Update Defaults settings after parsing sudoers.

Also stub out dump_defaults when fuzzing as it is not used.
This commit is contained in:
Todd C. Miller
2021-02-24 12:29:34 -07:00
parent 33551acd1f
commit cbd11c44d2
4 changed files with 8 additions and 1 deletions


@@ -493,7 +493,8 @@ plugins/sudoers/auth/securid5.c
plugins/sudoers/auth/sia.c plugins/sudoers/auth/sia.c
plugins/sudoers/auth/sudo_auth.c plugins/sudoers/auth/sudo_auth.c
plugins/sudoers/auth/sudo_auth.h plugins/sudoers/auth/sudo_auth.h
plugins/sudoers/base64.c plugins/sudoers/b64_decode.c
plugins/sudoers/b64_encode.c
plugins/sudoers/boottime.c plugins/sudoers/boottime.c
plugins/sudoers/bsm_audit.c plugins/sudoers/bsm_audit.c
plugins/sudoers/bsm_audit.h plugins/sudoers/bsm_audit.h


@@ -81,6 +81,7 @@ static bool valid_path(struct sudo_defs_types *def, const char *val, const char
void void
dump_defaults(void) dump_defaults(void)
{ {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
struct sudo_defs_types *cur; struct sudo_defs_types *cur;
struct list_member *item; struct list_member *item;
struct def_values *def; struct def_values *def;
@@ -164,6 +165,7 @@ dump_defaults(void)
} }
} }
debug_return; debug_return;
#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
} }
/* /*
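Review bot: The new `#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` at the top of dump_defaults() leaves the function as an empty no-op in fuzz builds with no in-code hint of why, and the rationale currently lives only in the commit message. A one-line comment next to the guard, e.g. `/* Body compiled out under fuzzing: dump_defaults() is not reached by the fuzz harnesses. */`, would keep a future reader from assuming the stub hides a build problem. Since the local declarations and the `debug_return` are both inside the guarded region, the stubbed build should not trip unused-variable warnings; the middle of dump_defaults() lies outside these two hunks, so whether its `debug_decl` is also inside the guard cannot be confirmed from here.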


@@ -268,6 +268,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
sudoersrestart(fp); sudoersrestart(fp);
sudoersparse(); sudoersparse();
reparent_parse_tree(&parse_tree); reparent_parse_tree(&parse_tree);
update_defaults(&parse_tree, NULL, (SETDEF_ALL & ~SETDEF_USER), false);
if (!parse_error) { if (!parse_error) {
/* Match user/host/command against parsed policy. */ /* Match user/host/command against parsed policy. */
@@ -278,6 +279,8 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (sudo_user.pw == NULL) if (sudo_user.pw == NULL)
goto done; goto done;
update_defaults(&parse_tree, NULL, SETDEF_USER, false);
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, false); sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, false);
/* Match again as a pseudo-command (list, validate, etc). */ /* Match again as a pseudo-command (list, validate, etc). */
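Review bot: Both new `update_defaults()` calls (the `SETDEF_ALL & ~SETDEF_USER` one after reparent_parse_tree() and the `SETDEF_USER` one after the pw lookup) discard the function's boolean result, so a Defaults entry that fails to apply is only visible through the warning it prints — as the updated test18 expectation for "command_timeout" shows. For a fuzz harness continuing into sudoers_lookup() on partially applied defaults is presumably intentional, but that should be stated: `(void)update_defaults(&parse_tree, NULL, (SETDEF_ALL & ~SETDEF_USER), false); /* failures are reported, not fatal: keep fuzzing the lookup path */`. Note also that the first call runs before `if (!parse_error)`, so Defaults from a sudoers file that failed to parse are still applied; if that is meant to exercise the defaults code on partial trees, a short comment would make it clear it is not an oversight. LLVMFuzzerTestOneInput() begins and ends outside these hunks.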


@@ -368,6 +368,7 @@ user3 ALL = TIMEOUT=10m30ss /usr/bin/id
sudoers:8:21: invalid timeout value sudoers:8:21: invalid timeout value
user4 ALL = TIMEOUT=14g /usr/bin/id user4 ALL = TIMEOUT=14g /usr/bin/id
^~~ ^~~
fuzz_sudoers: sudoers:2:26: value "2d8h10m59ss" is invalid for option "command_timeout"
Executed regress/sudoers/test18.in Executed regress/sudoers/test18.in
Running: regress/sudoers/test19.in Running: regress/sudoers/test19.in
User root is not allowed to run sudo on localhost. User root is not allowed to run sudo on localhost.