intercept_verify also compares the environment.
Also mention the overhead involved in checking things.
@@ -25,7 +25,7 @@
|
|||||||
.nr BA @BAMAN@
|
.nr BA @BAMAN@
|
||||||
.nr LC @LCMAN@
|
.nr LC @LCMAN@
|
||||||
.nr PS @PSMAN@
|
.nr PS @PSMAN@
|
||||||
.TH "SUDOERS" "@mansectform@" "August 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
.TH "SUDOERS" "@mansectform@" "August 23, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||||
.nh
|
.nh
|
||||||
.if n .ad l
|
.if n .ad l
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
@@ -3403,19 +3403,35 @@ intercept_verify
|
|||||||
If set,
|
If set,
|
||||||
\fBsudo\fR
|
\fBsudo\fR
|
||||||
will attempt to verify that a command run in intercept mode has
|
will attempt to verify that a command run in intercept mode has
|
||||||
the expected path name and command line arguments.
|
the expected path name, command line arguments and environment.
|
||||||
The process is stopped after
|
.sp
|
||||||
|
The process will be stopped after
|
||||||
execve(2)
|
execve(2)
|
||||||
has completed but before the new command has had a chance to run.
|
has completed but before the new command has had a chance to run.
|
||||||
In the case of a path name or argument mismatch, the command will be sent a
|
To verify the command,
|
||||||
|
\fBsudo\fR
|
||||||
|
will read the command's path from
|
||||||
|
\fI/proc/PID/exe\fR,
|
||||||
|
the command line arguments and environment from the process's memory,
|
||||||
|
and compare them against the arguments that were passed to
|
||||||
|
execve(2).
|
||||||
|
In the event of a mismatch, the command will be sent a
|
||||||
\fRSIGKILL\fR
|
\fRSIGKILL\fR
|
||||||
signal and terminated.
|
signal and terminated.
|
||||||
|
.sp
|
||||||
This can help prevent a time of check versus time of use issue with
|
This can help prevent a time of check versus time of use issue with
|
||||||
intercept mode where the
|
intercept mode where the
|
||||||
execve(2)
|
execve(2)
|
||||||
arguments could be altered after the
|
arguments could be altered after the
|
||||||
\fBsudoers\fR
|
\fBsudoers\fR
|
||||||
policy check.
|
policy check.
|
||||||
|
The checks can only be performed if the
|
||||||
|
proc(@mansectform@)
|
||||||
|
file system is available.
|
||||||
|
The additional overhead from
|
||||||
|
\fIintercept_verify\fR
|
||||||
|
can slow down intercept mode considerably for shell scripts that
|
||||||
|
execute a large number of commands.
|
||||||
This flag has no effect unless the
|
This flag has no effect unless the
|
||||||
\fIintercept\fR
|
\fIintercept\fR
|
||||||
flag is enabled or the
|
flag is enabled or the
|
||||||
|
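Review bot: the new text in this hunk leaves the failure mode unstated when the check cannot run: "The checks can only be performed if the proc(@mansectform@) file system is available" does not say whether sudo then runs the command unverified or refuses it. Since the option exists to close the time of check versus time of use window described two sentences earlier, an administrator enabling it needs to know whether an unavailable proc file system silently disables the protection. Suggest adding one sentence after "file system is available." stating what sudo does in that case, and for the same reason covering what happens when \fI/proc/PID/exe\fR or the process's memory cannot be read at all (the process has already exited, or the read fails), since the text currently only describes the mismatch case that is sent SIGKILL.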
@@ -25,7 +25,7 @@
|
|||||||
.nr BA @BAMAN@
|
.nr BA @BAMAN@
|
||||||
.nr LC @LCMAN@
|
.nr LC @LCMAN@
|
||||||
.nr PS @PSMAN@
|
.nr PS @PSMAN@
|
||||||
.Dd August 11, 2022
|
.Dd August 23, 2022
|
||||||
.Dt SUDOERS @mansectform@
|
.Dt SUDOERS @mansectform@
|
||||||
.Os Sudo @PACKAGE_VERSION@
|
.Os Sudo @PACKAGE_VERSION@
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -3224,19 +3224,35 @@ This setting is only supported by version 1.9.8 or higher.
|
|||||||
If set,
|
If set,
|
||||||
.Nm sudo
|
.Nm sudo
|
||||||
will attempt to verify that a command run in intercept mode has
|
will attempt to verify that a command run in intercept mode has
|
||||||
the expected path name and command line arguments.
|
the expected path name, command line arguments and environment.
|
||||||
The process is stopped after
|
.Pp
|
||||||
|
The process will be stopped after
|
||||||
.Xr execve 2
|
.Xr execve 2
|
||||||
has completed but before the new command has had a chance to run.
|
has completed but before the new command has had a chance to run.
|
||||||
In the case of a path name or argument mismatch, the command will be sent a
|
To verify the command,
|
||||||
|
.Nm sudo
|
||||||
|
will read the command's path from
|
||||||
|
.Pa /proc/PID/exe ,
|
||||||
|
the command line arguments and environment from the process's memory,
|
||||||
|
and compare them against the arguments that were passed to
|
||||||
|
.Xr execve 2 .
|
||||||
|
In the event of a mismatch, the command will be sent a
|
||||||
.Dv SIGKILL
|
.Dv SIGKILL
|
||||||
signal and terminated.
|
signal and terminated.
|
||||||
|
.Pp
|
||||||
This can help prevent a time of check versus time of use issue with
|
This can help prevent a time of check versus time of use issue with
|
||||||
intercept mode where the
|
intercept mode where the
|
||||||
.Xr execve 2
|
.Xr execve 2
|
||||||
arguments could be altered after the
|
arguments could be altered after the
|
||||||
.Nm
|
.Nm
|
||||||
policy check.
|
policy check.
|
||||||
|
The checks can only be performed if the
|
||||||
|
.Xr proc @mansectform@
|
||||||
|
file system is available.
|
||||||
|
The additional overhead from
|
||||||
|
.Em intercept_verify
|
||||||
|
can slow down intercept mode considerably for shell scripts that
|
||||||
|
execute a large number of commands.
|
||||||
This flag has no effect unless the
|
This flag has no effect unless the
|
||||||
.Em intercept
|
.Em intercept
|
||||||
flag is enabled or the
|
flag is enabled or the
|
||||||
|
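Review bot: the hunk header's context line "This setting is only supported by version 1.9.8 or higher." shows the convention this page uses for version notes, but the expanded behaviour added here (comparing the environment, reading the path from .Pa /proc/PID/exe and the arguments from process memory) carries no version marker, so a reader running a release that only verified the path and arguments cannot tell which description applies to them. Suggest adding a sentence in the same form after "execute a large number of commands." noting the version in which the environment check was added. Otherwise the text matches the sudoers.man.in hunk word for word, and the .Pp breaks and the trailing " ," and " ." on the .Pa and .Xr lines follow mdoc usage.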