script_gid = epp->ep_vap->va_gid;
165 }
166 #endif
167 #ifdef FDSCRIPTS
168 /*
169 * if the script isn't readable, or it's set-id, then we've
170 * gotta supply a "/dev/fd/..." for the shell to read.
171 * Note that stupid shells (csh) do the wrong thing, and
172 * close all open fd's when they start. That kills this
173 * method of implementing "safe" set-id and x-only scripts.
174 */
175 vn_lock(scriptvp, LK_EXCLUSIVE|LK_RETRY, p);
176 error = VOP_ACCESS(scriptvp, VREAD, p->p_ucred, p);
177 VOP_UNLOCK(scriptvp, 0, p);
178 if (error == EACCES
179 #ifdef SETUIDSCRIPTS
180 || script_sbits
181 #endif
182 ) {
183 struct file *fp;
184
185 #ifdef DIAGNOSTIC
186 if (epp->ep_flags & EXEC_HASFD)
187 panic("exec_script_makecmds: epp already has a fd");
188 #endif
189
190 if ((error = falloc(p, &fp, &epp->ep_fd)))
191 goto fail;
192
193 epp->ep_flags |= EXEC_HASFD;
194 fp->f_type = DTYPE_VNODE;
195 fp->f_ops = &vnops;
196 fp->f_data = (caddr_t) scriptvp;
197 fp->f_flag = FREAD;
198 FILE_SET_MATURE(fp);
199 }
200 #endif
201
202 /* set up the parameters for the recursive check_exec() call */
203 epp->ep_ndp->ni_dirp = shellname;
204 epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
205 epp->ep_flags |= EXEC_INDIR;
206
207 /* and set up the fake args list, for later */
208 MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
209 tmpsap = shellargp;
210 *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
211 strlcpy(*tmpsap++, shellname, shellnamelen + 1);
212 if (shellarg != NULL) {
213 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
214 strlcpy(*tmpsap++, shellarg, shellarglen + 1);
215 }
216 *tmpsap = malloc(MAXPATHLEN, M_EXEC, M_WAITOK);
217 #ifdef FDSCRIPTS
218 if ((epp->ep_flags & EXEC_HASFD) == 0) {
219 #endif
220 /* normally can't fail, but check for it if diagnostic */
221 #if NSYSTRACE > 0
222 if (ISSET(p->p_flag, P_SYSTRACE)) {
223 error = systrace_scriptname(p, *tmpsap);
224 if (error == 0)
225 tmpsap++;
226 else
227 /*
228 * Since systrace_scriptname() provides a
229 * convenience, not a security issue, we are
230 * safe to do this.
231 */
232 error = copystr(epp->ep_name, *tmpsap++,
233 MAXPATHLEN, NULL);
234 } else
235 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
236 NULL);
237 #else
238 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
239 (size_t *)0);
240 #endif
241 #ifdef DIAGNOSTIC
242 if (error != 0)
243 panic("exec_script: copyinstr couldn't fail");
244 #endif
245 #ifdef FDSCRIPTS
246 } else
247 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
248 #endif
249 *tmpsap = NULL;
250
251 /*
252 * mark the header we have as invalid; check_exec will read
253 * the header from the new executable
254 */
255 epp->ep_hdrvalid = 0;
256
257 if ((error = check_exec(p, epp)) == 0) {
258 /* note that we've clobbered the header */
259 epp->ep_flags |= EXEC_DESTR;
260
261 /*
262 * It succeeded. Unlock the script and
263 * close it if we aren't using it any more.
264 * Also, set things up so that the fake args
265 * list will be used.
266 */
267 if ((epp->ep_flags & EXEC_HASFD) == 0)
268 vn_close(scriptvp, FREAD, p->p_ucred, p);
269
270 /* free the old pathname buffer */
271 pool_put(&namei_pool, oldpnbuf);
272
273 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
274 epp->ep_fa = shellargp;
275 #ifdef SETUIDSCRIPTS
276 /*
277 * set things up so that set-id scripts will be
278 * handled appropriately
279 */
280 epp->ep_vap->va_mode |= script_sbits;
281 if (script_sbits & VSUID)
282 epp->ep_vap->va_uid = script_uid;
283 if (script_sbits & VSGID)
284 epp->ep_vap->va_gid = script_gid;
285 #endif
286 return (0);
287 }
288
289 /* XXX oldpnbuf not set for "goto fail" path */
290 epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
291 #ifdef FDSCRIPTS
292 fail:
293 #endif
294 /* note that we've clobbered the header */
295 epp->ep_flags |= EXEC_DESTR;
296
297 /* kill the opened file descriptor, else close the file */
298 if (epp->ep_flags & EXEC_HASFD) {
299 epp->ep_flags &= ~EXEC_HASFD;
300 (void) fdrelease(p, epp->ep_fd);
301 } else
302 vn_close(scriptvp, FREAD, p->p_ucred, p);
303
304 pool_put(&namei_pool, epp->ep_ndp->ni_cnd.cn_pnbuf);
305
306 /* free the fake arg list, because we're not returning it */
307 if ((tmpsap = shellargp) != NULL) {
308 while (*tmpsap != NULL) {
309 free(*tmpsap, M_EXEC);
310 tmpsap++;
311 }
312 FREE(shellargp, M_EXEC);
313 }
314
315 /*
316 * free any vmspace-creation commands,
317 * and release their references
318 */
319 kill_vmcmds(&epp->ep_vmcmds);
320
321 return error;
322 }