The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/kern/exec_script.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $NetBSD: exec_script.c,v 1.52.8.1 2006/12/21 14:25:45 tron Exp $        */
    2 
    3 /*
    4  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  * 1. Redistributions of source code must retain the above copyright
   11  *    notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *    notice, this list of conditions and the following disclaimer in the
   14  *    documentation and/or other materials provided with the distribution.
   15  * 3. All advertising materials mentioning features or use of this software
   16  *    must display the following acknowledgement:
   17  *      This product includes software developed by Christopher G. Demetriou.
   18  * 4. The name of the author may not be used to endorse or promote products
   19  *    derived from this software without specific prior written permission
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   31  */
   32 
   33 #include <sys/cdefs.h>
   34 __KERNEL_RCSID(0, "$NetBSD: exec_script.c,v 1.52.8.1 2006/12/21 14:25:45 tron Exp $");
   35 
   36 #if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
   37 #define FDSCRIPTS               /* Need this for safe set-id scripts. */
   38 #endif
   39 
   40 #include "veriexec.h"
   41 
   42 #include <sys/param.h>
   43 #include <sys/systm.h>
   44 #include <sys/proc.h>
   45 #include <sys/malloc.h>
   46 #include <sys/vnode.h>
   47 #include <sys/namei.h>
   48 #include <sys/file.h>
   49 #ifdef SETUIDSCRIPTS
   50 #include <sys/stat.h>
   51 #endif
   52 #include <sys/filedesc.h>
   53 #include <sys/exec.h>
   54 #include <sys/resourcevar.h>
   55 
   56 #include <sys/exec_script.h>
   57 #include <sys/exec_elf.h>
   58 
   59 #ifdef SYSTRACE
   60 #include <sys/systrace.h>
   61 #endif /* SYSTRACE */
   62 
   63 /*
   64  * exec_script_makecmds(): Check if it's an executable shell script.
   65  *
   66  * Given a proc pointer and an exec package pointer, see if the referent
   67  * of the epp is in shell script.  If it is, then set thing up so that
   68  * the script can be run.  This involves preparing the address space
   69  * and arguments for the shell which will run the script.
   70  *
   71  * This function is ultimately responsible for creating a set of vmcmds
   72  * which can be used to build the process's vm space and inserting them
   73  * into the exec package.
   74  */
   75 int
   76 exec_script_makecmds(struct lwp *l, struct exec_package *epp)
   77 {
   78         int error, hdrlinelen, shellnamelen, shellarglen;
   79         char *hdrstr = epp->ep_hdr;
   80         char *cp, *shellname, *shellarg, *oldpnbuf;
   81         char **shellargp, **tmpsap;
   82         struct vnode *scriptvp;
   83 #ifdef SETUIDSCRIPTS
   84         /* Gcc needs those initialized for spurious uninitialized warning */
   85         uid_t script_uid = (uid_t) -1;
   86         gid_t script_gid = NOGROUP;
   87         u_short script_sbits;
   88 #endif
   89 
   90         /*
   91          * if the magic isn't that of a shell script, or we've already
   92          * done shell script processing for this exec, punt on it.
   93          */
   94         if ((epp->ep_flags & EXEC_INDIR) != 0 ||
   95             epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
   96             strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
   97                 return ENOEXEC;
   98 
   99         /*
  100          * check that the shell spec is terminated by a newline,
  101          * and that it isn't too large.  Don't modify the
  102          * buffer unless we're ready to commit to handling it.
  103          * (The latter requirement means that we have to check
  104          * for both spaces and tabs later on.)
  105          */
  106         hdrlinelen = min(epp->ep_hdrvalid, SCRIPT_HDR_SIZE);
  107         for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
  108             cp++) {
  109                 if (*cp == '\n') {
  110                         *cp = '\0';
  111                         break;
  112                 }
  113         }
  114         if (cp >= hdrstr + hdrlinelen)
  115                 return ENOEXEC;
  116 
  117         /*
  118          * If the script has an ELF header, don't exec it.
  119          */
  120         if (epp->ep_hdrvalid >= sizeof(ELFMAG)-1 &&
  121             memcmp(hdrstr, ELFMAG, sizeof(ELFMAG)-1) == 0)
  122                 return ENOEXEC;
  123 
  124         shellname = NULL;
  125         shellarg = NULL;
  126         shellarglen = 0;
  127 
  128         /* strip spaces before the shell name */
  129         for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
  130             cp++)
  131                 ;
  132 
  133         /* collect the shell name; remember it's length for later */
  134         shellname = cp;
  135         shellnamelen = 0;
  136         if (*cp == '\0')
  137                 goto check_shell;
  138         for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
  139                 shellnamelen++;
  140         if (*cp == '\0')
  141                 goto check_shell;
  142         *cp++ = '\0';
  143 
  144         /* skip spaces before any argument */
  145         for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
  146                 ;
  147         if (*cp == '\0')
  148                 goto check_shell;
  149 
  150         /*
  151          * collect the shell argument.  everything after the shell name
  152          * is passed as ONE argument; that's the correct (historical)
  153          * behaviour.
  154          */
  155         shellarg = cp;
  156         for ( /* cp = cp */ ; *cp != '\0'; cp++)
  157                 shellarglen++;
  158         *cp++ = '\0';
  159 
  160 check_shell:
  161 #ifdef SETUIDSCRIPTS
  162         /*
  163          * MNT_NOSUID has already taken care of by check_exec,
  164          * so we don't need to worry about it now or later.  We
  165          * will need to check P_TRACED later, however.
  166          */
  167         script_sbits = epp->ep_vap->va_mode & (S_ISUID | S_ISGID);
  168         if (script_sbits != 0) {
  169                 script_uid = epp->ep_vap->va_uid;
  170                 script_gid = epp->ep_vap->va_gid;
  171         }
  172 #endif
  173 #ifdef FDSCRIPTS
  174         /*
  175          * if the script isn't readable, or it's set-id, then we've
  176          * gotta supply a "/dev/fd/..." for the shell to read.
  177          * Note that stupid shells (csh) do the wrong thing, and
  178          * close all open fd's when the start.  That kills this
  179          * method of implementing "safe" set-id and x-only scripts.
  180          */
  181         vn_lock(epp->ep_vp, LK_EXCLUSIVE | LK_RETRY);
  182         error = VOP_ACCESS(epp->ep_vp, VREAD, l->l_cred, l);
  183         VOP_UNLOCK(epp->ep_vp, 0);
  184         if (error == EACCES
  185 #ifdef SETUIDSCRIPTS
  186             || script_sbits
  187 #endif
  188             ) {
  189                 struct file *fp;
  190 
  191 #if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
  192                 if (epp->ep_flags & EXEC_HASFD)
  193                         panic("exec_script_makecmds: epp already has a fd");
  194 #endif
  195 
  196                 /* falloc() will use the descriptor for us */
  197                 if ((error = falloc(l, &fp, &epp->ep_fd)) != 0) {
  198                         scriptvp = NULL;
  199                         shellargp = NULL;
  200                         goto fail;
  201                 }
  202 
  203                 epp->ep_flags |= EXEC_HASFD;
  204                 fp->f_type = DTYPE_VNODE;
  205                 fp->f_ops = &vnops;
  206                 fp->f_data = (caddr_t) epp->ep_vp;
  207                 fp->f_flag = FREAD;
  208                 FILE_SET_MATURE(fp);
  209                 FILE_UNUSE(fp, l);
  210         }
  211 #endif
  212 
  213         /* set up the parameters for the recursive check_exec() call */
  214         epp->ep_ndp->ni_dirp = shellname;
  215         epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
  216         epp->ep_flags |= EXEC_INDIR;
  217 
  218         /* and set up the fake args list, for later */
  219         MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
  220         tmpsap = shellargp;
  221         *tmpsap = malloc(shellnamelen + 1, M_EXEC, M_WAITOK);
  222         strlcpy(*tmpsap++, shellname, shellnamelen + 1);
  223         if (shellarg != NULL) {
  224                 *tmpsap = malloc(shellarglen + 1, M_EXEC, M_WAITOK);
  225                 strlcpy(*tmpsap++, shellarg, shellarglen + 1);
  226         }
  227         MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
  228 #ifdef FDSCRIPTS
  229         if ((epp->ep_flags & EXEC_HASFD) == 0) {
  230 #endif
  231                 /* normally can't fail, but check for it if diagnostic */
  232 #ifdef SYSTRACE
  233                 error = 1;
  234                 if (ISSET(l->l_proc->p_flag, P_SYSTRACE)) {
  235                         error = systrace_scriptname(p, *tmpsap);
  236                         if (error == 0)
  237                                 tmpsap++;
  238                 }
  239                 if (error) {
  240                         /*
  241                          * Since systrace_scriptname() provides a
  242                          * convenience, not a security issue, we are
  243                          * safe to do this.
  244                          */
  245                         error = copystr(epp->ep_name, *tmpsap++, MAXPATHLEN,
  246                                         NULL);
  247                 }
  248 #else
  249                 error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
  250                     (size_t *)0);
  251 #endif /* SYSTRACE */
  252 #ifdef DIAGNOSTIC
  253                 if (error != 0)
  254                         panic("exec_script: copyinstr couldn't fail");
  255 #endif
  256 #ifdef FDSCRIPTS
  257         } else
  258                 snprintf(*tmpsap++, MAXPATHLEN, "/dev/fd/%d", epp->ep_fd);
  259 #endif
  260         *tmpsap = NULL;
  261 
  262         /*
  263          * mark the header we have as invalid; check_exec will read
  264          * the header from the new executable
  265          */
  266         epp->ep_hdrvalid = 0;
  267 
  268         /*
  269          * remember the old vp and pnbuf for later, so we can restore
  270          * them if check_exec() fails.
  271          */
  272         scriptvp = epp->ep_vp;
  273         oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
  274 
  275         if ((error = check_exec(l, epp)) == 0) {
  276                 /* note that we've clobbered the header */
  277                 epp->ep_flags |= EXEC_DESTR|EXEC_HASES;
  278 
  279                 /*
  280                  * It succeeded.  Unlock the script and
  281                  * close it if we aren't using it any more.
  282                  * Also, set things up so that the fake args
  283                  * list will be used.
  284                  */
  285                 if ((epp->ep_flags & EXEC_HASFD) == 0) {
  286                         vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
  287                         VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
  288                         vput(scriptvp);
  289                 }
  290 
  291                 /* free the old pathname buffer */
  292                 PNBUF_PUT(oldpnbuf);
  293 
  294                 epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
  295                 epp->ep_fa = shellargp;
  296 #ifdef SETUIDSCRIPTS
  297                 /*
  298                  * set thing up so that set-id scripts will be
  299                  * handled appropriately.  P_TRACED will be
  300                  * checked later when the shell is actually
  301                  * exec'd.
  302                  */
  303                 epp->ep_vap->va_mode |= script_sbits;
  304                 if (script_sbits & S_ISUID)
  305                         epp->ep_vap->va_uid = script_uid;
  306                 if (script_sbits & S_ISGID)
  307                         epp->ep_vap->va_gid = script_gid;
  308 #endif
  309                 return (0);
  310         }
  311 
  312         /* XXX oldpnbuf not set for "goto fail" path */
  313         epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
  314 #ifdef FDSCRIPTS
  315 fail:
  316 #endif
  317         /* note that we've clobbered the header */
  318         epp->ep_flags |= EXEC_DESTR;
  319 
  320         /* kill the opened file descriptor, else close the file */
  321         if (epp->ep_flags & EXEC_HASFD) {
  322                 epp->ep_flags &= ~EXEC_HASFD;
  323                 (void) fdrelease(l, epp->ep_fd);
  324         } else if (scriptvp) {
  325                 vn_lock(scriptvp, LK_EXCLUSIVE | LK_RETRY);
  326                 VOP_CLOSE(scriptvp, FREAD, l->l_cred, l);
  327                 vput(scriptvp);
  328         }
  329 
  330         PNBUF_PUT(epp->ep_ndp->ni_cnd.cn_pnbuf);
  331 
  332         /* free the fake arg list, because we're not returning it */
  333         if ((tmpsap = shellargp) != NULL) {
  334                 while (*tmpsap != NULL) {
  335                         FREE(*tmpsap, M_EXEC);
  336                         tmpsap++;
  337                 }
  338                 FREE(shellargp, M_EXEC);
  339         }
  340 
  341         /*
  342          * free any vmspace-creation commands,
  343          * and release their references
  344          */
  345         kill_vmcmds(&epp->ep_vmcmds);
  346 
  347         return error;
  348 }

Cache object: a39469a3b07b7948ed5d5a30a4deacb1


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.