Add execv(3) support to sudo_intercept.so.
This allows intercept to work with csh which uses execv(3) not execve(2).
@@ -769,10 +769,10 @@ front end configuration
|
||||
# Sudo command interception:
|
||||
# Path intercept /path/to/sudo_intercept.so
|
||||
#
|
||||
# Path to a shared library containing replacements for the execv(),
|
||||
# execve() and fexecve() library functions that perform a policy check
|
||||
# to verify the command is allowed and simply return an error if not.
|
||||
# This is used to implement the "intercept" functionality on systems that
|
||||
# Path to a shared library containing replacements for the execv()
|
||||
# and execve() library functions that perform a policy check to verify
|
||||
# the command is allowed and simply return an error if not. This is
|
||||
# used to implement the "intercept" functionality on systems that
|
||||
# support LD_PRELOAD or its equivalent.
|
||||
#
|
||||
# The compiled-in value is usually sufficient and should only be changed
|
||||
@@ -784,10 +784,10 @@ front end configuration
|
||||
# Sudo noexec:
|
||||
# Path noexec /path/to/sudo_noexec.so
|
||||
#
|
||||
# Path to a shared library containing replacements for the execv(),
|
||||
# execve() and fexecve() library functions that just return an error.
|
||||
# This is used to implement the "noexec" functionality on systems that
|
||||
# support LD_PRELOAD or its equivalent.
|
||||
# Path to a shared library containing replacements for the execv()
|
||||
# family of library functions that just return an error. This is
|
||||
# used to implement the "noexec" functionality on systems that support
|
||||
# LD_PRELOAD or its equivalent.
|
||||
#
|
||||
# The compiled-in value is usually sufficient and should only be changed
|
||||
# if you rename or move the sudo_noexec.so file.
|
||||
|
@@ -699,10 +699,10 @@ front end configuration
|
||||
# Sudo command interception:
|
||||
# Path intercept /path/to/sudo_intercept.so
|
||||
#
|
||||
# Path to a shared library containing replacements for the execv(),
|
||||
# execve() and fexecve() library functions that perform a policy check
|
||||
# to verify the command is allowed and simply return an error if not.
|
||||
# This is used to implement the "intercept" functionality on systems that
|
||||
# Path to a shared library containing replacements for the execv()
|
||||
# and execve() library functions that perform a policy check to verify
|
||||
# the command is allowed and simply return an error if not. This is
|
||||
# used to implement the "intercept" functionality on systems that
|
||||
# support LD_PRELOAD or its equivalent.
|
||||
#
|
||||
# The compiled-in value is usually sufficient and should only be changed
|
||||
@@ -714,10 +714,10 @@ front end configuration
|
||||
# Sudo noexec:
|
||||
# Path noexec /path/to/sudo_noexec.so
|
||||
#
|
||||
# Path to a shared library containing replacements for the execv(),
|
||||
# execve() and fexecve() library functions that just return an error.
|
||||
# This is used to implement the "noexec" functionality on systems that
|
||||
# support LD_PRELOAD or its equivalent.
|
||||
# Path to a shared library containing replacements for the execv()
|
||||
# family of library functions that just return an error. This is
|
||||
# used to implement the "noexec" functionality on systems that support
|
||||
# LD_PRELOAD or its equivalent.
|
||||
#
|
||||
# The compiled-in value is usually sufficient and should only be changed
|
||||
# if you rename or move the sudo_noexec.so file.
|
||||
|
@@ -2763,8 +2763,10 @@ If set,
|
||||
\fBsudoers\fR
|
||||
will log when a command spawns a child process and executes a program
|
||||
using the
|
||||
\fBexecv\fR()
|
||||
or
|
||||
\fBexecve\fR()
|
||||
system call.
|
||||
library functions.
|
||||
For example, if a shell is run by
|
||||
\fBsudo\fR,
|
||||
the individual commands run via the shell will be logged.
|
||||
|
@@ -2603,8 +2603,10 @@ If set,
|
||||
.Nm
|
||||
will log when a command spawns a child process and executes a program
|
||||
using the
|
||||
.Fn execv
|
||||
or
|
||||
.Fn execve
|
||||
system call.
|
||||
library functions.
|
||||
For example, if a shell is run by
|
||||
.Nm sudo ,
|
||||
the individual commands run via the shell will be logged.
|
||||
|
@@ -1 +1,2 @@
|
||||
execv
|
||||
execve
|
||||
|
@@ -48,6 +48,7 @@
|
||||
#include "sudo_util.h"
|
||||
#include "pathnames.h"
|
||||
|
||||
extern char **environ;
|
||||
extern bool command_allowed(const char *cmnd, char * const argv[], char * const envp[], char **ncmnd, char ***nargv, char ***nenvp);
|
||||
|
||||
#ifdef HAVE___INTERPOSE
|
||||
@@ -81,10 +82,17 @@ my_execve(const char *cmnd, char * const argv[], char * const envp[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int
|
||||
my_execv(const char *cmnd, char * const argv[])
|
||||
{
|
||||
return my_execve(cmnd, argv, environ);
|
||||
}
|
||||
|
||||
/* Magic to tell dyld to do symbol interposition. */
|
||||
__attribute__((__used__)) static const interpose_t interposers[]
|
||||
__attribute__((__section__("__DATA,__interpose"))) = {
|
||||
{ (void *)my_execve, (void *)execve }
|
||||
{ (void *)my_execv, (void *)execv }
|
||||
};
|
||||
|
||||
#else /* HAVE___INTERPOSE */
|
||||
@@ -148,4 +156,10 @@ execve(const char *cmnd, char * const argv[], char * const envp[])
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
sudo_dso_public int
|
||||
execv(const char *cmnd, char * const argv[])
|
||||
{
|
||||
return execve(cmnd, argv, environ);
|
||||
}
|
||||
#endif /* HAVE___INTERPOSE) */
|
||||
|
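Review bot: In the `HAVE___INTERPOSE` branch, the `interposers[]` initializer has no comma between the existing `{ (void *)my_execve, (void *)execve }` entry and the newly added `{ (void *)my_execv, (void *)execv }` entry, so as shown it will not compile on platforms that take this branch. The hunk counts (`-81,10 +82,17`) indicate the `my_execve` line is unchanged context, so the fix is to change it to `{ (void *)my_execve, (void *)execve },`. The `#else` branch is unaffected, so a build that does not define `HAVE___INTERPOSE` will not catch this; a compile of the interpose path is worth adding to the checks, since a failed build there means no intercept library on those systems. Separately, a one-line comment above the new `execv()` wrapper would record why it exists, for example `/* Wrap execv(3) too: some programs (e.g. csh) call it instead of execve(2). */`.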