isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sudo_debug_register: add minfd argument to specify lowest fd number

Browse Source 
Use this in sudo_intercept.so to avoid allocating a low-numbered
fd which the shell reserves for use by scripts.
This commit is contained in:
Todd C. Miller
2021-08-26 09:57:24 -06:00
parent d6a71fe32e
commit 70aef0eb2d
13 changed files with 35 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/sudo_debug.h
View File

@@ -267,6 +267,7 @@ sudo_dso_public int sudo_debug_parse_flags_v1(struct sudo_conf_debug_file_list *
sudo_dso_public void sudo_debug_printf2_v1(const char *func, const char *file, int line, int level, const char *fmt, ...) __printf0like(5, 6); sudo_dso_public void sudo_debug_printf2_v1(const char *func, const char *file, int line, int level, const char *fmt, ...) __printf0like(5, 6);
sudo_dso_public void sudo_debug_printf_nvm_v1(int pri, const char *fmt, ...) __printf0like(2, 3); sudo_dso_public void sudo_debug_printf_nvm_v1(int pri, const char *fmt, ...) __printf0like(2, 3);
sudo_dso_public int sudo_debug_register_v1(const char *program, const char *const subsystems[], unsigned int ids[], struct sudo_conf_debug_file_list *debug_files); sudo_dso_public int sudo_debug_register_v1(const char *program, const char *const subsystems[], unsigned int ids[], struct sudo_conf_debug_file_list *debug_files);
sudo_dso_public int sudo_debug_register_v2(const char *program, const char *const subsystems[], unsigned int ids[], struct sudo_conf_debug_file_list *debug_files, int minfd);
sudo_dso_public int sudo_debug_set_active_instance_v1(int inst); sudo_dso_public int sudo_debug_set_active_instance_v1(int inst);
sudo_dso_public void sudo_debug_update_fd_v1(int ofd, int nfd); sudo_dso_public void sudo_debug_update_fd_v1(int ofd, int nfd);
sudo_dso_public void sudo_debug_vprintf2_v1(const char *func, const char *file, int line, int level, const char *fmt, va_list ap) __printf0like(5, 0); sudo_dso_public void sudo_debug_vprintf2_v1(const char *func, const char *file, int line, int level, const char *fmt, va_list ap) __printf0like(5, 0);
@@ -295,7 +296,7 @@ sudo_dso_public bool sudo_debug_needed_v1(int level);
#define sudo_debug_parse_flags(_a, _b) sudo_debug_parse_flags_v1((_a), (_b)) #define sudo_debug_parse_flags(_a, _b) sudo_debug_parse_flags_v1((_a), (_b))
#define sudo_debug_printf2 sudo_debug_printf2_v1 #define sudo_debug_printf2 sudo_debug_printf2_v1
#define sudo_debug_printf_nvm sudo_debug_printf_nvm_v1 #define sudo_debug_printf_nvm sudo_debug_printf_nvm_v1
#define sudo_debug_register(_a, _b, _c, _d) sudo_debug_register_v1((_a), (_b), (_c), (_d)) #define sudo_debug_register(_a, _b, _c, _d, _e) sudo_debug_register_v2((_a), (_b), (_c), (_d), (_e))
#define sudo_debug_set_active_instance(_a) sudo_debug_set_active_instance_v1((_a)) #define sudo_debug_set_active_instance(_a) sudo_debug_set_active_instance_v1((_a))
#define sudo_debug_update_fd(_a, _b) sudo_debug_update_fd_v1((_a), (_b)) #define sudo_debug_update_fd(_a, _b) sudo_debug_update_fd_v1((_a), (_b))
#define sudo_debug_vprintf2(_a, _b, _c, _d, _e, _f) sudo_debug_vprintf2_v1((_a), (_b), (_c), (_d), (_e), (_f)) #define sudo_debug_vprintf2(_a, _b, _c, _d, _e, _f) sudo_debug_vprintf2_v1((_a), (_b), (_c), (_d), (_e), (_f))

25
lib/util/sudo_debug.c
View File

@@ -142,7 +142,7 @@ sudo_debug_free_output(struct sudo_debug_output *output)
*/ */
static struct sudo_debug_output * static struct sudo_debug_output *
sudo_debug_new_output(struct sudo_debug_instance *instance, sudo_debug_new_output(struct sudo_debug_instance *instance,
struct sudo_debug_file *debug_file) struct sudo_debug_file *debug_file, int minfd)
{ {
char *buf, *cp, *last, *subsys, *pri; char *buf, *cp, *last, *subsys, *pri;
struct sudo_debug_output *output; struct sudo_debug_output *output;
@@ -181,6 +181,15 @@ sudo_debug_new_output(struct sudo_debug_instance *instance,
} }
ignore_result(fchown(output->fd, (uid_t)-1, 0)); ignore_result(fchown(output->fd, (uid_t)-1, 0));
} }
if (output->fd < minfd) {
int newfd = fcntl(output->fd, F_DUPFD, minfd);
if (newfd == -1) {
sudo_warn_nodebug("%s", output->filename);
goto bad;
}
close(output->fd);
output->fd = newfd;
}
if (fcntl(output->fd, F_SETFD, FD_CLOEXEC) == -1) { if (fcntl(output->fd, F_SETFD, FD_CLOEXEC) == -1) {
sudo_warn_nodebug("%s", output->filename); sudo_warn_nodebug("%s", output->filename);
goto bad; goto bad;
@@ -259,8 +268,9 @@ bad:
* on error. * on error.
*/ */
int int
sudo_debug_register_v1(const char *program, const char *const subsystems[], sudo_debug_register_v2(const char *program, const char *const subsystems[],
unsigned int ids[], struct sudo_conf_debug_file_list *debug_files) unsigned int ids[], struct sudo_conf_debug_file_list *debug_files,
int minfd)
{ {
struct sudo_debug_instance *instance = NULL; struct sudo_debug_instance *instance = NULL;
struct sudo_debug_output *output; struct sudo_debug_output *output;
@@ -346,7 +356,7 @@ sudo_debug_register_v1(const char *program, const char *const subsystems[],
} }
TAILQ_FOREACH(debug_file, debug_files, entries) { TAILQ_FOREACH(debug_file, debug_files, entries) {
output = sudo_debug_new_output(instance, debug_file); output = sudo_debug_new_output(instance, debug_file, minfd);
if (output != NULL) if (output != NULL)
SLIST_INSERT_HEAD(&instance->outputs, output, entries); SLIST_INSERT_HEAD(&instance->outputs, output, entries);
} }
@@ -364,6 +374,13 @@ sudo_debug_register_v1(const char *program, const char *const subsystems[],
return idx; return idx;
} }
int
sudo_debug_register_v1(const char *program, const char *const subsystems[],
unsigned int ids[], struct sudo_conf_debug_file_list *debug_files)
{
return sudo_debug_register_v2(program, subsystems, ids, debug_files, -1);
}
/* /*
* De-register the specified instance from the debug subsystem * De-register the specified instance from the debug subsystem
* and free up any associated data structures. * and free up any associated data structures.

1
lib/util/util.exp.in
View File

@@ -39,6 +39,7 @@ sudo_debug_needed_v1
sudo_debug_parse_flags_v1 sudo_debug_parse_flags_v1
sudo_debug_printf2_v1 sudo_debug_printf2_v1
sudo_debug_register_v1 sudo_debug_register_v1
sudo_debug_register_v2
sudo_debug_set_active_instance_v1 sudo_debug_set_active_instance_v1
sudo_debug_update_fd_v1 sudo_debug_update_fd_v1
sudo_debug_vprintf2_v1 sudo_debug_vprintf2_v1

4
logsrvd/logsrvd.c
View File

@@ -1602,7 +1602,7 @@ server_reload(struct sudo_event_base *evbase)
logsrvd_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER; logsrvd_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER;
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) != -1) { if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) != -1) {
logsrvd_debug_instance = sudo_debug_register(getprogname(), logsrvd_debug_instance = sudo_debug_register(getprogname(),
NULL, NULL, sudo_conf_debug_files(getprogname())); NULL, NULL, sudo_conf_debug_files(getprogname()), -1);
} }
} }
@@ -1909,7 +1909,7 @@ main(int argc, char *argv[])
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
logsrvd_debug_instance = sudo_debug_register(getprogname(), NULL, NULL, logsrvd_debug_instance = sudo_debug_register(getprogname(), NULL, NULL,
sudo_conf_debug_files(getprogname())); sudo_conf_debug_files(getprogname()), -1);
if (protobuf_c_version_number() < 1003000) if (protobuf_c_version_number() < 1003000)
sudo_fatalx("%s", U_("Protobuf-C version 1.3 or higher required")); sudo_fatalx("%s", U_("Protobuf-C version 1.3 or higher required"));

2
logsrvd/sendlog.c
View File

@@ -1526,7 +1526,7 @@ main(int argc, char *argv[])
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
sudo_debug_register(getprogname(), NULL, NULL, sudo_debug_register(getprogname(), NULL, NULL,
sudo_conf_debug_files(getprogname())); sudo_conf_debug_files(getprogname()), -1);
if (protobuf_c_version_number() < 1003000) if (protobuf_c_version_number() < 1003000)
sudo_fatalx("%s", U_("Protobuf-C version 1.3 or higher required")); sudo_fatalx("%s", U_("Protobuf-C version 1.3 or higher required"));

2
plugins/audit_json/audit_json.c
View File

@@ -122,7 +122,7 @@ audit_json_open(unsigned int version, sudo_conv_t conversation,
} }
if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) { if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) {
audit_debug_instance = audit_debug_instance =
sudo_debug_register(plugin_path, NULL, NULL, &debug_files); sudo_debug_register(plugin_path, NULL, NULL, &debug_files, -1);
if (audit_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) { if (audit_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) {
*errstr = U_("unable to initialize debugging"); *errstr = U_("unable to initialize debugging");
goto bad; goto bad;

2
plugins/python/sudo_python_debug.c
View File

@@ -84,7 +84,7 @@ python_debug_register(const char *program,
if (debug_files != NULL && !TAILQ_EMPTY(debug_files)) { if (debug_files != NULL && !TAILQ_EMPTY(debug_files)) {
if (program != NULL) { if (program != NULL) {
instance = sudo_debug_register(program, python_subsystem_names, instance = sudo_debug_register(program, python_subsystem_names,
(unsigned int *)python_subsystem_ids, debug_files); (unsigned int *)python_subsystem_ids, debug_files, -1);
} }
TAILQ_FOREACH_SAFE(debug_file, debug_files, entries, debug_next) { TAILQ_FOREACH_SAFE(debug_file, debug_files, entries, debug_next) {
TAILQ_REMOVE(debug_files, debug_file, entries); TAILQ_REMOVE(debug_files, debug_file, entries);

2
plugins/sample_approval/sample_approval.c
View File

@@ -77,7 +77,7 @@ sample_approval_open(unsigned int version, sudo_conv_t conversation,
} }
if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) { if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) {
approval_debug_instance = approval_debug_instance =
sudo_debug_register(plugin_path, NULL, NULL, &debug_files); sudo_debug_register(plugin_path, NULL, NULL, &debug_files, -1);
if (approval_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) { if (approval_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) {
*errstr = U_("unable to initialize debugging"); *errstr = U_("unable to initialize debugging");
goto done; goto done;

2
plugins/sudoers/sudoers_debug.c
View File

@@ -90,7 +90,7 @@ sudoers_debug_register(const char *program,
if (debug_files != NULL && !TAILQ_EMPTY(debug_files)) { if (debug_files != NULL && !TAILQ_EMPTY(debug_files)) {
if (program != NULL) { if (program != NULL) {
instance = sudo_debug_register(program, sudoers_subsystem_names, instance = sudo_debug_register(program, sudoers_subsystem_names,
sudoers_subsystem_ids, debug_files); sudoers_subsystem_ids, debug_files, -1);
} }
TAILQ_FOREACH_SAFE(debug_file, debug_files, entries, debug_next) { TAILQ_FOREACH_SAFE(debug_file, debug_files, entries, debug_next) {
TAILQ_REMOVE(debug_files, debug_file, entries); TAILQ_REMOVE(debug_files, debug_file, entries);

2
plugins/sudoers/sudoreplay.c
View File

@@ -234,7 +234,7 @@ main(int argc, char *argv[])
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
sudo_debug_register(getprogname(), NULL, NULL, sudo_debug_register(getprogname(), NULL, NULL,
sudo_conf_debug_files(getprogname())); sudo_conf_debug_files(getprogname()), -1);
while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) { while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) {
switch (ch) { switch (ch) {

2
src/sesh.c
View File

@@ -75,7 +75,7 @@ main(int argc, char *argv[], char *envp[])
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
sudo_debug_register(getprogname(), NULL, NULL, sudo_debug_register(getprogname(), NULL, NULL,
sudo_conf_debug_files(getprogname())); sudo_conf_debug_files(getprogname()), -1);
if (strcmp(argv[1], "-e") == 0) { if (strcmp(argv[1], "-e") == 0) {
ret = sesh_sudoedit(argc, argv); ret = sesh_sudoedit(argc, argv);

2
src/sudo.c
View File

@@ -175,7 +175,7 @@ main(int argc, char *argv[], char *envp[])
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1) if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
sudo_debug_instance = sudo_debug_register(getprogname(), sudo_debug_instance = sudo_debug_register(getprogname(),
NULL, NULL, sudo_conf_debug_files(getprogname())); NULL, NULL, sudo_conf_debug_files(getprogname()), -1);
if (sudo_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) if (sudo_debug_instance == SUDO_DEBUG_INSTANCE_ERROR)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);

2
src/sudo_intercept_common.c
View File

@@ -198,7 +198,7 @@ sudo_interposer_init(void)
/* Read debug section of sudo.conf and init debugging. */ /* Read debug section of sudo.conf and init debugging. */
if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) != -1) { if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) != -1) {
sudo_debug_register("sudo_intercept.so", NULL, NULL, sudo_debug_register("sudo_intercept.so", NULL, NULL,
sudo_conf_debug_files("sudo_intercept.so")); sudo_conf_debug_files("sudo_intercept.so"), INTERCEPT_FD_MIN);
} }
sudo_debug_enter(__func__, __FILE__, __LINE__, sudo_debug_subsys); sudo_debug_enter(__func__, __FILE__, __LINE__, sudo_debug_subsys);