Only set MODE_POLICY_INTERCEPTED on subsequent policy checks.

This fixes a bug where MODE_POLICY_INTERCEPTED was set too early
if the intercept option was set globally in sudoers.  It should
only be set after the original command has executed.
Todd C. Miller
2022-08-25 09:33:42 -06:00
parent 966eae6bf3
commit 22dad3f59c


@@ -398,16 +398,16 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
debug_return_int(-1);
}
/* Was previous command was intercepted? */
if (ISSET(sudo_mode, MODE_RUN) && def_intercept)
SET(sudo_mode, MODE_POLICY_INTERCEPTED);
/* Only certain mode flags are legal for intercepted commands. */
if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
sudo_mode &= MODE_INTERCEPT_MASK;
/* Re-initialize defaults if we are called multiple times. */
if (need_reinit) {
/* Was previous command intercepted? */
if (ISSET(sudo_mode, MODE_RUN) && def_intercept)
SET(sudo_mode, MODE_POLICY_INTERCEPTED);
/* Only certain mode flags are legal for intercepted commands. */
if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
sudo_mode &= MODE_INTERCEPT_MASK;
/* Re-initialize defaults if we are called multiple times. */
if (!sudoers_reinit_defaults())
debug_return_int(-1);
}
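Review bot: The two moved checks now have to run before `sudoers_reinit_defaults()` inside the `need_reinit` block, and nothing in the code says so. `def_intercept` is read to decide whether the previous command was intercepted, and the reinit call that follows presumably resets it, so a later reordering could silently stop `MODE_INTERCEPT_MASK` from being applied to `sudo_mode`. I would extend the first comment to `/* Was previous command intercepted? Check before defaults are reset below. */`. The assignment of `need_reinit` lies outside this hunk, so it is worth confirming that it becomes true only after the first policy check has completed, since the mode-flag restriction now hinges on it.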