Call closefrom() before we change to a non-root UID.

This prevents another process from changing the NOFILE resource limit
of the child process and defeating the closefrom() call.
Reported by Joe Vennix from Apple Information Security.
Todd C. Miller
2019-11-02 10:51:49 -06:00
parent fd9fa6bcaa
commit 7acbfc18a9
2 changed files with 32 additions and 19 deletions


@@ -318,6 +318,8 @@ sudo_askpass(const char *askpass, const char *prompt)
}
if (setuid(ROOT_UID) == -1)
sudo_warn("setuid(%d)", ROOT_UID);
/* Close fds before uid change to prevent prlimit sabotage on Linux. */
closefrom(STDERR_FILENO + 1);
if (setgid(user_details.gid)) {
sudo_warn(U_("unable to set gid to %u"), (unsigned int)user_details.gid);
_exit(255);
@@ -326,7 +328,6 @@ sudo_askpass(const char *askpass, const char *prompt)
sudo_warn(U_("unable to set uid to %u"), (unsigned int)user_details.uid);
_exit(255);
}
closefrom(STDERR_FILENO + 1);
execl(askpass, askpass, prompt, (char *)NULL);
sudo_warn(U_("unable to run %s"), askpass);
_exit(255);
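Review bot: The comment added above the first `closefrom(STDERR_FILENO + 1)` names the threat but not the ordering rule the fix depends on, so a later cleanup could move the call back below the setgid()/setuid() block without anyone noticing the regression. I would spell the invariant out, for example `/* Must run while still root: after the uid drop, a process owned by the invoking user can lower our RLIMIT_NOFILE via prlimit(2), and a closefrom() that bounds its scan by that limit would leave inherited fds open for askpass. */`. The commit message says that closefrom() can be defeated through the NOFILE limit; the closefrom() implementation itself is not visible here, so the wording should be checked against it. The body of sudo_askpass starts and ends outside these hunks, so I cannot tell whether other descriptors are opened between this call and execl().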