isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add admin_flag sudoers option and make --enable-admin-flag take a path.

Browse Source 
It is now possible to disable the Ubuntu admin flag in sudoers
or change its location.
GitHub issue #56
This commit is contained in:
Todd C. Miller
2021-02-16 13:20:02 -07:00
parent 5ec59cddc2
commit a5504148a5
12 changed files with 92 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
INSTALL
View File

@@ -424,9 +424,11 @@ Operating system-specific options:
Disable use of the setresuid() function for operating systems Disable use of the setresuid() function for operating systems
where it is broken (none currently known). where it is broken (none currently known).
--enable-admin-flag --enable-admin-flag[=PATH]
Enable the creation of an Ubuntu-style admin flag file Enable the creation of an Ubuntu-style admin flag file the
the first time sudo is run. first time sudo is run. If PATH is not specified, the
default value is:
~/.sudo_as_admin_successful
--enable-devsearch=PATH --enable-devsearch=PATH
Set a system-specific search path of directories to look in Set a system-specific search path of directories to look in

4
config.h.in
View File

@@ -1231,10 +1231,6 @@
/* Define to 1 if the `unsetenv' function returns void instead of `int'. */ /* Define to 1 if the `unsetenv' function returns void instead of `int'. */
#undef UNSETENV_VOID #undef UNSETENV_VOID
/* Define to 1 if you want to create ~/.sudo_as_admin_successful if the user
is in the admin group the first time they run sudo. */
#undef USE_ADMIN_FLAG
/* Define to 1 if you want to insult the user for entering an incorrect /* Define to 1 if you want to insult the user for entering an incorrect
password. */ password. */
#undef USE_INSULTS #undef USE_INSULTS

14
configure vendored
View File

@@ -1718,7 +1718,8 @@ Optional Features:
instead of the default C compiler. instead of the default C compiler.
--disable-leaks Prevent some harmless memory leaks. --disable-leaks Prevent some harmless memory leaks.
--disable-poll Use select() instead of poll(). --disable-poll Use select() instead of poll().
--enable-admin-flag Whether to create a Ubuntu-style admin flag file --enable-admin-flag[=PATH]
Whether to create a Ubuntu-style admin flag file
--disable-nls Disable natural language support using gettext --disable-nls Disable natural language support using gettext
--disable-rpath Disable passing of -Rpath to the linker --disable-rpath Disable passing of -Rpath to the linker
--enable-static-sudoers Build the sudoers policy module as part of the sudo --enable-static-sudoers Build the sudoers policy module as part of the sudo
@@ -6989,12 +6990,16 @@ fi
if test ${enable_admin_flag+y} if test ${enable_admin_flag+y}
then : then :
enableval=$enable_admin_flag; case "$enableval" in enableval=$enable_admin_flag; case "$enableval" in
yes) printf "%s\n" "#define USE_ADMIN_FLAG 1" >>confdefs.h yes) cat >>confdefs.h <<EOF
#define _PATH_SUDO_ADMIN_FLAG "~/.sudo_as_admin_successful"
EOF
;; ;;
no) ;; no) ;;
*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-admin-flag: $enableval" >&5 *) cat >>confdefs.h <<EOF
printf "%s\n" "$as_me: WARNING: Ignoring unknown argument to --enable-admin-flag: $enableval" >&2;} #define _PATH_SUDO_ADMIN_FLAG "$enableval"
EOF
;; ;;
esac esac
@@ -31913,6 +31918,5 @@ fi

7
configure.ac
View File

@@ -1574,12 +1574,12 @@ AC_ARG_ENABLE(poll,
[AS_HELP_STRING([--disable-poll], [Use select() instead of poll().])]) [AS_HELP_STRING([--disable-poll], [Use select() instead of poll().])])
AC_ARG_ENABLE(admin-flag, AC_ARG_ENABLE(admin-flag,
[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])], [AS_HELP_STRING([--enable-admin-flag[[=PATH]]], [Whether to create a Ubuntu-style admin flag file])],
[ case "$enableval" in [ case "$enableval" in
yes) AC_DEFINE(USE_ADMIN_FLAG) yes) SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ADMIN_FLAG, "~/.sudo_as_admin_successful")
;; ;;
no) ;; no) ;;
*) AC_MSG_WARN([Ignoring unknown argument to --enable-admin-flag: $enableval]) *) SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ADMIN_FLAG, "$enableval")
;; ;;
esac esac
]) ])
@@ -5051,7 +5051,6 @@ AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell
AH_TEMPLATE(STATIC_SUDOERS_PLUGIN, [Define to 1 to compile the sudoers plugin statically into the sudo binary.]) AH_TEMPLATE(STATIC_SUDOERS_PLUGIN, [Define to 1 to compile the sudoers plugin statically into the sudo binary.])
AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.]) AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
AH_TEMPLATE(UMASK_OVERRIDE, [Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's.]) AH_TEMPLATE(UMASK_OVERRIDE, [Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's.])
AH_TEMPLATE(USE_ADMIN_FLAG, [Define to 1 if you want to create ~/.sudo_as_admin_successful if the user is in the admin group the first time they run sudo.])
AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.]) AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.]) AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.]) AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])

20
doc/sudoers.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "January 8, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "February 16, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -4265,6 +4265,24 @@ is built with SELinux support.
.PP .PP
\fBStrings that can be used in a boolean context\fR: \fBStrings that can be used in a boolean context\fR:
.TP 14n .TP 14n
admin_flag
The
\fIadmin_flag\fR
option specifies the path to a file that is created the first time
a user that is a member of the
\fIsudo\fR
or
\fIadmin\fR
groups runs
\fBsudo\fR.
Only available if
\fBsudo\fR
is configured with the
\fR--enable-admin-flag\fR
option.
The default value is
\fR~/.sudo_as_admin_successful\fR.
.TP 14n
env_file env_file
The The
\fIenv_file\fR \fIenv_file\fR

19
doc/sudoers.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd January 8, 2020 .Dd February 16, 2020
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -4003,6 +4003,23 @@ is built with SELinux support.
.Pp .Pp
.Sy Strings that can be used in a boolean context : .Sy Strings that can be used in a boolean context :
.Bl -tag -width 12n .Bl -tag -width 12n
.It admin_flag
The
.Em admin_flag
option specifies the path to a file that is created the first time
a user that is a member of the
.Em sudo
or
.Em admin
groups runs
.Nm sudo .
Only available if
.Nm sudo
is configured with the
.Li --enable-admin-flag
option.
The default value is
.Li ~/.sudo_as_admin_successful .
.It env_file .It env_file
The The
.Em env_file .Em env_file

8
pathnames.h.in
View File

@@ -141,6 +141,14 @@
# undef _PATH_SUDO_LOGFILE # undef _PATH_SUDO_LOGFILE
#endif /* _PATH_SUDO_LOGFILE */ #endif /* _PATH_SUDO_LOGFILE */
/*
* The path to an Ubuntu-style admin flag file that is created the
* first time a user runs sudo.
*/
#ifndef _PATH_SUDO_ADMIN_FLAG
# undef _PATH_SUDO_ADMIN_FLAG
#endif /* _PATH_SUDO_ADMIN_FLAG */
#ifndef _PATH_SUDO_SENDMAIL #ifndef _PATH_SUDO_SENDMAIL
# undef _PATH_SUDO_SENDMAIL # undef _PATH_SUDO_SENDMAIL
#endif /* _PATH_SUDO_SENDMAIL */ #endif /* _PATH_SUDO_SENDMAIL */

4
plugins/sudoers/def_data.c
View File

@@ -573,6 +573,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"selinux", T_FLAG, "selinux", T_FLAG,
N_("Enable SELinux RBAC support"), N_("Enable SELinux RBAC support"),
NULL, NULL,
}, {
"admin_flag", T_STR|T_BOOL|T_CHPATH,
N_("Path to the file that is created the first time sudo is run: %s"),
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }

2
plugins/sudoers/def_data.h
View File

@@ -264,6 +264,8 @@
#define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple) #define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
#define I_SELINUX 131 #define I_SELINUX 131
#define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag) #define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
#define I_ADMIN_FLAG 132
#define def_admin_flag (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
enum def_tuple { enum def_tuple {
never, never,

3
plugins/sudoers/def_data.in
View File

@@ -412,3 +412,6 @@ log_format
selinux selinux
T_FLAG T_FLAG
"Enable SELinux RBAC support" "Enable SELinux RBAC support"
admin_flag
T_STR|T_BOOL|T_CHPATH
"Path to the file that is created the first time sudo is run: %s"

4
plugins/sudoers/defaults.c
View File

@@ -531,6 +531,10 @@ init_defaults(void)
#endif #endif
#ifdef HAVE_INNETGR #ifdef HAVE_INNETGR
def_use_netgroups = true; def_use_netgroups = true;
#endif
#ifdef _PATH_SUDO_ADMIN_FLAG
if ((def_admin_flag = strdup(_PATH_SUDO_ADMIN_FLAG)) == NULL)
goto oom;
#endif #endif
def_netgroup_tuple = false; def_netgroup_tuple = false;
def_sudoedit_checkdir = true; def_sudoedit_checkdir = true;

25
plugins/sudoers/timestamp.c
View File

@@ -1083,24 +1083,32 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
#ifdef USE_ADMIN_FLAG #ifdef _PATH_SUDO_ADMIN_FLAG
int int
create_admin_success_flag(void) create_admin_success_flag(void)
{ {
char flagfile[PATH_MAX]; char *flagfile;
int len, ret = -1; int ret = -1;
debug_decl(create_admin_success_flag, SUDOERS_DEBUG_AUTH); debug_decl(create_admin_success_flag, SUDOERS_DEBUG_AUTH);
/* Is the admin flag file even enabled? */
if (!def_admin_flag)
debug_return_int(true);
/* Check whether the user is in the sudo or admin group. */ /* Check whether the user is in the sudo or admin group. */
if (!user_in_group(sudo_user.pw, "sudo") && if (!user_in_group(sudo_user.pw, "sudo") &&
!user_in_group(sudo_user.pw, "admin")) !user_in_group(sudo_user.pw, "admin"))
debug_return_int(true); debug_return_int(true);
/* Build path to flag file. */ /* Build path to flag file. */
len = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful", if ((flagfile = strdup(def_admin_flag)) == NULL) {
user_dir); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
if (len < 0 || len >= ssizeof(flagfile)) debug_return_int(-1);
}
if (!expand_tilde(&flagfile, user_name)) {
free(flagfile);
debug_return_int(false); debug_return_int(false);
}
/* Create admin flag file if it doesn't already exist. */ /* Create admin flag file if it doesn't already exist. */
if (set_perms(PERM_USER)) { if (set_perms(PERM_USER)) {
@@ -1111,13 +1119,14 @@ create_admin_success_flag(void)
if (!restore_perms()) if (!restore_perms())
ret = -1; ret = -1;
} }
free(flagfile);
debug_return_int(ret); debug_return_int(ret);
} }
#else /* !USE_ADMIN_FLAG */ #else /* !_PATH_SUDO_ADMIN_FLAG */
int int
create_admin_success_flag(void) create_admin_success_flag(void)
{ {
/* STUB */ /* STUB */
return true; return true;
} }
#endif /* USE_ADMIN_FLAG */ #endif /* _PATH_SUDO_ADMIN_FLAG */