On Thu, Mar 25, 2010 at 06:13:24PM +0100, ????? ???????????? wrote: > Did you test the patch with compiled shell scripts, too? > What is the output if you compile t1.ksh/t2.ksh with shcomp: > /bin/shcomp t1.ksh t1 > /bin/shcomp t2.ksh t2 > and make t1/t2 setuid and run it?
This is interesting. Both the compiled shell scripts (with or without options in the #! line) fail with Exec format errors. $ ls -l t[12] -rwsr-sr-x 1 root root 22 Mar 26 06:05 t1 -rwsr-sr-x 1 root root 22 Mar 26 06:06 t2 $ ./t1 /usr/bin/sparcv9/ksh93: /usr/bin/sparcv9/ksh93: cannot execute [Exec format error] $ ./t2 /usr/bin/sparcv9/ksh93: /usr/bin/sparcv9/ksh93: cannot execute [Exec format error] With the hack I mentioned to fix the mangled execv arguments, both the compiled scripts work, but return /dev/fd/XX as the $0 value. $ ./t1 /dev/fd/4 $ ./t2 /dev/fd/4 Venky. > > Olga > > On Wed, Mar 24, 2010 at 2:20 PM, Venky <venkytv at opensolaris.org> wrote: > > Hi Olga, > > > >> > Venky, does this issue occur even if you bypass isaexec, i.e. > > > > Yes, tried this with /usr/bin/sparcv9/ksh93 to make sure isaexec > > does not complicate things. It does seem to be because of the > > arguments getting mangled in line 1217 of libshell/common/sh/init.c. > > > > A quick hack to restore the mangled arguments before exec (patch > > attached) seems to fix this issue. The $0 value remains messed up, > > though. It displays /dev/fd/XX as the script name, while a #! line > > without arguments displays the correct script name. > > > > # cat >t1.ksh <<EOF > > #!/usr/bin/sparcv9/ksh93 -p > > echo \$0 > > EOF > > > > # cat >t2.ksh <<EOF > > #!/usr/bin/sparcv9/ksh93 > > echo \$0 > > EOF > > > > # chmod +xs t[12].ksh > > # ls -l t* > > -rwsr-sr-x 1 root root 36 Mar 24 05:51 t1.ksh > > -rwsr-sr-x 1 root root 33 Mar 24 05:51 t2.ksh > > # exit > > > > $ ./t1.ksh > > /dev/fd/4 > > $ ./t2.ksh > > t2.ksh > > > > Venky. > > > > On Wed, Mar 24, 2010 at 03:13:08AM +0100, ????? ???????????? wrote: > >> 2010/3/24 ?????????? ???????????????????????? <olga.kryzhanovska at > >> gmail.com>: > >> > Venky, does this issue occur even if you bypass isaexec, i.e. > >> > #!/usr/bin/i86/ksh -p > >> > >> Correction: > >> #!/usr/bin/i86/ksh93 -p > >> > >> > or > >> > #!/usr/bin/sparcv0/ksh -p > >> > >> Correction: > >> #!/usr/bin/sparcv9/ksh93 -p > >> > >> > > >> > Olga > >> > > >> > On Fri, Mar 19, 2010 at 4:06 PM, Venky <venkytv at opensolaris.org> > >> > wrote: > >> >> Have been investigating CR 6934836. > >> >> > >> >> 6934836 set-uid script with -p in magic number gets Exec format error > >> >> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6934836 > >> >> > >> >> Have a few questions I'm hoping the ksh93 folks here will be able > >> >> to help me with. > >> >> > >> >> It looks like the bug is due to the fact that set-uid scripts get > >> >> passed to the shell as a /dev/fd/XX parameter instead of the actual > >> >> path. This has problems with ksh93 *only* if there are any options > >> >> passed on the command line. > >> >> > >> >> The test program below demonstrates this: > >> >> > >> >> ---------- > >> >> > >> >> $ cat testexec.c > >> >> #include <stdio.h> > >> >> #include <fcntl.h> > >> >> #include <unistd.h> > >> >> > >> >> int > >> >> main() > >> >> { > >> >> int fd = -1; > >> >> char devfd[32]; > >> >> char *script = "/tmp/ok.ksh"; /* Can be any simple script */ > >> >> > >> >> fd = open(script, O_RDONLY); > >> >> sprintf(devfd, "/dev/fd/%d", fd); > >> >> execl("/usr/bin/sparcv9/ksh93", "ksh", "-v", devfd, NULL); > >> >> } > >> >> $ ./testexec > >> >> /usr/bin/ksh: /usr/bin/ksh: cannot execute [Exec format error] > >> >> > >> >> ---------- > >> >> > >> >> The culprit seems to be the code below: > >> >> > >> >> <lib/libshell/common/sh/init.c> > >> >> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libshell/common/sh/init.c#1216 > >> >> > >> >> 1216 shp->st.dolv=argv+(argc-1)-shp->st.dolc; > >> >> 1217 shp->st.dolv[0] = argv[0]; > >> >> > >> >> Here, we are overwriting one of the arguments of argv (because > >> >> shp->st.dolv indexes into the argv vector). > >> >> > >> >> In this particular case, argv which originally looked like this: > >> >> > >> >> ksh, -v, /dev/fd/3 > >> >> > >> >> ends up looking like this: > >> >> > >> >> ksh, ksh, /dev/fd/3 > >> >> > >> >> We then pass the mangled argv to execv(): > >> >> > >> >> <lib/libshell/common/sh/main.c> > >> >> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libshell/common/sh/main.c#298 > >> >> > >> >> 298 /* exec to change $0 for ps */ > >> >> 299 execv(pathshell(),av); > >> >> > >> >> As a consequence, ksh tries to load the ksh binary as a shell script and > >> >> fails with an "Exec format" error. > >> >> > >> >> Have been digging around trying to figure out what is the right > >> >> thing to do in this situation. Figured some of the people more > >> >> familiar with the ksh93 source might be able to help. > >> >> > >> >> Also, the execv() call above uses pathshell() which seems plain wrong. > >> >> The whole exec hack here seems to be to make sure $0 is set correctly > >> >> for ps. But pathshell() looks at the SHELL variable and might end up > >> >> executing the script with a different shell altogether. > >> >> > >> >> Any help appreciated. > >> >> > >> >> Thanks, > >> >> Venky. > >> >> _______________________________________________ > >> >> ksh93-integration-discuss mailing list > >> >> ksh93-integration-discuss at opensolaris.org > >> >> http://mail.opensolaris.org/mailman/listinfo/ksh93-integration-discuss > >> >> > >> > > >> > > >> > > >> > -- > >> > , _ _ , > >> > { \/`o;====- Olga Kryzhanovska -====;o`\/ } > >> > .----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----. > >> > `'-..-| / Solaris/BSD//C/C++ programmer \ |-..-'` > >> > /\/\ /\/\ > >> > `--` `--` > >> > > >> > >> > >> > >> -- > >> , _ _ , > >> { \/`o;====- Olga Kryzhanovska -====;o`\/ } > >> .----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----. > >> `'-..-| / Solaris/BSD//C/C++ programmer \ |-..-'` > >> /\/\ /\/\ > >> `--` `--` > > > > > > -- > , _ _ , > { \/`o;====- Olga Kryzhanovska -====;o`\/ } > .----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----. > `'-..-| / Solaris/BSD//C/C++ programmer \ |-..-'` > /\/\ /\/\ > `--` `--`
