isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add exec_background option in plugin command info and a sudoers

Browse Source 
option to match.  When set, commands are started in the background
and automatically foregrounded as needed.  There are issues with
some ill-mannered programs (like Linux su) so this is not the
default.
This commit is contained in:
Todd C. Miller
2013-01-11 14:34:09 -05:00
parent a6f3517f23
commit 9479bb623b
13 changed files with 351 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
doc/sudo_plugin.cat
View File

@@ -592,6 +592,49 @@ DDEESSCCRRIIPPTTIIOONN
If not set, ssuuddoo will base the new entry on the
invoking user's existing entry.
exec_background=bool
By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the
foreground. When _e_x_e_c___b_a_c_k_g_r_o_u_n_d is enabled and the
command is being run in a pty (due to I/O logging or
the _u_s_e___p_t_y setting), the command will be run as a
background process. Attempts to read from the
controlling terminal (or to change terminal settings)
will result in the command being suspended with the
SIGTTIN signal (or SIGTTOU in the case of terminal
settings). If this happens when ssuuddoo is a foreground
process, the command will be granted the controlling
terminal and resumed in the foreground with no user
intervention required. The advantage of initially
running the command in the background is that ssuuddoo need
not read from the terminal unless the command
explicitly requests it. Otherwise, any terminal input
must be passed to the command, whether it has required
it or not (the kernel buffers terminals so it is not
possible to tell whether the command really wants the
input). This is different from historic _s_u_d_o behavior
or when the command is not being run in a pty.
For this to work seamlessly, the operating system must
support the automatic restarting of system calls.
Unfortunately, not all operating systems do this by
default, and even those that do may have bugs. For
example, Mac OS X fails to restart the ttccggeettaattttrr() and
ttccsseettaattttrr() system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the
command stopping with the SIGTTIN or SIGTTOU signals,
programs that catch these signals and suspend
themselves with a different signal (usually SIGTOP)
will not be automatically foregrounded. Some versions
of the linux su(1) command behave this way. Because of
this, a plugin should not set _e_x_e_c___b_a_c_k_g_r_o_u_n_d unless it
is explicitly enabled by the administrator and there
should be a way to enabled or disable it on a per-
command basis.
This setting has no effect unless I/O logging is
enabled or _u_s_e___p_t_y is enabled.
Unsupported values will be ignored.
argv_out
@@ -1364,4 +1407,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.7 November 26, 2012 Sudo 1.8.7
Sudo 1.8.7 Janurary 11, 2013 Sudo 1.8.7

65
doc/sudo_plugin.man.in
View File

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\" Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDO_PLUGIN" "5" "November 26, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.TH "SUDO_PLUGIN" "5" "Janurary 11, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -1018,6 +1018,67 @@ If not set,
\fBsudo\fR
will base the new entry on
the invoking user's existing entry.
.TP 6n
exec_background=bool
By default,
\fBsudo\fR
runs a command as the foreground process as long as
\fBsudo\fR
itself is running in the foreground.
When
\fIexec_background\fR
is enabled and the command is being run in a pty (due to I/O logging
or the
\fIuse_pty\fR
setting), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
\fRSIGTTIN\fR
signal (or
\fRSIGTTOU\fR
in the case of terminal settings).
If this happens when
\fBsudo\fR
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
\fBsudo\fR
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
\fIsudo\fR
behavior or when the command is not being run in a pty.
.sp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, Mac OS X fails to restart the
\fBtcgetattr\fR()
and
\fBtcsetattr\fR()
system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the command stopping with the
\fRSIGTTIN\fR
or
\fRSIGTTOU\fR
signals, programs that catch these signals and suspend themselves
with a different signal (usually
\fRSIGTOP\fR)
will not be automatically foregrounded.
Some versions of the linux
su(1)
command behave this way.
Because of this, a plugin should not set
\fIexec_background\fR
unless it is explicitly enabled by the administrator and there should
be a way to enabled or disable it on a per-command basis.
.sp
This setting has no effect unless I/O logging is enabled or
\fIuse_pty\fR
is enabled.
.PP
Unsupported values will be ignored.
.PP

64
doc/sudo_plugin.mdoc.in
View File

@@ -1,5 +1,5 @@
.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\" Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 26, 2012
.Dd Janurary 11, 2013
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -900,6 +900,66 @@ If not set,
.Nm sudo
will base the new entry on
the invoking user's existing entry.
.It exec_background=bool
By default,
.Nm sudo
runs a command as the foreground process as long as
.Nm sudo
itself is running in the foreground.
When
.Em exec_background
is enabled and the command is being run in a pty (due to I/O logging
or the
.Em use_pty
setting), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
.Dv SIGTTIN
signal (or
.Dv SIGTTOU
in the case of terminal settings).
If this happens when
.Nm sudo
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
.Nm sudo
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
.Em sudo
behavior or when the command is not being run in a pty.
.Pp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, Mac OS X fails to restart the
.Fn tcgetattr
and
.Fn tcsetattr
system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the command stopping with the
.Dv SIGTTIN
or
.Dv SIGTTOU
signals, programs that catch these signals and suspend themselves
with a different signal (usually
.Dv SIGTOP )
will not be automatically foregrounded.
Some versions of the linux
.Xr su 1
command behave this way.
Because of this, a plugin should not set
.Em exec_background
unless it is explicitly enabled by the administrator and there should
be a way to enabled or disable it on a per-command basis.
.Pp
This setting has no effect unless I/O logging is enabled or
.Em use_pty
is enabled.
.El
.Pp
Unsupported values will be ignored.

40
doc/sudoers.cat
View File

@@ -732,6 +732,44 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
This flag is _o_n by default when ssuuddoo is compiled with
zzlliibb support.
exec_background By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the
foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled
and the command is being run in a pty (due to I/O
logging or the _u_s_e___p_t_y flag), the command will be run
as a background process. Attempts to read from the
controlling terminal (or to change terminal settings)
will result in the command being suspended with the
SIGTTIN signal (or SIGTTOU in the case of terminal
settings). If this happens when ssuuddoo is a foreground
process, the command will be granted the controlling
terminal and resumed in the foreground with no user
intervention required. The advantage of initially
running the command in the background is that ssuuddoo need
not read from the terminal unless the command
explicitly requests it. Otherwise, any terminal input
must be passed to the command, whether it has required
it or not (the kernel buffers terminals so it is not
possible to tell whether the command really wants the
input). This is different from historic _s_u_d_o behavior
or when the command is not being run in a pty.
For this to work seamlessly, the operating system must
support the automatic restarting of system calls.
Unfortunately, not all operating systems do this by
default, and even those that do may have bugs. For
example, Mac OS X fails to restart the ttccggeettaattttrr() and
ttccsseettaattttrr() system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the
command stopping with the SIGTTIN or SIGTTOU signals,
programs that catch these signals and suspend
themselves with a different signal (usually SIGTOP)
will not be automatically foregrounded. Some versions
of the linux su(1) command behave this way.
This setting has no effect unless I/O logging is
enabled or _u_s_e___p_t_y is enabled.
env_editor If set, vviissuuddoo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
@@ -2092,4 +2130,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.6 October 23, 2012 Sudo 1.8.6
Sudo 1.8.7 October 23, 2012 Sudo 1.8.7

59
doc/sudoers.man.in
View File

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -1639,6 +1639,63 @@ is compiled with
\fBzlib\fR
support.
.TP 18n
exec_background
By default,
\fBsudo\fR
runs a command as the foreground process as long as
\fBsudo\fR
itself is running in the foreground.
When the
\fIexec_background\fR
flag is enabled and the command is being run in a pty (due to I/O logging
or the
\fIuse_pty\fR
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
\fRSIGTTIN\fR
signal (or
\fRSIGTTOU\fR
in the case of terminal settings).
If this happens when
\fBsudo\fR
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
\fBsudo\fR
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
\fIsudo\fR
behavior or when the command is not being run in a pty.
.sp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, Mac OS X fails to restart the
\fBtcgetattr\fR()
and
\fBtcsetattr\fR()
system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the command stopping with the
\fRSIGTTIN\fR
or
\fRSIGTTOU\fR
signals, programs that catch these signals and suspend themselves
with a different signal (usually
\fRSIGTOP\fR)
will not be automatically foregrounded.
Some versions of the linux
su(1)
command behave this way.
.sp
This setting has no effect unless I/O logging is enabled or
\fIuse_pty\fR
is enabled.
.TP 18n
env_editor
If set,
\fBvisudo\fR

60
doc/sudoers.mdoc.in
View File

@@ -1,5 +1,5 @@
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd October 23, 2012
.Dd January 11, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -1521,6 +1521,62 @@ by default when
is compiled with
.Sy zlib
support.
.It exec_background
By default,
.Nm sudo
runs a command as the foreground process as long as
.Nm sudo
itself is running in the foreground.
When the
.Em exec_background
flag is enabled and the command is being run in a pty (due to I/O logging
or the
.Em use_pty
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
.Dv SIGTTIN
signal (or
.Dv SIGTTOU
in the case of terminal settings).
If this happens when
.Nm sudo
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
.Nm sudo
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
.Em sudo
behavior or when the command is not being run in a pty.
.Pp
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, Mac OS X fails to restart the
.Fn tcgetattr
and
.Fn tcsetattr
system calls (this is a bug in Mac OS X).
Furthermore, because this behavior depends on the command stopping with the
.Dv SIGTTIN
or
.Dv SIGTTOU
signals, programs that catch these signals and suspend themselves
with a different signal (usually
.Dv SIGTOP )
will not be automatically foregrounded.
Some versions of the linux
.Xr su 1
command behave this way.
.Pp
This setting has no effect unless I/O logging is enabled or
.Em use_pty
is enabled.
.It env_editor
If set,
.Nm visudo

4
plugins/sudoers/def_data.c
View File

@@ -350,6 +350,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"limitprivs", T_STR,
N_("Set of limit privileges"),
NULL,
}, {
"exec_background", T_FLAG,
N_("Run commands on a pty in the background"),
NULL,
}, {
NULL, 0, NULL
}

2
plugins/sudoers/def_data.h
View File

@@ -162,6 +162,8 @@
#define I_PRIVS 80
#define def_limitprivs (sudo_defs_table[81].sd_un.str)
#define I_LIMITPRIVS 81
#define def_exec_background (sudo_defs_table[82].sd_un.flag)
#define I_EXEC_BACKGROUND 82
enum def_tuple {
never,

3
plugins/sudoers/def_data.in
View File

@@ -259,3 +259,6 @@ privs
limitprivs
T_STR
"Set of limit privileges"
exec_background
T_FLAG
"Run commands on a pty in the background"

4
plugins/sudoers/sudoers.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1993-1996, 1998-2012 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 1993-1996, 1998-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -526,7 +526,7 @@ done:
error_disable_setjmp();
rewind_perms();
/* Restore signal handlers before we exec. */
/* Restore signal handlers before we return. */
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);

29
src/exec_pty.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -78,18 +78,6 @@
# define winsize ttysize
#endif
/*
* Mac OS X has a bug wrt tc[gs]etpgrp where it returns EINTR if interrupted
* by a signal (usually SIGTTOU or SIGTTIN) instead of being restarted
* automatically (via ERESTART in the kernel). On other systems we can start
* the command in the background which prevents sudo from stealing /dev/tty
* input when it doesn't need to. When the command receives SIGTTOU or SIGTTIN,
* sudo will continue it in the foreground (assuming sudo is in the foreground).
*/
#ifdef __APPLE__
# define TCSETATTR_NO_RESTART
#endif
struct io_buffer {
struct io_buffer *next;
int len; /* buffer length (how much produced) */
@@ -676,9 +664,8 @@ fork_pty(struct command_details *details, int sv[], int *maxfd, sigset_t *omask)
sync_ttysize(io_fds[SFD_USERTTY], io_fds[SFD_SLAVE]);
}
#ifdef TCSETATTR_NO_RESTART
/* Start out in raw mode if we are not part of a pipeline. */
if (!pipeline) {
/* Start out in raw mode unless part of a pipeline or backgrounded. */
if (!pipeline && !ISSET(details->flags, CD_EXEC_BG)) {
ttymode = TERM_RAW;
do {
n = term_raw(io_fds[SFD_USERTTY], 0);
@@ -686,7 +673,6 @@ fork_pty(struct command_details *details, int sv[], int *maxfd, sigset_t *omask)
if (!n)
error(1, _("unable to set terminal to raw mode"));
}
#endif
}
/*
@@ -1111,14 +1097,13 @@ exec_monitor(struct command_details *details, int backchannel)
/* Put command in its own process group. */
cmnd_pgrp = cmnd_pid;
setpgid(cmnd_pid, cmnd_pgrp);
#ifdef TCSETATTR_NO_RESTART
/* Make the command the foreground process for the pty slave. */
if (foreground) {
if (foreground && !ISSET(details->flags, CD_EXEC_BG)) {
do {
n = tcsetpgrp(io_fds[SFD_SLAVE], cmnd_pgrp);
} while (n == -1 && errno == EINTR);
}
#endif
/* Wait for errno on pipe, signal on backchannel or for SIGCHLD */
maxfd = MAX(MAX(errpipe[0], signal_pipe[0]), backchannel);
@@ -1311,13 +1296,11 @@ exec_pty(struct command_details *details, int *errfd)
dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
error(1, "dup2");
#ifdef TCSETATTR_NO_RESTART
/* Wait for parent to grant us the tty if we are foreground. */
if (foreground) {
if (foreground && !ISSET(details->flags, CD_EXEC_BG)) {
while (tcgetpgrp(io_fds[SFD_SLAVE]) != self)
; /* spin */
}
#endif
/* We have guaranteed that the slave fd is > 2 */
if (io_fds[SFD_SLAVE] != -1)

9
src/sudo.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -543,6 +543,13 @@ command_info_to_details(char * const info[], struct command_details *details)
break;
}
break;
case 'e':
if (strncmp("exec_background=", info[i], sizeof("exec_background=") - 1) == 0) {
if (atobool(info[i] + sizeof("exec_background=") - 1) == true)
SET(details->flags, CD_EXEC_BG);
break;
}
break;
case 'l':
SET_STRING("login_class=", login_class)
break;

3
src/sudo.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1993-1996, 1998-2005, 2007-2012
* Copyright (c) 1993-1996, 1998-2005, 2007-2013
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
@@ -128,6 +128,7 @@ struct user_details {
#define CD_RBAC_ENABLED 0x0800
#define CD_USE_PTY 0x1000
#define CD_SET_UTMP 0x2000
#define CD_EXEC_BG 0x4000
struct command_details {
uid_t uid;