isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add "intercept" Defaults setting to allow interception of sub-commands.

Browse Source 
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell.  Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
This commit is contained in:
Todd C. Miller
2021-08-09 15:50:25 -06:00
parent b3e86c65b1
commit 786e5865cb
16 changed files with 3346 additions and 2977 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
doc/sudoers.man.in
View File

@@ -1190,8 +1190,9 @@ Chroot_Spec ::= 'CHROOT=directory'
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' | Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' | 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'INTERCEPT:' |
'NOPASSWD:' | 'SETENV:' | 'NOSETENV:') 'NOINTERCEPT:' | 'PASSWD:' | 'NOPASSWD:' | 'SETENV:' |
'NOSETENV:')
.RE .RE
.fi .fi
.PP .PP
@@ -1607,6 +1608,8 @@ The following tag values are supported:
\fRNOLOG_OUTPUT\fR, \fRNOLOG_OUTPUT\fR,
\fRMAIL\fR, \fRMAIL\fR,
\fRNOMAIL\fR, \fRNOMAIL\fR,
\fRINTERCEPT\fR,
\fRNOINTERCEPT\fR,
\fRPASSWD\fR, \fRPASSWD\fR,
\fRNOPASSWD\fR, \fRNOPASSWD\fR,
\fRSETENV\fR, \fRSETENV\fR,
@@ -1767,7 +1770,9 @@ and
\fI/usr/bin/lprm\fR \fI/usr/bin/lprm\fR
as as
\fBroot\fR \fBroot\fR
on the machine rushmore without authenticating himself. on the machine
\(lqrushmore\(rq
without authenticating himself.
If we only want If we only want
\fBray\fR \fBray\fR
to be able to to be able to
@@ -1832,6 +1837,42 @@ the
tag is implied for that command; this default may be overridden by use of the tag is implied for that command; this default may be overridden by use of the
\fRNOSETENV\fR \fRNOSETENV\fR
tag. tag.
.TP 2n
\fIINTERCEPT\fR and \fINOINTERCEPT\fR
.sp
If
\fBsudo\fR
has been compiled with
\fIintercept\fR
support and the underlying operating system supports it, the
\fRINTERCEPT\fR
tag can be used to cause programs spawned by a command to be checked against
\fIsudoers\fR
and logged just like they would be if run through
\fBsudo\fR
directly.
This is useful in conjunction with commands that allow shell escapes
such as editors, shells and paginators.
.sp
In the following example, user
\fBchuck\fR
may run any command on the machine
\(lqresearch\(rq
in intercept mode.
.nf
.sp
.RS 2n
chuck research = INTERCEPT: ALL
.RE
.fi
.RS 2n
.sp
See the
\fIPreventing shell escapes\fR
section below for more details on how
\fRINTERCEPT\fR
works and whether or not it will work on your system.
.RE
.SS "Wildcards" .SS "Wildcards"
\fBsudo\fR \fBsudo\fR
allows shell-style allows shell-style
@@ -2717,6 +2758,29 @@ by default.
.sp .sp
This setting is only supported by version 1.8.29 or higher. This setting is only supported by version 1.8.29 or higher.
.TP 18n .TP 18n
log_children
If set,
\fBsudoers\fR
will log when a command runs a child process.
For example, if a shell is run by
\fBsudo\fR,
the individual commands run via the shell will be logged.
This flag is
\fIoff\fR
by default.
.sp
The
\fIlog_children\fR
flag uses the same underlying mechanism as the
\fIintercept\fR
and
\fInoexec\fR
settings.
See
\fIPreventing shell escapes\fR
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher.
.TP 18n
log_denied log_denied
If set, If set,
\fBsudoers\fR \fBsudoers\fR
@@ -2970,6 +3034,24 @@ by default.
.sp .sp
This setting is only supported by version 1.8.18 or higher. This setting is only supported by version 1.8.18 or higher.
.TP 18n .TP 18n
intercept
If set, all commands run via
\fBsudo\fR
will behave as if the
\fRINTERCEPT\fR
tag has been set, unless overridden by an
\fRNOINTERCEPT\fR
tag.
See the description of
\fIINTERCEPT and NOINTERCEPT\fR
above as well as the
\fIPreventing shell escapes\fR
section at the end of this manual.
This flag is
\fIoff\fR
.sp
This setting is only supported by version 1.9.8 or higher.
.TP 18n
netgroup_tuple netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set). tuple: host name, user name and domain (if one is set).
@@ -6145,7 +6227,7 @@ access control and logging.
Common programs that permit shell escapes include shells (obviously), Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
.PP .PP
There are two basic approaches to this problem: There are three basic approaches to this problem:
.TP 10n .TP 10n
restrict restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
@@ -6160,7 +6242,8 @@ Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that offer shell escapes, restricting users to the set of programs that
do not is often unworkable. do not is often unworkable.
.TP 10n .TP 10n
noexec intercept
.br
Many systems that support shared libraries have the ability to Many systems that support shared libraries have the ability to
override default library functions by pointing an environment override default library functions by pointing an environment
variable (usually variable (usually
@@ -6168,19 +6251,24 @@ variable (usually
to an alternate shared library. to an alternate shared library.
On such systems, On such systems,
\fBsudo\fR's \fBsudo\fR's
\fInoexec\fR \fIintercept\fR
functionality can be used to prevent a program run by functionality can be used to transparently intercept an attempt to
\fBsudo\fR run a new command, allow or deny it based on
from executing any other programs. \fIsudoers\fR,
and log the result.
For example, this can be used to restrict the commands run from
within a shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables Statically-linked executables and executables
running under binary emulation are not affected. running under binary emulation are not affected.
Also, many shells support built-in commands that cannot be intercepted by
\fBsudo\fR.
.sp .sp
The The
\fInoexec\fR \fIintercept\fR
feature is known to work on SunOS, Solaris, *BSD, feature is known to work on Solaris, *BSD, Linux, macOS, HP-UX 11.x
Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above. and AIX 5.3 and above.
It should be supported on most operating systems that support the It should be supported on most operating systems that support the
\fRLD_PRELOAD\fR \fRLD_PRELOAD\fR
environment variable. environment variable.
@@ -6189,6 +6277,46 @@ Check your operating system's manual pages for the dynamic linker
\fRLD_PRELOAD\fR \fRLD_PRELOAD\fR
is supported. is supported.
.sp .sp
To enable intercept mode on a per-command basis, use the
\fRINTERCEPT\fR
tag as documented in the User Specification section above.
Here is that example again:
.nf
.sp
.RS 10n
chuck research = INTERCEPT: ALL
.RE
.fi
.RS 10n
.sp
This allows user
\fBchuck\fR
to run any command on the machine
\(lqresearch\(rq
in intercept mode.
Any commands run via shell escapes will be validated and logged by
\fBsudo\fR.
If you are unsure whether or not your system is capable of supporting
\fIintercept\fR,
you can always just try it out and check whether or not external
commands run via a shell are logged when
\fIintercept\fR
is enabled.
.RE
.TP 10n
noexec
\fBsudo\fR's
\fInoexec\fR
functionality can be used to prevent a program run by
\fBsudo\fR
from executing any other programs.
On most systems, it uses the same mechanism as
\fIintercept\fR
(see above) and thus the same caveats apply.
On Linux, a
\fBseccomp\fR()
filter is used to implement
\fInoexec\fR.
On Solaris 10 and higher, On Solaris 10 and higher,
\fInoexec\fR \fInoexec\fR
uses Solaris privileges instead of the uses Solaris privileges instead of the
@@ -6199,8 +6327,7 @@ To enable
\fInoexec\fR \fInoexec\fR
for a command, use the for a command, use the
\fRNOEXEC\fR \fRNOEXEC\fR
tag as documented tag as documented in the User Specification section above.
in the User Specification section above.
Here is that example again: Here is that example again:
.nf .nf
.sp .sp

140
doc/sudoers.mdoc.in
View File

@@ -1143,8 +1143,9 @@ Chroot_Spec ::= 'CHROOT=directory'
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' | Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' | 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'INTERCEPT:' |
'NOPASSWD:' | 'SETENV:' | 'NOSETENV:') 'NOINTERCEPT:' | 'PASSWD:' | 'NOPASSWD:' | 'SETENV:' |
'NOSETENV:')
.Ed .Ed
.Pp .Pp
A A
@@ -1527,6 +1528,8 @@ The following tag values are supported:
.Li NOLOG_OUTPUT , .Li NOLOG_OUTPUT ,
.Li MAIL , .Li MAIL ,
.Li NOMAIL , .Li NOMAIL ,
.Li INTERCEPT ,
.Li NOINTERCEPT ,
.Li PASSWD , .Li PASSWD ,
.Li NOPASSWD , .Li NOPASSWD ,
.Li SETENV , .Li SETENV ,
@@ -1673,7 +1676,9 @@ and
.Pa /usr/bin/lprm .Pa /usr/bin/lprm
as as
.Sy root .Sy root
on the machine rushmore without authenticating himself. on the machine
.Dq rushmore
without authenticating himself.
If we only want If we only want
.Sy ray .Sy ray
to be able to to be able to
@@ -1733,6 +1738,36 @@ the
tag is implied for that command; this default may be overridden by use of the tag is implied for that command; this default may be overridden by use of the
.Li NOSETENV .Li NOSETENV
tag. tag.
.It Em INTERCEPT No and Em NOINTERCEPT
.sp
If
.Nm sudo
has been compiled with
.Em intercept
support and the underlying operating system supports it, the
.Li INTERCEPT
tag can be used to cause programs spawned by a command to be checked against
.Em sudoers
and logged just like they would be if run through
.Nm sudo
directly.
This is useful in conjunction with commands that allow shell escapes
such as editors, shells and paginators.
.Pp
In the following example, user
.Sy chuck
may run any command on the machine
.Dq research
in intercept mode.
.Bd -literal
chuck research = INTERCEPT: ALL
.Ed
.Pp
See the
.Sx Preventing shell escapes
section below for more details on how
.Li INTERCEPT
works and whether or not it will work on your system.
.El .El
.Ss Wildcards .Ss Wildcards
.Nm sudo .Nm sudo
@@ -2563,6 +2598,28 @@ This flag is
by default. by default.
.Pp .Pp
This setting is only supported by version 1.8.29 or higher. This setting is only supported by version 1.8.29 or higher.
.It log_children
If set,
.Nm
will log when a command runs a child process.
For example, if a shell is run by
.Nm sudo ,
the individual commands run via the shell will be logged.
This flag is
.Em off
by default.
.Pp
The
.Em log_children
flag uses the same underlying mechanism as the
.Em intercept
and
.Em noexec
settings.
See
.Sx Preventing shell escapes
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher.
.It log_denied .It log_denied
If set, If set,
.Nm .Nm
@@ -2799,6 +2856,23 @@ This flag is
by default. by default.
.Pp .Pp
This setting is only supported by version 1.8.18 or higher. This setting is only supported by version 1.8.18 or higher.
.It intercept
If set, all commands run via
.Nm sudo
will behave as if the
.Li INTERCEPT
tag has been set, unless overridden by an
.Li NOINTERCEPT
tag.
See the description of
.Em INTERCEPT and NOINTERCEPT
above as well as the
.Sx Preventing shell escapes
section at the end of this manual.
This flag is
.Em off
.Pp
This setting is only supported by version 1.9.8 or higher.
.It netgroup_tuple .It netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set). tuple: host name, user name and domain (if one is set).
@@ -5678,7 +5752,7 @@ access control and logging.
Common programs that permit shell escapes include shells (obviously), Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
.Pp .Pp
There are two basic approaches to this problem: There are three basic approaches to this problem:
.Bl -tag -width 8n .Bl -tag -width 8n
.It restrict .It restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
@@ -5692,7 +5766,7 @@ running editors via
Due to the large number of programs that Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that offer shell escapes, restricting users to the set of programs that
do not is often unworkable. do not is often unworkable.
.It noexec .It intercept
Many systems that support shared libraries have the ability to Many systems that support shared libraries have the ability to
override default library functions by pointing an environment override default library functions by pointing an environment
variable (usually variable (usually
@@ -5700,19 +5774,24 @@ variable (usually
to an alternate shared library. to an alternate shared library.
On such systems, On such systems,
.Nm sudo Ns 's .Nm sudo Ns 's
.Em noexec .Em intercept
functionality can be used to prevent a program run by functionality can be used to transparently intercept an attempt to
.Nm sudo run a new command, allow or deny it based on
from executing any other programs. .Em sudoers ,
and log the result.
For example, this can be used to restrict the commands run from
within a shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables Statically-linked executables and executables
running under binary emulation are not affected. running under binary emulation are not affected.
Also, many shells support built-in commands that cannot be intercepted by
.Nm sudo .
.Pp .Pp
The The
.Em noexec .Em intercept
feature is known to work on SunOS, Solaris, *BSD, feature is known to work on Solaris, *BSD, Linux, macOS, HP-UX 11.x
Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above. and AIX 5.3 and above.
It should be supported on most operating systems that support the It should be supported on most operating systems that support the
.Ev LD_PRELOAD .Ev LD_PRELOAD
environment variable. environment variable.
@@ -5721,6 +5800,40 @@ Check your operating system's manual pages for the dynamic linker
.Ev LD_PRELOAD .Ev LD_PRELOAD
is supported. is supported.
.Pp .Pp
To enable intercept mode on a per-command basis, use the
.Li INTERCEPT
tag as documented in the User Specification section above.
Here is that example again:
.Bd -literal
chuck research = INTERCEPT: ALL
.Ed
.Pp
This allows user
.Sy chuck
to run any command on the machine
.Dq research
in intercept mode.
Any commands run via shell escapes will be validated and logged by
.Nm sudo .
If you are unsure whether or not your system is capable of supporting
.Em intercept ,
you can always just try it out and check whether or not external
commands run via a shell are logged when
.Em intercept
is enabled.
.It noexec
.Nm sudo Ns 's
.Em noexec
functionality can be used to prevent a program run by
.Nm sudo
from executing any other programs.
On most systems, it uses the same mechanism as
.Em intercept
(see above) and thus the same caveats apply.
On Linux, a
.Fn seccomp
filter is used to implement
.Em noexec .
On Solaris 10 and higher, On Solaris 10 and higher,
.Em noexec .Em noexec
uses Solaris privileges instead of the uses Solaris privileges instead of the
@@ -5731,8 +5844,7 @@ To enable
.Em noexec .Em noexec
for a command, use the for a command, use the
.Li NOEXEC .Li NOEXEC
tag as documented tag as documented in the User Specification section above.
in the User Specification section above.
Here is that example again: Here is that example again:
.Bd -literal .Bd -literal
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

7
plugins/sudoers/cvtsudoers_json.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2013-2020 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2013-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -682,6 +682,11 @@ print_cmndspec_json(struct json_container *jsonc,
value.u.boolean = tag.noexec; value.u.boolean = tag.noexec;
sudo_json_add_value_as_object(jsonc, "noexec", &value); sudo_json_add_value_as_object(jsonc, "noexec", &value);
} }
if (tag.intercept != UNSPEC) {
value.type = JSON_BOOL;
value.u.boolean = tag.intercept;
sudo_json_add_value_as_object(jsonc, "intercept", &value);
}
if (tag.send_mail != UNSPEC) { if (tag.send_mail != UNSPEC) {
value.type = JSON_BOOL; value.type = JSON_BOOL;
value.u.boolean = tag.send_mail; value.u.boolean = tag.send_mail;

6
plugins/sudoers/cvtsudoers_ldif.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2018 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2018-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -386,6 +386,10 @@ print_cmndspec_ldif(FILE *fp, struct sudoers_parse_tree *parse_tree,
print_attribute_ldif(fp, "sudoOption", print_attribute_ldif(fp, "sudoOption",
tag.noexec ? "noexec" : "!noexec"); tag.noexec ? "noexec" : "!noexec");
} }
if (tag.intercept != UNSPEC) {
print_attribute_ldif(fp, "sudoOption",
tag.intercept ? "intercept" : "!intercept");
}
if (tag.send_mail != UNSPEC) { if (tag.send_mail != UNSPEC) {
if (tag.send_mail) { if (tag.send_mail) {
print_attribute_ldif(fp, "sudoOption", "mail_all_cmnds"); print_attribute_ldif(fp, "sudoOption", "mail_all_cmnds");

8
plugins/sudoers/def_data.c
View File

@@ -577,6 +577,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"admin_flag", T_STR|T_BOOL|T_CHPATH, "admin_flag", T_STR|T_BOOL|T_CHPATH,
N_("Path to the file that is created the first time sudo is run: %s"), N_("Path to the file that is created the first time sudo is run: %s"),
NULL, NULL,
}, {
"intercept", T_FLAG,
N_("Intercept further commands and apply sudoers restrictions to them"),
NULL,
}, {
"log_children", T_FLAG,
N_("Log any child processes run by the command"),
NULL,
}, { }, {
"log_exit_status", T_FLAG, "log_exit_status", T_FLAG,
N_("Log the exit status of commands"), N_("Log the exit status of commands"),

6
plugins/sudoers/def_data.h
View File

@@ -266,7 +266,11 @@
#define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag) #define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
#define I_ADMIN_FLAG 132 #define I_ADMIN_FLAG 132
#define def_admin_flag (sudo_defs_table[I_ADMIN_FLAG].sd_un.str) #define def_admin_flag (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
#define I_LOG_EXIT_STATUS 133 #define I_INTERCEPT 133
#define def_intercept (sudo_defs_table[I_INTERCEPT].sd_un.flag)
#define I_LOG_CHILDREN 134
#define def_log_children (sudo_defs_table[I_LOG_CHILDREN].sd_un.flag)
#define I_LOG_EXIT_STATUS 135
#define def_log_exit_status (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag) #define def_log_exit_status (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
enum def_tuple { enum def_tuple {

6
plugins/sudoers/def_data.in
View File

@@ -415,6 +415,12 @@ selinux
admin_flag admin_flag
T_STR|T_BOOL|T_CHPATH T_STR|T_BOOL|T_CHPATH
"Path to the file that is created the first time sudo is run: %s" "Path to the file that is created the first time sudo is run: %s"
intercept
T_FLAG
"Intercept further commands and apply sudoers restrictions to them"
log_children
T_FLAG
"Log any child processes run by the command"
log_exit_status log_exit_status
T_FLAG T_FLAG
"Log the exit status of commands" "Log the exit status of commands"

6
plugins/sudoers/fmtsudoers.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2004-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2004-2005, 2007-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -152,6 +152,8 @@ sudoers_defaults_to_tags(const char *var, const char *val, int op,
tags->log_output = op == true; tags->log_output = op == true;
} else if (strcmp(var, "noexec") == 0) { } else if (strcmp(var, "noexec") == 0) {
tags->noexec = op == true; tags->noexec = op == true;
} else if (strcmp(var, "intercept") == 0) {
tags->intercept = op == true;
} else if (strcmp(var, "setenv") == 0) { } else if (strcmp(var, "setenv") == 0) {
tags->setenv = op == true; tags->setenv = op == true;
} else if (strcmp(var, "mail_all_cmnds") == 0 || } else if (strcmp(var, "mail_all_cmnds") == 0 ||
@@ -251,6 +253,8 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
} }
if (TAG_CHANGED(prev_cs, cs, tags, setenv)) if (TAG_CHANGED(prev_cs, cs, tags, setenv))
sudo_lbuf_append(lbuf, tags.setenv ? "SETENV: " : "NOSETENV: "); sudo_lbuf_append(lbuf, tags.setenv ? "SETENV: " : "NOSETENV: ");
if (TAG_CHANGED(prev_cs, cs, tags, intercept))
sudo_lbuf_append(lbuf, tags.intercept ? "INTERCEPT: " : "NOINTERCEPT: ");
if (TAG_CHANGED(prev_cs, cs, tags, noexec)) if (TAG_CHANGED(prev_cs, cs, tags, noexec))
sudo_lbuf_append(lbuf, tags.noexec ? "NOEXEC: " : "EXEC: "); sudo_lbuf_append(lbuf, tags.noexec ? "NOEXEC: " : "EXEC: ");
if (TAG_CHANGED(prev_cs, cs, tags, nopasswd)) if (TAG_CHANGED(prev_cs, cs, tags, nopasswd))

1401
plugins/sudoers/gram.c
View File

File diff suppressed because it is too large Load Diff

94
plugins/sudoers/gram.h
View File

@@ -1,4 +1,4 @@
/* A Bison parser, made by GNU Bison 3.7.5. */ /* A Bison parser, made by GNU Bison 3.7.6. */
/* Bison interface for Yacc-like parsers in C /* Bison interface for Yacc-like parsers in C
@@ -16,7 +16,7 @@
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */ along with this program. If not, see <https://www.gnu.org/licenses/>. */
/* As a special exception, you may create a larger work that contains /* As a special exception, you may create a larger work that contains
part or all of the Bison parser skeleton and distribute that work part or all of the Bison parser skeleton and distribute that work
@@ -83,27 +83,29 @@ extern int sudoersdebug;
NOMAIL = 284, /* NOMAIL */ NOMAIL = 284, /* NOMAIL */
FOLLOWLNK = 285, /* FOLLOWLNK */ FOLLOWLNK = 285, /* FOLLOWLNK */
NOFOLLOWLNK = 286, /* NOFOLLOWLNK */ NOFOLLOWLNK = 286, /* NOFOLLOWLNK */
ALL = 287, /* ALL */ INTERCEPT = 287, /* INTERCEPT */
HOSTALIAS = 288, /* HOSTALIAS */ NOINTERCEPT = 288, /* NOINTERCEPT */
CMNDALIAS = 289, /* CMNDALIAS */ ALL = 289, /* ALL */
USERALIAS = 290, /* USERALIAS */ HOSTALIAS = 290, /* HOSTALIAS */
RUNASALIAS = 291, /* RUNASALIAS */ CMNDALIAS = 291, /* CMNDALIAS */
ERROR = 292, /* ERROR */ USERALIAS = 292, /* USERALIAS */
NOMATCH = 293, /* NOMATCH */ RUNASALIAS = 293, /* RUNASALIAS */
CHROOT = 294, /* CHROOT */ ERROR = 294, /* ERROR */
CWD = 295, /* CWD */ NOMATCH = 295, /* NOMATCH */
TYPE = 296, /* TYPE */ CHROOT = 296, /* CHROOT */
ROLE = 297, /* ROLE */ CWD = 297, /* CWD */
PRIVS = 298, /* PRIVS */ TYPE = 298, /* TYPE */
LIMITPRIVS = 299, /* LIMITPRIVS */ ROLE = 299, /* ROLE */
CMND_TIMEOUT = 300, /* CMND_TIMEOUT */ PRIVS = 300, /* PRIVS */
NOTBEFORE = 301, /* NOTBEFORE */ LIMITPRIVS = 301, /* LIMITPRIVS */
NOTAFTER = 302, /* NOTAFTER */ CMND_TIMEOUT = 302, /* CMND_TIMEOUT */
MYSELF = 303, /* MYSELF */ NOTBEFORE = 303, /* NOTBEFORE */
SHA224_TOK = 304, /* SHA224_TOK */ NOTAFTER = 304, /* NOTAFTER */
SHA256_TOK = 305, /* SHA256_TOK */ MYSELF = 305, /* MYSELF */
SHA384_TOK = 306, /* SHA384_TOK */ SHA224_TOK = 306, /* SHA224_TOK */
SHA512_TOK = 307 /* SHA512_TOK */ SHA256_TOK = 307, /* SHA256_TOK */
SHA384_TOK = 308, /* SHA384_TOK */
SHA512_TOK = 309 /* SHA512_TOK */
}; };
typedef enum yytokentype yytoken_kind_t; typedef enum yytokentype yytoken_kind_t;
#endif #endif
@@ -141,27 +143,29 @@ extern int sudoersdebug;
#define NOMAIL 284 #define NOMAIL 284
#define FOLLOWLNK 285 #define FOLLOWLNK 285
#define NOFOLLOWLNK 286 #define NOFOLLOWLNK 286
#define ALL 287 #define INTERCEPT 287
#define HOSTALIAS 288 #define NOINTERCEPT 288
#define CMNDALIAS 289 #define ALL 289
#define USERALIAS 290 #define HOSTALIAS 290
#define RUNASALIAS 291 #define CMNDALIAS 291
#define ERROR 292 #define USERALIAS 292
#define NOMATCH 293 #define RUNASALIAS 293
#define CHROOT 294 #define ERROR 294
#define CWD 295 #define NOMATCH 295
#define TYPE 296 #define CHROOT 296
#define ROLE 297 #define CWD 297
#define PRIVS 298 #define TYPE 298
#define LIMITPRIVS 299 #define ROLE 299
#define CMND_TIMEOUT 300 #define PRIVS 300
#define NOTBEFORE 301 #define LIMITPRIVS 301
#define NOTAFTER 302 #define CMND_TIMEOUT 302
#define MYSELF 303 #define NOTBEFORE 303
#define SHA224_TOK 304 #define NOTAFTER 304
#define SHA256_TOK 305 #define MYSELF 305
#define SHA384_TOK 306 #define SHA224_TOK 306
#define SHA512_TOK 307 #define SHA256_TOK 307
#define SHA384_TOK 308
#define SHA512_TOK 309
/* Value type. */ /* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -181,7 +185,7 @@ union YYSTYPE
char *string; char *string;
int tok; int tok;
#line 185 "y.tab.h" #line 189 "y.tab.h"
}; };
typedef union YYSTYPE YYSTYPE; typedef union YYSTYPE YYSTYPE;

12
plugins/sudoers/gram.y
View File

@@ -2,7 +2,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2020 * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2021
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@@ -129,6 +129,8 @@ static void alias_error(const char *name, int errnum);
%token <tok> NOMAIL /* don't mail log message */ %token <tok> NOMAIL /* don't mail log message */
%token <tok> FOLLOWLNK /* follow symbolic links */ %token <tok> FOLLOWLNK /* follow symbolic links */
%token <tok> NOFOLLOWLNK /* don't follow symbolic links */ %token <tok> NOFOLLOWLNK /* don't follow symbolic links */
%token <tok> INTERCEPT /* intercept children of command */
%token <tok> NOINTERCEPT /* disable intercepting of children */
%token <tok> ALL /* ALL keyword */ %token <tok> ALL /* ALL keyword */
%token <tok> HOSTALIAS /* Host_Alias keyword */ %token <tok> HOSTALIAS /* Host_Alias keyword */
%token <tok> CMNDALIAS /* Cmnd_Alias keyword */ %token <tok> CMNDALIAS /* Cmnd_Alias keyword */
@@ -468,6 +470,8 @@ cmndspeclist : cmndspec
$3->tags.nopasswd = prev->tags.nopasswd; $3->tags.nopasswd = prev->tags.nopasswd;
if ($3->tags.noexec == UNSPEC) if ($3->tags.noexec == UNSPEC)
$3->tags.noexec = prev->tags.noexec; $3->tags.noexec = prev->tags.noexec;
if ($3->tags.intercept == UNSPEC)
$3->tags.intercept = prev->tags.intercept;
if ($3->tags.setenv == UNSPEC && if ($3->tags.setenv == UNSPEC &&
prev->tags.setenv != IMPLIED) prev->tags.setenv != IMPLIED)
$3->tags.setenv = prev->tags.setenv; $3->tags.setenv = prev->tags.setenv;
@@ -876,6 +880,12 @@ cmndtag : /* empty */ {
| cmndtag EXEC { | cmndtag EXEC {
$$.noexec = false; $$.noexec = false;
} }
| cmndtag INTERCEPT {
$$.intercept = true;
}
| cmndtag NOINTERCEPT {
$$.intercept = false;
}
| cmndtag SETENV { | cmndtag SETENV {
$$.setenv = true; $$.setenv = true;
} }

9
plugins/sudoers/parse.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2004-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2004-2005, 2007-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -300,6 +300,11 @@ apply_cmndspec(struct cmndspec *cs)
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_noexec -> %s", def_noexec ? "true" : "false"); "def_noexec -> %s", def_noexec ? "true" : "false");
} }
if (cs->tags.intercept != UNSPEC) {
def_intercept = cs->tags.intercept;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_intercept -> %s", def_intercept ? "true" : "false");
}
if (cs->tags.setenv != UNSPEC) { if (cs->tags.setenv != UNSPEC) {
def_setenv = cs->tags.setenv; def_setenv = cs->tags.setenv;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -566,6 +571,8 @@ display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!"); sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
if (TAG_SET(cs->tags.noexec)) if (TAG_SET(cs->tags.noexec))
sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!"); sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
if (TAG_SET(cs->tags.intercept))
sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!");
if (TAG_SET(cs->tags.nopasswd)) if (TAG_SET(cs->tags.nopasswd))
sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : ""); sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
if (TAG_SET(cs->tags.log_input)) if (TAG_SET(cs->tags.log_input))

23
plugins/sudoers/parse.h
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2000, 2004, 2007-2020 * Copyright (c) 1996, 1998-2000, 2004, 2007-2021
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@@ -48,6 +48,7 @@
*/ */
#define TAGS_INIT(t) do { \ #define TAGS_INIT(t) do { \
(t)->follow = UNSPEC; \ (t)->follow = UNSPEC; \
(t)->intercept = UNSPEC; \
(t)->log_input = UNSPEC; \ (t)->log_input = UNSPEC; \
(t)->log_output = UNSPEC; \ (t)->log_output = UNSPEC; \
(t)->noexec = UNSPEC; \ (t)->noexec = UNSPEC; \
@@ -62,6 +63,8 @@
#define TAGS_MERGE(t, t2) do { \ #define TAGS_MERGE(t, t2) do { \
if ((t2).follow != UNSPEC) \ if ((t2).follow != UNSPEC) \
(t).follow = (t2).follow; \ (t).follow = (t2).follow; \
if ((t2).intercept != UNSPEC) \
(t).intercept = (t2).intercept; \
if ((t2).log_input != UNSPEC) \ if ((t2).log_input != UNSPEC) \
(t).log_input = (t2).log_input; \ (t).log_input = (t2).log_input; \
if ((t2).log_output != UNSPEC) \ if ((t2).log_output != UNSPEC) \
@@ -80,10 +83,10 @@
* Returns true if any tag are not UNSPEC, else false. * Returns true if any tag are not UNSPEC, else false.
*/ */
#define TAGS_SET(t) \ #define TAGS_SET(t) \
((t).follow != UNSPEC || (t).log_input != UNSPEC || \ ((t).follow != UNSPEC || (t).intercept != UNSPEC || \
(t).log_output != UNSPEC || (t).noexec != UNSPEC || \ (t).log_input != UNSPEC || (t).log_output != UNSPEC || \
(t).nopasswd != UNSPEC || (t).send_mail != UNSPEC || \ (t).noexec != UNSPEC || (t).nopasswd != UNSPEC || \
(t).setenv != UNSPEC) (t).send_mail != UNSPEC || (t).setenv != UNSPEC)
/* /*
* Returns true if the specified tag is not UNSPEC or IMPLIED, else false. * Returns true if the specified tag is not UNSPEC or IMPLIED, else false.
@@ -96,6 +99,7 @@
*/ */
#define TAGS_CHANGED(ot, nt) \ #define TAGS_CHANGED(ot, nt) \
((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \ ((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
(TAG_SET((nt).intercept) && (nt).intercept != (ot).intercept) || \
(TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \ (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
(TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \ (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
(TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \ (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
@@ -121,13 +125,14 @@ struct command_digest {
* Possible values: true, false, IMPLIED, UNSPEC. * Possible values: true, false, IMPLIED, UNSPEC.
*/ */
struct cmndtag { struct cmndtag {
signed int nopasswd: 3; signed int follow: 3;
signed int noexec: 3; signed int intercept: 3;
signed int setenv: 3;
signed int log_input: 3; signed int log_input: 3;
signed int log_output: 3; signed int log_output: 3;
signed int noexec: 3;
signed int nopasswd: 3;
signed int send_mail: 3; signed int send_mail: 3;
signed int follow: 3; signed int setenv: 3;
}; };
/* /*

12
plugins/sudoers/policy.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -611,7 +611,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
debug_return_bool(true); /* nothing to do */ debug_return_bool(true); /* nothing to do */
/* Increase the length of command_info as needed, it is *not* checked. */ /* Increase the length of command_info as needed, it is *not* checked. */
command_info = calloc(55, sizeof(char *)); command_info = calloc(57, sizeof(char *));
if (command_info == NULL) if (command_info == NULL)
goto oom; goto oom;
@@ -620,6 +620,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if (command_info[info_len++] == NULL) if (command_info[info_len++] == NULL)
goto oom; goto oom;
} }
if (def_log_children) {
if ((command_info[info_len++] = strdup("log_children=true")) == NULL)
goto oom;
}
if (def_log_input || def_log_output) { if (def_log_input || def_log_output) {
if (iolog_path) if (iolog_path)
command_info[info_len++] = iolog_path; /* now owned */ command_info[info_len++] = iolog_path; /* now owned */
@@ -765,6 +769,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL) if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL)
goto oom; goto oom;
} }
if (def_intercept) {
if ((command_info[info_len++] = strdup("intercept=true")) == NULL)
goto oom;
}
if (def_noexec) { if (def_noexec) {
if ((command_info[info_len++] = strdup("noexec=true")) == NULL) if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
goto oom; goto oom;

4426
plugins/sudoers/toke.c
View File

File diff suppressed because it is too large Load Diff

12
plugins/sudoers/toke.l
View File

@@ -2,7 +2,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2020 * Copyright (c) 1996, 1998-2005, 2007-2021
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@@ -446,6 +446,16 @@ EXEC[[:blank:]]*: {
return EXEC; return EXEC;
} }
INTERCEPT[[:blank:]]*: {
LEXTRACE("INTERCEPT ");
return INTERCEPT;
}
NOINTERCEPT[[:blank:]]*: {
LEXTRACE("NOINTERCEPT ");
return NOINTERCEPT;
}
SETENV[[:blank:]]*: { SETENV[[:blank:]]*: {
LEXTRACE("SETENV "); LEXTRACE("SETENV ");
return SETENV; return SETENV;