From db3b776277975c1107ef2efac1e85bc7fdf2e7d2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 29 Jan 2014 15:19:45 -0700 Subject: [PATCH] When listing a user's privileges, always prompt the user for their own password, regardless of the value of target_pw, root_pw or runas_pw. --- NEWS | 4 ++++ doc/sudoers.cat | 23 +++++++++++++---------- doc/sudoers.man.in | 11 +++++++---- doc/sudoers.mdoc.in | 11 +++++++---- plugins/sudoers/check.c | 38 ++++++++++++++++++++++---------------- 5 files changed, 53 insertions(+), 34 deletions(-) diff --git a/NEWS b/NEWS index c2efbca25..75ff93475 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,10 @@ What's new in Sudo 1.8.10? sudo.conf by changing the value of the probe_interfaces setting. + * When listing a user's privileges (sudo -l), the sudoers plugin + will now prompt for the user's password even if the targetpw, + rootpw or runaspw options are set. + What's new in Sudo 1.8.9p4? * Fixed a bug where sudo could consume large amounts of CPU while diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 0ca49e333..d82336a7e 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1120,13 +1120,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This flag is _o_n by default. rootpw If set, ssuuddoo will prompt for the root password instead - of the password of the invoking user. This flag is _o_f_f - by default. + of the password of the invoking user when running a + command or editing a file. This flag is _o_f_f by + default. runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) - instead of the password of the invoking user. This - flag is _o_f_f by default. + instead of the password of the invoking user when + running a command or editing a file. This flag is _o_f_f + by default. set_home If enabled and ssuuddoo is invoked with the --ss option the HOME environment variable will be set to the home 
@@ -1185,11 +1187,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead - of the password of the invoking user. In addition, the - time stamp file name will include the target user's - name. Note that this flag precludes the use of a uid - not listed in the passwd database as an argument to the - --uu option. This flag is _o_f_f by default. + of the password of the invoking user when running a + command or editing a file. In addition, the time stamp + file name will include the target user's name. Note + that this flag precludes the use of a uid not listed in + the passwd database as an argument to the --uu option. + This flag is _o_f_f by default. tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, ssuuddoo will use a file named for @@ -2292,4 +2295,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.9 January 1, 2014 Sudo 1.8.9 +Sudo 1.8.10 January 29, 2014 Sudo 1.8.10 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 5a50a5d1d..158d85df0 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "January 1, 2014" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "January 29, 2014" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -2366,7 +2366,8 @@ by default. rootpw If set, \fBsudo\fR -will prompt for the root password instead of the password of the invoking user. +will prompt for the root password instead of the password of the invoking user +when running a command or editing a file. This flag is \fIoff\fR by default. 
@@ -2378,7 +2379,8 @@ will prompt for the password of the user defined by the \fIrunas_default\fR option (defaults to \fR@runas_default@\fR) -instead of the password of the invoking user. +instead of the password of the invoking user +when running a command or editing a file. This flag is \fIoff\fR by default. @@ -2521,7 +2523,8 @@ by the \fB\-u\fR option (defaults to \fRroot\fR) -instead of the password of the invoking user. +instead of the password of the invoking user +when running a command or editing a file. In addition, the time stamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index dbe703613..fd7a40438 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd January 1, 2014 +.Dd January 29, 2014 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2209,7 +2209,8 @@ by default. .It rootpw If set, .Nm sudo -will prompt for the root password instead of the password of the invoking user. +will prompt for the root password instead of the password of the invoking user +when running a command or editing a file. This flag is .Em off by default. @@ -2220,7 +2221,8 @@ will prompt for the password of the user defined by the .Em runas_default option (defaults to .Li @runas_default@ ) -instead of the password of the invoking user. +instead of the password of the invoking user +when running a command or editing a file. This flag is .Em off by default. 
@@ -2356,7 +2358,8 @@ by the .Fl u option (defaults to .Li root ) -instead of the password of the invoking user. +instead of the password of the invoking user +when running a command or editing a file. In addition, the time stamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index a25077633..2e7799227 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -53,7 +53,7 @@ #include "check.h"
 static bool display_lecture(int);
-static struct passwd *get_authpw(void);
+static struct passwd *get_authpw(int);
 /*
  * Returns true if the user successfully authenticates, false if not
@@ -123,7 +123,7 @@ check_user(int validated, int mode)
      * Init authentication system regardless of whether we need a password.
      * Required for proper PAM session support.
      */
-    auth_pw = get_authpw();
+    auth_pw = get_authpw(mode);
     if (sudo_auth_init(auth_pw) == -1) {
         rval = -1;
         goto done;
@@ -217,26 +217,32 @@ user_is_exempt(void)
  * case, this matches sudo_user.pw or runas_pw.
  */
 static struct passwd *
-get_authpw(void)
+get_authpw(int mode)
 {
     struct passwd *pw;
     debug_decl(get_authpw, SUDO_DEBUG_AUTH)
-    if (def_rootpw) {
-        if ((pw = sudo_getpwuid(ROOT_UID)) == NULL)
-            log_fatal(0, N_("unknown uid: %u"), ROOT_UID);
-    } else if (def_runaspw) {
-        if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
-            log_fatal(0, N_("unknown user: %s"), def_runas_default);
-    } else if (def_targetpw) {
-        if (runas_pw->pw_name == NULL)
-            log_fatal(NO_MAIL|MSG_ONLY, N_("unknown uid: %u"),
-                (unsigned int) runas_pw->pw_uid);
-        sudo_pw_addref(runas_pw);
-        pw = runas_pw;
-    } else {
+    if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {
+        /* In list mode we always prompt for the user's password. */
         sudo_pw_addref(sudo_user.pw);
         pw = sudo_user.pw;
+    } else {
+        if (def_rootpw) {
+            if ((pw = sudo_getpwuid(ROOT_UID)) == NULL)
+                log_fatal(0, N_("unknown uid: %u"), ROOT_UID);
+        } else if (def_runaspw) {
+            if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
+                log_fatal(0, N_("unknown user: %s"), def_runas_default);
+        } else if (def_targetpw) {
+            if (runas_pw->pw_name == NULL)
+                log_fatal(NO_MAIL|MSG_ONLY, N_("unknown uid: %u"),
+                    (unsigned int) runas_pw->pw_uid);
+            sudo_pw_addref(runas_pw);
+            pw = runas_pw;
+        } else {
+            sudo_pw_addref(sudo_user.pw);
+            pw = sudo_user.pw;
+        }
     }
     debug_return_ptr(pw);
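Review bot: The list/check-mode branch must not be able to unlock a later command run under targetpw, rootpw or runaspw, and nothing in this hunk rules that out: timestamp handling lives in check_user() (outside the hunk), and the doc hunks state that with targetpw the timestamp file is named for the target user, so if a successful `sudo -l` authenticated with the invoking user's own password refreshes that same file, a following `sudo cmd` would be honored without the target's password ever being presented — confirm the timestamp is not updated (or is keyed separately) when `mode` carries MODE_CHECK|MODE_LIST. The inline comment is also narrower than the condition it sits under: `ISSET(mode, (MODE_CHECK|MODE_LIST))` covers both flags, so I would write `/* In list/check mode (-l, with or without a command) always authenticate the invoking user, regardless of rootpw/runaspw/targetpw. */`, assuming MODE_CHECK is the `-l command` form. The function's header comment, whose tail `* case, this matches sudo_user.pw or runas_pw.` is visible, should likewise gain a line saying that `mode` selects this override of the *pw options. get_authpw's closing brace lies outside the hunk.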