isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not compile intercept code if --disable-intercept is specified.

Browse Source
This commit is contained in:
Todd C. Miller
2021-09-01 13:35:47 -06:00
parent 5c2f1ebbcf
commit 38d884a62d
7 changed files with 38 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
configure vendored
View File

@@ -30884,6 +30884,7 @@ done
exec_prefix="$oexec_prefix" exec_prefix="$oexec_prefix"
if test X"$enable_intercept" != X"no"; then if test X"$enable_intercept" != X"no"; then
SUDO_OBJS="${SUDO_OBJS} intercept.pb-c.lo"
PROGS="${PROGS} sudo_intercept.la" PROGS="${PROGS} sudo_intercept.la"
INSTALL_INTERCEPT="install-intercept" INSTALL_INTERCEPT="install-intercept"
@@ -30896,11 +30897,6 @@ if test X"$enable_intercept" != X"no"; then
#define _PATH_SUDO_INTERCEPT "$intercept_file" #define _PATH_SUDO_INTERCEPT "$intercept_file"
EOF EOF
else
cat >>confdefs.h <<EOF
#define _PATH_SUDO_INTERCEPT NULL
EOF
fi fi
if test X"$with_noexec" != X"no"; then if test X"$with_noexec" != X"no"; then
PROGS="${PROGS} sudo_noexec.la" PROGS="${PROGS} sudo_noexec.la"
@@ -30910,11 +30906,6 @@ if test X"$with_noexec" != X"no"; then
#define _PATH_SUDO_NOEXEC "$noexec_file" #define _PATH_SUDO_NOEXEC "$noexec_file"
EOF EOF
else
cat >>confdefs.h <<EOF
#define _PATH_SUDO_NOEXEC NULL
EOF
fi fi
if test X"$with_selinux" != X"no"; then if test X"$with_selinux" != X"no"; then
cat >>confdefs.h <<EOF cat >>confdefs.h <<EOF

5
configure.ac
View File

@@ -4813,6 +4813,7 @@ dnl
dnl Defer setting _PATH_SUDO_NOEXEC, etc until after exec_prefix is set dnl Defer setting _PATH_SUDO_NOEXEC, etc until after exec_prefix is set
dnl dnl
if test X"$enable_intercept" != X"no"; then if test X"$enable_intercept" != X"no"; then
SUDO_OBJS="${SUDO_OBJS} intercept.pb-c.lo"
PROGS="${PROGS} sudo_intercept.la" PROGS="${PROGS} sudo_intercept.la"
INSTALL_INTERCEPT="install-intercept" INSTALL_INTERCEPT="install-intercept"
@@ -4822,16 +4823,12 @@ if test X"$enable_intercept" != X"no"; then
fi fi
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_INTERCEPT, "$intercept_file", [The fully qualified pathname of sudo_intercept.so]) SUDO_DEFINE_UNQUOTED(_PATH_SUDO_INTERCEPT, "$intercept_file", [The fully qualified pathname of sudo_intercept.so])
else
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_INTERCEPT, NULL)
fi fi
if test X"$with_noexec" != X"no"; then if test X"$with_noexec" != X"no"; then
PROGS="${PROGS} sudo_noexec.la" PROGS="${PROGS} sudo_noexec.la"
INSTALL_NOEXEC="install-noexec" INSTALL_NOEXEC="install-noexec"
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so]) SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
else
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, NULL)
fi fi
if test X"$with_selinux" != X"no"; then if test X"$with_selinux" != X"no"; then
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file") SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file")

7
lib/util/sudo_conf.c
View File

@@ -51,6 +51,13 @@
#include "sudo_util.h" #include "sudo_util.h"
#include "pathnames.h" #include "pathnames.h"
#ifndef _PATH_SUDO_INTERCEPT
# define _PATH_SUDO_INTERCEPT NULL
#endif
#ifndef _PATH_SUDO_NOEXEC
# define _PATH_SUDO_NOEXEC NULL
#endif
struct sudo_conf_table { struct sudo_conf_table {
const char *name; const char *name;
unsigned int namelen; unsigned int namelen;

2
scripts/mkdep.pl
View File

@@ -111,7 +111,7 @@ sub mkdep {
# Expand some configure bits # Expand some configure bits
$makefile =~ s:\@DEV\@::g; $makefile =~ s:\@DEV\@::g;
$makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
$makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o:; $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.lo openbsd.o preload.o selinux.o sesh.o solaris.o:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:; $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead # XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;

6
src/Makefile.in
View File

@@ -141,9 +141,9 @@ PROGS = @PROGS@
OBJS = conversation.o copy_file.o edit_open.o env_hooks.o exec.o exec_common.o \ OBJS = conversation.o copy_file.o edit_open.o env_hooks.o exec.o exec_common.o \
exec_intercept.o exec_monitor.o exec_nopty.o exec_preload.lo exec_pty.o \ exec_intercept.o exec_monitor.o exec_nopty.o exec_preload.lo exec_pty.o \
get_pty.o hooks.o intercept.pb-c.lo limits.o load_plugins.o net_ifs.o \ get_pty.o hooks.o limits.o load_plugins.o net_ifs.o parse_args.o \
parse_args.o preserve_fds.o signal.o sudo.o sudo_edit.o \ preserve_fds.o signal.o sudo.o sudo_edit.o tcsetpgrp_nobg.o tgetpass.o \
tcsetpgrp_nobg.o tgetpass.o ttyname.o utmp.o @SUDO_OBJS@ ttyname.o utmp.o @SUDO_OBJS@
IOBJS = $(OBJS:.o=.i) sesh.i IOBJS = $(OBJS:.o=.i) sesh.i

16
src/exec_common.c
View File

@@ -73,18 +73,18 @@ enable_intercept(char *envp[], const char *dso, int intercept_fd)
{ {
debug_decl(enable_intercept, SUDO_DEBUG_UTIL); debug_decl(enable_intercept, SUDO_DEBUG_UTIL);
if (dso != NULL) {
#ifdef RTLD_PRELOAD_VAR #ifdef RTLD_PRELOAD_VAR
if (dso == NULL) if (intercept_fd == -1)
sudo_fatalx("%s: missing DSO", __func__); sudo_fatalx("%s: no intercept fd", __func__);
if (intercept_fd == -1)
sudo_fatalx("%s: no intercept fd", __func__);
envp = sudo_preload_dso(envp, dso, intercept_fd); envp = sudo_preload_dso(envp, dso, intercept_fd);
#else #else
/* Intercept not supported, envp unchanged. */ /* Intercept not supported, envp unchanged. */
if (intercept_fd != -1) if (intercept_fd != -1)
close(intercept_fd); close(intercept_fd);
#endif /* RTLD_PRELOAD_VAR */ #endif /* RTLD_PRELOAD_VAR */
}
debug_return_ptr(envp); debug_return_ptr(envp);
} }

20
src/exec_intercept.c
View File

@@ -45,10 +45,12 @@
#include "sudo_rand.h" #include "sudo_rand.h"
#include "intercept.pb-c.h" #include "intercept.pb-c.h"
#ifdef _PATH_SUDO_INTERCEPT
/* TCSASOFT is a BSD extension that ignores control flags and speed. */ /* TCSASOFT is a BSD extension that ignores control flags and speed. */
#ifndef TCSASOFT # ifndef TCSASOFT
# define TCSASOFT 0 # define TCSASOFT 0
#endif # endif
enum intercept_state { enum intercept_state {
RECV_HELLO_INITIAL, RECV_HELLO_INITIAL,
@@ -938,3 +940,15 @@ bad:
close(client_sock); close(client_sock);
debug_return; debug_return;
} }
#else /* _PATH_SUDO_INTERCEPT */
bool
intercept_setup(int fd, struct sudo_event_base *evbase,
struct command_details *details)
{
debug_decl(intercept_setup, SUDO_DEBUG_EXEC);
/* Intercept support not compiled in. */
debug_return_bool(false);
}
#endif /* _PATH_SUDO_INTERCEPT */