Update intercept documentation.

Todd C. Miller
2022-04-29 13:09:03 -06:00
parent 52cacfc302
commit 052d3d1d91
4 changed files with 92 additions and 38 deletions

View File

@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO.CONF" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -605,9 +605,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.PP .PP
would log all debugging statements, regardless of level, for the would log all debugging statements, regardless of level, for the
\fIsudo_intercept.so\fR \fIsudo_intercept.so\fR
shared object that implements shared library that implements
\fBsudo\fR's \fBsudo\fR's
intercept functionality. intercept functionality on some systems.
.PP .PP
As of As of
\fBsudo\fR \fBsudo\fR
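Review bot: "on some systems" is too vague for a Debug-subsystem entry; say which systems, e.g. that sudo_intercept.so is the LD_PRELOAD-based implementation used where the seccomp(2)/ptrace(2) method described in sudoers(5) is not available, so an administrator on a Linux system with seccomp support knows this Debug line will produce no output there.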

View File

@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.Dd February 16, 2022 .Dd April 28, 2022
.Dt SUDO.CONF @mansectform@ .Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -549,9 +549,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.Pp .Pp
would log all debugging statements, regardless of level, for the would log all debugging statements, regardless of level, for the
.Pa sudo_intercept.so .Pa sudo_intercept.so
shared object that implements shared library that implements
.Nm sudo Ns 's .Nm sudo Ns 's
intercept functionality. intercept functionality on some systems.
.Pp .Pp
As of As of
.Nm sudo .Nm sudo

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "February 21, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -3114,7 +3114,9 @@ See
\fIPreventing shell escapes\fR \fIPreventing shell escapes\fR
for more information on what systems support this option and its limitations. for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support. and is incompatible with SELinux RBAC support unless the system supports
seccomp(2)
filter mode.
.TP 18n .TP 18n
log_year log_year
If set, the four-digit year will be logged in the (non-syslog) If set, the four-digit year will be logged in the (non-syslog)
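Review bot: the new clause reads as though the seccomp(2) path has been available since 1.9.8, because "only supported by version 1.9.8 or higher" directly precedes "unless the system supports seccomp(2) filter mode". If the seccomp-based method is newer than 1.9.8, state the version that introduced it here. Also use one term throughout: this sentence says "filter mode" while the Preventing shell escapes text in the same patch says "seccomp(2) filtering".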
@@ -3291,7 +3293,9 @@ This flag is
by default. by default.
.sp .sp
This setting is only supported by version 1.9.8 or higher This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support. and is incompatible with SELinux RBAC support unless the system supports
seccomp(2)
filter mode.
.TP 18n .TP 18n
intercept_allow_setid intercept_allow_setid
On most systems, the dynamic loader will ignore On most systems, the dynamic loader will ignore
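Review bot: this sentence is a copy of the one added to the earlier option and carries the same ambiguity about which version first provides the seccomp(2) exception to the SELinux RBAC incompatibility; whatever wording is settled on there should be applied identically here so the two options do not drift.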
@@ -6757,14 +6761,35 @@ For example, this can be used to restrict the commands run from
within a privileged shell. within a privileged shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables It is not possible to intercept commands for statically-linked executables
running under binary emulation are not affected. or executables that run under binary emulation.
Also, most shells support built-in commands and the ability to read This implementation of the
or write sensitive files that cannot be intercepted by \fIintercept\fR
\fBsudo\fR. functionality is incompatible with
.sp
Currently,
\fBsudo\fR's \fBsudo\fR's
SELinux RBAC support (but see below).
SELinux disables
\fRLD_PRELOAD\fR
by default and interferes with file descriptor inheritance.
.sp
Linux systems that support
seccomp(2)
filtering will use a different method involving
ptrace(2)
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as
\fBsudo\fR's
SELinux RBAC mode.
Because it operates at the system call level, not the library function level,
it is possible to intercept all calls to
execve(2).
Functions utilizing the
execveat(2)
system call, such as
fexecve(3),
are not currently intercepted.
.sp
The shared library-based
\fIintercept\fR \fIintercept\fR
functionality only works for programs that use the functionality only works for programs that use the
\fBexecl\fR(), \fBexecl\fR(),
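Review bot: "Functions utilizing the execveat(2) system call, such as fexecve(3), are not currently intercepted" documents a bypass of the seccomp(2)-based mode rather than a mere limitation: a program run from a privileged shell can exec via fexecve(3) or execveat(2) and escape the intercept policy that this section says is used "to restrict the commands run from within a privileged shell". Either have the seccomp filter stop execveat(2) as well (so the gap is closed rather than described), or say plainly that commands started this way are not subject to intercept. Separately, the first sentence of the hunk, "It is not possible to intercept commands for statically-linked executables or executables that run under binary emulation", is unconditional, yet two paragraphs later the seccomp(2) method "supports both static and dynamic executables"; qualify the first sentence as applying to the shared library-based implementation, e.g. "When the shared library-based implementation is in use, it is not possible to intercept ...".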
@@ -6785,6 +6810,9 @@ Because most dynamic loaders ignore
will not permit such programs to be run in will not permit such programs to be run in
\fIintercept\fR \fIintercept\fR
mode. mode.
The Linux
seccomp(2)\-based
implementation does not share these restrictions.
.sp .sp
The The
\fIintercept\fR \fIintercept\fR
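Review bot: "does not share these restrictions" leaves the set-user-ID case undefined for the seccomp(2)-based implementation. The preceding text says set-user-ID and set-group-ID programs "will not permit such programs to be run in intercept mode" because the loader ignores LD_PRELOAD, and the intercept_allow_setid option earlier in this patch is described only in LD_PRELOAD terms. State whether such programs are intercepted and permitted under the seccomp method, and whether intercept_allow_setid has any effect there.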
@@ -6797,11 +6825,8 @@ Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
\fRLD_PRELOAD\fR \fRLD_PRELOAD\fR
is supported. is supported.
It is It is not possible to intercept shell built-in commands or restrict
\fInot\fR the ability to read or write sensitive files from within a shell.
supported when
\fBsudo\fR's
SELinux RBAC support is in use due to a fundamental incompatibility.
.sp .sp
To enable intercept mode on a per-command basis, use the To enable intercept mode on a per-command basis, use the
\fRINTERCEPT\fR \fRINTERCEPT\fR
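Review bot: the replacement sentence "It is not possible to intercept shell built-in commands or restrict the ability to read or write sensitive files from within a shell" now sits at the end of the paragraph that is specific to the LD_PRELOAD implementation (it follows the advice to check ld.so for LD_PRELOAD support), but the limitation applies equally to the seccomp(2)/ptrace(2) method, since built-ins involve no execve(2) at all. Move it back to the general intercept description so a reader of the Linux path does not conclude built-ins are covered there.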
@@ -6859,7 +6884,9 @@ noexec
functionality can be used to prevent a program run by functionality can be used to prevent a program run by
\fBsudo\fR \fBsudo\fR
from executing any other programs. from executing any other programs.
On most systems, it uses the same mechanism as On most systems, it uses the same
\fRLD_PRELOAD\fR
mechanism as
\fIintercept\fR \fIintercept\fR
(see above) and thus the same caveats apply. (see above) and thus the same caveats apply.
The The
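Review bot: "On most systems, it uses the same LD_PRELOAD mechanism as intercept" leaves open whether noexec on Linux with seccomp(2) support also switches to the ptrace(2)-based method. If it does, say so, since it changes which caveats apply (static executables, SELinux RBAC); if it does not, say that noexec remains LD_PRELOAD-only on all systems and therefore keeps the static-executable and SELinux limitations even where intercept does not.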

View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd February 21, 2022 .Dd April 28, 2022
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -2941,7 +2941,9 @@ See
.Sx Preventing shell escapes .Sx Preventing shell escapes
for more information on what systems support this option and its limitations. for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support. and is incompatible with SELinux RBAC support unless the system supports
.Xr seccomp 2
filter mode.
.It log_year .It log_year
If set, the four-digit year will be logged in the (non-syslog) If set, the four-digit year will be logged in the (non-syslog)
.Nm sudo .Nm sudo
@@ -3108,7 +3110,9 @@ This flag is
by default. by default.
.Pp .Pp
This setting is only supported by version 1.9.8 or higher This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support. and is incompatible with SELinux RBAC support unless the system supports
.Xr seccomp 2
filter mode.
.It intercept_allow_setid .It intercept_allow_setid
On most systems, the dynamic loader will ignore On most systems, the dynamic loader will ignore
.Ev LD_PRELOAD .Ev LD_PRELOAD
@@ -6246,14 +6250,35 @@ For example, this can be used to restrict the commands run from
within a privileged shell. within a privileged shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables It is not possible to intercept commands for statically-linked executables
running under binary emulation are not affected. or executables that run under binary emulation.
Also, most shells support built-in commands and the ability to read This implementation of the
or write sensitive files that cannot be intercepted by .Em intercept
.Nm sudo . functionality is incompatible with
.Pp
Currently,
.Nm sudo Ns 's .Nm sudo Ns 's
SELinux RBAC support (but see below).
SELinux disables
.Ev LD_PRELOAD
by default and interferes with file descriptor inheritance.
.Pp
Linux systems that support
.Xr seccomp 2
filtering will use a different method involving
.Xr ptrace 2
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as
.Nm sudo Ns 's
SELinux RBAC mode.
Because it operates at the system call level, not the library function level,
it is possible to intercept all calls to
.Xr execve 2 .
Functions utilizing the
.Xr execveat 2
system call, such as
.Xr fexecve 3 ,
are not currently intercepted.
.Pp
The shared library-based
.Em intercept .Em intercept
functionality only works for programs that use the functionality only works for programs that use the
.Fn execl , .Fn execl ,
@@ -6274,6 +6299,9 @@ Because most dynamic loaders ignore
will not permit such programs to be run in will not permit such programs to be run in
.Em intercept .Em intercept
mode. mode.
The Linux
.Xr seccomp 2 Ns \- Ns based
implementation does not share these restrictions.
.Pp .Pp
The The
.Em intercept .Em intercept
@@ -6286,11 +6314,8 @@ Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
.Ev LD_PRELOAD .Ev LD_PRELOAD
is supported. is supported.
It is It is not possible to intercept shell built-in commands or restrict
.Em not the ability to read or write sensitive files from within a shell.
supported when
.Nm sudo Ns 's
SELinux RBAC support is in use due to a fundamental incompatibility.
.Pp .Pp
To enable intercept mode on a per-command basis, use the To enable intercept mode on a per-command basis, use the
.Li INTERCEPT .Li INTERCEPT
@@ -6341,7 +6366,9 @@ flag uses the same mechanism as
functionality can be used to prevent a program run by functionality can be used to prevent a program run by
.Nm sudo .Nm sudo
from executing any other programs. from executing any other programs.
On most systems, it uses the same mechanism as On most systems, it uses the same
.Ev LD_PRELOAD
mechanism as
.Em intercept .Em intercept
(see above) and thus the same caveats apply. (see above) and thus the same caveats apply.
The The