isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor disable_execute() and my_execve() into exec_common.c for

Browse Source 
use by sesh.c.  This fixes NOEXEC when SELinux is used.  Instead
of disabling exec in exec_setup(), disable it immediately before
executing the command.  Adapted from a diff by Arno Schuring.
This commit is contained in:
Todd C. Miller
2012-01-25 14:58:02 -05:00
parent e852bf4374
commit d11e7febbc
10 changed files with 240 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/exec_pty.c
View File

@@ -1190,11 +1190,15 @@ exec_pty(struct command_details *details, int *errfd)
closefrom(maxfd);
}
#ifdef HAVE_SELINUX
if (ISSET(details->flags, CD_RBAC_ENABLED))
selinux_execve(details->command, details->argv, details->envp);
else
if (ISSET(details->flags, CD_RBAC_ENABLED)) {
selinux_execve(details->command, details->argv, details->envp,
ISSET(details->flags, CD_NOEXEC));
} else
#endif
my_execve(details->command, details->argv, details->envp);
{
sudo_execve(details->command, details->argv, details->envp,
ISSET(details->flags, CD_NOEXEC));
}
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s",
details->command, strerror(errno));
debug_return;