Add intercept_verify sudoers option to control execve(2) argument checking.

2022-07-29 15:22:27 -06:00
parent b80b012de0
commit 3ce19efca9
10 changed files with 99 additions and 32 deletions
--- a/src/sudo.h
+++ b/src/sudo.h
@@ -149,30 +149,31 @@ struct user_details {
    int ts_cols;
 };

-#define CD_SET_UID		0x000001
-#define CD_SET_EUID		0x000002
-#define CD_SET_GID		0x000004
-#define CD_SET_EGID		0x000008
-#define CD_PRESERVE_GROUPS	0x000010
-#define CD_INTERCEPT		0x000020
-#define CD_NOEXEC		0x000040
-#define CD_SET_PRIORITY		0x000080
-#define CD_SET_UMASK		0x000100
-#define CD_SET_TIMEOUT		0x000200
-#define CD_SUDOEDIT		0x000400
-#define CD_BACKGROUND		0x000800
-#define CD_RBAC_ENABLED		0x001000
-#define CD_USE_PTY		0x002000
-#define CD_SET_UTMP		0x004000
-#define CD_EXEC_BG		0x008000
-#define CD_SUDOEDIT_FOLLOW	0x010000
-#define CD_SUDOEDIT_CHECKDIR	0x020000
-#define CD_SET_GROUPS		0x040000
-#define CD_LOGIN_SHELL		0x080000
-#define CD_OVERRIDE_UMASK	0x100000
-#define CD_LOG_SUBCMDS		0x200000
-#define CD_USE_PTRACE		0x400000
-#define CD_FEXECVE		0x800000
+#define CD_SET_UID		0x00000001
+#define CD_SET_EUID		0x00000002
+#define CD_SET_GID		0x00000004
+#define CD_SET_EGID		0x00000008
+#define CD_PRESERVE_GROUPS	0x00000010
+#define CD_INTERCEPT		0x00000020
+#define CD_NOEXEC		0x00000040
+#define CD_SET_PRIORITY		0x00000080
+#define CD_SET_UMASK		0x00000100
+#define CD_SET_TIMEOUT		0x00000200
+#define CD_SUDOEDIT		0x00000400
+#define CD_BACKGROUND		0x00000800
+#define CD_RBAC_ENABLED		0x00001000
+#define CD_USE_PTY		0x00002000
+#define CD_SET_UTMP		0x00004000
+#define CD_EXEC_BG		0x00008000
+#define CD_SUDOEDIT_FOLLOW	0x00010000
+#define CD_SUDOEDIT_CHECKDIR	0x00020000
+#define CD_SET_GROUPS		0x00040000
+#define CD_LOGIN_SHELL		0x00080000
+#define CD_OVERRIDE_UMASK	0x00100000
+#define CD_LOG_SUBCMDS		0x00200000
+#define CD_USE_PTRACE		0x00400000
+#define CD_FEXECVE		0x00800000
+#define CD_INTERCEPT_VERIFY	0x01000000

 struct preserved_fd {
    TAILQ_ENTRY(preserved_fd) entries;