OS-5369: $0 shows /dev/fd/3 instead of the actual script name

Details

Issue Type:Bug
Priority:4 - Normal
Status:Open
Created at:2016-04-28T11:46:20.000Z
Updated at:2019-08-28T17:26:52.622Z

People

Created by:Former user
Reported by:Former user

Labels

lxbrand

Description

$0 in a bash script gives the name of the script, and some software rely on that to get the folder name of the script. However, this could be broken within an LX branded zone; /dev/fd/3 is returned when the script belongs to a different user and the "s" bit is set. For example, as root in a LX zone,

# echo -e '#!/bin/bash\nid\necho $0' > test.sh; chmod +x test.sh; ./test.sh
uid=0(root) gid=0(root) groups=0(root)
./test.sh

# chown bin test.sh; chmod +s test.sh; ./test.sh
uid=0(root) gid=0(root) groups=0(root)
/dev/fd/3

I tested on the latest SmartOS (20160422) and the latest LX centos-7 dataset. The above command print both ./test.sh on a "real" CentOS box.

For what it's worth, /dev/fd/4 is printed when run in a SmartOS GZ.

Comments

Comment by Former user
Created at 2016-04-29T19:12:52.000Z

This is a security measure enforced by the illumos intpexec facility:

        /*
         * When we're executing a set-uid script resulting in uids
         * mismatching or when we execute with additional privileges,
         * we close the "replace script between exec and open by shell"
         * hole by passing the script as /dev/fd parameter.
         */
        if ((setid & EXECSETID_PRIVS) != 0 ||
            (setid & (EXECSETID_UGIDS|EXECSETID_SETID)) ==
            (EXECSETID_UGIDS|EXECSETID_SETID)) {
                (void) strcpy(devfd, "/dev/fd/");
                if (error = execopen(&vp, &fd))
                        goto done;
                numtos(fd, &devfd[8]);
                args->fname = devfd;
        }