isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor code to set LD_PRELOAD (or the equivalent) in the environment

Browse Source 
into a preload_dso() function.  Also avoid allocating a new copy
of the environment array if the size of the array does not change.
This commit is contained in:
Todd C. Miller
2015-12-16 15:08:01 -07:00
parent 3b338830cf
commit 4536480800
2 changed files with 67 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
src/exec_common.c
View File

@@ -36,37 +36,25 @@
#include "sudo.h" #include "sudo.h"
#include "sudo_exec.h" #include "sudo_exec.h"
/*
* Disable execution of child processes in the command we are about
* to run. On systems with privilege sets, we can remove the exec
* privilege. On other systems we use LD_PRELOAD and the like.
*/
static char * const *
disable_execute(char *const envp[])
{
#ifdef _PATH_SUDO_NOEXEC #ifdef _PATH_SUDO_NOEXEC
char *preload = NULL, **nenvp = NULL; /*
int env_len, env_size; * Add a DSO file to LD_PRELOAD or the system equivalent.
*/
static char **
preload_dso(char *envp[], const char *dso_file)
{
char *preload = NULL;
int env_len;
int preload_idx = -1; int preload_idx = -1;
# ifdef RTLD_PRELOAD_ENABLE_VAR # ifdef RTLD_PRELOAD_ENABLE_VAR
bool enabled = false; bool enabled = false;
# else
const bool enabled = true;
# endif # endif
#endif /* _PATH_SUDO_NOEXEC */ debug_decl(preload_dso, SUDO_DEBUG_UTIL)
debug_decl(disable_execute, SUDO_DEBUG_UTIL)
#ifdef HAVE_PRIV_SET
/* Solaris privileges, remove PRIV_PROC_EXEC post-execve. */
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_READ", NULL);
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_WRITE", NULL);
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_SEARCH", NULL);
if (priv_set(PRIV_OFF, PRIV_LIMIT, "PRIV_PROC_EXEC", NULL) == 0)
debug_return_const_ptr(envp);
sudo_warn(U_("unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"));
#endif /* HAVE_PRIV_SET */
#ifdef _PATH_SUDO_NOEXEC
/* /*
* Preload a noexec file. For a list of LD_PRELOAD-alikes, see * Preload a DSO file. For a list of LD_PRELOAD-alikes, see
* http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
* XXX - need to support 32-bit and 64-bit variants * XXX - need to support 32-bit and 64-bit variants
*/ */
@@ -77,56 +65,85 @@ disable_execute(char *const envp[])
preload_idx = env_len; preload_idx = env_len;
continue; continue;
} }
#ifdef RTLD_PRELOAD_ENABLE_VAR # ifdef RTLD_PRELOAD_ENABLE_VAR
if (strncmp(envp[env_len], RTLD_PRELOAD_ENABLE_VAR "=", sizeof(RTLD_PRELOAD_ENABLE_VAR)) == 0) { if (strncmp(envp[env_len], RTLD_PRELOAD_ENABLE_VAR "=", sizeof(RTLD_PRELOAD_ENABLE_VAR)) == 0) {
enabled = true; enabled = true;
continue; continue;
} }
#endif # endif
} }
/* Make a new copy of envp as needed. */ /*
env_size = env_len + 1 + (preload_idx == -1); * Make a new copy of envp as needed.
#ifdef RTLD_PRELOAD_ENABLE_VAR * It would be nice to realloc the old envp[] but we don't know
if (!enabled) * whether it was dynamically allocated. [TODO: plugin API]
env_size++; */
#endif if (preload_idx == -1 || !enabled) {
nenvp = reallocarray(NULL, env_size, sizeof(*envp)); const int env_size = env_len + 1 + (preload_idx == -1) + enabled;
if (nenvp == NULL)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); char **nenvp = reallocarray(NULL, env_size, sizeof(*envp));
memcpy(nenvp, envp, env_len * sizeof(*envp)); if (nenvp == NULL)
nenvp[env_len] = NULL; sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
memcpy(nenvp, envp, env_len * sizeof(*envp));
nenvp[env_len] = NULL;
envp = nenvp;
}
/* Prepend our LD_PRELOAD to existing value or add new entry at the end. */ /* Prepend our LD_PRELOAD to existing value or add new entry at the end. */
if (preload_idx == -1) { if (preload_idx == -1) {
# ifdef RTLD_PRELOAD_DEFAULT # ifdef RTLD_PRELOAD_DEFAULT
asprintf(&preload, "%s=%s%s%s", RTLD_PRELOAD_VAR, sudo_conf_noexec_path(), RTLD_PRELOAD_DELIM, RTLD_PRELOAD_DEFAULT); asprintf(&preload, "%s=%s%s%s", RTLD_PRELOAD_VAR, dso_file,
RTLD_PRELOAD_DELIM, RTLD_PRELOAD_DEFAULT);
# else # else
preload = sudo_new_key_val(RTLD_PRELOAD_VAR, sudo_conf_noexec_path()); preload = sudo_new_key_val(RTLD_PRELOAD_VAR, dso_file);
# endif # endif
if (preload == NULL) if (preload == NULL)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
nenvp[env_len++] = preload; envp[env_len++] = preload;
nenvp[env_len] = NULL; envp[env_len] = NULL;
} else { } else {
int len = asprintf(&preload, "%s=%s%s%s", RTLD_PRELOAD_VAR, int len = asprintf(&preload, "%s=%s%s%s", RTLD_PRELOAD_VAR,
sudo_conf_noexec_path(), RTLD_PRELOAD_DELIM, nenvp[preload_idx]); dso_file, RTLD_PRELOAD_DELIM, envp[preload_idx]);
if (len == -1) if (len == -1)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
nenvp[preload_idx] = preload; envp[preload_idx] = preload;
} }
# ifdef RTLD_PRELOAD_ENABLE_VAR # ifdef RTLD_PRELOAD_ENABLE_VAR
if (!enabled) { if (!enabled) {
nenvp[env_len++] = RTLD_PRELOAD_ENABLE_VAR "="; envp[env_len++] = RTLD_PRELOAD_ENABLE_VAR "=";
nenvp[env_len] = NULL; envp[env_len] = NULL;
} }
# endif # endif
/* Install new env pointer. */ debug_return_ptr(envp);
envp = nenvp; }
#endif /* _PATH_SUDO_NOEXEC */ #endif /* _PATH_SUDO_NOEXEC */
debug_return_const_ptr(envp); /*
* Disable execution of child processes in the command we are about
* to run. On systems with privilege sets, we can remove the exec
* privilege. On other systems we use LD_PRELOAD and the like.
*/
static char **
disable_execute(char *envp[])
{
debug_decl(disable_execute, SUDO_DEBUG_UTIL)
#ifdef HAVE_PRIV_SET
/* Solaris privileges, remove PRIV_PROC_EXEC post-execve. */
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_READ", NULL);
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_WRITE", NULL);
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_SEARCH", NULL);
if (priv_set(PRIV_OFF, PRIV_LIMIT, "PRIV_PROC_EXEC", NULL) == 0)
debug_return_ptr(envp);
sudo_warn(U_("unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"));
#endif /* HAVE_PRIV_SET */
#ifdef _PATH_SUDO_NOEXEC
envp = preload_dso(envp, sudo_conf_noexec_path());
#endif /* _PATH_SUDO_NOEXEC */
debug_return_ptr(envp);
} }
/* /*
@@ -134,7 +151,7 @@ disable_execute(char *const envp[])
* ala execvp(3) if we get ENOEXEC. * ala execvp(3) if we get ENOEXEC.
*/ */
int int
sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec) sudo_execve(const char *path, char *const argv[], char *envp[], bool noexec)
{ {
/* Modify the environment as needed to disable further execve(). */ /* Modify the environment as needed to disable further execve(). */
if (noexec) if (noexec)

2
src/sudo_exec.h
View File

@@ -74,7 +74,7 @@
/* exec.c */ /* exec.c */
struct sudo_event_base; struct sudo_event_base;
int sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec); int sudo_execve(const char *path, char *const argv[], char *envp[], bool noexec);
extern volatile pid_t cmnd_pid; extern volatile pid_t cmnd_pid;
/* exec_pty.c */ /* exec_pty.c */