isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove monitor support until there is a versino of systrace that

Browse Source 
uses a lookaside buffer (or we have a better mechanism to use).
This commit is contained in:
Todd C. Miller
2007-08-15 15:20:01 +00:00
parent 72b36ddf50
commit 317e600f41
20 changed files with 3115 additions and 3333 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
INSTALL
View File

@@ -252,14 +252,6 @@ Special features/options:
is to compile noexec support if libtool supports building is to compile noexec support if libtool supports building
shared objects on your OS. shared objects on your OS.
--with-systrace[=DIR]
Enable support for the systrace(4) tracing facility. This
allows sudo to control execution of further commands by
the program being run through sudo. On systems with
systrace(4) support this is a better option than the
"noexec" facility. If DIR is specified it indicates the
directory in which to find the systrace.h include file.
--disable-root-mailer --disable-root-mailer
By default sudo will run the mailer as root when tattling By default sudo will run the mailer as root when tattling
on a user so as to prevent that user from killing the mailer. on a user so as to prevent that user from killing the mailer.

4
Makefile.in
View File

@@ -101,7 +101,7 @@ PROGS = @PROGS@
SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c \ SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c \
error.c fileops.c find_path.c fnmatch.c getcwd.c getprogname.c \ error.c fileops.c find_path.c fnmatch.c getcwd.c getprogname.c \
getspwuid.c gettime.c goodpath.c gram.c gram.y interfaces.c ldap.c \ getspwuid.c gettime.c goodpath.c gram.c gram.y interfaces.c ldap.c \
logging.c match.c mkstemp.c memrchr.c mon_systrace.c parse.c pwutil.c \ logging.c match.c mkstemp.c memrchr.c parse.c pwutil.c \
set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c \ set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c \
strlcpy.c sudo.c sudo_noexec.c sudo_edit.c testsudoers.c tgetpass.c \ strlcpy.c sudo.c sudo_noexec.c sudo_edit.c testsudoers.c tgetpass.c \
toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c \ toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c \
@@ -263,8 +263,6 @@ mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c
mon_solaris.o: $(srcdir)/mon_solaris.c $(SUDODEP) $(srcdir)/mon_solaris.h mon_solaris.o: $(srcdir)/mon_solaris.c $(SUDODEP) $(srcdir)/mon_solaris.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_solaris.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_solaris.c
mon_systrace.o: $(srcdir)/mon_systrace.c $(SUDODEP) $(srcdir)/mon_systrace.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_systrace.c
parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(devdir)/gram.h parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(devdir)/gram.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c
pwutil.o: $(srcdir)/pwutil.c $(SUDODEP) pwutil.o: $(srcdir)/pwutil.c $(SUDODEP)

8
WHATSNEW
View File

@@ -5,14 +5,6 @@ What's new in Sudo 1.7?
apply sudoers Defaults entries before searching for the command. apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications. It also adds support for per-command Defaults specifications.
* New monitor functionality for systems with the systrace kernel facility
(OpenBSD and NetBSD in the default system, FreeBSD and Linux with kernel
patched). When monitoring is enabled, sudo will fork a daemon that
monitors the command being run and intercepts the execve() system call,
allowing or denying execution of the new command based on a sudoers lookup.
The SUDO_* environment variables are also updated if this is supported by
the version of systrace(4) on the system.
* Sudoers now supports a #include facility to allow the inclusion of other * Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files. sudoers-format files.

12
config.h.in
View File

@@ -75,9 +75,6 @@
/* Define to 1 if your `DIR' contains dd_fd. */ /* Define to 1 if your `DIR' contains dd_fd. */
#undef HAVE_DD_FD #undef HAVE_DD_FD
/* Define to 1 if you have the <dev/systrace.h> header file. */
#undef HAVE_DEV_SYSTRACE_H
/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'. /* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
*/ */
#undef HAVE_DIRENT_H #undef HAVE_DIRENT_H
@@ -221,9 +218,6 @@
/* Define to 1 if you have the `ldap_start_tls_s' function. */ /* Define to 1 if you have the `ldap_start_tls_s' function. */
#undef HAVE_LDAP_START_TLS_S #undef HAVE_LDAP_START_TLS_S
/* Define to 1 if you have the <linux/systrace.h> header file. */
#undef HAVE_LINUX_SYSTRACE_H
/* Define to 1 if you have the `lockf' function. */ /* Define to 1 if you have the `lockf' function. */
#undef HAVE_LOCKF #undef HAVE_LOCKF
@@ -374,9 +368,6 @@
/* Define to 1 if you have the `sysconf' function. */ /* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF #undef HAVE_SYSCONF
/* Define to 1 to build support for tracing subprocesses using systrace(4) */
#undef HAVE_SYSTRACE
/* Define to 1 if you have the <sys/bsdtypes.h> header file. */ /* Define to 1 if you have the <sys/bsdtypes.h> header file. */
#undef HAVE_SYS_BSDTYPES_H #undef HAVE_SYS_BSDTYPES_H
@@ -397,9 +388,6 @@
/* Define to 1 if you have the <sys/stat.h> header file. */ /* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H #undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/systrace.h> header file. */
#undef HAVE_SYS_SYSTRACE_H
/* Define to 1 if you have the <sys/types.h> header file. */ /* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H #undef HAVE_SYS_TYPES_H

21
configure.in
View File

@@ -392,13 +392,6 @@ AC_ARG_WITH(bsdauth, [ --with-bsdauth enable BSD authentication suppor
;; ;;
esac]) esac])
AC_ARG_WITH(systrace, [ --with-systrace[[=DIR]] enable systrace(4) support],
[case $with_systrace in
no) with_systrace=""
;;
*) ;;
esac])
AC_ARG_WITH(project, [ --with-project enable Solaris project support], AC_ARG_WITH(project, [ --with-project enable Solaris project support],
[case $with_project in [case $with_project in
yes|no) ;; yes|no) ;;
@@ -1781,19 +1774,6 @@ AC_CHECK_FUNCS(getprogname, , [
AC_MSG_RESULT($sudo_cv___progname) AC_MSG_RESULT($sudo_cv___progname)
]) ])
dnl dnl
dnl systrace(4) support
dnl
if test -n "$with_systrace"; then
AC_DEFINE(HAVE_SYSTRACE)
if test "$with_systrace" = "yes"; then
AC_CHECK_HEADERS(dev/systrace.h sys/systrace.h linux/systrace.h, [break], [], [#include <sys/param.h>])
else
CPPFLAGS="$CPPFLAGS -I${with_systrace}"
fi
SUDO_OBJS="${SUDO_OBJS} mon_systrace.o"
AC_CHECK_FUNCS(setproctitle)
fi
dnl
dnl Kerberos IV dnl Kerberos IV
dnl dnl
if test -n "$with_kerb4"; then if test -n "$with_kerb4"; then
@@ -2393,7 +2373,6 @@ AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member]) AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member]) AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
AH_TEMPLATE(HAVE_SYSTRACE, [Define to 1 to build support for tracing subprocesses using systrace(4)])
AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.]) AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.])
AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h]) AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)]) AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)])

4
def_data.c
View File

@@ -247,10 +247,6 @@ struct sudo_defs_types sudo_defs_table[] = {
"ignore_local_sudoers", T_FLAG, "ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file", "If LDAP directory is up, do we ignore local sudoers file",
NULL, NULL,
}, {
"monitor", T_FLAG,
"Monitor children of cmnd and apply sudoers restrictions to them",
NULL,
}, { }, {
"closefrom", T_INT, "closefrom", T_INT,
"File descriptors >= %d will be closed before executing a command", "File descriptors >= %d will be closed before executing a command",

26
def_data.h
View File

@@ -110,20 +110,18 @@
#define I_NOEXEC_FILE 54 #define I_NOEXEC_FILE 54
#define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag) #define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag)
#define I_IGNORE_LOCAL_SUDOERS 55 #define I_IGNORE_LOCAL_SUDOERS 55
#define def_monitor (sudo_defs_table[56].sd_un.flag) #define def_closefrom (sudo_defs_table[56].sd_un.ival)
#define I_MONITOR 56 #define I_CLOSEFROM 56
#define def_closefrom (sudo_defs_table[57].sd_un.ival) #define def_closefrom_override (sudo_defs_table[57].sd_un.flag)
#define I_CLOSEFROM 57 #define I_CLOSEFROM_OVERRIDE 57
#define def_closefrom_override (sudo_defs_table[58].sd_un.flag) #define def_env_check (sudo_defs_table[58].sd_un.list)
#define I_CLOSEFROM_OVERRIDE 58 #define I_ENV_CHECK 58
#define def_env_check (sudo_defs_table[59].sd_un.list) #define def_env_delete (sudo_defs_table[59].sd_un.list)
#define I_ENV_CHECK 59 #define I_ENV_DELETE 59
#define def_env_delete (sudo_defs_table[60].sd_un.list) #define def_env_keep (sudo_defs_table[60].sd_un.list)
#define I_ENV_DELETE 60 #define I_ENV_KEEP 60
#define def_env_keep (sudo_defs_table[61].sd_un.list) #define def_setenv (sudo_defs_table[61].sd_un.flag)
#define I_ENV_KEEP 61 #define I_SETENV 61
#define def_setenv (sudo_defs_table[62].sd_un.flag)
#define I_SETENV 62
enum def_tupple { enum def_tupple {
never, never,

3
def_data.in
View File

@@ -182,9 +182,6 @@ noexec_file
ignore_local_sudoers ignore_local_sudoers
T_FLAG T_FLAG
"If LDAP directory is up, do we ignore local sudoers file" "If LDAP directory is up, do we ignore local sudoers file"
monitor
T_FLAG
"Monitor children of cmnd and apply sudoers restrictions to them"
closefrom closefrom
T_INT T_INT
"File descriptors >= %d will be closed before executing a command" "File descriptors >= %d will be closed before executing a command"

621
gram.c
View File

File diff suppressed because it is too large Load Diff

20
gram.h
View File

@@ -15,17 +15,15 @@
#define PASSWD 271 #define PASSWD 271
#define NOEXEC 272 #define NOEXEC 272
#define EXEC 273 #define EXEC 273
#define MONITOR 274 #define SETENV 274
#define NOMONITOR 275 #define NOSETENV 275
#define SETENV 276 #define ALL 276
#define NOSETENV 277 #define COMMENT 277
#define ALL 278 #define HOSTALIAS 278
#define COMMENT 279 #define CMNDALIAS 279
#define HOSTALIAS 280 #define USERALIAS 280
#define CMNDALIAS 281 #define RUNASALIAS 281
#define USERALIAS 282 #define ERROR 282
#define RUNASALIAS 283
#define ERROR 284
#ifndef YYSTYPE_DEFINED #ifndef YYSTYPE_DEFINED
#define YYSTYPE_DEFINED #define YYSTYPE_DEFINED
typedef union { typedef union {

16
gram.y
View File

@@ -127,8 +127,6 @@ yyerror(s)
%token <tok> PASSWD /* passwd req for command (default) */ %token <tok> PASSWD /* passwd req for command (default) */
%token <tok> NOEXEC /* preload dummy execve() for cmnd */ %token <tok> NOEXEC /* preload dummy execve() for cmnd */
%token <tok> EXEC /* don't preload dummy execve() */ %token <tok> EXEC /* don't preload dummy execve() */
%token <tok> MONITOR /* monitor children of cmnd */
%token <tok> NOMONITOR /* disable monitoring of children */
%token <tok> SETENV /* user may set environment for cmnd */ %token <tok> SETENV /* user may set environment for cmnd */
%token <tok> NOSETENV /* user may not set environment */ %token <tok> NOSETENV /* user may not set environment */
%token <tok> ALL /* ALL keyword */ %token <tok> ALL /* ALL keyword */
@@ -246,8 +244,7 @@ privilege : hostlist '=' cmndspeclist {
struct cmndspec *cs; struct cmndspec *cs;
p->hostlist = $1; p->hostlist = $1;
p->cmndlist = $3; p->cmndlist = $3;
tags.nopasswd = tags.noexec = tags.monitor = tags.nopasswd = tags.noexec = tags.setenv = UNSPEC;
tags.setenv = UNSPEC;
/* propagate tags */ /* propagate tags */
for (cs = $3; cs != NULL; cs = cs->next) { for (cs = $3; cs != NULL; cs = cs->next) {
if (cs->tags.nopasswd == UNSPEC) if (cs->tags.nopasswd == UNSPEC)
@@ -256,8 +253,6 @@ privilege : hostlist '=' cmndspeclist {
cs->tags.noexec = tags.noexec; cs->tags.noexec = tags.noexec;
if (cs->tags.setenv == UNSPEC) if (cs->tags.setenv == UNSPEC)
cs->tags.setenv = tags.setenv; cs->tags.setenv = tags.setenv;
if (cs->tags.monitor == UNSPEC)
cs->tags.monitor = tags.monitor;
memcpy(&tags, &cs->tags, sizeof(tags)); memcpy(&tags, &cs->tags, sizeof(tags));
} }
p->last = NULL; p->last = NULL;
@@ -364,8 +359,7 @@ runasuser : ALIAS {
; ;
cmndtag : /* empty */ { cmndtag : /* empty */ {
$$.nopasswd = $$.noexec = $$.monitor = $$.nopasswd = $$.noexec = $$.setenv = UNSPEC;
$$.setenv = UNSPEC;
} }
| cmndtag NOPASSWD { | cmndtag NOPASSWD {
$$.nopasswd = TRUE; $$.nopasswd = TRUE;
@@ -385,12 +379,6 @@ cmndtag : /* empty */ {
| cmndtag NOSETENV { | cmndtag NOSETENV {
$$.setenv = FALSE; $$.setenv = FALSE;
} }
| cmndtag MONITOR {
$$.monitor = TRUE;
}
| cmndtag NOMONITOR {
$$.monitor = FALSE;
}
; ;
cmnd : ALL { cmnd : ALL {

7
parse.c
View File

@@ -193,8 +193,6 @@ sudoers_lookup(pwflag)
def_noexec = tags->noexec; def_noexec = tags->noexec;
if (tags->setenv != UNSPEC) if (tags->setenv != UNSPEC)
def_setenv = tags->setenv; def_setenv = tags->setenv;
if (tags->monitor != UNSPEC)
def_monitor = tags->monitor;
} }
} }
set_perms(PERM_ROOT); set_perms(PERM_ROOT);
@@ -243,7 +241,6 @@ display_privs(v, pw)
continue; continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) { for (priv = us->privileges; priv != NULL; priv = priv->next) {
tags.monitor = def_monitor;
tags.noexec = def_noexec; tags.noexec = def_noexec;
tags.setenv = def_setenv; tags.setenv = def_setenv;
tags.nopasswd = !def_authenticate; tags.nopasswd = !def_authenticate;
@@ -261,10 +258,6 @@ display_privs(v, pw)
print_priv(def_runas_default); print_priv(def_runas_default);
} }
print_priv(") "); print_priv(") ");
if (TAG_CHANGED(monitor)) {
print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
tags.monitor = cs->tags.monitor;
}
if (TAG_CHANGED(setenv)) { if (TAG_CHANGED(setenv)) {
print_priv(cs->tags.setenv ? "SETENV: " : "NOSETENV: "); print_priv(cs->tags.setenv ? "SETENV: " : "NOSETENV: ");
tags.setenv = cs->tags.setenv; tags.setenv = cs->tags.setenv;

1
parse.h
View File

@@ -44,7 +44,6 @@ struct cmndtag {
char nopasswd; char nopasswd;
char noexec; char noexec;
char setenv; char setenv;
char monitor;
char extra; char extra;
}; };

4
pathnames.h.in
View File

@@ -111,7 +111,3 @@
#ifndef _PATH_LDAP_SECRET #ifndef _PATH_LDAP_SECRET
#define _PATH_LDAP_SECRET "/etc/ldap.secret" #define _PATH_LDAP_SECRET "/etc/ldap.secret"
#endif /* _PATH_LDAP_SECRET */ #endif /* _PATH_LDAP_SECRET */
#ifndef _PATH_DEV_SYSTRACE
#define _PATH_DEV_SYSTRACE "/dev/systrace"
#endif /* _PATH_DEV_SYSTRACE */

5
sudo.c
View File

@@ -405,11 +405,6 @@ main(argc, argv, envp)
} }
#endif #endif
#ifdef HAVE_SYSTRACE
if (def_monitor)
systrace_attach(getpid());
#endif
/* Override user's umask if configured to do so. */ /* Override user's umask if configured to do so. */
if (def_umask != 0777) if (def_umask != 0777)
(void) umask(def_umask); (void) umask(def_umask);

3
sudo.h
View File

@@ -279,9 +279,6 @@ struct passwd *sudo_getpwuid __P((uid_t));
struct passwd *sudo_fakepwuid __P((uid_t)); struct passwd *sudo_fakepwuid __P((uid_t));
struct group *sudo_getgrnam __P((const char *)); struct group *sudo_getgrnam __P((const char *));
struct group *sudo_getgrgid __P((gid_t)); struct group *sudo_getgrgid __P((gid_t));
#ifdef HAVE_SYSTRACE
void systrace_attach __P((pid_t));
#endif
YY_DECL; YY_DECL;
/* Only provide extern declarations outside of sudo.c. */ /* Only provide extern declarations outside of sudo.c. */

58
sudoers.pod
View File

@@ -250,7 +250,7 @@ See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
Runas_Spec ::= '(' Runas_List ')' Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') 'SETENV:' | 'NOSETENV:' )
A B<user specification> determines which commands a user may run A B<user specification> determines which commands a user may run
(and as what user) on specified hosts. By default, commands are (and as what user) on specified hosts. By default, commands are
@@ -285,7 +285,7 @@ but F</bin/kill> and F</usr/bin/lprm> as B<root>.
A command may have zero or more tags associated with it. There are A command may have zero or more tags associated with it. There are
eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>, eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
C<SETENV>, C<NOSETENV>, C<MONITOR> and C<NOMONITOR>. C<SETENV> and C<NOSETENV>.
Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC> opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
@@ -342,23 +342,6 @@ to the restrictions imposed by I<env_check>, I<env_delete>, or
I<env_keep>. As such, only trusted users should be allowed to set I<env_keep>. As such, only trusted users should be allowed to set
variables in this manner. variables in this manner.
=head3 MONITOR and NOMONITOR
If B<sudo> has been configured with the C<--with-systrace> option,
the C<MONITOR> tag can be used to cause programs spawned by a command
to be checked against I<sudoers> and logged just like they would
be if run through B<sudo> directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
In the following example, user B<chuck> may run any command on the
machine research in monitor mode.
chuck research = MONITOR: ALL
See the L<PREVENTING SHELL ESCAPES> section below for more details
on how C<MONITOR> works and whether or not it will work on your system.
=head2 Wildcards =head2 Wildcards
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
@@ -603,16 +586,6 @@ If set, mail will be sent to the I<mailto> user if the invoking
user is not in the I<sudoers> file. This flag is I<@mail_no_user@> user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
by default. by default.
=item monitor
If set, all commands run via B<sudo> will behave as if the C<MONITOR>
tag has been set, unless overridden by a C<NOMONITOR> tag. See the
description of I<MONITOR and NOMONITOR> below as well as the L<PREVENTING
SHELL ESCAPES> section at the end of this manual. Be aware that
tracing is only supported on certain operating systems. On systems
where it is not supported this flag will have no effect.
This flag is I<off> by default.
=item noexec =item noexec
If set, all commands run via B<sudo> will behave as if the C<NOEXEC> If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
@@ -1286,7 +1259,7 @@ which lets a user bypass B<sudo>'s access control and logging.
Common programs that permit shell escapes include shells (obviously), Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
There are three basic approaches to this problem: There are two basic approaches to this problem:
=over 10 =over 10
@@ -1341,31 +1314,6 @@ executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting I<noexec> you whether or not your system is capable of supporting I<noexec> you
can always just try it out and see if it works. can always just try it out and see if it works.
=item monitor
On operating systems that support the B<systrace> pseudo-device,
the C<--with-systrace> configure option can be used to compile
support for proccess monitoring in B<sudo>. In monitor mode
B<sudo> can transparently intercept a new command, allow or deny
it based on I<sudoers>, and log the result. This does require that
B<sudo> become a daemon that persists until the command and all its
descendents have exited.
To enable monitor mode on a per-command basis, use the C<MONITOR>
tag as documented in the User Specification section above. Here
is that example again:
chuck research = MONITOR: ALL
This allows user B<chuck> to run any command on the machine research
in monitor mode. Any commands run via shell escapes will be logged
by B<sudo>.
At the time of this writing the B<systrace> pseudo-device comes
standard with OpenBSD and NetBSD and is available as patches to
FreeBSD, MacOS X and Linux. See L<http://www.systrace.org/> for
more information.
=back =back
Note that restricting shell escapes is not a panacea. Programs Note that restricting shell escapes is not a panacea. Programs

4
testsudoers.c
View File

@@ -474,7 +474,7 @@ print_privilege(priv)
print_member(m); print_member(m);
} }
fputs(" = ", stdout); fputs(" = ", stdout);
tags.nopasswd = tags.noexec = tags.monitor = UNSPEC; tags.nopasswd = tags.noexec = UNSPEC;
for (cs = p->cmndlist; cs != NULL; cs = cs->next) { for (cs = p->cmndlist; cs != NULL; cs = cs->next) {
if (cs != p->cmndlist) if (cs != p->cmndlist)
fputs(", ", stdout); fputs(", ", stdout);
@@ -491,8 +491,6 @@ print_privilege(priv)
printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : ""); printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : "");
if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec) if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec)
printf("%sEXEC: ", cs->tags.noexec ? "NO" : ""); printf("%sEXEC: ", cs->tags.noexec ? "NO" : "");
if (cs->tags.monitor != UNSPEC && cs->tags.monitor != tags.monitor)
printf("%sMONITOR: ", cs->tags.monitor ? "" : "NO");
print_member(cs->cmnd); print_member(cs->cmnd);
memcpy(&tags, &cs->tags, sizeof(tags)); memcpy(&tags, &cs->tags, sizeof(tags));
} }

5613
toke.c
View File

File diff suppressed because it is too large Load Diff

10
toke.l
View File

@@ -286,16 +286,6 @@ NOSETENV[[:blank:]]*: {
return(NOSETENV); return(NOSETENV);
} }
NOMONITOR[[:blank:]]*: {
LEXTRACE("NOMONITOR ");
return(NOMONITOR);
}
MONITOR[[:blank:]]*: {
LEXTRACE("MONITOR ");
return(MONITOR);
}
\+{WORD} { \+{WORD} {
/* netgroup */ /* netgroup */
if (!fill(yytext, yyleng)) if (!fill(yytext, yyleng))