Add closefrom sudoers option to start closing at a point other than 3.

Add closefrom_override sudoers option and -C sudo flag to allow the
user to specify a different closefrom starting point.
Todd C. Miller
2004-12-16 18:33:49 +00:00
parent 74c19b024a
commit 051a2110a4
8 changed files with 96 additions and 29 deletions


@@ -243,6 +243,22 @@ struct sudo_defs_types sudo_defs_table[] = {
"noexec_file", T_STR|T_PATH,
"File containing dummy exec functions: %s",
NULL,
}, {
"ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file",
NULL,
}, {
"monitor", T_FLAG,
"Monitor children of cmnd and apply sudoers restrictions to them",
NULL,
}, {
"closefrom", T_INT,
"File descriptors >= %d will be closed before executing a command",
NULL,
}, {
"closefrom_override", T_FLAG,
"If set, users may override the value of `closefrom' with the -O option",
NULL,
}, {
"env_check", T_LIST|T_BOOL,
"Environment variables to check for sanity:",
@@ -255,14 +271,6 @@ struct sudo_defs_types sudo_defs_table[] = {
"env_keep", T_LIST|T_BOOL,
"Environment variables to preserve:",
NULL,
}, {
"ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file",
NULL,
}, {
"monitor", T_FLAG,
"Monitor children of cmnd and apply sudoers restrictions to them",
NULL,
}, {
NULL, 0, NULL
}
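Review bot: The new `closefrom_override` description names the wrong flag: it says users may override the value "with the -O option", while the option this commit adds is `-C` (the `case 'C':` branch and the `" [-C fd]"` usage line in sudo.c, and `=item -C fd` in sudo.pod). The same `-O` wording appears in the def_data.in entry, in both sudo.c messages (`you are not permitted to use the -O option` and `the argument to -O must be at least 3`) and in the sudoers.pod text for closefrom_override. A user or administrator reading the denial message or the option listing is pointed at a different flag than the one that controls descriptor closing, so each of these should say `-C option`.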


@@ -108,16 +108,20 @@
#define I_NOEXEC 53
#define def_noexec_file (sudo_defs_table[54].sd_un.str)
#define I_NOEXEC_FILE 54
#define def_env_check (sudo_defs_table[55].sd_un.list)
#define I_ENV_CHECK 55
#define def_env_delete (sudo_defs_table[56].sd_un.list)
#define I_ENV_DELETE 56
#define def_env_keep (sudo_defs_table[57].sd_un.list)
#define I_ENV_KEEP 57
#define def_ignore_local_sudoers (sudo_defs_table[58].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 58
#define def_monitor (sudo_defs_table[59].sd_un.flag)
#define I_MONITOR 59
#define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 55
#define def_monitor (sudo_defs_table[56].sd_un.flag)
#define I_MONITOR 56
#define def_closefrom (sudo_defs_table[57].sd_un.ival)
#define I_CLOSEFROM 57
#define def_closefrom_override (sudo_defs_table[58].sd_un.flag)
#define I_CLOSEFROM_OVERRIDE 58
#define def_env_check (sudo_defs_table[59].sd_un.list)
#define I_ENV_CHECK 59
#define def_env_delete (sudo_defs_table[60].sd_un.list)
#define I_ENV_DELETE 60
#define def_env_keep (sudo_defs_table[61].sd_un.list)
#define I_ENV_KEEP 61
enum def_tupple {
never,


@@ -179,6 +179,18 @@ noexec
noexec_file
T_STR|T_PATH
"File containing dummy exec functions: %s"
ignore_local_sudoers
T_FLAG
"If LDAP directory is up, do we ignore local sudoers file"
monitor
T_FLAG
"Monitor children of cmnd and apply sudoers restrictions to them"
closefrom
T_INT
"File descriptors >= %d will be closed before executing a command"
closefrom_override
T_FLAG
"If set, users may override the value of `closefrom' with the -O option"
env_check
T_LIST|T_BOOL
"Environment variables to check for sanity:"
@@ -188,9 +200,3 @@ env_delete
env_keep
T_LIST|T_BOOL
"Environment variables to preserve:"
ignore_local_sudoers
T_FLAG
"If LDAP directory is up, do we ignore local sudoers file"
monitor
T_FLAG
"Monitor children of cmnd and apply sudoers restrictions to them"


@@ -428,6 +428,7 @@ init_defaults()
def_env_editor = TRUE;
#endif
def_set_logname = TRUE;
def_closefrom = STDERR_FILENO + 1;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)


@@ -490,9 +490,10 @@ send_mail(line)
}
argv[i] = NULL;
/* Close password and group files so we don't leak fds. */
/* Close password, group and other fds so we don't leak. */
sudo_endpwent();
sudo_endgrent();
closefrom(STDERR_FILENO + 1);
/*
* Depending on the config, either run the mailer as root

27
sudo.c

@@ -116,6 +116,7 @@ extern char **zero_env __P((char **));
int Argc, NewArgc;
char **Argv, **NewArgv;
char *prev_user;
static int user_closefrom = -1;
struct sudo_user sudo_user;
struct passwd *auth_pw, *list_pw;
struct interface *interfaces;
@@ -189,7 +190,7 @@ main(argc, argv, envp)
(void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
/*
* Turn off core dumps and close open files.
* Turn off core dumps and make sure fds 0-2 are open.
*/
initial_setup();
sudo_setpwent();
@@ -280,6 +281,14 @@ main(argc, argv, envp)
exit(1);
}
/* Check for -C overriding def_closefrom. */
if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
if (!def_closefrom_override)
errorx(1, "you are not permitted to use the -O option");
else
def_closefrom = user_closefrom;
}
cmnd_status = set_cmnd(sudo_mode);
#ifdef HAVE_LDAP
@@ -426,6 +435,8 @@ main(argc, argv, envp)
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
closefrom(def_closefrom + 1);
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
@@ -753,6 +764,16 @@ parse_args(argc, argv)
NewArgv++;
break;
#endif
case 'C':
if (NewArgv[1] == NULL)
usage(1);
if ((user_closefrom = atoi(NewArgv[1])) < 3) {
warningx("the argument to -O must be at least 3");
usage(1);
}
NewArgc--;
NewArgv++;
break;
case 'b':
SET(rval, MODE_BACKGROUND);
break;
@@ -993,9 +1014,10 @@ initial_setup()
(void) dup2(devnull, STDOUT_FILENO);
if (miss[STDERR_FILENO])
(void) dup2(devnull, STDERR_FILENO);
if (devnull > STDERR_FILENO)
close(devnull);
}
}
closefrom(STDERR_FILENO + 1);
}
#ifdef HAVE_LOGIN_CAP_H
@@ -1151,6 +1173,7 @@ usage(exit_val)
#ifdef HAVE_BSD_AUTH_H
" [-a auth_type]",
#endif
" [-C fd]",
#ifdef HAVE_LOGIN_CAP_H
" [-c class|-]",
#endif
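Review bot: `closefrom(def_closefrom + 1);` in main looks off by one. init_defaults sets `def_closefrom = STDERR_FILENO + 1` and the option text says descriptors `>= %d` are closed, so with the default this call starts at 4 and leaves fd 3 open in the executed command, unlike the `closefrom(STDERR_FILENO + 1)` it replaces in initial_setup. If closefrom() closes everything at or above its argument, as the send_mail call in this commit implies, the line should be `closefrom(def_closefrom);`. Separately, parse_args reads the `-C` argument with `atoi()`, which accepts trailing garbage (a constructed example: `3x`) and has undefined behaviour on out-of-range input; `strtol()` with an end-pointer and range check would reject those. Both main and parse_args extend beyond the hunks shown.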


@@ -31,8 +31,8 @@ B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-v>
B<sudo> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> B<-l> [I<command>]
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
S<{B<-e> file [...] | B<-i> | B<-s> | I<command>}>
B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]>
@@ -92,6 +92,16 @@ B<sudo> accepts the following command line options:
=over 4
=item -C fd
Normally, B<sudo> will close all open file descriptors other than
standard input, standard output and standard error. The B<-C>
(I<close from>) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the I<closefrom_override> option in
L<sudoers(@mansectform@)>.
=item -H
The B<-H> (I<HOME>) option sets the C<HOME> environment variable


@@ -477,6 +477,12 @@ Since this options tells B<sudo> how to behave when no specific LDAP entries
have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is I<off> by default.
=item closefrom_override
If set, the user may use B<sudo>'s B<-O> option which
overrides the default starting point at which B<sudo> begins
closing open file descriptors. This flag is I<off> by default.
=back
B<Integers>:
@@ -520,6 +526,14 @@ The default is C<@password_timeout@>, set this to C<0> for no password timeout.
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
=item closefrom
Before it executes a command, B<sudo> will close all open file
descriptors other than standard input, standard output and standard
error (ie: file descriptors 0-2). The I<closefrom> option can be used
to specify a different file descriptor at which to start closing.
The default is 3.
=back
B<Strings>: