Add closefrom sudoers option to start closing at a point other than 3.

Add closefrom_override sudoers option and -C sudo flag to allow the
user to specify a different closefrom starting point.
Todd C. Miller
2004-12-16 18:33:49 +00:00
parent 74c19b024a
commit 051a2110a4
8 changed files with 96 additions and 29 deletions


@@ -243,6 +243,22 @@ struct sudo_defs_types sudo_defs_table[] = {
"noexec_file", T_STR|T_PATH, "noexec_file", T_STR|T_PATH,
"File containing dummy exec functions: %s", "File containing dummy exec functions: %s",
NULL, NULL,
}, {
"ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file",
NULL,
}, {
"monitor", T_FLAG,
"Monitor children of cmnd and apply sudoers restrictions to them",
NULL,
}, {
"closefrom", T_INT,
"File descriptors >= %d will be closed before executing a command",
NULL,
}, {
"closefrom_override", T_FLAG,
"If set, users may override the value of `closefrom' with the -O option",
NULL,
}, { }, {
"env_check", T_LIST|T_BOOL, "env_check", T_LIST|T_BOOL,
"Environment variables to check for sanity:", "Environment variables to check for sanity:",
@@ -255,14 +271,6 @@ struct sudo_defs_types sudo_defs_table[] = {
"env_keep", T_LIST|T_BOOL, "env_keep", T_LIST|T_BOOL,
"Environment variables to preserve:", "Environment variables to preserve:",
NULL, NULL,
}, {
"ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file",
NULL,
}, {
"monitor", T_FLAG,
"Monitor children of cmnd and apply sudoers restrictions to them",
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }


@@ -108,16 +108,20 @@
#define I_NOEXEC 53 #define I_NOEXEC 53
#define def_noexec_file (sudo_defs_table[54].sd_un.str) #define def_noexec_file (sudo_defs_table[54].sd_un.str)
#define I_NOEXEC_FILE 54 #define I_NOEXEC_FILE 54
#define def_env_check (sudo_defs_table[55].sd_un.list) #define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag)
#define I_ENV_CHECK 55 #define I_IGNORE_LOCAL_SUDOERS 55
#define def_env_delete (sudo_defs_table[56].sd_un.list) #define def_monitor (sudo_defs_table[56].sd_un.flag)
#define I_ENV_DELETE 56 #define I_MONITOR 56
#define def_env_keep (sudo_defs_table[57].sd_un.list) #define def_closefrom (sudo_defs_table[57].sd_un.ival)
#define I_ENV_KEEP 57 #define I_CLOSEFROM 57
#define def_ignore_local_sudoers (sudo_defs_table[58].sd_un.flag) #define def_closefrom_override (sudo_defs_table[58].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 58 #define I_CLOSEFROM_OVERRIDE 58
#define def_monitor (sudo_defs_table[59].sd_un.flag) #define def_env_check (sudo_defs_table[59].sd_un.list)
#define I_MONITOR 59 #define I_ENV_CHECK 59
#define def_env_delete (sudo_defs_table[60].sd_un.list)
#define I_ENV_DELETE 60
#define def_env_keep (sudo_defs_table[61].sd_un.list)
#define I_ENV_KEEP 61
enum def_tupple { enum def_tupple {
never, never,


@@ -179,6 +179,18 @@ noexec
noexec_file noexec_file
T_STR|T_PATH T_STR|T_PATH
"File containing dummy exec functions: %s" "File containing dummy exec functions: %s"
ignore_local_sudoers
T_FLAG
"If LDAP directory is up, do we ignore local sudoers file"
monitor
T_FLAG
"Monitor children of cmnd and apply sudoers restrictions to them"
closefrom
T_INT
"File descriptors >= %d will be closed before executing a command"
closefrom_override
T_FLAG
"If set, users may override the value of `closefrom' with the -O option"
env_check env_check
T_LIST|T_BOOL T_LIST|T_BOOL
"Environment variables to check for sanity:" "Environment variables to check for sanity:"
@@ -188,9 +200,3 @@ env_delete
env_keep env_keep
T_LIST|T_BOOL T_LIST|T_BOOL
"Environment variables to preserve:" "Environment variables to preserve:"
ignore_local_sudoers
T_FLAG
"If LDAP directory is up, do we ignore local sudoers file"
monitor
T_FLAG
"Monitor children of cmnd and apply sudoers restrictions to them"
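Review bot: The description string for `closefrom_override` names a `-O` option, but the flag this commit adds is `-C` (see the `case 'C':` branch and the `" [-C fd]"` usage line in sudo.c). The same stale letter appears in the generated def_data.c table, in both new sudo.c messages (`you are not permitted to use the -O option` and `the argument to -O must be at least 3`), and in the closefrom_override entry of sudoers.pod. A user who is refused the override is pointed at a flag that does not exist, and an administrator reading the sudoers manual cannot tell which command-line option the setting unlocks. Replace `-O` with `-C` in this string and make the other sites match.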


@@ -428,6 +428,7 @@ init_defaults()
def_env_editor = TRUE; def_env_editor = TRUE;
#endif #endif
def_set_logname = TRUE; def_set_logname = TRUE;
def_closefrom = STDERR_FILENO + 1;
/* Syslog options need special care since they both strings and ints */ /* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG) #if (LOGGING & SLOG_SYSLOG)


@@ -490,9 +490,10 @@ send_mail(line)
} }
argv[i] = NULL; argv[i] = NULL;
/* Close password and group files so we don't leak fds. */ /* Close password, group and other fds so we don't leak. */
sudo_endpwent(); sudo_endpwent();
sudo_endgrent(); sudo_endgrent();
closefrom(STDERR_FILENO + 1);
/* /*
* Depending on the config, either run the mailer as root * Depending on the config, either run the mailer as root

27
sudo.c

@@ -116,6 +116,7 @@ extern char **zero_env __P((char **));
int Argc, NewArgc; int Argc, NewArgc;
char **Argv, **NewArgv; char **Argv, **NewArgv;
char *prev_user; char *prev_user;
static int user_closefrom = -1;
struct sudo_user sudo_user; struct sudo_user sudo_user;
struct passwd *auth_pw, *list_pw; struct passwd *auth_pw, *list_pw;
struct interface *interfaces; struct interface *interfaces;
@@ -189,7 +190,7 @@ main(argc, argv, envp)
(void) sigaction(SIGCHLD, &sa, &saved_sa_chld); (void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
/* /*
* Turn off core dumps and close open files. * Turn off core dumps and make sure fds 0-2 are open.
*/ */
initial_setup(); initial_setup();
sudo_setpwent(); sudo_setpwent();
@@ -280,6 +281,14 @@ main(argc, argv, envp)
exit(1); exit(1);
} }
/* Check for -C overriding def_closefrom. */
if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
if (!def_closefrom_override)
errorx(1, "you are not permitted to use the -O option");
else
def_closefrom = user_closefrom;
}
cmnd_status = set_cmnd(sudo_mode); cmnd_status = set_cmnd(sudo_mode);
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
@@ -426,6 +435,8 @@ main(argc, argv, envp)
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL); (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
closefrom(def_closefrom + 1);
#ifndef PROFILING #ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0); exit(0);
@@ -753,6 +764,16 @@ parse_args(argc, argv)
NewArgv++; NewArgv++;
break; break;
#endif #endif
case 'C':
if (NewArgv[1] == NULL)
usage(1);
if ((user_closefrom = atoi(NewArgv[1])) < 3) {
warningx("the argument to -O must be at least 3");
usage(1);
}
NewArgc--;
NewArgv++;
break;
case 'b': case 'b':
SET(rval, MODE_BACKGROUND); SET(rval, MODE_BACKGROUND);
break; break;
@@ -993,9 +1014,10 @@ initial_setup()
(void) dup2(devnull, STDOUT_FILENO); (void) dup2(devnull, STDOUT_FILENO);
if (miss[STDERR_FILENO]) if (miss[STDERR_FILENO])
(void) dup2(devnull, STDERR_FILENO); (void) dup2(devnull, STDERR_FILENO);
if (devnull > STDERR_FILENO)
close(devnull);
} }
} }
closefrom(STDERR_FILENO + 1);
} }
#ifdef HAVE_LOGIN_CAP_H #ifdef HAVE_LOGIN_CAP_H
@@ -1151,6 +1173,7 @@ usage(exit_val)
#ifdef HAVE_BSD_AUTH_H #ifdef HAVE_BSD_AUTH_H
" [-a auth_type]", " [-a auth_type]",
#endif #endif
" [-C fd]",
#ifdef HAVE_LOGIN_CAP_H #ifdef HAVE_LOGIN_CAP_H
" [-c class|-]", " [-c class|-]",
#endif #endif
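Review bot: `closefrom(def_closefrom + 1);` in main(), just before the command is run, closes one descriptor too few. init_defaults sets the default to `STDERR_FILENO + 1` (3) and the option text says descriptors `>= %d` are closed, yet this call starts at 4, so with default settings fd 3 is inherited by the command. The call should be `closefrom(def_closefrom);`, which also agrees with the `-C` check that accepts 3 as the lowest value. In the `case 'C':` branch, `atoi(NewArgv[1])` accepts trailing garbage and cannot report overflow; `strtol` with an end-pointer and `errno` check would reject malformed input before it is used as the close boundary. Both main() and parse_args() continue outside the visible hunks.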


@@ -31,8 +31,8 @@ B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-v>
B<sudo> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> B<-l> [I<command>] B<sudo> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> B<-l> [I<command>]
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]> B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]> S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
S<{B<-e> file [...] | B<-i> | B<-s> | I<command>}> S<{B<-e> file [...] | B<-i> | B<-s> | I<command>}>
B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]>
@@ -92,6 +92,16 @@ B<sudo> accepts the following command line options:
=over 4 =over 4
=item -C fd
Normally, B<sudo> will close all open file descriptors other than
standard input, standard output and standard error. The B<-C>
(I<close from>) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the I<closefrom_override> option in
L<sudoers(@mansectform@)>.
=item -H =item -H
The B<-H> (I<HOME>) option sets the C<HOME> environment variable The B<-H> (I<HOME>) option sets the C<HOME> environment variable


@@ -477,6 +477,12 @@ Since this options tells B<sudo> how to behave when no specific LDAP entries
have been matched, this sudoOption is only meaningful for the cn=defaults have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is I<off> by default. section. This flag is I<off> by default.
=item closefrom_override
If set, the user may use B<sudo>'s B<-O> option which
overrides the default starting point at which B<sudo> begins
closing open file descriptors. This flag is I<off> by default.
=back =back
B<Integers>: B<Integers>:
@@ -520,6 +526,14 @@ The default is C<@password_timeout@>, set this to C<0> for no password timeout.
Umask to use when running the command. Negate this option or set Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>. it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
=item closefrom
Before it executes a command, B<sudo> will close all open file
descriptors other than standard input, standard output and standard
error (ie: file descriptors 0-2). The I<closefrom> option can be used
to specify a different file descriptor at which to start closing.
The default is 3.
=back =back
B<Strings>: B<Strings>: