Only allow the user to specify -D or -R for the special "*" value.

The sudoers file must now explicitly allow the user to specify a directory (sudo -D) or chroot (sudo -R) by setting cwd or chroot to "*". If a specific cwd or chroot value is set in sudoers, the user may not use the -D or -R options, even if they match the value in sudoers.
2023-07-10 14:30:40 -06:00
parent 44cfa9e132
commit d1625f9c83
5 changed files with 6 additions and 46 deletions
--- a/plugins/sudoers/check_util.c
+++ b/plugins/sudoers/check_util.c
@@ -73,10 +73,10 @@ check_user_runchroot(void)
 	def_runchroot ? def_runchroot : "none",
 	user_runchroot ? user_runchroot : "none");

-    if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
-	    strcmp(def_runchroot, user_runchroot) != 0)) {
+    /* User may only specify a root dir if runchroot is "*" */
+    if (def_runchroot == NULL || strcmp(def_runchroot, "*") != 0)
 	debug_return_bool(false);
-    }
+
    free(def_runchroot);
    if ((def_runchroot = strdup(user_runchroot)) == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
@@ -102,10 +102,10 @@ check_user_runcwd(void)
        def_runcwd ? def_runcwd : "none",
        user_runcwd ? user_runcwd : "none");

-    if (def_runcwd == NULL || (strcmp(def_runcwd, "*") != 0 &&
-            strcmp(def_runcwd, user_runcwd) != 0)) {
+    /* User may only specify a cwd if runcwd is "*" */
+    if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0)
        debug_return_bool(false);
-    }
+
    free(def_runcwd);
    if ((def_runcwd = strdup(user_runcwd)) == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
--- a/plugins/sudoers/regress/testsudoers/test25.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test25.out.ok
@@ -12,18 +12,6 @@ User root is not allowed to change directory to /

 Command denied

-User can run commands with cwd set to sudoers value:
-Parses OK
-
-Entries for user root:
-
-ALL = CWD=/some/where/else /bin/ls
-	host  allowed
-	runas allowed
-	cmnd  allowed
-
-Command allowed
-
 User cannot override the sudoers cwd:
 Parses OK

--- a/plugins/sudoers/regress/testsudoers/test25.sh
+++ b/plugins/sudoers/regress/testsudoers/test25.sh
@@ -20,14 +20,6 @@ if [ $? -eq 0 ]; then
    retval=1
 fi

-printf "\nUser can run commands with cwd set to sudoers value:\n"
-$TESTSUDOERS -D /some/where/else root /bin/ls <<'EOF'
-root ALL = CWD=/some/where/else /bin/ls
-EOF
-if [ $? -ne 0 ]; then
-    retval=$?
-fi
-
 printf "\nUser cannot override the sudoers cwd:\n"
 $TESTSUDOERS -D / root /bin/ls <<'EOF'
 root ALL = CWD=/some/where/else /bin/ls
--- a/plugins/sudoers/regress/testsudoers/test26.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test26.out.ok
@@ -12,18 +12,6 @@ User root is not allowed to change root directory to /

 Command denied

-User can run commands with chroot set to sudoers value:
-Parses OK
-
-Entries for user root:
-
-ALL = CHROOT=/some/where/else /bin/ls
-	host  allowed
-	runas allowed
-	cmnd  allowed
-
-Command allowed
-
 User cannot override the sudoers chroot:
 Parses OK

--- a/plugins/sudoers/regress/testsudoers/test26.sh
+++ b/plugins/sudoers/regress/testsudoers/test26.sh
@@ -18,14 +18,6 @@ if [ $? -eq 0 ]; then
    retval=1
 fi

-printf "\nUser can run commands with chroot set to sudoers value:\n"
-$TESTSUDOERS -R /some/where/else root /bin/ls <<'EOF'
-root ALL = CHROOT=/some/where/else /bin/ls
-EOF
-if [ $? -ne 0 ]; then
-    retval=$?
-fi
-
 # Because command_matches() uses the per-rule CHROOT, this results in
 # an unmatched rule instead of a matched rule that is rejected later.
 # This is different from the CWD checking which is performed after