isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

match_command: apply runchroot if set when matching the command

Browse Source 
Previously we would prepend runchroot to the path we were checking
but that does not properly handle symbolic links.
This commit is contained in:
Todd C. Miller
2023-02-21 13:24:33 -07:00
parent bff4e3ce16
commit 78ff514358
3 changed files with 93 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
plugins/sudoers/match_digest.c
View File

@@ -39,7 +39,7 @@
#include <gram.h>
bool
digest_matches(int fd, const char *path, const char *runchroot,
digest_matches(int fd, const char *path,
const struct command_digest_list *digests)
{
unsigned int digest_type = SUDO_DIGEST_INVALID;
@@ -47,7 +47,6 @@ digest_matches(int fd, const char *path, const char *runchroot,
unsigned char *sudoers_digest = NULL;
struct command_digest *digest;
size_t digest_len = (size_t)-1;
char pathbuf[PATH_MAX];
bool matched = false;
debug_decl(digest_matches, SUDOERS_DEBUG_MATCH);
@@ -61,16 +60,6 @@ digest_matches(int fd, const char *path, const char *runchroot,
goto done;
}
if (runchroot != NULL) {
const int len =
snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
if (len >= ssizeof(pathbuf)) {
errno = ENAMETOOLONG;
debug_return_bool(false);
}
path = pathbuf;
}
TAILQ_FOREACH(digest, digests, entries) {
/* Compute file digest if needed. */
if (digest->digest_type != digest_type) {