| 1 | /* $NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $ */ |
| 2 | |
| 3 | /* |
| 4 | * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou |
| 5 | * All rights reserved. |
| 6 | * |
| 7 | * Redistribution and use in source and binary forms, with or without |
| 8 | * modification, are permitted provided that the following conditions |
| 9 | * are met: |
| 10 | * 1. Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * 2. Redistributions in binary form must reproduce the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer in the |
| 14 | * documentation and/or other materials provided with the distribution. |
| 15 | * 3. All advertising materials mentioning features or use of this software |
| 16 | * must display the following acknowledgement: |
| 17 | * This product includes software developed by Christopher G. Demetriou. |
| 18 | * 4. The name of the author may not be used to endorse or promote products |
| 19 | * derived from this software without specific prior written permission |
| 20 | * |
| 21 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 22 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 23 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 24 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 25 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 26 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 27 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 28 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 29 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 30 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 31 | */ |
| 32 | |
| 33 | #include <sys/cdefs.h> |
| 34 | __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.74 2014/09/05 09:20:59 matt Exp $" ); |
| 35 | |
| 36 | #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS) |
| 37 | #define FDSCRIPTS /* Need this for safe set-id scripts. */ |
| 38 | #endif |
| 39 | |
| 40 | #include <sys/param.h> |
| 41 | #include <sys/systm.h> |
| 42 | #include <sys/proc.h> |
| 43 | #include <sys/kmem.h> |
| 44 | #include <sys/vnode.h> |
| 45 | #include <sys/namei.h> |
| 46 | #include <sys/file.h> |
| 47 | #ifdef SETUIDSCRIPTS |
| 48 | #include <sys/stat.h> |
| 49 | #endif |
| 50 | #include <sys/filedesc.h> |
| 51 | #include <sys/exec.h> |
| 52 | #include <sys/resourcevar.h> |
| 53 | #include <sys/module.h> |
| 54 | #include <sys/exec_script.h> |
| 55 | #include <sys/exec_elf.h> |
| 56 | |
/*
 * Register this file as a loadable kernel module of class "exec" named
 * exec_script.  The third argument is the required-module list, left
 * NULL here; exec_script_modcmd() below services the module commands.
 */
MODULE(MODULE_CLASS_EXEC, exec_script, NULL);
| 58 | |
/*
 * Exec switch entry for "#!" scripts.
 *
 * Only three members carry information: the number of header bytes to
 * read before probing (SCRIPT_HDR_SIZE), the probe/setup hook
 * (exec_script_makecmds, which recurses into check_exec() for the
 * interpreter) and the stack-setup hook.  Every other member is spelled
 * out as zero/NULL so that the absence of an emulation, argument copier,
 * register setup and core dumper is explicit rather than implied by
 * designated-initializer defaults.
 */
static struct execsw exec_script_execsw = {
	/* how much of the file to read before es_makecmds is tried */
	.es_hdrsz	= SCRIPT_HDR_SIZE,
	/* hooks this handler provides */
	.es_makecmds	= exec_script_makecmds,
	.es_setup_stack	= exec_setup_stack,
	/* hooks and data this handler does not provide */
	.es_emul	= NULL,
	.es_arglen	= 0,
	.es_copyargs	= NULL,
	.es_setregs	= NULL,
	.es_coredump	= NULL,
	.u		= { .elf_probe_func = NULL },
	/* ordering priority within the exec switch */
	.es_prio	= EXECSW_PRIO_ANY,
};
| 73 | |
/*
 * exec_script_modcmd(): module control entry point.
 *
 * MODULE_CMD_INIT registers exec_script_execsw (one entry) with the exec
 * switch and MODULE_CMD_FINI removes it again; both return whatever
 * exec_add()/exec_remove() return.  MODULE_CMD_AUTOUNLOAD is refused
 * with EBUSY so the module stays resident.  Any other command yields
 * ENOTTY.  "arg" is unused.
 */
static int
exec_script_modcmd(modcmd_t cmd, void *arg)
{
	int error;

	switch (cmd) {
	case MODULE_CMD_INIT:
		error = exec_add(&exec_script_execsw, 1);
		break;

	case MODULE_CMD_FINI:
		error = exec_remove(&exec_script_execsw, 1);
		break;

	case MODULE_CMD_AUTOUNLOAD:
		/*
		 * Refuse autounload.  Our use is transient: no process
		 * ever ends up with p_execsw equal to exec_script_execsw,
		 * so FINI would never report EBUSY and the module would
		 * be unloaded after every script and reloaded for the
		 * next one.  Returning EBUSY here stops that ping-pong.
		 */
		error = EBUSY;
		break;

	default:
		error = ENOTTY;
		break;
	}

	return error;
}
| 100 | |
| 101 | /* |
| 102 | * exec_script_makecmds(): Check if it's an executable shell script. |
| 103 | * |
| 104 | * Given a proc pointer and an exec package pointer, see if the referent |
| 105 | * of the epp is in shell script. If it is, then set thing up so that |
| 106 | * the script can be run. This involves preparing the address space |
| 107 | * and arguments for the shell which will run the script. |
| 108 | * |
| 109 | * This function is ultimately responsible for creating a set of vmcmds |
| 110 | * which can be used to build the process's vm space and inserting them |
| 111 | * into the exec package. |
| 112 | */ |
| 113 | int |
| 114 | exec_script_makecmds(struct lwp *l, struct exec_package *epp) |
| 115 | { |
| 116 | int error, hdrlinelen, shellnamelen, shellarglen; |
| 117 | char *hdrstr = epp->ep_hdr; |
| 118 | char *cp, *shellname, *shellarg; |
| 119 | size_t shellargp_len; |
| 120 | struct exec_fakearg *shellargp; |
| 121 | struct exec_fakearg *tmpsap; |
| 122 | struct pathbuf *shell_pathbuf; |
| 123 | struct vnode *scriptvp; |
| 124 | #ifdef SETUIDSCRIPTS |
| 125 | /* Gcc needs those initialized for spurious uninitialized warning */ |
| 126 | uid_t script_uid = (uid_t) -1; |
| 127 | gid_t script_gid = NOGROUP; |
| 128 | u_short script_sbits; |
| 129 | #endif |
| 130 | |
| 131 | /* |
| 132 | * if the magic isn't that of a shell script, or we've already |
| 133 | * done shell script processing for this exec, punt on it. |
| 134 | */ |
| 135 | if ((epp->ep_flags & EXEC_INDIR) != 0 || |
| 136 | epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN || |
| 137 | strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN)) |
| 138 | return ENOEXEC; |
| 139 | |
| 140 | /* |
| 141 | * Check that the shell spec is terminated by a newline, and that |
| 142 | * it isn't too large. |
| 143 | */ |
| 144 | hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE); |
| 145 | for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen; |
| 146 | cp++) { |
| 147 | if (*cp == '\n') { |
| 148 | *cp = '\0'; |
| 149 | break; |
| 150 | } |
| 151 | } |
| 152 | if (cp >= hdrstr + hdrlinelen) |
| 153 | return ENOEXEC; |
| 154 | |
| 155 | /* strip spaces before the shell name */ |
| 156 | for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t'; |
| 157 | cp++) |
| 158 | ; |
| 159 | if (*cp == '\0') |
| 160 | return ENOEXEC; |
| 161 | |
| 162 | shellarg = NULL; |
| 163 | shellarglen = 0; |
| 164 | |
| 165 | /* collect the shell name; remember its length for later */ |
| 166 | shellname = cp; |
| 167 | shellnamelen = 0; |
| 168 | for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++) |
| 169 | shellnamelen++; |
| 170 | if (*cp == '\0') |
| 171 | goto check_shell; |
| 172 | *cp++ = '\0'; |
| 173 | |
| 174 | /* skip spaces before any argument */ |
| 175 | for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++) |
| 176 | ; |
| 177 | if (*cp == '\0') |
| 178 | goto check_shell; |
| 179 | |
| 180 | /* |
| 181 | * collect the shell argument. everything after the shell name |
| 182 | * is passed as ONE argument; that's the correct (historical) |
| 183 | * behaviour. |
| 184 | */ |
| 185 | shellarg = cp; |
| 186 | for ( /* cp = cp */ ; *cp != '\0'; cp++) |
| 187 | shellarglen++; |
| 188 | *cp++ = '\0'; |
| 189 | |
| 190 | check_shell: |
| 191 | #ifdef SETUIDSCRIPTS |
| 192 | /* |
| 193 | * MNT_NOSUID has already taken care of by check_exec, |
| 194 | * so we don't need to worry about it now or later. We |
| 195 | * will need to check PSL_TRACED later, however. |
| 196 | */ |
| 197 | script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID); |
| 198 | if (script_sbits != 0) { |
| 199 | script_uid = epp->ep_vap->va_uid; |
| 200 | script_gid = epp->ep_vap->va_gid; |
| 201 | } |
| 202 | #endif |
| 203 | #ifdef FDSCRIPTS |
| 204 | /* |
| 205 | * if the script isn't readable, or it's set-id, then we've |
| 206 | * gotta supply a "/dev/fd/..." for the shell to read. |
| 207 | * Note that stupid shells (csh) do the wrong thing, and |
| 208 | * close all open fd's when the start. That kills this |
| 209 | * method of implementing "safe" set-id and x-only scripts. |
| 210 | */ |
| 211 | vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY); |
| 212 | error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred); |
| 213 | VOP_UNLOCK(epp->ep_vp); |
| 214 | if (error == EACCES |
| 215 | #ifdef SETUIDSCRIPTS |
| 216 | || script_sbits |
| 217 | #endif |
| 218 | ) { |
| 219 | struct file *fp; |
| 220 | |
| 221 | KASSERT(!(epp->ep_flags & EXEC_HASFD)); |
| 222 | |
| 223 | if ((error = fd_allocfile(&fp, &epp->ep_fd)) != 0) { |
| 224 | scriptvp = NULL; |
| 225 | shellargp = NULL; |
| 226 | goto fail; |
| 227 | } |
| 228 | epp->ep_flags |= EXEC_HASFD; |
| 229 | fp->f_type = DTYPE_VNODE; |
| 230 | fp->f_ops = &vnops; |
| 231 | fp->f_vnode = epp->ep_vp; |
| 232 | fp->f_flag = FREAD; |
| 233 | fd_affix(curproc, fp, epp->ep_fd); |
| 234 | } |
| 235 | #endif |
| 236 | |
| 237 | /* set up the fake args list */ |
| 238 | shellargp_len = 4 * sizeof(*shellargp); |
| 239 | shellargp = kmem_alloc(shellargp_len, KM_SLEEP); |
| 240 | tmpsap = shellargp; |
| 241 | tmpsap->fa_len = shellnamelen + 1; |
| 242 | tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); |
| 243 | strlcpy(tmpsap->fa_arg, shellname, tmpsap->fa_len); |
| 244 | tmpsap++; |
| 245 | if (shellarg != NULL) { |
| 246 | tmpsap->fa_len = shellarglen + 1; |
| 247 | tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); |
| 248 | strlcpy(tmpsap->fa_arg, shellarg, tmpsap->fa_len); |
| 249 | tmpsap++; |
| 250 | } |
| 251 | tmpsap->fa_len = MAXPATHLEN; |
| 252 | tmpsap->fa_arg = kmem_alloc(tmpsap->fa_len, KM_SLEEP); |
| 253 | #ifdef FDSCRIPTS |
| 254 | if ((epp->ep_flags & EXEC_HASFD) == 0) { |
| 255 | #endif |
| 256 | /* normally can't fail, but check for it if diagnostic */ |
| 257 | error = copystr(epp->ep_kname, tmpsap->fa_arg, MAXPATHLEN, |
| 258 | NULL); |
| 259 | KASSERT(error == 0); |
| 260 | tmpsap++; |
| 261 | #ifdef FDSCRIPTS |
| 262 | } else { |
| 263 | snprintf(tmpsap->fa_arg, MAXPATHLEN, "/dev/fd/%d" , epp->ep_fd); |
| 264 | tmpsap++; |
| 265 | } |
| 266 | #endif |
| 267 | tmpsap->fa_arg = NULL; |
| 268 | |
| 269 | /* Save the old vnode so we can clean it up later. */ |
| 270 | scriptvp = epp->ep_vp; |
| 271 | epp->ep_vp = NULL; |
| 272 | |
| 273 | /* Note that we're trying recursively. */ |
| 274 | epp->ep_flags |= EXEC_INDIR; |
| 275 | |
| 276 | /* |
| 277 | * mark the header we have as invalid; check_exec will read |
| 278 | * the header from the new executable |
| 279 | */ |
| 280 | epp->ep_hdrvalid = 0; |
| 281 | |
| 282 | /* try loading the interpreter */ |
| 283 | shell_pathbuf = pathbuf_create(shellname); |
| 284 | if (shell_pathbuf == NULL) { |
| 285 | error = ENOMEM; |
| 286 | } else { |
| 287 | error = check_exec(l, epp, shell_pathbuf); |
| 288 | pathbuf_destroy(shell_pathbuf); |
| 289 | } |
| 290 | |
| 291 | /* note that we've clobbered the header */ |
| 292 | epp->ep_flags |= EXEC_DESTR; |
| 293 | |
| 294 | if (error == 0) { |
| 295 | /* |
| 296 | * It succeeded. Unlock the script and |
| 297 | * close it if we aren't using it any more. |
| 298 | * Also, set things up so that the fake args |
| 299 | * list will be used. |
| 300 | */ |
| 301 | if ((epp->ep_flags & EXEC_HASFD) == 0) { |
| 302 | vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); |
| 303 | VOP_CLOSE(scriptvp, FREAD, l->l_cred); |
| 304 | vput(scriptvp); |
| 305 | } |
| 306 | |
| 307 | epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG); |
| 308 | epp->ep_fa = shellargp; |
| 309 | epp->ep_fa_len = shellargp_len; |
| 310 | #ifdef SETUIDSCRIPTS |
| 311 | /* |
| 312 | * set thing up so that set-id scripts will be |
| 313 | * handled appropriately. PSL_TRACED will be |
| 314 | * checked later when the shell is actually |
| 315 | * exec'd. |
| 316 | */ |
| 317 | epp->ep_vap->va_mode |= script_sbits; |
| 318 | if (script_sbits & S_ISUID) |
| 319 | epp->ep_vap->va_uid = script_uid; |
| 320 | if (script_sbits & S_ISGID) |
| 321 | epp->ep_vap->va_gid = script_gid; |
| 322 | #endif |
| 323 | return (0); |
| 324 | } |
| 325 | |
| 326 | #ifdef FDSCRIPTS |
| 327 | fail: |
| 328 | #endif |
| 329 | |
| 330 | /* kill the opened file descriptor, else close the file */ |
| 331 | if (epp->ep_flags & EXEC_HASFD) { |
| 332 | epp->ep_flags &= ~EXEC_HASFD; |
| 333 | fd_close(epp->ep_fd); |
| 334 | } else if (scriptvp) { |
| 335 | vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY); |
| 336 | VOP_CLOSE(scriptvp, FREAD, l->l_cred); |
| 337 | vput(scriptvp); |
| 338 | } |
| 339 | |
| 340 | /* free the fake arg list, because we're not returning it */ |
| 341 | if ((tmpsap = shellargp) != NULL) { |
| 342 | while (tmpsap->fa_arg != NULL) { |
| 343 | kmem_free(tmpsap->fa_arg, tmpsap->fa_len); |
| 344 | tmpsap++; |
| 345 | } |
| 346 | kmem_free(shellargp, shellargp_len); |
| 347 | } |
| 348 | |
| 349 | /* |
| 350 | * free any vmspace-creation commands, |
| 351 | * and release their references |
| 352 | */ |
| 353 | kill_vmcmds(&epp->ep_vmcmds); |
| 354 | |
| 355 | return error; |
| 356 | } |
| 357 | |