isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change to runcwd during the policy check where possible.

Browse Source 
Otherwise, attempts to run "./command" from a shell with intercept
set will fail if the current working directory is different from
the main sudo process.
This commit is contained in:
Todd C. Miller
2022-07-26 08:43:44 -06:00
parent 5516cdcd5b
commit 3c1f3ef102
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/exec_intercept.c
View File

@@ -369,10 +369,19 @@ intercept_check_policy(const char *command, int argc, char **argv, int envc,
char **user_env_out = NULL; char **user_env_out = NULL;
char **run_argv = NULL; char **run_argv = NULL;
bool ret = true; bool ret = true;
int i, rc; int i, rc, saved_dir = -1;
debug_decl(intercept_check_policy, SUDO_DEBUG_EXEC); debug_decl(intercept_check_policy, SUDO_DEBUG_EXEC);
if (ISSET(closure->details->flags, CD_INTERCEPT)) { if (ISSET(closure->details->flags, CD_INTERCEPT)) {
/* Change to runcwd for the policy check if possible. */
if (runcwd != NULL) {
saved_dir = open(".", O_RDONLY);
if (saved_dir != -1 && chdir(runcwd) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
"%s: unable to chdir to %s", __func__, runcwd);
}
}
/* We don't currently have a good way to validate the environment. */ /* We don't currently have a good way to validate the environment. */
sudo_debug_set_active_instance(policy_plugin.debug_instance); sudo_debug_set_active_instance(policy_plugin.debug_instance);
rc = policy_plugin.u.policy->check_policy(argc, argv, NULL, rc = policy_plugin.u.policy->check_policy(argc, argv, NULL,
@@ -487,6 +496,9 @@ bad:
ret = false; ret = false;
done: done:
if (saved_dir != -1)
fchdir(saved_dir);
if (command_info_copy != NULL) { if (command_info_copy != NULL) {
for (i = 0; command_info_copy[i] != NULL; i++) { for (i = 0; command_info_copy[i] != NULL; i++) {
free(command_info_copy[i]); free(command_info_copy[i]);