From 788708c9ff925a79ffdd56612f86d3dfc36d7232 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 9 Aug 2021 15:50:26 -0600
Subject: [PATCH] Add intercept_authenticate sudoers option, defaults to false.
 By default, sudoers will not require authentication of commands run via an
 intercepted session.  To require authenticaton of subsequent commands, enable
 intercept_authenticate in sudoers.

---
 doc/sudoers.man.in          | 19 +++++++++++++++++++
 doc/sudoers.mdoc.in         | 18 ++++++++++++++++++
 plugins/sudoers/check.c     | 10 ++++++++--
 plugins/sudoers/def_data.c  |  4 ++++
 plugins/sudoers/def_data.h  |  2 ++
 plugins/sudoers/def_data.in |  3 +++
 plugins/sudoers/policy.c    |  3 ++-
 plugins/sudoers/sudoers.c   |  8 ++++++++
 plugins/sudoers/sudoers.h   |  4 ++++
 9 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 6ba1a89a2..0f4c32187 100644
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -3049,6 +3049,25 @@ above as well as the
 section at the end of this manual.
 This flag is
 \fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.9.8 or higher.
+.TP 18n
+intercept_authenticate
+If set, commands run by an intercepted process must be authenticated
+when the user's time stamp is not current.
+For example, if a shell is run with
+\fIintercept\fR
+enabled, as soon as the invoking user's time stamp is out of date,
+subsequent commands will need to be authenticated.
+This flag has no effect unless the
+\fIintercept\fR
+flag is enabled or the
+\fIINTERCEPT\fR
+tag has been set for the command.
+This flag is
+\fIoff\fR
+by default.
 .sp
 This setting is only supported by version 1.9.8 or higher.
 .TP 18n
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 73fd8bbfd..6e4c4af2b 100644
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -2871,6 +2871,24 @@ above as well as the
 section at the end of this manual.
 This flag is
 .Em off
+by default.
+.Pp
+This setting is only supported by version 1.9.8 or higher.
+.It intercept_authenticate
+If set, commands run by an intercepted process must be authenticated
+when the user's time stamp is not current.
+For example, if a shell is run with
+.Em intercept
+enabled, as soon as the invoking user's time stamp is out of date,
+subsequent commands will need to be authenticated.
+This flag has no effect unless the
+.Em intercept
+flag is enabled or the
+.Em INTERCEPT
+tag has been set for the command.
+This flag is
+.Em off
+by default.
 .Pp
 This setting is only supported by version 1.9.8 or higher.
 .It netgroup_tuple
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index 4a7bb5edd..4d7b5e490 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -299,8 +299,14 @@ user_is_exempt(void)
     bool ret = false;
     debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);
 
-    if (def_exempt_group)
-	ret = user_in_group(sudo_user.pw, def_exempt_group);
+    if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED)) {
+	if (!def_intercept_authenticate)
+	    ret = true;
+    }
+    if (def_exempt_group) {
+	if (user_in_group(sudo_user.pw, def_exempt_group))
+	    ret = true;
+    }
     debug_return_bool(ret);
 }
 
diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
index b169a9fa6..06d3db6a6 100644
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -589,6 +589,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"log_exit_status", T_FLAG,
 	N_("Log the exit status of commands"),
 	NULL,
+    }, {
+	"intercept_authenticate", T_FLAG,
+	N_("Subsequent commands in an intercepted session must be authenticated"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }
diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
index ef0928354..e1cbb9c7e 100644
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -272,6 +272,8 @@
 #define def_log_children        (sudo_defs_table[I_LOG_CHILDREN].sd_un.flag)
 #define I_LOG_EXIT_STATUS       135
 #define def_log_exit_status     (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
+#define I_INTERCEPT_AUTHENTICATE 136
+#define def_intercept_authenticate (sudo_defs_table[I_INTERCEPT_AUTHENTICATE].sd_un.flag)
 
 enum def_tuple {
     never,
diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
index 04d592d17..6309fb6ae 100644
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -424,3 +424,6 @@ log_children
 log_exit_status
 	T_FLAG
 	"Log the exit status of commands"
+intercept_authenticate
+	T_FLAG
+	"Subsequent commands in an intercepted session must be authenticated"
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 055b6f3da..eba3d7306 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -81,7 +81,7 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
     }
 }
 
-#define RUN_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_IMPLIED_SHELL|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_PRESERVE_GROUPS|MODE_SHELL|MODE_RUN)
+#define RUN_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_IMPLIED_SHELL|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_PRESERVE_GROUPS|MODE_SHELL|MODE_RUN|MODE_POLICY_INTERCEPTED)
 #define EDIT_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_EDIT)
 #define LIST_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_LIST|MODE_CHECK)
 #define VALIDATE_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_VALIDATE)
@@ -184,6 +184,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
     }
 
     /* Parse command line settings. */
+    sudo_mode = 0;
     user_closefrom = -1;
     for (cur = info->settings; *cur != NULL; cur++) {
 	if (MATCHES(*cur, "closefrom=")) {
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 9a61d8d72..563875387 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -383,6 +383,14 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	debug_return_int(-1);
     }
 
+    /* Was previous command was intercepted? */
+    if (def_intercept)
+	SET(sudo_mode, MODE_POLICY_INTERCEPTED);
+
+    /* Only certain mode flags are legal for intercepted commands. */
+    if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
+	sudo_mode &= MODE_INTERCEPT_MASK;
+
     /* Re-initialize defaults if we are called multiple times. */
     if (need_reinit) {
 	if (!sudoers_reinit_defaults())
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 6b50e81f0..10431627d 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -194,6 +194,10 @@ struct sudo_user {
 #define MODE_PRESERVE_ENV	0x00400000
 #define MODE_NONINTERACTIVE	0x00800000
 #define MODE_IGNORE_TICKET	0x01000000
+#define MODE_POLICY_INTERCEPTED	0x02000000
+
+/* Mode bits allowed for intercepted commands. */
+#define MODE_INTERCEPT_MASK	(MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED)
 
 /*
  * Used with set_perms()