1
0
Fork 0
mirror of https://gitlab.com/sortix/sortix.git synced 2023-02-13 20:55:38 -05:00

Improve execvpe(3) logic and run shell on ENOEXEC.

This commit is contained in:
Jonas 'Sortie' Termansen 2014-05-12 19:49:30 +02:00
parent f44e46cde5
commit 3577cb81fe
2 changed files with 174 additions and 68 deletions

View file

@ -23,11 +23,13 @@
*******************************************************************************/
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
// TODO: Move this to some generic environment interface!
// TODO: Move this to some generic environment interface.
static const char* LookupEnvironment(const char* name, char* const* envp)
{
size_t equalpos = strcspn(name, "=");
@ -45,21 +47,66 @@ static const char* LookupEnvironment(const char* name, char* const* envp)
return NULL;
}
// TODO: Provide an interface that allows user-space to find out which command
// would have been executed (according to PATH) had execvpe been called now.
// This is of value to programs such as which(1), instead of repeating much of
// this logic there.
extern "C" int execvpe(const char* filename, char* const* argv,
static
int execvpe_attempt(const char* filename,
const char* original,
char* const* argv,
char* const* envp)
{
execve(filename, argv, envp);
if ( errno != ENOEXEC )
return -1;
// Prevent attempting to run the shell using itself in an endless loop if it
// happens to be an unknown format or a shell script itself.
if ( !strcmp(original, "sh") )
return errno = ENOEXEC, -1;
int argc = 0;
while ( argv[argc] )
argc++;
if ( INT_MAX - argc < 1 + 1 )
return errno = EOVERFLOW, -1;
int new_argc = 1 + argc;
char** new_argv = (char**) malloc(sizeof(char*) * (new_argc + 1));
if ( !new_argv )
return -1;
new_argv[0] = (char*) "sh";
new_argv[1] = (char*) filename;
for ( int i = 1; i < argc; i++ )
new_argv[1 + i] = argv[i];
new_argv[new_argc] = (char*) NULL;
execvpe(new_argv[0], new_argv, envp);
free(new_argv);
return errno = ENOEXEC, -1;
}
// NOTE: The PATH-searching logic is repeated multiple places. Until this logic
// can be shared somehow, you need to keep this comment in sync as well
// as the logic in these files:
// * libc/unistd/execvpe.cpp
// * utils/which.cpp
extern "C"
int execvpe(const char* filename, char* const* argv, char* const* envp)
{
if ( !filename || !filename[0] )
return errno = ENOENT;
const char* path = LookupEnvironment("PATH", envp);
// TODO: Should there be a default PATH value?
if ( strchr(filename, '/') || !path )
return execve(filename, argv, envp);
bool search_path = !strchr(filename, '/') && path;
bool any_tries = false;
bool any_eacces = false;
// Search each directory in the PATH variable for a suitable file.
size_t filename_len = strlen(filename);
while ( *path )
while ( search_path && *path )
{
size_t len = strcspn(path, ":");
if ( !len )
@ -68,33 +115,61 @@ extern "C" int execvpe(const char* filename, char* const* argv,
// directory. While it does inductively make sense, the common
// kernel interfaces such as openat doesn't accept it and software
// often just prefix their directories and a colon to PATH without
// regard to whether it's already empty. S
// regard to whether it's already empty.
path++;
continue;
}
// Determine the full path to the file if it is in the directory.
size_t fullpath_len = len + 1 + filename_len + 1;
char* fullpath = (char*) malloc(fullpath_len * sizeof(char));
if ( !fullpath )
any_tries = true;
// Determine the directory prefix.
char* dirpath = strndup(path, len);
if ( !dirpath )
return -1;
stpcpy(stpcpy(stpncpy(fullpath, path, len), "/"), filename);
if ( (path += len)[0] == ':' )
path++;
while ( len && dirpath[len - 1] == '/' )
dirpath[--len] = '\0';
// Determine the full path to the file inside the directory.
char* fullpath;
if ( asprintf(&fullpath, "%s/%s", dirpath, filename) < 0 )
return free(dirpath), -1;
execvpe_attempt(fullpath, filename, argv, envp);
execve(fullpath, argv, envp);
free(fullpath);
free(dirpath);
// TODO: There may be some security concerns here as to whether to
// continue or abort execution. For instance, if a directory in the
// start of the PATH has permissions set up too restrictively, then
// it would never look in the later directories (and you can't execute
// anything without absolute paths). And other situations.
if ( errno == EACCES )
return -1;
// Proceed to the next PATH entry if the file didn't exist.
if ( errno == ENOENT )
continue;
// Ignore errors related to path resolution where the cause is a bad
// entry in the PATH as opposed to security issues.
if ( errno == ELOOP ||
errno == EISDIR ||
errno == ENAMETOOLONG ||
errno == ENOTDIR )
continue;
// Remember permission denied errors and report that errno value if the
// entire PATH search fails rather than the error of the last attempt.
if ( errno == EACCES )
{
any_eacces = true;
continue;
}
// Any other errors are treated as fatal and we stop the search.
break;
}
if ( !any_tries )
execvpe_attempt(filename, filename, argv, envp);
if ( any_eacces )
errno = EACCES;
return -1;
}

View file

@ -1,6 +1,6 @@
/*******************************************************************************
Copyright(C) Jonas 'Sortie' Termansen 2012.
Copyright(C) Jonas 'Sortie' Termansen 2012, 2014.
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
@ -35,54 +35,90 @@
#define VERSIONSTR "unknown version"
#endif
bool Which(const char* cmd, const char* path, bool all)
// NOTE: The PATH-searching logic is repeated multiple places. Until this logic
// can be shared somehow, you need to keep this comment in sync as well
// as the logic in these files:
// * libc/unistd/execvpe.cpp
// * utils/which.cpp
// NOTO: See comments in execvpe() for algorithmic commentary.
bool Which(const char* filename, const char* path, bool all)
{
if ( strchr(cmd, '/') )
bool found = false;
bool search_path = !strchr(filename, '/') && path;
bool any_tries = false;
bool any_eacces = false;
while ( search_path && *path )
{
struct stat st;
if ( stat(path, &st) )
size_t len = strcspn(path, ":");
if ( !len )
{
printf("%s\n", cmd);
return true;
}
return false;
path++;
continue;
}
// Sortix doesn't support that the empty string means current directory.
bool found = false;
char* dirname = NULL;
while ( *path )
{
if ( dirname ) { free(dirname); dirname = NULL; }
size_t len = strcspn(path, ":");
if ( !len ) { path++; continue; }
dirname = (char*) malloc((len+1) * sizeof(char));
if ( !dirname )
error(1, errno, "malloc");
memcpy(dirname, path, len * sizeof(char));
dirname[len] = '\0';
any_tries = true;
char* dirpath = strndup(path, len);
if ( !dirpath )
return -1;
if ( (path += len)[0] == ':' )
path++;
int dirfd = open(dirname, O_RDONLY | O_DIRECTORY);
if ( dirfd < 0 )
while ( len && dirpath[len - 1] == '/' )
dirpath[--len] = '\0';
char* fullpath;
if ( asprintf(&fullpath, "%s/%s", dirpath, filename) < 0 )
return free(dirpath), -1;
if ( access(fullpath, X_OK) == 0 )
{
if ( errno == EACCES )
error(1, errno, "%s", dirname);
// TODO: May be a security concern to continue;
if ( errno == ENOENT )
continue;
continue;
}
struct stat st;
int ret = fstatat(dirfd, cmd, &st, 0);
if ( ret != 0 )
continue;
printf("%s/%s\n", dirname, cmd);
found = true;
if ( !all )
printf("%s\n", fullpath);
free(fullpath);
free(dirpath);
if ( all )
continue;
break;
}
free(dirname);
free(fullpath);
free(dirpath);
if ( errno == ENOENT )
continue;
if ( errno == ELOOP ||
errno == EISDIR ||
errno == ENAMETOOLONG ||
errno == ENOTDIR )
continue;
if ( errno == EACCES )
{
any_eacces = true;
continue;
}
if ( all )
continue;
break;
}
if ( !any_tries )
{
if ( access(filename, X_OK) == 0 )
{
found = true;
printf("%s\n", filename);
}
}
(void) any_eacces;
return found;
}
@ -144,11 +180,6 @@ int main(int argc, char* argv[])
}
const char* path = getenv("PATH");
if ( !path )
{
fprintf(stderr, "%s: PATH variable is not set\n", argv0);
exit(1);
}
bool success = true;
for ( int i = 1; i < argc; i++ )