1 | /* $NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou |
5 | * All rights reserved. |
6 | * |
7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions |
9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. |
15 | * 3. All advertising materials mentioning features or use of this software |
16 | * must display the following acknowledgement: |
17 | * This product includes software developed by Christopher G. Demetriou. |
18 | * 4. The name of the author may not be used to endorse or promote products |
19 | * derived from this software without specific prior written permission |
20 | * |
21 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
22 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
23 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
24 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
25 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
26 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
27 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
28 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
29 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
30 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
31 | */ |
32 | |
33 | #include <sys/cdefs.h> |
34 | __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $" ); |
35 | |
36 | #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) |
37 | #define FDSCRIPTS /* Need this for safe set-id scripts. */ |
38 | #endif |
39 | |
40 | #include <sys/param.h> |
41 | #include <sys/systm.h> |
42 | #include <sys/proc.h> |
43 | #include <sys/kmem.h> |
44 | #include <sys/vnode.h> |
45 | #include <sys/namei.h> |
46 | #include <sys/file.h> |
47 | #ifdef SETUIDSCRIPTS |
48 | #include <sys/stat.h> |
49 | #endif |
50 | #include <sys/filedesc.h> |
51 | #include <sys/exec.h> |
52 | #include <sys/resourcevar.h> |
53 | #include <sys/module.h> |
54 | #include <sys/exec_script.h> |
55 | #include <sys/exec_elf.h> |
56 | |
MODULE(MODULE_CLASS_EXEC, exec_script, NULL);

/*
 * execsw entry for "#!" interpreter scripts.
 *
 * The format-specific parts are the header size check_exec() must
 * supply (SCRIPT_HDR_SIZE, the same bound exec_script_makecmds()
 * applies to the "#!" line) and the makecmds hook.  The remaining
 * hooks are left NULL/zero: this entry never builds an image of its
 * own, it re-runs check_exec() on the interpreter instead.
 */
static struct execsw exec_script_execsw = {
	/* format recognition */
	.es_hdrsz = SCRIPT_HDR_SIZE,
	.es_makecmds = exec_script_makecmds,
	.es_prio = EXECSW_PRIO_ANY,

	/* stack setup is the generic one; everything else is unused */
	.es_setup_stack = exec_setup_stack,
	.es_arglen = 0,
	.es_copyargs = NULL,
	.es_setregs = NULL,
	.es_coredump = NULL,
	.es_emul = NULL,
	.u = {
		.elf_probe_func = NULL,
	},
};
73 | |
/*
 * Module control hook: register/unregister the execsw entry, and refuse
 * to be auto-unloaded.  Returns 0 or an errno value.
 */
static int
exec_script_modcmd(modcmd_t cmd, void *arg)
{

	if (cmd == MODULE_CMD_INIT)
		return exec_add(&exec_script_execsw, 1);

	if (cmd == MODULE_CMD_FINI)
		return exec_remove(&exec_script_execsw, 1);

	if (cmd == MODULE_CMD_AUTOUNLOAD) {
		/*
		 * We don't want to be autounloaded because our use is
		 * transient: no executables with p_execsw equal to
		 * exec_script_execsw will exist, so FINI will never
		 * return EBUSY.  However, the system will run scripts
		 * often.  Return EBUSY here to prevent this module from
		 * ping-ponging in and out of the kernel.
		 */
		return EBUSY;
	}

	/* unknown command */
	return ENOTTY;
}
100 | |
/*
 * exec_script_makecmds(): Check if it's an executable shell script.
 *
 * Given an lwp pointer and an exec package pointer, see if the referent
 * of the epp is a shell script.  If it is, then set things up so that
 * the script can be run.  This involves preparing the address space
 * and arguments for the shell which will run the script.
 *
 * This function is ultimately responsible for creating a set of vmcmds
 * which can be used to build the process's vm space and inserting them
 * into the exec package.  It does so by recursing into check_exec() on
 * the interpreter named on the "#!" line.
 *
 * Returns 0 on success, with epp->ep_fa holding the fake argument list
 * (shell name, optional single shell argument, script path or
 * "/dev/fd/N", NULL terminator) and EXEC_HASARGL | EXEC_SKIPARG set.
 * Returns ENOEXEC if the header is not a "#!" line this function
 * accepts, otherwise the error from fd_allocfile(), pathbuf_create()
 * or check_exec().  On failure the fake argument list, the descriptor
 * (if one was allocated) and any vmcmds are released here; the script
 * vnode is released here only if it had already been moved out of
 * epp->ep_vp.
 */
int
exec_script_makecmds(struct lwp *l, struct exec_package *epp)
{
	int error, hdrlinelen, shellnamelen, shellarglen;
	char *hdrstr = epp->ep_hdr;
	char *cp, *shellname, *shellarg;
	size_t shellargp_len;
	struct exec_fakearg *shellargp;
	struct exec_fakearg *tmpsap;
	struct pathbuf *shell_pathbuf;
	struct vnode *scriptvp;
#ifdef SETUIDSCRIPTS
	/* Gcc needs those initialized for spurious uninitialized warning */
	uid_t script_uid = (uid_t) -1;
	gid_t script_gid = NOGROUP;
	u_short script_sbits;
#endif

	/*
	 * if the magic isn't that of a shell script, or we've already
	 * done shell script processing for this exec, punt on it.
	 * EXEC_INDIR is set below before recursing into check_exec(),
	 * so an interpreter that is itself a "#!" script is rejected
	 * here instead of being followed indefinitely.
	 */
	if ((epp->ep_flags & EXEC_INDIR) != 0 ||
	    epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
	    strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
		return ENOEXEC;

	/*
	 * Check that the shell spec is terminated by a newline, and that
	 * it isn't too large.  The header buffer is not NUL-terminated:
	 * this bounded scan both enforces the SCRIPT_HDR_SIZE limit and
	 * plants the '\0' that every unbounded *cp scan below relies on.
	 */
	hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
	    cp++) {
		if (*cp == '\n') {
			*cp = '\0';
			break;
		}
	}
	if (cp >= hdrstr + hdrlinelen)
		return ENOEXEC;

	/* strip spaces before the shell name */
	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
	    cp++)
		;
	/* a "#!" line naming no interpreter at all is not executable */
	if (*cp == '\0')
		return ENOEXEC;

	shellarg = NULL;
	shellarglen = 0;

	/* collect the shell name; remember its length for later */
	shellname = cp;
	shellnamelen = 0;
	for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
		shellnamelen++;
	if (*cp == '\0')
		goto check_shell;
	*cp++ = '\0';

	/* skip spaces before any argument */
	for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
		;
	if (*cp == '\0')
		goto check_shell;

	/*
	 * collect the shell argument.  everything after the shell name
	 * is passed as ONE argument; that's the correct (historical)
	 * behaviour.
	 */
	shellarg = cp;
	for ( /* cp = cp */ ; *cp != '\0'; cp++)
		shellarglen++;
	*cp++ = '\0';

check_shell:
#ifdef SETUIDSCRIPTS
	/*
	 * MNT_NOSUID has already been taken care of by check_exec,
	 * so we don't need to worry about it now or later.  We
	 * will need to check PSL_TRACED later, however.
	 * Remember the script's set-id bits and owner so they can be
	 * applied to the interpreter's attributes on success.
	 */
	script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
	if (script_sbits != 0) {
		script_uid = epp->ep_vap->va_uid;
		script_gid = epp->ep_vap->va_gid;
	}
#endif
#ifdef FDSCRIPTS
	/*
	 * if the script isn't readable, or it's set-id, then we've
	 * gotta supply a "/dev/fd/..." for the shell to read, so the
	 * shell is handed the vnode we just checked rather than the
	 * script's pathname.
	 * Note that stupid shells (csh) do the wrong thing, and
	 * close all open fd's when they start.  That kills this
	 * method of implementing "safe" set-id and x-only scripts.
	 */
	vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
	error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred);
	VOP_UNLOCK(epp->ep_vp);
	/*
	 * Only EACCES selects the descriptor path.  Any other
	 * VOP_ACCESS error is dropped here: error is unconditionally
	 * reassigned further down (copystr/pathbuf_create/check_exec).
	 */
	if (error == EACCES
#ifdef SETUIDSCRIPTS
	    || script_sbits
#endif
	    ) {
		struct file *fp;

		KASSERT(!(epp->ep_flags & EXEC_HASFD));

		if ((error = fd_allocfile(&fp, &epp->ep_fd)) != 0) {
			/*
			 * Nothing has been allocated or moved yet, and
			 * the script vnode is still in epp->ep_vp; the
			 * cleanup below must skip both.
			 */
			scriptvp = NULL;
			shellargp = NULL;
			goto fail;
		}
		epp->ep_flags |= EXEC_HASFD;
		fp->f_type = DTYPE_VNODE;
		fp->f_ops = &vnops;
		fp->f_vnode = epp->ep_vp;	/* the file now refers to the script */
		fp->f_flag = FREAD;
		fd_affix(curproc, fp, epp->ep_fd);
	}
#endif

	/*
	 * set up the fake args list: shell name, optional shell
	 * argument, script path (or "/dev/fd/N"), NULL terminator --
	 * at most four entries.
	 */
	shellargp_len = 4 * sizeof(*shellargp);
	shellargp = kmem_alloc(shellargp_len, KM_SLEEP);
	tmpsap = shellargp;
	tmpsap->fa_len = shellnamelen + 1;
	tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
	strlcpy(tmpsap->fa_arg, shellname, tmpsap->fa_len);
	tmpsap++;
	if (shellarg != NULL) {
		tmpsap->fa_len = shellarglen + 1;
		tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
		strlcpy(tmpsap->fa_arg, shellarg, tmpsap->fa_len);
		tmpsap++;
	}
	tmpsap->fa_len = MAXPATHLEN;
	tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP);
#ifdef FDSCRIPTS
	if ((epp->ep_flags & EXEC_HASFD) == 0) {
#endif
		/* normally can't fail, but check for it if diagnostic */
		error = copystr(epp->ep_kname, tmpsap->fa_arg, MAXPATHLEN,
		    NULL);
		KASSERT(error == 0);
		tmpsap++;
#ifdef FDSCRIPTS
	} else {
		snprintf(tmpsap->fa_arg, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
		tmpsap++;
	}
#endif
	/* terminator; fa_len is not set, the free loop below stops on fa_arg */
	tmpsap->fa_arg = NULL;

	/*
	 * Save the old vnode so we can clean it up later.  ep_vp is
	 * cleared so the recursive check_exec() can fill it with the
	 * interpreter's vnode.
	 */
	scriptvp = epp->ep_vp;
	epp->ep_vp = NULL;

	/* Note that we're trying recursively. */
	epp->ep_flags |= EXEC_INDIR;

	/*
	 * mark the header we have as invalid; check_exec will read
	 * the header from the new executable
	 */
	epp->ep_hdrvalid = 0;

	/* try loading the interpreter */
	shell_pathbuf = pathbuf_create(shellname);
	if (shell_pathbuf == NULL) {
		error = ENOMEM;
	} else {
		error = check_exec(l, epp, shell_pathbuf);
		pathbuf_destroy(shell_pathbuf);
	}

	/*
	 * note that we've clobbered the header -- set whether or not
	 * check_exec() succeeded
	 */
	epp->ep_flags |= EXEC_DESTR;

	if (error == 0) {
		/*
		 * It succeeded.  Unlock the script and
		 * close it if we aren't using it any more.
		 * With EXEC_HASFD set the descriptor's struct file
		 * still refers to the script vnode, so it is kept.
		 * Also, set things up so that the fake args
		 * list will be used.
		 */
		if ((epp->ep_flags & EXEC_HASFD) == 0) {
			vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
			VOP_CLOSE(scriptvp, FREAD, l->l_cred);
			vput(scriptvp);
		}

		epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
		epp->ep_fa = shellargp;
		epp->ep_fa_len = shellargp_len;
#ifdef SETUIDSCRIPTS
		/*
		 * set things up so that set-id scripts will be
		 * handled appropriately.  PSL_TRACED will be
		 * checked later when the shell is actually
		 * exec'd.  The set-id bits and owner recorded from
		 * the script are copied onto the interpreter's
		 * attributes; presumably the set-id handling that
		 * consumes ep_vap then sees the script's owner rather
		 * than the interpreter's.
		 */
		epp->ep_vap->va_mode |= script_sbits;
		if (script_sbits & S_ISUID)
			epp->ep_vap->va_uid = script_uid;
		if (script_sbits & S_ISGID)
			epp->ep_vap->va_gid = script_gid;
#endif
		return (0);
	}

#ifdef FDSCRIPTS
fail:
#endif

	/*
	 * kill the opened file descriptor, else close the file.
	 * scriptvp is NULL only on the fd_allocfile() failure path,
	 * where the script is still in epp->ep_vp for the caller.
	 */
	if (epp->ep_flags & EXEC_HASFD) {
		epp->ep_flags &= ~EXEC_HASFD;
		fd_close(epp->ep_fd);
	} else if (scriptvp) {
		vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
		VOP_CLOSE(scriptvp, FREAD, l->l_cred);
		vput(scriptvp);
	}

	/* free the fake arg list, because we're not returning it */
	if ((tmpsap = shellargp) != NULL) {
		while (tmpsap->fa_arg != NULL) {
			kmem_free(tmpsap->fa_arg, tmpsap->fa_len);
			tmpsap++;
		}
		kmem_free(shellargp, shellargp_len);
	}

	/*
	 * free any vmspace-creation commands,
	 * and release their references
	 */
	kill_vmcmds(&epp->ep_vmcmds);

	return error;
}
357 | |