For sudo, only allow "sudo" or "sudoedit" as the program name.

The program name is also used when matching Debug lines in sudo.conf.
We don't want the user to be able to influence sudo.conf Debug matching.
The string "sudoedit" is treated the same as "sudo" in sudo.conf.
Problem reported by Matthias Gerstner of SUSE.
Todd C. Miller
2021-01-06 10:16:00 -07:00
parent a29cac8bd6
commit b132def0b1
4 changed files with 39 additions and 3 deletions


@@ -152,12 +152,14 @@ main(int argc, char *argv[], char *envp[])
int nargc, status = 0;
char **nargv, **env_add, **user_info;
char **command_info = NULL, **argv_out = NULL, **user_env_out = NULL;
const char * const allowed_prognames[] = { "sudo", "sudoedit", NULL };
struct sudo_settings *settings;
int submit_optind;
sigset_t mask;
debug_decl_vars(main, SUDO_DEBUG_MAIN);
initprogname(argc > 0 ? argv[0] : "sudo");
/* Only allow "sudo" or "sudoedit" as the program name. */
initprogname2(argc > 0 ? argv[0] : "sudo", allowed_prognames);
/* Crank resource limits to unlimited. */
unlimit_sudo();
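Review bot: the code comment above the `initprogname2()` call ("Only allow "sudo" or "sudoedit" as the program name.") states the rule but not the reason, while the rationale (the program name is used to match Debug lines in sudo.conf and must not be user-influenced) lives only in the commit message; consider extending the comment so a later reader does not relax this to "any argv[0]" without seeing why it is restricted. Also, this hunk shows `allowed_prognames` being passed but not what `initprogname2()` does when `argv[0]` matches neither entry; the fallback behaviour (presumably settling on the first entry, "sudo", consistent with the `argc > 0 ? argv[0] : "sudo"` default kept from the removed line) should be documented at the call site or in the function's header since the Debug-matching guarantee depends on it.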