Add CHROOT and CWD sudoers options.

Also matching runchroot and runcwd Defaults settings.

MANIFEST

@@ -471,6 +471,7 @@ plugins/sudoers/digestname.c
 plugins/sudoers/editor.c
 plugins/sudoers/env.c
 plugins/sudoers/env_pattern.c
+plugins/sudoers/exptilde.c
 plugins/sudoers/file.c
 plugins/sudoers/filedigest.c
 plugins/sudoers/find_path.c

doc/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "August 27, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "August 28, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1163,6 +1163,10 @@ Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
 
 Timeout_Spec ::= 'TIMEOUT=timeout'
 
+Chdir_Spec ::= 'CWD=directory'
+
+Chroot_Spec ::= 'CHROOT=directory'
+
 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
               'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
               'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
@@ -1502,6 +1506,54 @@ timeout values:
 \fR1d2d3h\fR.
 .PP
 This setting is only supported by version 1.8.20 or higher.
+.SS "Chdir_Spec"
+The working directory that the command will be run in can be specified
+using the
+\fRCWD\fR
+setting.
+The
+\fIdirectory\fR
+must be a fully-qualified path name beginning with a
+\(oq/\(cq
+or
+\(oq~\(cq
+character.
+By default, commands are run from the invoking user's current working
+directory, unless the
+\fB\-i\fR
+option is given.
+Path names of the form
+\fR~user/path/name\fR
+are interpreted as being relative to the named user's home directory.
+If the user name is omitted, the path will be relative to the runas
+user's home directory.
+.PP
+This setting is only supported by version 1.9.3 or higher.
+.SS "Chroot_Spec"
+The root directory that the command will be run in can be specified
+using the
+\fRCHROOT\fR
+setting.
+The
+\fIdirectory\fR
+must be a fully-qualified path name beginning with a
+\(oq/\(cq
+or
+\(oq~\(cq
+character.
+This setting can be used to run the command in a
+chroot(2)
+\(lqsandbox\(rq
+similar to the
+chroot(@mansectsu@)
+utility.
+Path names of the form
+\fR~user/path/name\fR
+are interpreted as being relative to the named user's home directory.
+If the user name is omitted, the path will be relative to the runas
+user's home directory.
+.PP
+This setting is only supported by version 1.9.3 or higher.
 .SS "Tag_Spec"
 A command may have zero or more tags associated with it.
 The following tag values are supported:
@@ -4399,6 +4451,26 @@ In either case, the contents of
 are processed before the contents of
 \fIenv_file\fR.
 .TP 14n
+runchroot
+If set,
+\fBsudo\fR
+will use this value for the root directory when running a command.
+See the
+\fIChroot_Spec\fR
+section for more details.
+.sp
+This setting is only supported by version 1.9.3 or higher.
+.TP 14n
+runcwd
+If set,
+\fBsudo\fR
+will use this value for the working directory when running a command.
+See the
+\fIChdir_Spec\fR
+section for more details.
+.sp
+This setting is only supported by version 1.9.3 or higher.
+.TP 14n
 secure_path
 If set,
 \fBsudo\fR

doc/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd August 27, 2020
+.Dd August 28, 2020
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1096,12 +1096,12 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 
 .ie \n(SL \{\
-.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
-.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
 .\}
 .el \{\
-.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
-.el Option_Spec ::= (Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
 .\}
 
 .if \n(SL \{\
@@ -1116,6 +1116,10 @@ Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
 
 Timeout_Spec ::= 'TIMEOUT=timeout'
 
+Chdir_Spec ::= 'CWD=directory'
+
+Chroot_Spec ::= 'CHROOT=directory'
+
 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
               'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
               'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
@@ -1422,6 +1426,54 @@ timeout values:
 .Li 1d2d3h .
 .Pp
 This setting is only supported by version 1.8.20 or higher.
+.Ss Chdir_Spec
+The working directory that the command will be run in can be specified
+using the
+.Li CWD
+setting.
+The
+.Fa directory
+must be a fully-qualified path name beginning with a
+.Sq /
+or
+.Sq ~
+character.
+By default, commands are run from the invoking user's current working
+directory, unless the
+.Fl i
+option is given.
+Path names of the form
+.Li ~user/path/name
+are interpreted as being relative to the named user's home directory.
+If the user name is omitted, the path will be relative to the runas
+user's home directory.
+.Pp
+This setting is only supported by version 1.9.3 or higher.
+.Ss Chroot_Spec
+The root directory that the command will be run in can be specified
+using the
+.Li CHROOT
+setting.
+The
+.Fa directory
+must be a fully-qualified path name beginning with a
+.Sq /
+or
+.Sq ~
+character.
+This setting can be used to run the command in a
+.Xr chroot 2
+.Dq sandbox
+similar to the
+.Xr chroot @mansectsu@
+utility.
+Path names of the form
+.Li ~user/path/name
+are interpreted as being relative to the named user's home directory.
+If the user name is omitted, the path will be relative to the runas
+user's home directory.
+.Pp
+This setting is only supported by version 1.9.3 or higher.
 .Ss Tag_Spec
 A command may have zero or more tags associated with it.
 The following tag values are supported:
@@ -4110,6 +4162,24 @@ In either case, the contents of
 .Em restricted_env_file
 are processed before the contents of
 .Em env_file .
+.It runchroot
+If set,
+.Nm sudo
+will use this value for the root directory when running a command.
+See the
+.Sx Chroot_Spec
+section for more details.
+.Pp
+This setting is only supported by version 1.9.3 or higher.
+.It runcwd
+If set,
+.Nm sudo
+will use this value for the working directory when running a command.
+See the
+.Sx Chdir_Spec
+section for more details.
+.Pp
+This setting is only supported by version 1.9.3 or higher.
 .It secure_path
 If set,
 .Nm sudo

plugins/sudoers/Makefile.in

@@ -159,11 +159,11 @@ TEST_PROGS = check_addr check_base64 check_digest check_env_pattern check_fill \
 AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
 
 LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo digestname.lo \
-		       filedigest.lo gentime.lo gmtoff.lo gram.lo hexchar.lo \
+		       exptilde.lo filedigest.lo gentime.lo gmtoff.lo gram.lo \
-		       match.lo match_addr.lo match_command.lo match_digest.lo \
+		       hexchar.lo match.lo match_addr.lo match_command.lo \
-		       pwutil.lo pwutil_impl.lo rcstr.lo redblack.lo \
+		       match_digest.lo pwutil.lo pwutil_impl.lo rcstr.lo \
-		       strlist.lo sudoers_debug.lo timeout.lo timestr.lo \
+		       redblack.lo strlist.lo sudoers_debug.lo timeout.lo \
-		       toke.lo toke_util.lo
+		       timestr.lo toke.lo toke_util.lo
 
 LIBPARSESUDOERS_IOBJS = $(LIBPARSESUDOERS_OBJS:.lo=.i) passwd.i
 
@@ -1217,6 +1217,28 @@ env_pattern.i: $(srcdir)/env_pattern.c $(devdir)/def_data.h \
 	$(CC) -E -o $@ $(CPPFLAGS) $<
 env_pattern.plog: env_pattern.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/env_pattern.c --i-file $< --output-file $@
+exptilde.lo: $(srcdir)/exptilde.c $(devdir)/def_data.h \
+             $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+             $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+             $(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
+             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/exptilde.c
+exptilde.i: $(srcdir)/exptilde.c $(devdir)/def_data.h \
+             $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+             $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+             $(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
+             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+	$(CC) -E -o $@ $(CPPFLAGS) $<
+exptilde.plog: exptilde.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/exptilde.c --i-file $< --output-file $@
 file.lo: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \
          $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
          $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_fatal.h \

plugins/sudoers/def_data.c

@@ -551,6 +551,14 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"pam_rhost", T_FLAG,
 	N_("Set the pam remote host to the local host name"),
 	NULL,
+    }, {
+	"runcwd", T_STR|T_BOOL|T_PATH|T_TILDE,
+	N_("Working directory to change to before executing the command: %s"),
+	NULL,
+    }, {
+	"runchroot", T_STR|T_BOOL|T_PATH|T_TILDE,
+	N_("Root directory to change to before executing the command: %s"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -256,6 +256,10 @@
 #define def_pam_ruser           (sudo_defs_table[I_PAM_RUSER].sd_un.flag)
 #define I_PAM_RHOST             127
 #define def_pam_rhost           (sudo_defs_table[I_PAM_RHOST].sd_un.flag)
+#define I_RUNCWD                128
+#define def_runcwd              (sudo_defs_table[I_RUNCWD].sd_un.str)
+#define I_RUNCHROOT             129
+#define def_runchroot           (sudo_defs_table[I_RUNCHROOT].sd_un.str)
 
 enum def_tuple {
 	never,

plugins/sudoers/def_data.in

@@ -399,3 +399,9 @@ pam_ruser
 pam_rhost
 	T_FLAG
 	"Set the pam remote host to the local host name"
+runcwd
+	T_STR|T_BOOL|T_PATH|T_TILDE
+	"Working directory to change to before executing the command: %s"
+runchroot
+	T_STR|T_BOOL|T_PATH|T_TILDE
+	"Root directory to change to before executing the command: %s"

plugins/sudoers/defaults.c

@@ -249,7 +249,8 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op,
 	    rc = store_syslogpri(val, &def->sd_un);
 	    break;
 	case T_STR:
-	    if (ISSET(def->type, T_PATH) && val != NULL && *val != '/') {
+	    if (ISSET(def->type, T_PATH) && val != NULL && *val != '/' &&
+		    (!ISSET(def->type, T_TILDE) || *val != '~')) {
 		if (!quiet) {
 		    if (lineno > 0) {
 			sudo_warnx(U_("%s:%d: values for \"%s\" must start with a '/'"),

plugins/sudoers/defaults.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1999-2005, 2008-2018
+ * Copyright (c) 1999-2005, 2008-2020
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -111,6 +111,8 @@ struct early_default {
 #define T_BOOL		0x100
 #undef T_PATH
 #define T_PATH		0x200
+#undef T_TILDE
+#define T_TILDE		0x400
 
 /*
  * Argument to update_defaults()

plugins/sudoers/exptilde.c

@@ -0,0 +1,100 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <grp.h>
+#include <pwd.h>
+
+#include "sudoers.h"
+#include "pwutil.h"
+
+/*
+ * Expand leading tilde in *path, which must be dynamically allocated.
+ * Replaces path with the expanded version as needed, freeing the old one.
+ * Returns true on success, false on failure.
+ */
+bool
+expand_tilde(char **path, const char *user)
+{
+    char *npath, *opath = *path;
+    char *slash = NULL;
+    struct passwd *pw;
+    int len;
+    debug_decl(expand_tilde, SUDOERS_DEBUG_UTIL);
+
+    switch (*opath++) {
+    case '/':
+	/* A fully-qualified path, nothing to do. */
+	debug_return_bool(true);
+    case '~':
+	/* See below. */
+	break;
+    default:
+	/* Not a fully-qualified path or one that starts with a tilde. */
+	debug_return_bool(false);
+    }
+
+    switch (*opath) {
+    case '\0':
+	/* format: ~ */
+	break;
+    case '/':
+	/* format: ~/foo */
+	opath++;
+	break;
+    default:
+	/* format: ~user/foo */
+	user = opath;
+	slash = strchr(opath, '/');
+	if (slash != NULL) {
+	    *slash = '\0';
+	    opath = slash + 1;
+	} else {
+	    opath = NULL;
+	}
+    }
+    pw = sudo_getpwnam(user);
+    if (slash != NULL)
+	*slash = '/';
+    if (pw == NULL) {
+	/* Unknown user. */
+	sudo_warnx(U_("unknown user: %s"), user);
+	debug_return_bool(false);
+    }
+
+    len = asprintf(&npath, "%s%s%s", pw->pw_dir, opath ? "/" : "",
+	opath ? opath : "");
+    sudo_pw_delref(pw);
+    if (len == -1) {
+	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+	debug_return_bool(false);
+    }
+
+    free(*path);
+    *path = npath;
+    debug_return_bool(true);
+}

plugins/sudoers/gram.h

@@ -35,18 +35,20 @@
 #define RUNASALIAS 290
 #define ERROR 291
 #define NOMATCH 292
-#define TYPE 293
+#define CHROOT 293
-#define ROLE 294
+#define CWD 294
-#define PRIVS 295
+#define TYPE 295
-#define LIMITPRIVS 296
+#define ROLE 296
-#define CMND_TIMEOUT 297
+#define PRIVS 297
-#define NOTBEFORE 298
+#define LIMITPRIVS 298
-#define NOTAFTER 299
+#define CMND_TIMEOUT 299
-#define MYSELF 300
+#define NOTBEFORE 300
-#define SHA224_TOK 301
+#define NOTAFTER 301
-#define SHA256_TOK 302
+#define MYSELF 302
-#define SHA384_TOK 303
+#define SHA224_TOK 303
-#define SHA512_TOK 304
+#define SHA256_TOK 304
+#define SHA384_TOK 305
+#define SHA512_TOK 306
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {

plugins/sudoers/gram.y

@@ -129,6 +129,8 @@ static struct command_digest *new_digest(int, char *);
 %token <tok>	 '\n'			/* newline (with optional comment) */
 %token <tok>	 ERROR			/* error from lexer */
 %token <tok>	 NOMATCH		/* no match from lexer */
+%token <tok>	 CHROOT			/* root directory for command */
+%token <tok>	 CWD			/* working directory for command */
 %token <tok>	 TYPE			/* SELinux type */
 %token <tok>	 ROLE			/* SELinux role */
 %token <tok>	 PRIVS			/* Solaris privileges */
@@ -165,6 +167,8 @@ static struct command_digest *new_digest(int, char *);
 %type <privilege> privileges
 %type <tag>	  cmndtag
 %type <options>	  options
+%type <string>	  chdirspec
+%type <string>	  chrootspec
 %type <string>	  rolespec
 %type <string>	  typespec
 %type <string>	  privsspec
@@ -388,6 +392,12 @@ cmndspeclist	:	cmndspec
 			    struct cmndspec *prev;
 			    prev = HLTQ_LAST($1, cmndspec, entries);
 			    HLTQ_CONCAT($1, $3, entries);
+
+			    /* propagate runcwd and runchroot */
+			    if ($3->runcwd == NULL)
+				$3->runcwd = prev->runcwd;
+			    if ($3->runchroot == NULL)
+				$3->runchroot = prev->runchroot;
 #ifdef HAVE_SELINUX
 			    /* propagate role and type */
 			    if ($3->role == NULL && $3->type == NULL) {
@@ -479,6 +489,8 @@ cmndspec	:	runasspec options cmndtag digcmnd {
 			    cs->notbefore = $2.notbefore;
 			    cs->notafter = $2.notafter;
 			    cs->timeout = $2.timeout;
+			    cs->runcwd = $2.runcwd;
+			    cs->runchroot = $2.runchroot;
 			    cs->tags = $3;
 			    cs->cmnd = $4;
 			    HLTQ_INIT(cs, entries);
@@ -561,6 +573,16 @@ opcmnd		:	cmnd {
 			}
 		;
 
+chdirspec	:	CWD '=' WORD {
+			    $$ = $3;
+			}
+		;
+
+chrootspec	:	CHROOT '=' WORD {
+			    $$ = $3;
+			}
+		;
+
 timeoutspec	:	CMND_TIMEOUT '=' WORD {
 			    $$ = $3;
 			}
@@ -664,6 +686,14 @@ runaslist	:	/* empty */ {
 options		:	/* empty */ {
 			    init_options(&$$);
 			}
+		|	options chdirspec {
+			    free($$.runcwd);
+			    $$.runcwd = $2;
+			}
+		|	options chrootspec {
+			    free($$.runchroot);
+			    $$.runchroot = $2;
+			}
 		|	options notbeforespec {
 			    $$.notbefore = parse_gentime($2);
 			    free($2);
@@ -1260,6 +1290,7 @@ free_privilege(struct privilege *priv)
     struct member_list *prev_binding = NULL;
     struct cmndspec *cs;
     struct defaults *def;
+    char *runcwd = NULL, *runchroot = NULL;
 #ifdef HAVE_SELINUX
     char *role = NULL, *type = NULL;
 #endif /* HAVE_SELINUX */
@@ -1272,6 +1303,15 @@ free_privilege(struct privilege *priv)
     free_members(&priv->hostlist);
     while ((cs = TAILQ_FIRST(&priv->cmndlist)) != NULL) {
 	TAILQ_REMOVE(&priv->cmndlist, cs, entries);
+	/* Only free the first instance of runcwd/runchroot. */
+	if (cs->runcwd != runcwd) {
+	    runcwd = cs->runcwd;
+	    free(cs->runcwd);
+	}
+	if (cs->runchroot != runchroot) {
+	    runcwd = cs->runchroot;
+	    free(cs->runchroot);
+	}
 #ifdef HAVE_SELINUX
 	/* Only free the first instance of a role/type. */
 	if (cs->role != role) {

plugins/sudoers/parse.c

@@ -239,6 +239,24 @@ apply_cmndspec(struct cmndspec *cs)
 #endif /* HAVE_PRIV_SET */
 	if (cs->timeout > 0)
 	    def_command_timeout = cs->timeout;
+	if (cs->runcwd != NULL) {
+	    free(def_runcwd);
+	    def_runcwd = strdup(cs->runcwd);
+	    if (def_runcwd == NULL) {
+		sudo_warnx(U_("%s: %s"), __func__,
+		    U_("unable to allocate memory"));
+		debug_return_bool(false);
+	    }
+	}
+	if (cs->runchroot != NULL) {
+	    free(def_runchroot);
+	    def_runchroot = strdup(cs->runchroot);
+	    if (def_runchroot == NULL) {
+		sudo_warnx(U_("%s: %s"), __func__,
+		    U_("unable to allocate memory"));
+		debug_return_bool(false);
+	    }
+	}
 	if (cs->tags.nopasswd != UNSPEC)
 	    def_authenticate = !cs->tags.nopasswd;
 	if (cs->tags.noexec != UNSPEC)

plugins/sudoers/parse.h

@@ -131,6 +131,8 @@ struct command_options {
     time_t notbefore;			/* time restriction */
     time_t notafter;			/* time restriction */
     int timeout;			/* command timeout */
+    char *runcwd;			/* working directory */
+    char *runchroot;			/* root directory */
 #ifdef HAVE_SELINUX
     char *role, *type;			/* SELinux role and type */
 #endif
@@ -211,6 +213,8 @@ struct cmndspec {
     int timeout;			/* command timeout */
     time_t notbefore;			/* time restriction */
     time_t notafter;			/* time restriction */
+    char *runcwd;			/* working directory */
+    char *runchroot;			/* root directory */
 #ifdef HAVE_SELINUX
     char *role, *type;			/* SELinux role and type */
 #endif

plugins/sudoers/policy.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2010-2017 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -567,7 +567,7 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
 	debug_return_bool(true);	/* nothing to do */
 
     /* Increase the length of command_info as needed, it is *not* checked. */
-    command_info = calloc(54, sizeof(char *));
+    command_info = calloc(55, sizeof(char *));
     if (command_info == NULL)
 	goto oom;
 
@@ -618,7 +618,15 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
 		goto oom;
 	}
     }
-    if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
+    if (def_runcwd) {
+	/* Set cwd to explicit value in sudoers. */
+	if (!expand_tilde(&def_runcwd, runas_pw->pw_name)) {
+	    sudo_warnx(U_("invalid working directory: %s"), def_runcwd);
+	    goto bad;
+	}
+	if ((command_info[info_len++] = sudo_new_key_val("cwd", def_runcwd)) == NULL)
+	    goto oom;
+    } else if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
 	/* Set cwd to run user's homedir. */
 	if ((command_info[info_len++] = sudo_new_key_val("cwd", runas_pw->pw_dir)) == NULL)
 	    goto oom;
@@ -779,6 +787,14 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
 	if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
 	    goto oom;
     }
+    if (def_runchroot != NULL) {
+	if (!expand_tilde(&def_runchroot, runas_pw->pw_name)) {
+	    sudo_warnx(U_("invalid chroot directory: %s"), def_runchroot);
+	    goto bad;
+	}
+        if ((command_info[info_len++] = sudo_new_key_val("chroot", def_runchroot)) == NULL)
+            goto oom;
+    }
     if (cmnd_umask != ACCESSPERMS) {
 	if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
 	    goto oom;

plugins/sudoers/regress/sudoers/test1.toke.ok

@@ -2,7 +2,7 @@
 #
 #
 #
-WORD(5) ALL = LOG_INPUT LOG_OUTPUT COMMAND ARG : ALL = NOLOG_INPUT NOLOG_OUTPUT COMMAND 
+WORD(6) ALL = LOG_INPUT LOG_OUTPUT COMMAND ARG : ALL = NOLOG_INPUT NOLOG_OUTPUT COMMAND 
-WORD(5) ALL = NOPASSWD NOEXEC SETENV COMMAND : ALL = PASSWD EXEC NOSETENV COMMAND 
+WORD(6) ALL = NOPASSWD NOEXEC SETENV COMMAND : ALL = PASSWD EXEC NOSETENV COMMAND 
-WORD(5) ALL = MAIL COMMAND : ALL = NOMAIL COMMAND 
+WORD(6) ALL = MAIL COMMAND : ALL = NOMAIL COMMAND 
-WORD(5) ALL = FOLLOW COMMAND ARG : ALL = NOFOLLOW COMMAND ARG 
+WORD(6) ALL = FOLLOW COMMAND ARG : ALL = NOFOLLOW COMMAND ARG 

plugins/sudoers/regress/sudoers/test11.toke.ok

@@ -1,2 +1,2 @@
-WORD(5) 
+WORD(6) 
 <*> 

plugins/sudoers/regress/sudoers/test12.toke.ok

@@ -1,2 +1,2 @@
-WORD(5) ALL = ( ALL ) 
+WORD(6) ALL = ( ALL ) 
 <*> 

plugins/sudoers/regress/sudoers/test13.toke.ok

@@ -1 +1 @@
-WORD(5) ALL = ( ALL ) <*> 
+WORD(6) ALL = ( ALL ) <*> 

plugins/sudoers/regress/sudoers/test14.toke.ok

@@ -1,6 +1,6 @@
 CMNDALIAS ALIAS = SHA224_TOK : DIGEST , SHA224_TOK : DIGEST COMMAND 
 CMNDALIAS ALIAS = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST COMMAND 
 
-WORD(5) ALL = ALIAS , ALIAS , SHA512_TOK : DIGEST COMMAND 
+WORD(6) ALL = ALIAS , ALIAS , SHA512_TOK : DIGEST COMMAND 
 
-WORD(5) ALL = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST ALL 
+WORD(6) ALL = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST ALL 

plugins/sudoers/regress/sudoers/test15.toke.ok

@@ -1,2 +1,2 @@
 #
-WORD(5) ALL = COMMAND ARG 
+WORD(6) ALL = COMMAND ARG 

plugins/sudoers/regress/sudoers/test16.toke.ok

@@ -1,3 +1,3 @@
 #
 CMNDALIAS ALIAS = COMMAND ARG 
-WORD(5) ALL = ALIAS 
+WORD(6) ALL = ALIAS 

plugins/sudoers/regress/sudoers/test17.toke.ok

@@ -1,11 +1,11 @@
 #
 DEFAULTS DEFVAR = WORD(2) 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND , COMMAND , CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND , COMMAND , CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND 

plugins/sudoers/regress/sudoers/test18.toke.ok

@@ -1,10 +1,10 @@
 #
 DEFAULTS DEFVAR = WORD(2) 
-DEFAULTS_USER WORD(5) DEFVAR = WORD(2) 
+DEFAULTS_USER WORD(6) DEFVAR = WORD(2) 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND , COMMAND , CMND_TIMEOUT = WORD(5) COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND , COMMAND , CMND_TIMEOUT = WORD(6) COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND 
-WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND 
+WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND 
 testsudoers: sudoers:2: value "2d8h10m59ss" is invalid for option "command_timeout"
 testsudoers: sudoers:3: value "15f" is invalid for option "command_timeout"

plugins/sudoers/regress/sudoers/test19.toke.ok

@@ -1,12 +1,12 @@
 #
 #
-WORD(5) ALL = NOTBEFORE = WORD(5) NOTAFTER = WORD(5) COMMAND , COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) NOTAFTER = WORD(6) COMMAND , COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND , NOTAFTER = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND , NOTAFTER = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 
-WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND 
+WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND 

plugins/sudoers/regress/sudoers/test22.toke.ok

@@ -1,6 +1,6 @@
 #
 
-WORD(5) ALL = ( : ) ALL 
+WORD(6) ALL = ( : ) ALL 
-WORD(5) ALL = ( : ) ALL 
+WORD(6) ALL = ( : ) ALL 
-WORD(5) ALL = ( ) ALL 
+WORD(6) ALL = ( ) ALL 
-WORD(5) ALL = ( ) ALL 
+WORD(6) ALL = ( ) ALL 

plugins/sudoers/regress/sudoers/test3.toke.ok

@@ -1,6 +1,6 @@
 #
-USERALIAS ALIAS = WORD(5) , WORD(5) 
+USERALIAS ALIAS = WORD(6) , WORD(6) 
 DEFAULTS_USER ALIAS DEFVAR 
-DEFAULTS_USER WORD(5) , WORD(5) DEFVAR 
+DEFAULTS_USER WORD(6) , WORD(6) DEFVAR 
-DEFAULTS_USER WORD(5) , WORD(5) DEFVAR 
+DEFAULTS_USER WORD(6) , WORD(6) DEFVAR 
-DEFAULTS_USER WORD(5) , WORD(5) DEFVAR 
+DEFAULTS_USER WORD(6) , WORD(6) DEFVAR 

plugins/sudoers/regress/sudoers/test4.toke.ok

@@ -1,5 +1,5 @@
 #
-USERALIAS ALIAS = WORD(5) : ALIAS = WORD(5) 
+USERALIAS ALIAS = WORD(6) : ALIAS = WORD(6) 
 
 #
-USERALIAS ALIAS = WORD(5) <*> ERROR ALIAS = WORD(5) 
+USERALIAS ALIAS = WORD(6) <*> ERROR ALIAS = WORD(6) 

plugins/sudoers/regress/sudoers/test6.toke.ok

@@ -1,12 +1,12 @@
 #
-DEFAULTS_USER WORD(5) DEFVAR 
+DEFAULTS_USER WORD(6) DEFVAR 
-DEFAULTS_RUNAS WORD(5) DEFVAR 
+DEFAULTS_RUNAS WORD(6) DEFVAR 
 DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
 DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
 
 #
-WORD(5) ALL = ALL 
+WORD(6) ALL = ALL 
-WORD(5) ALL = ( WORD(5) : WORD(5) ) ALL 
+WORD(6) ALL = ( WORD(6) : WORD(6) ) ALL 
 BEGINSTR STRBODY ENDSTR WORD(4) ALL = ALL 
 BEGINSTR STRBODY ENDSTR WORD(4) ALL = ( BEGINSTR STRBODY ENDSTR WORD(4) : BEGINSTR STRBODY ENDSTR WORD(4) ) ALL 
 

plugins/sudoers/regress/sudoers/test8.toke.ok

@@ -1,7 +1,7 @@
 #
 USERALIAS ALIAS = BEGINSTR STRBODY ENDSTR WORD(4) 
 USERALIAS ALIAS = BEGINSTR STRBODY STRBODY ENDSTR WORD(4) 
-USERALIAS ALIAS = WORD(5) 
+USERALIAS ALIAS = WORD(6) 
 
 #
 USERALIAS ALIAS = BEGINSTR STRBODY <*> ERROR ERROR 

plugins/sudoers/sudoers.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1993-1996, 1998-2005, 2007-2017
+ * Copyright (c) 1993-1996, 1998-2005, 2007-2020
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -425,6 +425,9 @@ extern const char *path_plugin_dir;
 char *find_editor(int nfiles, char **files, int *argc_out, char ***argv_out,
      char * const *whitelist, const char **env_editor, bool env_error);
 
+/* exptilde.c */
+bool expand_tilde(char **path, const char *user);
+
 /* gc.c */
 enum sudoers_gc_types {
     GC_UNKNOWN,

plugins/sudoers/sudoers_version.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2011-2013, 2015, 2017
+ * Copyright (c) 2011-2013, 2015, 2017, 2019-2020
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -69,6 +69,7 @@
  * 46	sudo 1.8.20, added TIMEOUT, NOTBEFORE and NOTAFTER options.
  * 47	sudo 1.9.0, Cmd_Alias treated as Cmnd_Alias, support for multiple digests per command and for ALL.
  * 48	sudo 1.9.1, @include and @includedir, include path escaping/quoting.
+ * 49	sudo 1.9.3, CWD and CHDIR options.
  */
 
 #ifndef SUDOERS_VERSION_H

plugins/sudoers/toke.l

@@ -115,6 +115,7 @@ DEFVAR			[a-z_]+
 %x	INSTR
 %s	WANTDIGEST
 %x	GOTINC
+%s	EXPECTPATH
 
 %%
 <GOTDEFS>[[:blank:]]*,[[:blank:]]* {
@@ -573,6 +574,20 @@ ALL {
 			    LEXRETURN(NOTAFTER);
 			}
 
+<INITIAL>CWD {
+			    LEXTRACE("CWD ");
+			    prev_state = YY_START;
+			    BEGIN EXPECTPATH;
+			    LEXRETURN(CWD);
+			}
+
+<INITIAL>CHROOT {
+			    LEXTRACE("CHROOT ");
+			    prev_state = YY_START;
+			    BEGIN EXPECTPATH;
+			    LEXRETURN(CHROOT);
+			}
+
 <INITIAL>ROLE {
 #ifdef HAVE_SELINUX
 			    LEXTRACE("ROLE ");
@@ -660,6 +675,14 @@ sudoedit		{
 				yyterminate();
 			}			/* sudo -e */
 
+<EXPECTPATH>({PATH}|{WORD}) {
+				BEGIN prev_state;
+				if (!fill(sudoerstext, sudoersleng))
+				    yyterminate();
+				LEXTRACE("WORD(5) ");
+				LEXRETURN(WORD);
+			}
+
 {PATH}			{
 			    /* directories can't have args... */
 			    if (sudoerstext[sudoersleng - 1] == '/') {
@@ -667,12 +690,11 @@ sudoedit		{
 				if (!fill_cmnd(sudoerstext, sudoersleng))
 				    yyterminate();
 				LEXRETURN(COMMAND);
-			    } else {
-				BEGIN GOTCMND;
-				LEXTRACE("COMMAND ");
-				if (!fill_cmnd(sudoerstext, sudoersleng))
-				    yyterminate();
 			    }
+			    BEGIN GOTCMND;
+			    LEXTRACE("COMMAND ");
+			    if (!fill_cmnd(sudoerstext, sudoersleng))
+				yyterminate();
 			}			/* a pathname */
 
 <INITIAL,GOTDEFS>\"	{
@@ -686,7 +708,7 @@ sudoedit		{
 			    /* a word */
 			    if (!fill(sudoerstext, sudoersleng))
 				yyterminate();
-			    LEXTRACE("WORD(5) ");
+			    LEXTRACE("WORD(6) ");
 			    LEXRETURN(WORD);
 			}
 
@@ -696,7 +718,7 @@ sudoedit		{
 			    if (!fill(sudoerstext, sudoersleng))
 				yyterminate();
 			    BEGIN INITIAL;
-			    LEXTRACE("WORD(6) ");
+			    LEXTRACE("WORD(7) ");
 			    LEXRETURN(WORD);
 			}