Add execv(3) support to sudo_intercept.so.
This allows intercept to work with csh, which calls execv(3) rather than execve(2).
@@ -769,10 +769,10 @@ front end configuration
|
|||||||
# Sudo command interception:
|
# Sudo command interception:
|
||||||
# Path intercept /path/to/sudo_intercept.so
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
#
|
#
|
||||||
# Path to a shared library containing replacements for the execv(),
|
# Path to a shared library containing replacements for the execv()
|
||||||
# execve() and fexecve() library functions that perform a policy check
|
# and execve() library functions that perform a policy check to verify
|
||||||
# to verify the command is allowed and simply return an error if not.
|
# the command is allowed and simply return an error if not. This is
|
||||||
# This is used to implement the "intercept" functionality on systems that
|
# used to implement the "intercept" functionality on systems that
|
||||||
# support LD_PRELOAD or its equivalent.
|
# support LD_PRELOAD or its equivalent.
|
||||||
#
|
#
|
||||||
# The compiled-in value is usually sufficient and should only be changed
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
@@ -784,10 +784,10 @@ front end configuration
|
|||||||
# Sudo noexec:
|
# Sudo noexec:
|
||||||
# Path noexec /path/to/sudo_noexec.so
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
#
|
#
|
||||||
# Path to a shared library containing replacements for the execv(),
|
# Path to a shared library containing replacements for the execv()
|
||||||
# execve() and fexecve() library functions that just return an error.
|
# family of library functions that just return an error. This is
|
||||||
# This is used to implement the "noexec" functionality on systems that
|
# used to implement the "noexec" functionality on systems that support
|
||||||
# support LD_PRELOAD or its equivalent.
|
# LD_PRELOAD or its equivalent.
|
||||||
#
|
#
|
||||||
# The compiled-in value is usually sufficient and should only be changed
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
# if you rename or move the sudo_noexec.so file.
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
@@ -699,10 +699,10 @@ front end configuration
|
|||||||
# Sudo command interception:
|
# Sudo command interception:
|
||||||
# Path intercept /path/to/sudo_intercept.so
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
#
|
#
|
||||||
# Path to a shared library containing replacements for the execv(),
|
# Path to a shared library containing replacements for the execv()
|
||||||
# execve() and fexecve() library functions that perform a policy check
|
# and execve() library functions that perform a policy check to verify
|
||||||
# to verify the command is allowed and simply return an error if not.
|
# the command is allowed and simply return an error if not. This is
|
||||||
# This is used to implement the "intercept" functionality on systems that
|
# used to implement the "intercept" functionality on systems that
|
||||||
# support LD_PRELOAD or its equivalent.
|
# support LD_PRELOAD or its equivalent.
|
||||||
#
|
#
|
||||||
# The compiled-in value is usually sufficient and should only be changed
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
@@ -714,10 +714,10 @@ front end configuration
|
|||||||
# Sudo noexec:
|
# Sudo noexec:
|
||||||
# Path noexec /path/to/sudo_noexec.so
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
#
|
#
|
||||||
# Path to a shared library containing replacements for the execv(),
|
# Path to a shared library containing replacements for the execv()
|
||||||
# execve() and fexecve() library functions that just return an error.
|
# family of library functions that just return an error. This is
|
||||||
# This is used to implement the "noexec" functionality on systems that
|
# used to implement the "noexec" functionality on systems that support
|
||||||
# support LD_PRELOAD or its equivalent.
|
# LD_PRELOAD or its equivalent.
|
||||||
#
|
#
|
||||||
# The compiled-in value is usually sufficient and should only be changed
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
# if you rename or move the sudo_noexec.so file.
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
@@ -2763,8 +2763,10 @@ If set,
|
|||||||
\fBsudoers\fR
|
\fBsudoers\fR
|
||||||
will log when a command spawns a child process and executes a program
|
will log when a command spawns a child process and executes a program
|
||||||
using the
|
using the
|
||||||
|
\fBexecv\fR()
|
||||||
|
or
|
||||||
\fBexecve\fR()
|
\fBexecve\fR()
|
||||||
system call.
|
library functions.
|
||||||
For example, if a shell is run by
|
For example, if a shell is run by
|
||||||
\fBsudo\fR,
|
\fBsudo\fR,
|
||||||
the individual commands run via the shell will be logged.
|
the individual commands run via the shell will be logged.
|
||||||
|
@@ -2603,8 +2603,10 @@ If set,
|
|||||||
.Nm
|
.Nm
|
||||||
will log when a command spawns a child process and executes a program
|
will log when a command spawns a child process and executes a program
|
||||||
using the
|
using the
|
||||||
|
.Fn execv
|
||||||
|
or
|
||||||
.Fn execve
|
.Fn execve
|
||||||
system call.
|
library functions.
|
||||||
For example, if a shell is run by
|
For example, if a shell is run by
|
||||||
.Nm sudo ,
|
.Nm sudo ,
|
||||||
the individual commands run via the shell will be logged.
|
the individual commands run via the shell will be logged.
|
||||||
|
@@ -1 +1,2 @@
|
|||||||
|
execv
|
||||||
execve
|
execve
|
||||||
|
@@ -48,6 +48,7 @@
|
|||||||
#include "sudo_util.h"
|
#include "sudo_util.h"
|
||||||
#include "pathnames.h"
|
#include "pathnames.h"
|
||||||
|
|
||||||
|
extern char **environ;
|
||||||
extern bool command_allowed(const char *cmnd, char * const argv[], char * const envp[], char **ncmnd, char ***nargv, char ***nenvp);
|
extern bool command_allowed(const char *cmnd, char * const argv[], char * const envp[], char **ncmnd, char ***nargv, char ***nenvp);
|
||||||
|
|
||||||
#ifdef HAVE___INTERPOSE
|
#ifdef HAVE___INTERPOSE
|
||||||
@@ -81,10 +82,17 @@ my_execve(const char *cmnd, char * const argv[], char * const envp[])
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
my_execv(const char *cmnd, char * const argv[])
|
||||||
|
{
|
||||||
|
return my_execve(cmnd, argv, environ);
|
||||||
|
}
|
||||||
|
|
||||||
/* Magic to tell dyld to do symbol interposition. */
|
/* Magic to tell dyld to do symbol interposition. */
|
||||||
__attribute__((__used__)) static const interpose_t interposers[]
|
__attribute__((__used__)) static const interpose_t interposers[]
|
||||||
__attribute__((__section__("__DATA,__interpose"))) = {
|
__attribute__((__section__("__DATA,__interpose"))) = {
|
||||||
{ (void *)my_execve, (void *)execve }
|
{ (void *)my_execve, (void *)execve }
|
||||||
|
{ (void *)my_execv, (void *)execv }
|
||||||
};
|
};
|
||||||
|
|
||||||
#else /* HAVE___INTERPOSE */
|
#else /* HAVE___INTERPOSE */
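Review bot: As rendered, the existing interposers entry `{ (void *)my_execve, (void *)execve }` is shown unchanged and is followed directly by the new `{ (void *)my_execv, (void *)execv }` entry; if that is faithful to the patch, the two aggregate initializers have no separating comma and the HAVE___INTERPOSE build will not compile. The first entry should read `{ (void *)my_execve, (void *)execve },` so that every existing entry carries a trailing comma as further exec variants are added. Separately, my_execv reads `environ` directly from inside a shared library; on macOS, which this dyld interposition path targets, Apple documents that shared libraries should obtain the environment via `_NSGetEnviron()` rather than `environ`, so confirm that this links and resolves correctly there. A one-line comment on my_execv, `/* execv(3) is execve(2) with the caller's environment; route it through my_execve() so the policy check runs. */`, would make the intent clear.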
|
||||||
@@ -148,4 +156,10 @@ execve(const char *cmnd, char * const argv[], char * const envp[])
|
|||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sudo_dso_public int
|
||||||
|
execv(const char *cmnd, char * const argv[])
|
||||||
|
{
|
||||||
|
return execve(cmnd, argv, environ);
|
||||||
|
}
|
||||||
#endif /* HAVE___INTERPOSE) */
|
#endif /* HAVE___INTERPOSE) */
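Review bot: The new execv wrapper is undocumented and its correctness depends on the unqualified `execve(cmnd, argv, environ)` call binding to this library's own execve() wrapper, not libc's, which is what makes the policy check run; a comment recording that, e.g. `/* execv(3) is execve(2) with the caller's environment; call our execve() wrapper above so the policy check runs. */`, would stop a future reader from "fixing" it into a direct syscall. The two-symbol export list in the `@@ -1 +1,2 @@` hunk, presumably this library's, means programs that call execvp(3), execl(3), posix_spawn(3) or system(3) are still not subject to the intercept policy check, so the sudo.conf and manual text should not be read as full exec-family coverage; stating that limitation next to the wrapper or in the sudo.conf comment would help administrators. The enclosing #else branch begins outside this hunk.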
|
||||||
|