/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * Copyright 2012 Milan Jurik. All rights reserved. */ /* Copyright (c) 1988 AT&T */ /* All Rights Reserved */ /* from S5R4 1.6 */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * This is the loadable module wrapper. */ #include extern int intpexec(struct vnode *, struct execa *, struct uarg *, struct intpdata *, int, long *, int, caddr_t, struct cred *, int); static struct execsw esw = { intpmagicstr, 0, 2, intpexec, NULL }; /* * Module linkage information for the kernel. */ extern struct mod_ops mod_execops; static struct modlexec modlexec = { &mod_execops, "exec mod for interp", &esw }; static struct modlinkage modlinkage = { MODREV_1, (void *)&modlexec, NULL }; int _init() { return (mod_install(&modlinkage)); } int _fini() { return (mod_remove(&modlinkage)); } int _info(struct modinfo *modinfop) { return (mod_info(&modlinkage, modinfop)); } /* * Crack open a '#!' line. */ static int getintphead(struct vnode *vp, struct intpdata *idatap) { int error; char *cp, *linep = idatap->intp; ssize_t resid; /* * Read the entire line and confirm that it starts with '#!'. */ if (error = vn_rdwr(UIO_READ, vp, linep, INTPSZ, (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) return (error); if (resid > INTPSZ-2 || linep[0] != '#' || linep[1] != '!') return (ENOEXEC); /* * Blank all white space and find the newline. */ for (cp = &linep[2]; cp < &linep[INTPSZ] && *cp != '\n'; cp++) if (*cp == '\t') *cp = ' '; if (cp >= &linep[INTPSZ]) return (ENOEXEC); ASSERT(*cp == '\n'); *cp = '\0'; /* * Locate the beginning and end of the interpreter name. * In addition to the name, one additional argument may * optionally be included here, to be prepended to the * arguments provided on the command line. Thus, for * example, you can say * * #! /usr/bin/awk -f */ for (cp = &linep[2]; *cp == ' '; cp++) ; if (*cp == '\0') return (ENOEXEC); idatap->intp_name[0] = cp; while (*cp && *cp != ' ') cp++; if (*cp == '\0') { idatap->intp_arg[0] = NULL; } else { *cp++ = '\0'; while (*cp == ' ') cp++; if (*cp == '\0') idatap->intp_arg[0] = NULL; else { idatap->intp_arg[0] = cp; while (*cp && *cp != ' ') cp++; *cp = '\0'; } } return (0); } /* * We support nested interpreters up to a depth of INTP_MAXDEPTH (this value * matches the depth on Linux). When a nested interpreter is in use, the * previous name and argument must be passed along. We use the intpdata_t * name and argument arrays for this. In the normal, non-nested case, only the * first element in those arrays will be populated. * * For setid scripts the "script hole" is a security race condition between * when we exec the interpreter and when the interpreter reads the script. We * handle this below for the initial script, but we don't allow setid scripts * when using nested interpreters. Because gexec only modifies the credentials * for a setid script at level 0, then if we come back through for a nested * interpreter we know that args->fname will be set (the first script is setid) * and we can return an error. If an intermediate nested interpreter is setid * then it will not be run with different credentials because of the gexec * handling, so it is effectively no longer setid and we don't have to worry * about the "script hole". */ int intpexec( struct vnode *vp, struct execa *uap, struct uarg *args, struct intpdata *idatap, int level, long *execsz, int setid, caddr_t exec_file, struct cred *cred, int brand_action) { _NOTE(ARGUNUSED(brand_action)) vnode_t *nvp; int error = 0; struct intpdata idata; struct pathname intppn; struct pathname resolvepn; char *opath; char devfd[19]; /* 32-bit int fits in 10 digits + 8 for "/dev/fd/" */ int fd = -1; if (level >= INTP_MAXDEPTH) { /* Can't recurse past maxdepth */ error = ELOOP; goto bad; } if (level == 0) ASSERT(idatap == (struct intpdata *)NULL); bzero(&idata, sizeof (intpdata_t)); /* * Allocate a buffer to read in the interpreter pathname. */ idata.intp = kmem_alloc(INTPSZ, KM_SLEEP); if (error = getintphead(vp, &idata)) goto fail; /* * Look the new vnode up. */ if (error = pn_get(idata.intp_name[0], UIO_SYSSPACE, &intppn)) goto fail; pn_alloc(&resolvepn); if (error = lookuppn(&intppn, &resolvepn, FOLLOW, NULLVPP, &nvp)) { pn_free(&resolvepn); pn_free(&intppn); goto fail; } if (level > 0) { /* * We have a nested interpreter. The previous name(s) and * argument(s) need to be passed along. We also keep track * of how often this zone uses nested interpreters. */ int i; atomic_inc_32(&curproc->p_zone->zone_nested_intp); ASSERT(idatap != NULL); /* since we're shifting up, loop stops one short */ for (i = 0; i < (INTP_MAXDEPTH - 1); i++) { idata.intp_name[i + 1] = idatap->intp_name[i]; idata.intp_arg[i + 1] = idatap->intp_arg[i]; } DTRACE_PROBE3(nested__intp, int, level, void *, &idata, void *, nvp); } opath = args->pathname; args->pathname = resolvepn.pn_path; /* don't free resolvepn until we are done with args */ pn_free(&intppn); /* * Disallow setuid or additional privilege execution for nested * interpreters. */ if (level > 0 && args->fname != NULL) { error = ENOEXEC; goto done; } /* * When we're executing a set-uid script resulting in uids * mismatching or when we execute with additional privileges, * we close the "replace script between exec and open by shell" * hole by passing the script as /dev/fd parameter. */ if ((setid & EXECSETID_PRIVS) != 0 || (setid & (EXECSETID_UGIDS|EXECSETID_SETID)) == (EXECSETID_UGIDS|EXECSETID_SETID)) { (void) strcpy(devfd, "/dev/fd/"); if (error = execopen(&vp, &fd)) goto done; numtos(fd, &devfd[8]); args->fname = devfd; } error = gexec(&nvp, uap, args, &idata, ++level, execsz, exec_file, cred, EBA_NONE); if (!error) { /* * Close this executable as the interpreter * will open and close it later on. */ (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL); } done: VN_RELE(nvp); args->pathname = opath; pn_free(&resolvepn); fail: kmem_free(idata.intp, INTPSZ); if (error && fd != -1) (void) execclose(fd); bad: return (error); }