Update intercept documentation.
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO.CONF" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -605,9 +605,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.PP
would log all debugging statements, regardless of level, for the
\fIsudo_intercept.so\fR
shared object that implements
shared library that implements
\fBsudo\fR's
intercept functionality.
intercept functionality on some systems.
.PP
As of
\fBsudo\fR

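Review bot: "on some systems" in the new line "intercept functionality on some systems." is too vague for an administrator deciding whether this Debug entry will produce anything. The sudoers hunks in this same change give the real condition: sudo_intercept.so is the pre-loaded shared library used where intercept relies on LD_PRELOAD, while Linux systems that support seccomp(2) filtering use a ptrace(2)-based method instead of pre-loading a library. Suggest stating that condition here, e.g. "intercept functionality on systems where LD_PRELOAD rather than seccomp(2) filtering is used", so the reader knows when this debug output will not be produced at all.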
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.Dd February 16, 2022
.Dd April 28, 2022
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
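Review bot: the .man.in hunks in this change should be regenerated output rather than hand edits. In sudo's docs tree the troff -man form is produced from the .mdoc.in source with mandoc, and the -man and -mdoc hunks here are textually parallel, so please confirm the .man.in files were regenerated after editing the .mdoc.in sources; otherwise the two copies drift on the next regeneration.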
@@ -549,9 +549,9 @@ Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
.Pp
would log all debugging statements, regardless of level, for the
.Pa sudo_intercept.so
shared object that implements
shared library that implements
.Nm sudo Ns 's
intercept functionality.
intercept functionality on some systems.
.Pp
As of
.Nm sudo

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "February 21, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -3114,7 +3114,9 @@ See
\fIPreventing shell escapes\fR
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
and is incompatible with SELinux RBAC support unless the system supports
seccomp(2)
filter mode.
.TP 18n
log_year
If set, the four-digit year will be logged in the (non-syslog)
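Review bot: the new condition "unless the system supports seccomp(2) filter mode" is stated in terms of the kernel, but what actually lifts the SELinux RBAC restriction is sudo using its seccomp(2)/ptrace(2)-based intercept implementation rather than LD_PRELOAD. Kernel support alone does not tell the reader which implementation their sudo will pick. Suggest phrasing it to match the wording added in the Preventing shell escapes hunk ("The Linux seccomp(2)-based implementation does not share these restrictions"), e.g. "unless sudo's seccomp(2)-based intercept implementation is in use", and keep the pointer to that section for the details.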
@@ -3291,7 +3293,9 @@ This flag is
by default.
.sp
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
and is incompatible with SELinux RBAC support unless the system supports
seccomp(2)
filter mode.
.TP 18n
intercept_allow_setid
On most systems, the dynamic loader will ignore
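Review bot: this option entry now says the SELinux RBAC incompatibility is lifted when seccomp(2) filter mode is supported, but the corresponding paragraph in Preventing shell escapes (the @@ -6859 hunk) is only changed to say that on most systems it uses "the same LD_PRELOAD mechanism as intercept" and never says that it is also covered by the seccomp(2)/ptrace(2)-based implementation. As written the two places can be read as contradicting each other on SELinux. One of them should state explicitly that the seccomp(2)-based implementation applies to this option as well.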
@@ -6757,14 +6761,35 @@ For example, this can be used to restrict the commands run from
within a privileged shell.
Note, however, that this applies only to dynamically-linked
executables.
Statically-linked executables and executables
running under binary emulation are not affected.
Also, most shells support built-in commands and the ability to read
or write sensitive files that cannot be intercepted by
\fBsudo\fR.
.sp
Currently,
It is not possible to intercept commands for statically-linked executables
or executables that run under binary emulation.
This implementation of the
\fIintercept\fR
functionality is incompatible with
\fBsudo\fR's
SELinux RBAC support (but see below).
SELinux disables
\fRLD_PRELOAD\fR
by default and interferes with file descriptor inheritance.
.sp
Linux systems that support
seccomp(2)
filtering will use a different method involving
ptrace(2)
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as
\fBsudo\fR's
SELinux RBAC mode.
Because it operates at the system call level, not the library function level,
it is possible to intercept all calls to
execve(2).
Functions utilizing the
execveat(2)
system call, such as
fexecve(3),
are not currently intercepted.
.sp
The shared library-based
\fIintercept\fR
functionality only works for programs that use the
\fBexecl\fR(),
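Review bot: "Functions utilizing the execveat(2) system call, such as fexecve(3), are not currently intercepted." needs to say what happens to such a call: whether it is allowed through unchecked or denied. For a feature whose purpose is to control what a privileged process may execute, an exec path that is not intercepted is a policy bypass if it is allowed, and a reader has to know whether, for instance, a program that uses fexecve(3) can run arbitrary commands under intercept. If the call proceeds unchecked, say so plainly and list it next to the other limitations (statically-linked executables, binary emulation, shell built-ins) rather than as a passing remark; if the filter denies it, say that instead.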
@@ -6785,6 +6810,9 @@ Because most dynamic loaders ignore
will not permit such programs to be run in
\fIintercept\fR
mode.
The Linux
seccomp(2)\-based
implementation does not share these restrictions.
.sp
The
\fIintercept\fR
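Review bot: "The Linux seccomp(2)-based implementation does not share these restrictions." leaves the intercept_allow_setid option in an undefined state for that implementation. The restriction that option relaxes (dynamic loaders ignoring LD_PRELOAD for set-user-ID and set-group-ID programs, so sudo refuses to run them in intercept mode) does not exist when interception is done with ptrace(2), so either here or in the intercept_allow_setid entry state that the option only affects the LD_PRELOAD-based implementation and has no effect otherwise. Administrators should not be left to guess whether setting it changes behavior.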
@@ -6797,11 +6825,8 @@ Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
\fRLD_PRELOAD\fR
is supported.
It is
\fInot\fR
supported when
\fBsudo\fR's
SELinux RBAC support is in use due to a fundamental incompatibility.
It is not possible to intercept shell built-in commands or restrict
the ability to read or write sensitive files from within a shell.
.sp
To enable intercept mode on a per-command basis, use the
\fRINTERCEPT\fR
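Review bot: with the SELinux sentence dropped, the remaining "It is not possible to intercept shell built-in commands or restrict the ability to read or write sensitive files from within a shell." now sits in a paragraph that is otherwise about LD_PRELOAD support in the dynamic linker, which invites the reading that this limitation is specific to the shared library method. It is not: a shell built-in never crosses an exec boundary, so neither the LD_PRELOAD nor the seccomp(2)/ptrace(2)-based implementation can see it. Suggest stating that this limitation applies to both implementations, so readers on Linux do not assume the seccomp(2) method closes it.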
@@ -6859,7 +6884,9 @@ noexec
functionality can be used to prevent a program run by
\fBsudo\fR
from executing any other programs.
On most systems, it uses the same mechanism as
On most systems, it uses the same
\fRLD_PRELOAD\fR
mechanism as
\fIintercept\fR
(see above) and thus the same caveats apply.
The

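Review bot: "On most systems, it uses the same LD_PRELOAD mechanism as intercept (see above) and thus the same caveats apply." does not say which mechanism noexec uses on Linux systems with seccomp(2) filtering, which after this change is the case most readers of this section will be in. Since the noexec option entry in this same change now says the SELinux RBAC incompatibility is lifted when seccomp(2) filter mode is supported, this paragraph should say explicitly that noexec shares the seccomp(2)/ptrace(2)-based implementation on such systems, and therefore which of the caveats above (static executables, binary emulation, execveat(2)-based calls) still apply to it there.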
@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd February 21, 2022
.Dd April 28, 2022
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -2941,7 +2941,9 @@ See
.Sx Preventing shell escapes
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
and is incompatible with SELinux RBAC support unless the system supports
.Xr seccomp 2
filter mode.
.It log_year
If set, the four-digit year will be logged in the (non-syslog)
.Nm sudo
@@ -3108,7 +3110,9 @@ This flag is
by default.
.Pp
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
and is incompatible with SELinux RBAC support unless the system supports
.Xr seccomp 2
filter mode.
.It intercept_allow_setid
On most systems, the dynamic loader will ignore
.Ev LD_PRELOAD
@@ -6246,14 +6250,35 @@ For example, this can be used to restrict the commands run from
within a privileged shell.
Note, however, that this applies only to dynamically-linked
executables.
Statically-linked executables and executables
running under binary emulation are not affected.
Also, most shells support built-in commands and the ability to read
or write sensitive files that cannot be intercepted by
.Nm sudo .
.Pp
Currently,
It is not possible to intercept commands for statically-linked executables
or executables that run under binary emulation.
This implementation of the
.Em intercept
functionality is incompatible with
.Nm sudo Ns 's
SELinux RBAC support (but see below).
SELinux disables
.Ev LD_PRELOAD
by default and interferes with file descriptor inheritance.
.Pp
Linux systems that support
.Xr seccomp 2
filtering will use a different method involving
.Xr ptrace 2
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as
.Nm sudo Ns 's
SELinux RBAC mode.
Because it operates at the system call level, not the library function level,
it is possible to intercept all calls to
.Xr execve 2 .
Functions utilizing the
.Xr execveat 2
system call, such as
.Xr fexecve 3 ,
are not currently intercepted.
.Pp
The shared library-based
.Em intercept
functionality only works for programs that use the
.Fn execl ,
@@ -6274,6 +6299,9 @@ Because most dynamic loaders ignore
will not permit such programs to be run in
.Em intercept
mode.
The Linux
.Xr seccomp 2 Ns \- Ns based
implementation does not share these restrictions.
.Pp
The
.Em intercept
@@ -6286,11 +6314,8 @@ Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
.Ev LD_PRELOAD
is supported.
It is
.Em not
supported when
.Nm sudo Ns 's
SELinux RBAC support is in use due to a fundamental incompatibility.
It is not possible to intercept shell built-in commands or restrict
the ability to read or write sensitive files from within a shell.
.Pp
To enable intercept mode on a per-command basis, use the
.Li INTERCEPT
@@ -6341,7 +6366,9 @@ flag uses the same mechanism as
functionality can be used to prevent a program run by
.Nm sudo
from executing any other programs.
On most systems, it uses the same mechanism as
On most systems, it uses the same
.Ev LD_PRELOAD
mechanism as
.Em intercept
(see above) and thus the same caveats apply.
The