1/* $NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $ */
2
3/*
4 * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Christopher G. Demetriou.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#include <sys/cdefs.h>
34__KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $");
35
36#if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
37#define FDSCRIPTS /* Need this for safe set-id scripts. */
38#endif
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/proc.h>
43#include <sys/kmem.h>
44#include <sys/vnode.h>
45#include <sys/namei.h>
46#include <sys/file.h>
47#ifdef SETUIDSCRIPTS
48#include <sys/stat.h>
49#endif
50#include <sys/filedesc.h>
51#include <sys/exec.h>
52#include <sys/resourcevar.h>
53#include <sys/module.h>
54#include <sys/exec_script.h>
55#include <sys/exec_elf.h>
56
57MODULE(MODULE_CLASS_EXEC, exec_script, NULL);
58
59static struct execsw exec_script_execsw = {
60 .es_hdrsz = SCRIPT_HDR_SIZE,
61 .es_makecmds = exec_script_makecmds,
62 .u = {
63 .elf_probe_func = NULL,
64 },
65 .es_emul = NULL,
66 .es_prio = EXECSW_PRIO_ANY,
67 .es_arglen = 0,
68 .es_copyargs = NULL,
69 .es_setregs = NULL,
70 .es_coredump = NULL,
71 .es_setup_stack = exec_setup_stack,
72};
73
74static int
75exec_script_modcmd(modcmd_t cmd, void *arg)
76{
77
78 switch (cmd) {
79 case MODULE_CMD_INIT:
80 return exec_add(&exec_script_execsw, 1);
81
82 case MODULE_CMD_FINI:
83 return exec_remove(&exec_script_execsw, 1);
84
85 case MODULE_CMD_AUTOUNLOAD:
86 /*
87 * We don't want to be autounloaded because our use is
88 * transient: no executables with p_execsw equal to
89 * exec_script_execsw will exist, so FINI will never
90 * return EBUSY. However, the system will run scripts
91 * often. Return EBUSY here to prevent this module from
92 * ping-ponging in and out of the kernel.
93 */
94 return EBUSY;
95
96 default:
97 return ENOTTY;
98 }
99}
100
101/*
102 * exec_script_makecmds(): Check if it's an executable shell script.
103 *
104 * Given a proc pointer and an exec package pointer, see if the referent
105 * of the epp is in shell script. If it is, then set thing up so that
106 * the script can be run. This involves preparing the address space
107 * and arguments for the shell which will run the script.
108 *
109 * This function is ultimately responsible for creating a set of vmcmds
110 * which can be used to build the process's vm space and inserting them
111 * into the exec package.
112 */
113int
114exec_script_makecmds(struct lwp *l, struct exec_package *epp)
115{
116 int error, hdrlinelen, shellnamelen, shellarglen;
117 char *hdrstr = epp->ep_hdr;
118 char *cp, *shellname, *shellarg;
119 size_t shellargp_len;
120 struct exec_fakearg *shellargp;
121 struct exec_fakearg *tmpsap;
122 struct pathbuf *shell_pathbuf;
123 struct vnode *scriptvp;
124#ifdef SETUIDSCRIPTS
125 /* Gcc needs those initialized for spurious uninitialized warning */
126 uid_t script_uid = (uid_t) -1;
127 gid_t script_gid = NOGROUP;
128 u_short script_sbits;
129#endif
130
131 /*
132 * if the magic isn't that of a shell script, or we've already
133 * done shell script processing for this exec, punt on it.
134 */
135 if ((epp->ep_flags & EXEC_INDIR) != 0 ||
136 epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
137 strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
138 return ENOEXEC;
139
140 /*
141 * Check that the shell spec is terminated by a newline, and that
142 * it isn't too large.
143 */
144 hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
145 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
146 cp++) {
147 if (*cp == '\n') {
148 *cp = '\0';
149 break;
150 }
151 }
152 if (cp >= hdrstr + hdrlinelen)
153 return ENOEXEC;
154
155 /* strip spaces before the shell name */
156 for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
157 cp++)
158 ;
159 if (*cp == '\0')
160 return ENOEXEC;
161
162 shellarg = NULL;
163 shellarglen = 0;
164
165 /* collect the shell name; remember its length for later */
166 shellname = cp;
167 shellnamelen = 0;
168 for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
169 shellnamelen++;
170 if (*cp == '\0')
171 goto check_shell;
172 *cp++ = '\0';
173
174 /* skip spaces before any argument */
175 for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
176 ;
177 if (*cp == '\0')
178 goto check_shell;
179
180 /*
181 * collect the shell argument. everything after the shell name
182 * is passed as ONE argument; that's the correct (historical)
183 * behaviour.
184 */
185 shellarg = cp;
186 for ( /* cp = cp */ ; *cp != '\0'; cp++)
187 shellarglen++;
188 *cp++ = '\0';
189
190check_shell:
191#ifdef SETUIDSCRIPTS
192 /*
193 * MNT_NOSUID has already taken care of by check_exec,
194 * so we don't need to worry about it now or later. We
195 * will need to check PSL_TRACED later, however.
196 */
197 script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
198 if (script_sbits != 0) {
199 script_uid = epp->ep_vap->va_uid;
200 script_gid = epp->ep_vap->va_gid;
201 }
202#endif
203#ifdef FDSCRIPTS
204 /*
205 * if the script isn't readable, or it's set-id, then we've
206 * gotta supply a "/dev/fd/..." for the shell to read.
207 * Note that stupid shells (csh) do the wrong thing, and
208 * close all open fd's when the start. That kills this
209 * method of implementing "safe" set-id and x-only scripts.
210 */
211 vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
212 error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred);
213 VOP_UNLOCK(epp->ep_vp);
214 if (error == EACCES
215#ifdef SETUIDSCRIPTS
216 || script_sbits
217#endif
218 ) {
219 struct file *fp;
220
221 KASSERT(!(epp->ep_flags & EXEC_HASFD));
222
223 if ((error = fd_allocfile(&fp, &epp->ep_fd)) != 0) {
224 scriptvp = NULL;
225 shellargp = NULL;
226 goto fail;
227 }
228 epp->ep_flags |= EXEC_HASFD;
229 fp->f_type = DTYPE_VNODE;
230 fp->f_ops = &vnops;
231 fp->f_vnode = epp->ep_vp;
232 fp->f_flag = FREAD;
233 fd_affix(curproc, fp, epp->ep_fd);
234 }
235#endif
236
237 /* set up the fake args list */
238 shellargp_len = 4 * sizeof(*shellargp);
239 shellargp = kmem_alloc(shellargp_len, KM_SLEEP);
240 tmpsap = shellargp;
241 tmpsap->fa_len = shellnamelen + 1;
242 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
243 strlcpy(tmpsap->fa_arg, shellname, tmpsap->fa_len);
244 tmpsap++;
245 if (shellarg != NULL) {
246 tmpsap->fa_len = shellarglen + 1;
247 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
248 strlcpy(tmpsap->fa_arg, shellarg, tmpsap->fa_len);
249 tmpsap++;
250 }
251 tmpsap->fa_len = MAXPATHLEN;
252 tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
253#ifdef FDSCRIPTS
254 if ((epp->ep_flags & EXEC_HASFD) == 0) {
255#endif
256 /* normally can't fail, but check for it if diagnostic */
257 error = copystr(epp->ep_kname, tmpsap->fa_arg, MAXPATHLEN,
258 NULL);
259 KASSERT(error == 0);
260 tmpsap++;
261#ifdef FDSCRIPTS
262 } else {
263 snprintf(tmpsap->fa_arg, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
264 tmpsap++;
265 }
266#endif
267 tmpsap->fa_arg = NULL;
268
269 /* Save the old vnode so we can clean it up later. */
270 scriptvp = epp->ep_vp;
271 epp->ep_vp = NULL;
272
273 /* Note that we're trying recursively. */
274 epp->ep_flags |= EXEC_INDIR;
275
276 /*
277 * mark the header we have as invalid; check_exec will read
278 * the header from the new executable
279 */
280 epp->ep_hdrvalid = 0;
281
282 /* try loading the interpreter */
283 shell_pathbuf = pathbuf_create(shellname);
284 if (shell_pathbuf == NULL) {
285 error = ENOMEM;
286 } else {
287 error = check_exec(l, epp, shell_pathbuf);
288 pathbuf_destroy(shell_pathbuf);
289 }
290
291 /* note that we've clobbered the header */
292 epp->ep_flags |= EXEC_DESTR;
293
294 if (error == 0) {
295 /*
296 * It succeeded. Unlock the script and
297 * close it if we aren't using it any more.
298 * Also, set things up so that the fake args
299 * list will be used.
300 */
301 if ((epp->ep_flags & EXEC_HASFD) == 0) {
302 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
303 VOP_CLOSE(scriptvp, FREAD, l->l_cred);
304 vput(scriptvp);
305 }
306
307 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
308 epp->ep_fa = shellargp;
309 epp->ep_fa_len = shellargp_len;
310#ifdef SETUIDSCRIPTS
311 /*
312 * set thing up so that set-id scripts will be
313 * handled appropriately. PSL_TRACED will be
314 * checked later when the shell is actually
315 * exec'd.
316 */
317 epp->ep_vap->va_mode |= script_sbits;
318 if (script_sbits & S_ISUID)
319 epp->ep_vap->va_uid = script_uid;
320 if (script_sbits & S_ISGID)
321 epp->ep_vap->va_gid = script_gid;
322#endif
323 return (0);
324 }
325
326#ifdef FDSCRIPTS
327fail:
328#endif
329
330 /* kill the opened file descriptor, else close the file */
331 if (epp->ep_flags & EXEC_HASFD) {
332 epp->ep_flags &= ~EXEC_HASFD;
333 fd_close(epp->ep_fd);
334 } else if (scriptvp) {
335 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
336 VOP_CLOSE(scriptvp, FREAD, l->l_cred);
337 vput(scriptvp);
338 }
339
340 /* free the fake arg list, because we're not returning it */
341 if ((tmpsap = shellargp) != NULL) {
342 while (tmpsap->fa_arg != NULL) {
343 kmem_free(tmpsap->fa_arg, tmpsap->fa_len);
344 tmpsap++;
345 }
346 kmem_free(shellargp, shellargp_len);
347 }
348
349 /*
350 * free any vmspace-creation commands,
351 * and release their references
352 */
353 kill_vmcmds(&epp->ep_vmcmds);
354
355 return error;
356}
357