From 052d3d1d9155b6557239b2006a3d4fdf7957bf8f Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 29 Apr 2022 13:09:03 -0600 Subject: [PATCH] Update intercept documentation. --- docs/sudo.conf.man.in | 6 ++--- docs/sudo.conf.mdoc.in | 6 ++--- docs/sudoers.man.in | 59 ++++++++++++++++++++++++++++++------------ docs/sudoers.mdoc.in | 59 ++++++++++++++++++++++++++++++------------ 4 files changed, 92 insertions(+), 38 deletions(-) diff --git a/docs/sudo.conf.man.in b/docs/sudo.conf.man.in index c9758e99d..bf7cf5b1a 100644 --- a/docs/sudo.conf.man.in +++ b/docs/sudo.conf.man.in @@ -17,7 +17,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .nr SL @SEMAN@ -.TH "SUDO.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO.CONF" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -605,9 +605,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug .PP would log all debugging statements, regardless of level, for the \fIsudo_intercept.so\fR -shared object that implements +shared library that implements \fBsudo\fR's -intercept functionality. +intercept functionality on some systems. .PP As of \fBsudo\fR diff --git a/docs/sudo.conf.mdoc.in b/docs/sudo.conf.mdoc.in index 722fbd625..51e442de6 100644 --- a/docs/sudo.conf.mdoc.in +++ b/docs/sudo.conf.mdoc.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .nr SL @SEMAN@ -.Dd February 16, 2022 +.Dd April 28, 2022 .Dt SUDO.CONF @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -549,9 +549,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug .Pp would log all debugging statements, regardless of level, for the .Pa sudo_intercept.so -shared object that implements +shared library that implements .Nm sudo Ns 's -intercept functionality. +intercept functionality on some systems. .Pp As of .Nm sudo diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index fcb953d2d..e8388931a 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "February 21, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -3114,7 +3114,9 @@ See \fIPreventing shell escapes\fR for more information on what systems support this option and its limitations. This setting is only supported by version 1.9.8 or higher -and is incompatible with SELinux RBAC support. +and is incompatible with SELinux RBAC support unless the system supports +seccomp(2) +filter mode. .TP 18n log_year If set, the four-digit year will be logged in the (non-syslog) @@ -3291,7 +3293,9 @@ This flag is by default. .sp This setting is only supported by version 1.9.8 or higher -and is incompatible with SELinux RBAC support. +and is incompatible with SELinux RBAC support unless the system supports +seccomp(2) +filter mode. .TP 18n intercept_allow_setid On most systems, the dynamic loader will ignore @@ -6757,14 +6761,35 @@ For example, this can be used to restrict the commands run from within a privileged shell. Note, however, that this applies only to dynamically-linked executables. -Statically-linked executables and executables -running under binary emulation are not affected. -Also, most shells support built-in commands and the ability to read -or write sensitive files that cannot be intercepted by -\fBsudo\fR. -.sp -Currently, +It is not possible to intercept commands for statically-linked executables +or executables that run under binary emulation. +This implementation of the +\fIintercept\fR +functionality is incompatible with \fBsudo\fR's +SELinux RBAC support (but see below). +SELinux disables +\fRLD_PRELOAD\fR +by default and interferes with file descriptor inheritance. +.sp +Linux systems that support +seccomp(2) +filtering will use a different method involving +ptrace(2) +instead of pre-loading a shared library. +This method supports both static and dynamic executables as well as +\fBsudo\fR's +SELinux RBAC mode. +Because it operates at the system call level, not the library function level, +it is possible to intercept all calls to +execve(2). +Functions utilizing the +execveat(2) +system call, such as +fexecve(3), +are not currently intercepted. +.sp +The shared library-based \fIintercept\fR functionality only works for programs that use the \fBexecl\fR(), @@ -6785,6 +6810,9 @@ Because most dynamic loaders ignore will not permit such programs to be run in \fIintercept\fR mode. +The Linux +seccomp(2)\-based +implementation does not share these restrictions. .sp The \fIintercept\fR @@ -6797,11 +6825,8 @@ Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if \fRLD_PRELOAD\fR is supported. -It is -\fInot\fR -supported when -\fBsudo\fR's -SELinux RBAC support is in use due to a fundamental incompatibility. +It is not possible to intercept shell built-in commands or restrict +the ability to read or write sensitive files from within a shell. .sp To enable intercept mode on a per-command basis, use the \fRINTERCEPT\fR @@ -6859,7 +6884,9 @@ noexec functionality can be used to prevent a program run by \fBsudo\fR from executing any other programs. -On most systems, it uses the same mechanism as +On most systems, it uses the same +\fRLD_PRELOAD\fR +mechanism as \fIintercept\fR (see above) and thus the same caveats apply. The diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 4a47f3702..7920fcc63 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in @@ -24,7 +24,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd February 21, 2022 +.Dd April 28, 2022 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2941,7 +2941,9 @@ See .Sx Preventing shell escapes for more information on what systems support this option and its limitations. This setting is only supported by version 1.9.8 or higher -and is incompatible with SELinux RBAC support. +and is incompatible with SELinux RBAC support unless the system supports +.Xr seccomp 2 +filter mode. .It log_year If set, the four-digit year will be logged in the (non-syslog) .Nm sudo @@ -3108,7 +3110,9 @@ This flag is by default. .Pp This setting is only supported by version 1.9.8 or higher -and is incompatible with SELinux RBAC support. +and is incompatible with SELinux RBAC support unless the system supports +.Xr seccomp 2 +filter mode. .It intercept_allow_setid On most systems, the dynamic loader will ignore .Ev LD_PRELOAD @@ -6246,14 +6250,35 @@ For example, this can be used to restrict the commands run from within a privileged shell. Note, however, that this applies only to dynamically-linked executables. -Statically-linked executables and executables -running under binary emulation are not affected. -Also, most shells support built-in commands and the ability to read -or write sensitive files that cannot be intercepted by -.Nm sudo . -.Pp -Currently, +It is not possible to intercept commands for statically-linked executables +or executables that run under binary emulation. +This implementation of the +.Em intercept +functionality is incompatible with .Nm sudo Ns 's +SELinux RBAC support (but see below). +SELinux disables +.Ev LD_PRELOAD +by default and interferes with file descriptor inheritance. +.Pp +Linux systems that support +.Xr seccomp 2 +filtering will use a different method involving +.Xr ptrace 2 +instead of pre-loading a shared library. +This method supports both static and dynamic executables as well as +.Nm sudo Ns 's +SELinux RBAC mode. +Because it operates at the system call level, not the library function level, +it is possible to intercept all calls to +.Xr execve 2 . +Functions utilizing the +.Xr execveat 2 +system call, such as +.Xr fexecve 3 , +are not currently intercepted. +.Pp +The shared library-based .Em intercept functionality only works for programs that use the .Fn execl , @@ -6274,6 +6299,9 @@ Because most dynamic loaders ignore will not permit such programs to be run in .Em intercept mode. +The Linux +.Xr seccomp 2 Ns \- Ns based +implementation does not share these restrictions. .Pp The .Em intercept @@ -6286,11 +6314,8 @@ Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if .Ev LD_PRELOAD is supported. -It is -.Em not -supported when -.Nm sudo Ns 's -SELinux RBAC support is in use due to a fundamental incompatibility. +It is not possible to intercept shell built-in commands or restrict +the ability to read or write sensitive files from within a shell. .Pp To enable intercept mode on a per-command basis, use the .Li INTERCEPT @@ -6341,7 +6366,9 @@ flag uses the same mechanism as functionality can be used to prevent a program run by .Nm sudo from executing any other programs. -On most systems, it uses the same mechanism as +On most systems, it uses the same +.Ev LD_PRELOAD +mechanism as .Em intercept (see above) and thus the same caveats apply. The