1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  * Copyright 2012 Milan Jurik. All rights reserved.
  25  */
  26 
  27 /*      Copyright (c) 1988 AT&T     */
  28 /*        All Rights Reserved   */
  29 
  30 
  31 /* from S5R4 1.6 */
  32 
  33 #include <sys/types.h>
  34 #include <sys/param.h>
  35 #include <sys/sysmacros.h>
  36 #include <sys/signal.h>
  37 #include <sys/cred.h>
  38 #include <sys/user.h>
  39 #include <sys/errno.h>
  40 #include <sys/vnode.h>
  41 #include <sys/proc.h>
  42 #include <sys/cmn_err.h>
  43 #include <sys/debug.h>
  44 #include <sys/pathname.h>
  45 #include <sys/disp.h>
  46 #include <sys/exec.h>
  47 #include <sys/kmem.h>
  48 #include <sys/note.h>
  49 #include <sys/sdt.h>
  50 
  51 /*
  52  * This is the loadable module wrapper.
  53  */
  54 #include <sys/modctl.h>
  55 
  56 extern int intpexec(struct vnode *, struct execa *, struct uarg *,
  57     struct intpdata *, int, long *, int, caddr_t, struct cred *, int);
  58 
  59 static struct execsw esw = {
  60         intpmagicstr,
  61         0,
  62         2,
  63         intpexec,
  64         NULL
  65 };
  66 
  67 /*
  68  * Module linkage information for the kernel.
  69  */
  70 extern struct mod_ops mod_execops;
  71 
  72 static struct modlexec modlexec = {
  73         &mod_execops, "exec mod for interp", &esw
  74 };
  75 
  76 static struct modlinkage modlinkage = {
  77         MODREV_1, (void *)&modlexec, NULL
  78 };
  79 
  80 int
  81 _init()
  82 {
  83         return (mod_install(&modlinkage));
  84 }
  85 
  86 int
  87 _fini()
  88 {
  89         return (mod_remove(&modlinkage));
  90 }
  91 
  92 int
  93 _info(struct modinfo *modinfop)
  94 {
  95         return (mod_info(&modlinkage, modinfop));
  96 }
  97 
  98 
  99 /*
 100  * Crack open a '#!' line.
 101  */
 102 static int
 103 getintphead(struct vnode *vp, struct intpdata *idatap)
 104 {
 105         int error;
 106         char *cp, *linep = idatap->intp;
 107         ssize_t resid;
 108 
 109         /*
 110          * Read the entire line and confirm that it starts with '#!'.
 111          */
 112         if (error = vn_rdwr(UIO_READ, vp, linep, INTPSZ, (offset_t)0,
 113             UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
 114                 return (error);
 115         if (resid > INTPSZ-2 || linep[0] != '#' || linep[1] != '!')
 116                 return (ENOEXEC);
 117         /*
 118          * Blank all white space and find the newline.
 119          */
 120         for (cp = &linep[2]; cp < &linep[INTPSZ] && *cp != '\n'; cp++)
 121                 if (*cp == '\t')
 122                         *cp = ' ';
 123         if (cp >= &linep[INTPSZ])
 124                 return (ENOEXEC);
 125         ASSERT(*cp == '\n');
 126         *cp = '\0';
 127 
 128         /*
 129          * Locate the beginning and end of the interpreter name.
 130          * In addition to the name, one additional argument may
 131          * optionally be included here, to be prepended to the
 132          * arguments provided on the command line.  Thus, for
 133          * example, you can say
 134          *
 135          *      #! /usr/bin/awk -f
 136          */
 137         for (cp = &linep[2]; *cp == ' '; cp++)
 138                 ;
 139         if (*cp == '\0')
 140                 return (ENOEXEC);
 141         idatap->intp_name[0] = cp;
 142         while (*cp && *cp != ' ')
 143                 cp++;
 144         if (*cp == '\0') {
 145                 idatap->intp_arg[0] = NULL;
 146         } else {
 147                 *cp++ = '\0';
 148                 while (*cp == ' ')
 149                         cp++;
 150                 if (*cp == '\0')
 151                         idatap->intp_arg[0] = NULL;
 152                 else {
 153                         idatap->intp_arg[0] = cp;
 154                         while (*cp && *cp != ' ')
 155                                 cp++;
 156                         *cp = '\0';
 157                 }
 158         }
 159         return (0);
 160 }
 161 
 162 /*
 163  * We support nested interpreters up to a depth of INTP_MAXDEPTH (this value
 164  * matches the depth on Linux). When a nested interpreter is in use, the
 165  * previous name and argument must be passed along. We use the intpdata_t
 166  * name and argument arrays for this. In the normal, non-nested case, only the
 167  * first element in those arrays will be populated.
 168  *
 169  * For setid scripts the "script hole" is a security race condition between
 170  * when we exec the interpreter and when the interpreter reads the script. We
 171  * handle this below for the initial script, but we don't allow setid scripts
 172  * when using nested interpreters. Because gexec only modifies the credentials
 173  * for a setid script at level 0, then if we come back through for a nested
 174  * interpreter we know that args->fname will be set (the first script is setid)
 175  * and we can return an error. If an intermediate nested interpreter is setid
 176  * then it will not be run with different credentials because of the gexec
 177  * handling, so it is effectively no longer setid and we don't have to worry
 178  * about the "script hole".
 179  */
 180 int
 181 intpexec(
 182         struct vnode *vp,
 183         struct execa *uap,
 184         struct uarg *args,
 185         struct intpdata *idatap,
 186         int level,
 187         long *execsz,
 188         int setid,
 189         caddr_t exec_file,
 190         struct cred *cred,
 191         int brand_action)
 192 {
 193         _NOTE(ARGUNUSED(brand_action))
 194         vnode_t *nvp;
 195         int error = 0;
 196         struct intpdata idata;
 197         struct pathname intppn;
 198         struct pathname resolvepn;
 199         char *opath;
 200         char devfd[19]; /* 32-bit int fits in 10 digits + 8 for "/dev/fd/" */
 201         int fd = -1;
 202 
 203         if (level >= INTP_MAXDEPTH) {        /* Can't recurse past maxdepth */
 204                 error = ELOOP;
 205                 goto bad;
 206         }
 207 
 208         if (level == 0)
 209                 ASSERT(idatap == (struct intpdata *)NULL);
 210 
 211         bzero(&idata, sizeof (intpdata_t));
 212 
 213         /*
 214          * Allocate a buffer to read in the interpreter pathname.
 215          */
 216         idata.intp = kmem_alloc(INTPSZ, KM_SLEEP);
 217         if (error = getintphead(vp, &idata))
 218                 goto fail;
 219 
 220         /*
 221          * Look the new vnode up.
 222          */
 223         if (error = pn_get(idata.intp_name[0], UIO_SYSSPACE, &intppn))
 224                 goto fail;
 225         pn_alloc(&resolvepn);
 226         if (error = lookuppn(&intppn, &resolvepn, FOLLOW, NULLVPP, &nvp)) {
 227                 pn_free(&resolvepn);
 228                 pn_free(&intppn);
 229                 goto fail;
 230         }
 231 
 232         if (level > 0) {
 233                 /*
 234                  * We have a nested interpreter. The previous name(s) and
 235                  * argument(s) need to be passed along. We also keep track
 236                  * of how often this zone uses nested interpreters.
 237                  */
 238                 int i;
 239 
 240                 atomic_inc_32(&curproc->p_zone->zone_nested_intp);
 241 
 242                 ASSERT(idatap != NULL);
 243                 /* since we're shifting up, loop stops one short */
 244                 for (i = 0; i < (INTP_MAXDEPTH - 1); i++) {
 245                         idata.intp_name[i + 1] = idatap->intp_name[i];
 246                         idata.intp_arg[i + 1] = idatap->intp_arg[i];
 247                 }
 248 
 249                 DTRACE_PROBE3(nested__intp, int, level, void *, &idata,
 250                     void *, nvp);
 251         }
 252 
 253         opath = args->pathname;
 254         args->pathname = resolvepn.pn_path;
 255         /* don't free resolvepn until we are done with args */
 256         pn_free(&intppn);
 257 
 258         /*
 259          * Disallow setuid or additional privilege execution for nested
 260          * interpreters.
 261          */
 262         if (level > 0 && args->fname != NULL) {
 263                 error = ENOEXEC;
 264                 goto done;
 265         }
 266 
 267         /*
 268          * When we're executing a set-uid script resulting in uids
 269          * mismatching or when we execute with additional privileges,
 270          * we close the "replace script between exec and open by shell"
 271          * hole by passing the script as /dev/fd parameter.
 272          */
 273         if ((setid & EXECSETID_PRIVS) != 0 ||
 274             (setid & (EXECSETID_UGIDS|EXECSETID_SETID)) ==
 275             (EXECSETID_UGIDS|EXECSETID_SETID)) {
 276                 (void) strcpy(devfd, "/dev/fd/");
 277                 if (error = execopen(&vp, &fd))
 278                         goto done;
 279                 numtos(fd, &devfd[8]);
 280                 args->fname = devfd;
 281         }
 282 
 283         error = gexec(&nvp, uap, args, &idata, ++level, execsz, exec_file, cred,
 284             EBA_NONE);
 285 
 286         if (!error) {
 287                 /*
 288                  * Close this executable as the interpreter
 289                  * will open and close it later on.
 290                  */
 291                 (void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
 292         }
 293 done:
 294         VN_RELE(nvp);
 295         args->pathname = opath;
 296         pn_free(&resolvepn);
 297 fail:
 298         kmem_free(idata.intp, INTPSZ);
 299         if (error && fd != -1)
 300                 (void) execclose(fd);
 301 bad:
 302         return (error);
 303 }