347 lines
10 KiB
C
347 lines
10 KiB
C
/* $NetBSD: exec_script.c,v 1.57 2007/04/22 08:30:00 dsl Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by Christopher G. Demetriou.
|
|
* 4. The name of the author may not be used to endorse or promote products
|
|
* derived from this software without specific prior written permission
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.57 2007/04/22 08:30:00 dsl Exp $");
|
|
|
|
#if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
|
|
#define FDSCRIPTS /* Need this for safe set-id scripts. */
|
|
#endif
|
|
|
|
#include "veriexec.h"
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/proc.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/vnode.h>
|
|
#include <sys/namei.h>
|
|
#include <sys/file.h>
|
|
#ifdef SETUIDSCRIPTS
|
|
#include <sys/stat.h>
|
|
#endif
|
|
#include <sys/filedesc.h>
|
|
#include <sys/exec.h>
|
|
#include <sys/resourcevar.h>
|
|
|
|
#include <sys/exec_script.h>
|
|
#include <sys/exec_elf.h>
|
|
|
|
#ifdef SYSTRACE
|
|
#include <sys/systrace.h>
|
|
#endif /* SYSTRACE */
|
|
|
|
/*
|
|
* exec_script_makecmds(): Check if it's an executable shell script.
|
|
*
|
|
* Given a proc pointer and an exec package pointer, see if the referent
|
|
* of the epp is in shell script. If it is, then set thing up so that
|
|
* the script can be run. This involves preparing the address space
|
|
* and arguments for the shell which will run the script.
|
|
*
|
|
* This function is ultimately responsible for creating a set of vmcmds
|
|
* which can be used to build the process's vm space and inserting them
|
|
* into the exec package.
|
|
*/
|
|
int
|
|
exec_script_makecmds(struct lwp *l, struct exec_package *epp)
|
|
{
|
|
int error, hdrlinelen, shellnamelen, shellarglen;
|
|
char *hdrstr = epp->ep_hdr;
|
|
char *cp, *shellname, *shellarg, *oldpnbuf;
|
|
char **shellargp, **tmpsap;
|
|
struct vnode *scriptvp;
|
|
#ifdef SETUIDSCRIPTS
|
|
/* Gcc needs those initialized for spurious uninitialized warning */
|
|
uid_t script_uid = (uid_t) -1;
|
|
gid_t script_gid = NOGROUP;
|
|
u_short script_sbits;
|
|
#endif
|
|
|
|
/*
|
|
* if the magic isn't that of a shell script, or we've already
|
|
* done shell script processing for this exec, punt on it.
|
|
*/
|
|
if ((epp->ep_flags & EXEC_INDIR) != 0 ||
|
|
epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
|
|
strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
|
|
return ENOEXEC;
|
|
|
|
/*
|
|
* check that the shell spec is terminated by a newline,
|
|
* and that it isn't too large. Don't modify the
|
|
* buffer unless we're ready to commit to handling it.
|
|
* (The latter requirement means that we have to check
|
|
* for both spaces and tabs later on.)
|
|
*/
|
|
hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
|
|
for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
|
|
cp++) {
|
|
if (*cp == '\n') {
|
|
*cp = '\0';
|
|
break;
|
|
}
|
|
}
|
|
if (cp >= hdrstr + hdrlinelen)
|
|
return ENOEXEC;
|
|
|
|
/*
|
|
* If the script has an ELF header, don't exec it.
|
|
*/
|
|
if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
|
|
memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
|
|
return ENOEXEC;
|
|
|
|
shellname = NULL;
|
|
shellarg = NULL;
|
|
shellarglen = 0;
|
|
|
|
/* strip spaces before the shell name */
|
|
for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
|
|
cp++)
|
|
;
|
|
|
|
/* collect the shell name; remember it's length for later */
|
|
shellname = cp;
|
|
shellnamelen = 0;
|
|
if (*cp == '\0')
|
|
goto check_shell;
|
|
for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
|
|
shellnamelen++;
|
|
if (*cp == '\0')
|
|
goto check_shell;
|
|
*cp++ = '\0';
|
|
|
|
/* skip spaces before any argument */
|
|
for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
|
|
;
|
|
if (*cp == '\0')
|
|
goto check_shell;
|
|
|
|
/*
|
|
* collect the shell argument. everything after the shell name
|
|
* is passed as ONE argument; that's the correct (historical)
|
|
* behaviour.
|
|
*/
|
|
shellarg = cp;
|
|
for ( /* cp = cp */ ; *cp != '\0'; cp++)
|
|
shellarglen++;
|
|
*cp++ = '\0';
|
|
|
|
check_shell:
|
|
#ifdef SETUIDSCRIPTS
|
|
/*
|
|
* MNT_NOSUID has already taken care of by check_exec,
|
|
* so we don't need to worry about it now or later. We
|
|
* will need to check PSL_TRACED later, however.
|
|
*/
|
|
script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
|
|
if (script_sbits != 0) {
|
|
script_uid = epp->ep_vap->va_uid;
|
|
script_gid = epp->ep_vap->va_gid;
|
|
}
|
|
#endif
|
|
#ifdef FDSCRIPTS
|
|
/*
|
|
* if the script isn't readable, or it's set-id, then we've
|
|
* gotta supply a "/dev/fd/..." for the shell to read.
|
|
* Note that stupid shells (csh) do the wrong thing, and
|
|
* close all open fd's when the start. That kills this
|
|
* method of implementing "safe" set-id and x-only scripts.
|
|
*/
|
|
vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
|
|
error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred, l);
|
|
VOP_UNLOCK(epp->ep_vp, 0);
|
|
if (error == EACCES
|
|
#ifdef SETUIDSCRIPTS
|
|
|| script_sbits
|
|
#endif
|
|
) {
|
|
struct file *fp;
|
|
|
|
#if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
|
|
if (epp->ep_flags & EXEC_HASFD)
|
|
panic("exec_script_makecmds: epp already has a fd");
|
|
#endif
|
|
|
|
/* falloc() will use the descriptor for us */
|
|
if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) {
|
|
scriptvp = NULL;
|
|
shellargp = NULL;
|
|
goto fail;
|
|
}
|
|
|
|
epp->ep_flags |= EXEC_HASFD;
|
|
fp->f_type = DTYPE_VNODE;
|
|
fp->f_ops = &vnops;
|
|
fp->f_data = (void *) epp->ep_vp;
|
|
fp->f_flag = FREAD;
|
|
FILE_SET_MATURE(fp);
|
|
FILE_UNUSE(fp, l);
|
|
}
|
|
#endif
|
|
|
|
/* set up the parameters for the recursive check_exec() call */
|
|
epp->ep_ndp->ni_dirp = shellname;
|
|
epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
|
|
epp->ep_flags |= EXEC_INDIR;
|
|
|
|
/* and set up the fake args list, for later */
|
|
MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
|
|
tmpsap = shellargp;
|
|
*tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
|
|
strlcpy(*tmpsap++, shellname, shellnamelen + 1);
|
|
if (shellarg != NULL) {
|
|
*tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
|
|
strlcpy(*tmpsap++, shellarg, shellarglen + 1);
|
|
}
|
|
MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
|
|
#ifdef FDSCRIPTS
|
|
if ((epp->ep_flags & EXEC_HASFD) == 0) {
|
|
#endif
|
|
/* normally can't fail, but check for it if diagnostic */
|
|
#ifdef SYSTRACE
|
|
error = 1;
|
|
if (ISSET(l->l_proc->p_flag, PK_SYSTRACE)) {
|
|
error = systrace_scriptname(p, *tmpsap);
|
|
if (error == 0)
|
|
tmpsap++;
|
|
}
|
|
if (error) {
|
|
/*
|
|
* Since systrace_scriptname() provides a
|
|
* convenience, not a security issue, we are
|
|
* safe to do this.
|
|
*/
|
|
error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN,
|
|
NULL);
|
|
}
|
|
#else
|
|
error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
|
|
(size_t *)0);
|
|
#endif /* SYSTRACE */
|
|
#ifdef DIAGNOSTIC
|
|
if (error != 0)
|
|
panic("exec_script: copyinstr couldn't fail");
|
|
#endif
|
|
#ifdef FDSCRIPTS
|
|
} else
|
|
snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
|
|
#endif
|
|
*tmpsap = NULL;
|
|
|
|
/*
|
|
* mark the header we have as invalid; check_exec will read
|
|
* the header from the new executable
|
|
*/
|
|
epp->ep_hdrvalid = 0;
|
|
|
|
/*
|
|
* remember the old vp and pnbuf for later, so we can restore
|
|
* them if check_exec() fails.
|
|
*/
|
|
scriptvp = epp->ep_vp;
|
|
oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
|
|
|
|
error = check_exec(l, epp);
|
|
/* note that we've clobbered the header */
|
|
epp->ep_flags |= EXEC_DESTR;
|
|
if (error == 0) {
|
|
/*
|
|
* It succeeded. Unlock the script and
|
|
* close it if we aren't using it any more.
|
|
* Also, set things up so that the fake args
|
|
* list will be used.
|
|
*/
|
|
if ((epp->ep_flags & EXEC_HASFD) == 0) {
|
|
vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
|
|
VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
|
|
vput(scriptvp);
|
|
}
|
|
|
|
/* free the old pathname buffer */
|
|
PNBUF_PUT(oldpnbuf);
|
|
|
|
epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
|
|
epp->ep_fa = shellargp;
|
|
#ifdef SETUIDSCRIPTS
|
|
/*
|
|
* set thing up so that set-id scripts will be
|
|
* handled appropriately. PSL_TRACED will be
|
|
* checked later when the shell is actually
|
|
* exec'd.
|
|
*/
|
|
epp->ep_vap->va_mode |= script_sbits;
|
|
if (script_sbits & S_ISUID)
|
|
epp->ep_vap->va_uid = script_uid;
|
|
if (script_sbits & S_ISGID)
|
|
epp->ep_vap->va_gid = script_gid;
|
|
#endif
|
|
return (0);
|
|
}
|
|
|
|
/* XXX oldpnbuf not set for "goto fail" path */
|
|
epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
|
|
#ifdef FDSCRIPTS
|
|
fail:
|
|
#endif
|
|
|
|
/* kill the opened file descriptor, else close the file */
|
|
if (epp->ep_flags & EXEC_HASFD) {
|
|
epp->ep_flags &= ~EXEC_HASFD;
|
|
(void) fdrelease(l, epp->ep_fd);
|
|
} else if (scriptvp) {
|
|
vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
|
|
VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
|
|
vput(scriptvp);
|
|
}
|
|
|
|
PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
|
|
|
|
/* free the fake arg list, because we're not returning it */
|
|
if ((tmpsap = shellargp) != NULL) {
|
|
while (*tmpsap != NULL) {
|
|
FREE(*tmpsap, M_EXEC);
|
|
tmpsap++;
|
|
}
|
|
FREE(shellargp, M_EXEC);
|
|
}
|
|
|
|
/*
|
|
* free any vmspace-creation commands,
|
|
* and release their references
|
|
*/
|
|
kill_vmcmds(&epp->ep_vmcmds);
|
|
|
|
return error;
|
|
}
|