From 3c05e748a44f8d1303b2e9fdb1330c75c8821afb Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 29 Aug 2023 09:55:09 -0600
Subject: [PATCH] Add ignore_perms plugin argument to skip the sudoers file security checks.

This is not intended to be used in a production environment.
---
 docs/sudoers.man.in | 14 +++++++++++++-
 docs/sudoers.mdoc.in | 13 ++++++++++++-
 plugins/sudoers/policy.c | 9 +++++++++
 plugins/sudoers/sudoers.c | 12 ++++++++++--
 plugins/sudoers/sudoers.h | 2 ++
 5 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
index b0458888f..bea31ea93 100644
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "June 20, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "August 28, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -130,6 +130,18 @@ A value of
 will disable error recovery.
 Prior to version 1.9.3, no error recovery was performed.
 .TP 6n
+ignore_perms=bool
+The
+\fIignore_perms\fR
+argument can be used to disable security checks when loading the
+\fIsudoers\fR
+file.
+If enabled, the
+\fIsudoers\fR
+file will be loaded regardless of the owner or file mode.
+This argument is intended to be used for testing purposes and
+should not be enabled on production systems.
+.TP 6n
 ldap_conf=pathname
 The
 \fIldap_conf\fR
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index 6b25a40f3..b861d8f7b 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd June 20, 2023
+.Dd August 28, 2023
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -123,6 +123,17 @@ A value of
 .Em false
 will disable error recovery.
 Prior to version 1.9.3, no error recovery was performed.
+.It ignore_perms=bool
+The
+.Em ignore_perms
+argument can be used to disable security checks when loading the
+.Em sudoers
+file.
+If enabled, the
+.Em sudoers
+file will be loaded regardless of the owner or file mode.
+This argument is intended to be used for testing purposes and
+should not be enabled on production systems.
 .It ldap_conf=pathname
 The
 .Em ldap_conf
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 00b376d5b..437c01f21 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -134,6 +134,15 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
             }
             continue;
         }
+        if (MATCHES(*cur, "ignore_perms=")) {
+            int val = sudo_strtobool(*cur + sizeof("ignore_perms=") - 1);
+            if (val == -1) {
+                INVALID("ignore_perms="); /* Not a fatal error. */
+            } else {
+                ctx->parser_conf.ignore_perms = val;
+            }
+            continue;
+        }
         if (MATCHES(*cur, "sudoers_file=")) {
             CHECK(*cur, "sudoers_file=");
             path_sudoers = *cur + sizeof("sudoers_file=") - 1;
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index caf1e3bae..1d6b4f1a3 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1282,8 +1282,16 @@ open_sudoers(const char *path, char **outfile, bool doedit, bool *keepopen)
     debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN);
 
     fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);
-    error = sudo_secure_fd(fd, S_IFREG, sudoers_file_uid(), sudoers_file_gid(),
-        &sb);
+    if (sudoers_ctx.parser_conf.ignore_perms) {
+        /* Skip sudoers security checks when ignore_perms is set. */
+        if (fd == -1 || fstat(fd, &sb) == -1)
+            error = SUDO_PATH_MISSING;
+        else
+            error = SUDO_PATH_SECURE;
+    } else {
+        error = sudo_secure_fd(fd, S_IFREG, sudoers_file_uid(),
+            sudoers_file_gid(), &sb);
+    }
     switch (error) {
     case SUDO_PATH_SECURE:
         /*
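Review bot: The new `ignore_perms=` branch in sudoers_policy_deserialize_info stores the value without leaving any visible trace, so a system on which the option was left set in sudo.conf runs with the sudoers ownership and mode checks disabled and looks exactly like a correctly checked one. Since the commit message restricts this to non-production use, the parse site is the natural place to make the condition loud: when `val` is true, emit a warning, e.g. `if (val) sudo_warnx("ignore_perms is set: sudoers file ownership and mode checks are disabled");` placed next to the assignment to `ctx->parser_conf.ignore_perms`, or at minimum a `sudo_debug_printf(SUDO_DEBUG_WARN, ...)` line so the state shows up in the debug log. The non-fatal INVALID handling of an unparsable value is fine for a boolean option that defaults to false. sudoers_policy_deserialize_info begins and ends outside the hunk.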
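Review bot: The ignore_perms branch in open_sudoers drops the file-type check along with the owner and mode checks, while the documentation in this commit describes the option as ignoring only "the owner or file mode": the replaced call passed S_IFREG to sudo_secure_fd(), but the new branch reports SUDO_PATH_SECURE for anything fstat() accepts, so a directory or FIFO at the sudoers path would fall through to the SUDO_PATH_SECURE case. Keeping the type test preserves the documented meaning at the cost of one arm, `else if (!S_ISREG(sb.st_mode)) error = SUDO_PATH_BAD_TYPE;` between the fstat test and `else error = SUDO_PATH_SECURE;` (with braces on the now three-way if, per the style used in the surrounding function). The switch that consumes `error` continues past the end of the hunk, so whether the SUDO_PATH_MISSING path also closes an fd that opened but failed fstat() cannot be confirmed from here and is worth checking. The body of open_sudoers starts and ends outside the hunk.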
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 8f48dd7b2..a5dc7ec13 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -82,6 +82,7 @@ struct sudoers_parser_config {
     const char *sudoers_path;
     bool strict;
     bool recovery;
+    bool ignore_perms;
     int verbose;
     mode_t sudoers_mode;
     uid_t sudoers_uid;
@@ -91,6 +92,7 @@ struct sudoers_parser_config {
     NULL, /* sudoers_path */ \
     false, /* strict */ \
     true, /* recovery */ \
+    false, /* ignore_perms */ \
     1, /* verbose level 1 */ \
     SUDOERS_MODE, \
     SUDOERS_UID, \