initial import of NetBSD tree

1 files changed, 294 insertions, 0 deletions

diff --git a/sys/kern/exec_script.c b/sys/kern/exec_script.c
new file mode 100644
index 00000000000..dfd1a405f00
--- /dev/null
+++ b/sys/kern/exec_script.c
@@ -0,0 +1,294 @@
+/*	$NetBSD: exec_script.c,v 1.12 1995/04/10 18:27:59 mycroft Exp $	*/
+
+/*
+ * Copyright (c) 1993, 1994 Christopher G. Demetriou
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Christopher G. Demetriou.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#if defined(SETUIDSCRIPTS) && !defined(FDSCRIPTS)
+#define FDSCRIPTS		/* Need this for safe set-id scripts. */
+#endif
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/proc.h>
+#include <sys/malloc.h>
+#include <sys/vnode.h>
+#include <sys/namei.h>
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/exec.h>
+#include <sys/resourcevar.h>
+#include <vm/vm.h>
+
+#include <sys/exec_script.h>
+
+/*
+ * exec_script_makecmds(): Check if it's an executable shell script.
+ *
+ * Given a proc pointer and an exec package pointer, see if the referent
+ * of the epp is in shell script.  If it is, then set thing up so that
+ * the script can be run.  This involves preparing the address space
+ * and arguments for the shell which will run the script.
+ *
+ * This function is ultimately responsible for creating a set of vmcmds
+ * which can be used to build the process's vm space and inserting them
+ * into the exec package.
+ */
+int
+exec_script_makecmds(p, epp)
+	struct proc *p;
+	struct exec_package *epp;
+{
+	int error, hdrlinelen, shellnamelen, shellarglen;
+	char *hdrstr = epp->ep_hdr;
+	char *cp, *shellname, *shellarg, *oldpnbuf;
+	char **shellargp, **tmpsap;
+	struct vnode *scriptvp;
+#ifdef SETUIDSCRIPTS
+	uid_t script_uid;
+	gid_t script_gid;
+	u_short script_sbits;
+#endif
+
+	/*
+	 * if the magic isn't that of a shell script, or we've already
+	 * done shell script processing for this exec, punt on it.
+	 */
+	if ((epp->ep_flags & EXEC_INDIR) != 0 ||
+	    epp->ep_hdrvalid < EXEC_SCRIPT_MAGICLEN ||
+	    strncmp(hdrstr, EXEC_SCRIPT_MAGIC, EXEC_SCRIPT_MAGICLEN))
+		return ENOEXEC;
+
+	/*
+	 * check that the shell spec is terminated by a newline,
+	 * and that it isn't too large.  Don't modify the
+	 * buffer unless we're ready to commit to handling it.
+	 * (The latter requirement means that we have to check
+	 * for both spaces and tabs later on.)
+	 */
+	hdrlinelen = min(epp->ep_hdrvalid, MAXINTERP);
+	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; cp < hdrstr + hdrlinelen;
+	    cp++) {
+		if (*cp == '\n') {
+			*cp = '\0';
+			break;
+		}
+	}
+	if (cp >= hdrstr + hdrlinelen)
+		return ENOEXEC;
+
+	shellname = NULL;
+	shellarg = NULL;
+
+	/* strip spaces before the shell name */
+	for (cp = hdrstr + EXEC_SCRIPT_MAGICLEN; *cp == ' ' || *cp == '\t';
+	    cp++)
+		;
+
+	/* collect the shell name; remember it's length for later */
+	shellname = cp;
+	shellnamelen = 0;
+	if (*cp == '\0')
+		goto check_shell;
+	for ( /* cp = cp */ ; *cp != '\0' && *cp != ' ' && *cp != '\t'; cp++)
+		shellnamelen++;
+	if (*cp == '\0')
+		goto check_shell;
+	*cp++ = '\0';
+
+	/* skip spaces before any argument */
+	for ( /* cp = cp */ ; *cp == ' ' || *cp == '\t'; cp++)
+		;
+	if (*cp == '\0')
+		goto check_shell;
+
+	/*
+	 * collect the shell argument.  everything after the shell name
+	 * is passed as ONE argument; that's the correct (historical)
+	 * behaviour.
+	 */
+	shellarg = cp;
+	shellarglen = 0;
+	for ( /* cp = cp */ ; *cp != '\0'; cp++)
+		shellarglen++;
+	*cp++ = '\0';
+
+check_shell:
+#ifdef SETUIDSCRIPTS
+	/*
+	 * MNT_NOSUID and STRC are already taken care of by check_exec,
+	 * so we don't need to worry about them now or later.
+	 */
+	script_sbits = epp->ep_vap->va_mode & (VSUID | VSGID);
+	if (script_sbits != 0) {
+		script_uid = epp->ep_vap->va_uid;
+		script_gid = epp->ep_vap->va_gid;
+	}
+#endif
+#ifdef FDSCRIPTS
+	/*
+	 * if the script isn't readable, or it's set-id, then we've
+	 * gotta supply a "/dev/fd/..." for the shell to read.
+	 * Note that stupid shells (csh) do the wrong thing, and
+	 * close all open fd's when the start.  That kills this
+	 * method of implementing "safe" set-id and x-only scripts.
+	 */
+	if (VOP_ACCESS(epp->ep_vp, VREAD, p->p_ucred, p) == EACCES
+#ifdef SETUIDSCRIPTS
+	    || script_sbits
+#endif
+	    ) {
+		struct file *fp;
+		extern struct fileops vnops;
+
+#if defined(DIAGNOSTIC) && defined(FDSCRIPTS)
+		if (epp->ep_flags & EXEC_HASFD)
+			panic("exec_script_makecmds: epp already has a fd");
+#endif
+
+		if (error = falloc(p, &fp, &epp->ep_fd))
+			goto fail;
+
+		epp->ep_flags |= EXEC_HASFD;
+		fp->f_type = DTYPE_VNODE;
+		fp->f_ops = &vnops;
+		fp->f_data = (caddr_t) epp->ep_vp;
+		fp->f_flag = FREAD;
+	}
+#endif
+
+	/* set up the parameters for the recursive check_exec() call */
+	epp->ep_ndp->ni_dirp = shellname;
+	epp->ep_ndp->ni_segflg = UIO_SYSSPACE;
+	epp->ep_flags |= EXEC_INDIR;
+
+	/* and set up the fake args list, for later */
+	MALLOC(shellargp, char **, 4 * sizeof(char *), M_EXEC, M_WAITOK);
+	tmpsap = shellargp;
+	MALLOC(*tmpsap, char *, shellnamelen + 1, M_EXEC, M_WAITOK);
+	strcpy(*tmpsap++, shellname);
+	if (shellarg != NULL) {
+		MALLOC(*tmpsap, char *, shellarglen + 1, M_EXEC, M_WAITOK);
+		strcpy(*tmpsap++, shellarg);
+	}
+	MALLOC(*tmpsap, char *, MAXPATHLEN, M_EXEC, M_WAITOK);
+#ifdef FDSCRIPTS
+	if ((epp->ep_flags & EXEC_HASFD) == 0) {
+#endif
+		/* normally can't fail, but check for it if diagnostic */
+		error = copyinstr(epp->ep_name, *tmpsap++, MAXPATHLEN,
+		    (size_t *)0);
+#ifdef DIAGNOSTIC
+		if (error != 0)
+			panic("exec_script: copyinstr couldn't fail\n");
+#endif
+#ifdef FDSCRIPTS
+	} else
+		sprintf(*tmpsap++, "/dev/fd/%d", epp->ep_fd);
+#endif
+	*tmpsap = NULL;
+
+	/*
+	 * mark the header we have as invalid; check_exec will read
+	 * the header from the new executable
+	 */
+	epp->ep_hdrvalid = 0;
+
+	/*
+	 * remember the old vp and pnbuf for later, so we can restore
+	 * them if check_exec() fails.
+	 */
+	scriptvp = epp->ep_vp;
+	oldpnbuf = epp->ep_ndp->ni_cnd.cn_pnbuf;
+
+	VOP_UNLOCK(scriptvp);
+
+	if ((error = check_exec(p, epp)) == 0) {
+		/* note that we've clobbered the header */
+		epp->ep_flags |= EXEC_DESTR;
+
+		/*
+		 * It succeeded.  Unlock the script and
+		 * close it if we aren't using it any more.
+		 * Also, set things up so that the fake args
+		 * list will be used.
+		 */
+		if ((epp->ep_flags & EXEC_HASFD) == 0)
+			vn_close(scriptvp, FREAD, p->p_ucred, p);
+
+		/* free the old pathname buffer */
+		FREE(oldpnbuf, M_NAMEI);
+
+		epp->ep_flags |= (EXEC_HASARGL | EXEC_SKIPARG);
+		epp->ep_fa = shellargp;
+#ifdef SETUIDSCRIPTS
+		/*
+		 * set thing up so that set-id scripts will be
+		 * handled appropriately
+		 */
+		epp->ep_vap->va_mode |= script_sbits;
+		if (script_sbits & VSUID)
+			epp->ep_vap->va_uid = script_uid;
+		if (script_sbits & VSGID)
+			epp->ep_vap->va_gid = script_gid;
+#endif
+		return (0);
+	}
+
+	/* XXX oldpnbuf not set for "goto fail" path */
+	epp->ep_ndp->ni_cnd.cn_pnbuf = oldpnbuf;
+fail:
+	/* note that we've clobbered the header */
+	epp->ep_flags |= EXEC_DESTR;
+
+	/* kill the opened file descriptor, else close the file */
+        if (epp->ep_flags & EXEC_HASFD) {
+                epp->ep_flags &= ~EXEC_HASFD;
+                (void) fdrelease(p, epp->ep_fd);
+        } else
+		vn_close(scriptvp, FREAD, p->p_ucred, p);
+
+        FREE(epp->ep_ndp->ni_cnd.cn_pnbuf, M_NAMEI);
+
+	/* free the fake arg list, because we're not returning it */
+	tmpsap = shellargp;
+	while (*tmpsap != NULL) {
+		FREE(*tmpsap, M_EXEC);
+		tmpsap++;
+	}
+	FREE(shellargp, M_EXEC);
+
+        /*
+         * free any vmspace-creation commands,
+         * and release their references
+         */
+        kill_vmcmds(&epp->ep_vmcmds);
+
+        return error;
+}