Make sudoedit_checkdir the default and update the documentation accordingly.

This commit is contained in:
Todd C. Miller
2016-01-19 14:16:25 -07:00
parent e719d954e7
commit de0208a01b
8 changed files with 135 additions and 107 deletions


@@ -126,12 +126,23 @@ DDEESSCCRRIIPPTTIIOONN
copied back to their original location and the copied back to their original location and the
temporary versions are removed. temporary versions are removed.
Unless explicitly allowed by the security policy, symbolic To help prevent the editing of unauthorized files, the
links will not be opened. This helps prevent the editing of following restrictions are enforced unless explicitly allowed
unauthorized files when the file is located in a user- by the security policy:
writable directory. Versions of ssuuddoo prior to 1.8.15 do not
have this restriction. Users are never allowed to edit ++oo Symbolic links may not be edited (version 1.8.15 and
device special files. higher).
++oo Symbolic links along the path to be edited are not
followed when the parent directory is writable by the
invoking user unless that user is root (version 1.8.16
and higher).
++oo Files located in a directory that is writable by the
invoking user may not be edited unless that user is root
(version 1.8.16 and higher).
Users are never allowed to edit device special files.
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
Note that unlike most commands run by _s_u_d_o, the editor is run Note that unlike most commands run by _s_u_d_o, the editor is run
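Review bot: the new bullet list says the restrictions apply "unless explicitly allowed by the security policy" but never says which policy setting governs each bullet; per the sudoers(5) changes in this same commit, the first bullet is controlled by sudoedit_follow (and the FOLLOW/NOFOLLOW tags) while the second and third are controlled by sudoedit_checkdir. Suggest naming the option in each bullet, or adding a pointer to the sudoers(5) Security notes, so an administrator reading sudo(8) can find the setting that relaxes a given check.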
@@ -440,14 +451,7 @@ SSEECCUURRIITTYY NNOOTTEESS
Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are
writable by the user or that reside in a directory that is writable by writable by the user or that reside in a directory that is writable by
the user. If the user can modify or replace the command there is no way the user. If the user can modify or replace the command there is no way
to limit what additional commands they can run. Likewise, users should to limit what additional commands they can run.
_n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that resides in a
directory the user has write access to. A user with directory write
access could replace the legitimate file with a link to some other,
arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to
open a symbolic link unless the security policy explicitly permits it.
However, it is still possible to create a hard link if the directory is
writable and the link target resides on the same file system.
Please note that ssuuddoo will normally only log the command it explicitly Please note that ssuuddoo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent runs. If a user runs a command such as sudo su or sudo sh, subsequent
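Review bot: removing the whole sudoedit paragraph from SECURITY NOTES also removes the hard-link caveat ("it is still possible to create a hard link if the directory is writable and the link target resides on the same file system"). That is consistent with the new default, since a hard link can only be created in a directory the user can write to and the writable-directory refusal now covers that case, but the protection disappears again when sudoedit_checkdir is disabled. Suggest keeping one sentence here that says so, or a pointer to the corresponding paragraph in sudoers(5), rather than leaving sudo(8) silent about sudoedit in this section.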
@@ -617,4 +621,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.16 November 20, 2015 Sudo 1.8.16 Sudo 1.8.16 January 19, 2016 Sudo 1.8.16


@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDO" "8" "November 20, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "8" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -296,13 +296,23 @@ their original location and the temporary versions are removed.
.RE .RE
.RS 12n .RS 12n
.sp .sp
Unless explicitly allowed by the security policy, symbolic links To help prevent the editing of unauthorized files, the following
will not be opened. restrictions are enforced unless explicitly allowed by the security policy:
This helps prevent the editing of unauthorized files when the file .RS 16n
is located in a user-writable directory. .TP 4n
Versions of \fB\(bu\fR
\fBsudo\fR Symbolic links may not be edited (version 1.8.15 and higher).
prior to 1.8.15 do not have this restriction. .TP 4n
\fB\(bu\fR
Symbolic links along the path to be edited are not followed when the
parent directory is writable by the invoking user unless that user
is root (version 1.8.16 and higher).
.TP 4n
\fB\(bu\fR
Files located in a directory that is writable by the invoking user may
not be edited unless that user is root (version 1.8.16 and higher).
.RE
.sp
Users are never allowed to edit device special files. Users are never allowed to edit device special files.
.sp .sp
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
@@ -883,20 +893,6 @@ privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the command there is no way
to limit what additional commands they can run. to limit what additional commands they can run.
Likewise, users should
\fInever\fR
be granted
\fBsudoedit\fR
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
\fBsudoedit\fR
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.PP .PP
Please note that Please note that
\fBsudo\fR \fBsudo\fR


@@ -1,5 +1,5 @@
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd November 20, 2015 .Dd January 19, 2016
.Dt SUDO @mansectsu@ .Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -269,13 +269,20 @@ If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed. their original location and the temporary versions are removed.
.El .El
.Pp .Pp
Unless explicitly allowed by the security policy, symbolic links To help prevent the editing of unauthorized files, the following
will not be opened. restrictions are enforced unless explicitly allowed by the security policy:
This helps prevent the editing of unauthorized files when the file .Bl -bullet -offset 4
is located in a user-writable directory. .It
Versions of Symbolic links may not be edited (version 1.8.15 and higher).
.Nm .It
prior to 1.8.15 do not have this restriction. Symbolic links along the path to be edited are not followed when the
parent directory is writable by the invoking user unless that user
is root (version 1.8.16 and higher).
.It
Files located in a directory that is writable by the invoking user may
not be edited unless that user is root (version 1.8.16 and higher).
.El
.Pp
Users are never allowed to edit device special files. Users are never allowed to edit device special files.
.Pp .Pp
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
@@ -818,20 +825,6 @@ privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the command there is no way
to limit what additional commands they can run. to limit what additional commands they can run.
Likewise, users should
.Em never
be granted
.Nm sudoedit
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
.Nm sudoedit
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.Pp .Pp
Please note that Please note that
.Nm .Nm


@@ -614,9 +614,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
NOEXEC works and whether or not it will work on your system. NOEXEC works and whether or not it will work on your system.
_F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open
follow symbolic links when opening files unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is
option is enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of
_s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of _s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of
symbolic links on a per-command basis. These tags are only effective symbolic links on a per-command basis. These tags are only effective
for the _s_u_d_o_e_d_i_t command and are ignored for all other commands. for the _s_u_d_o_e_d_i_t command and are ignored for all other commands.
@@ -1257,15 +1257,20 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
system call. This flag is _o_f_f by default. system call. This flag is _o_f_f by default.
sudoedit_checkdir sudoedit_checkdir
If set, ssuuddooeeddiitt will check directories in the path to If set, ssuuddooeeddiitt will check all directory components of
be edited for writability by the invoking user. the path to be edited for writability by the invoking
Symbolic links will not be followed in writable user. Symbolic links will not be followed in writable
directories and ssuuddooeeddiitt will also refuse to edit a directories and ssuuddooeeddiitt will refuse to edit a file
file located in a writable directory. Theses located in a writable directory. These restrictions
restrictions are not enforced when ssuuddooeeddiitt is invoked are not enforced when ssuuddooeeddiitt is run by root. On some
as root. On many systems, this option requires that systems, if all directory components of the path to be
all directories in the path to be edited be readable by edited are not readable by the target user, ssuuddooeeddiitt
the target user. This flag is _o_f_f by default. will be unable to edit the file. This flag is _o_n by
default.
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate
directories was added in version 1.8.16.
sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links
when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be
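Review bot: the new sentence "if all directory components of the path to be edited are not readable by the target user, sudoedit will be unable to edit the file" reads as if every component has to be unreadable before editing fails, whereas the text it replaces ("requires that all directories in the path to be edited be readable") means a single unreadable component is enough. Suggest "if any directory component of the path to be edited is not readable by the target user, sudoedit will be unable to edit the file". Since the .cat and .man files are generated, the fix belongs in sudoers.mdoc.in and should then be regenerated into both.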
@@ -2378,12 +2383,14 @@ SSEECCUURRIITTYY NNOOTTEESS
resides in a directory the user has write access to, either directly or resides in a directory the user has write access to, either directly or
via a wildcard. If the user has write access to the directory it is via a wildcard. If the user has write access to the directory it is
possible to replace the legitimate file with a link to another file, possible to replace the legitimate file with a link to another file,
allowing the editing of arbitrary files. Starting with version 1.8.15, allowing the editing of arbitrary files. To prevent this, starting with
version 1.8.16, symbolic links will not be followed in writable
directories and ssuuddooeeddiitt will refuse to edit a file located in a writable
directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the
invoking user is root. Additionally, in version 1.8.15 and higher,
ssuuddooeeddiitt will refuse to open a symbolic link unless either the ssuuddooeeddiitt will refuse to open a symbolic link unless either the
_s_u_d_o_e_d_i_t___f_o_l_l_o_w Defaults option is enabled or the _s_u_d_o_e_d_i_t command is _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed
prefixed with the FOLLOW tag. However, it is still possible to create a with the FOLLOW tag in the _s_u_d_o_e_r_s file.
hard link if the directory is writable and the link target resides on the
same file system.
TTiimmee ssttaammpp ffiillee cchheecckkss TTiimmee ssttaammpp ffiillee cchheecckkss
ssuuddooeerrss will check the ownership of its time stamp directory ssuuddooeerrss will check the ownership of its time stamp directory
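Review bot: this paragraph attributes the writable-directory refusal to "starting with version 1.8.16", but the sudoedit_checkdir description earlier in the same file says the setting was introduced in 1.8.15 and that only the check for symbolic links in writable intermediate directories was added in 1.8.16; what 1.8.16 actually changes is the default (on) plus that intermediate-symlink check. Suggest wording it as "starting with version 1.8.16, by default ..." or "when sudoedit_checkdir is enabled, which it is by default as of version 1.8.16", so the two passages agree on what each release introduced.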
@@ -2524,4 +2531,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.16 January 16, 2016 Sudo 1.8.16 Sudo 1.8.16 January 19, 2016 Sudo 1.8.16


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "January 16, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -1298,7 +1298,7 @@ works and whether or not it will work on your system.
\fIFOLLOW\fR and \fINOFOLLOW\fR \fIFOLLOW\fR and \fINOFOLLOW\fR
Starting with version 1.8.15, Starting with version 1.8.15,
\fBsudoedit\fR \fBsudoedit\fR
will not follow symbolic links when opening files unless the will not open a file that is a symbolic link unless the
\fIsudoedit_follow\fR \fIsudoedit_follow\fR
option is enabled. option is enabled.
The The
@@ -2687,19 +2687,25 @@ sudoedit_checkdir
.br .br
If set, If set,
\fBsudoedit\fR \fBsudoedit\fR
will check directories in the path to be edited for writability will check all directory components of the path to be edited for writability
by the invoking user. by the invoking user.
Symbolic links will not be followed in writable directories and Symbolic links will not be followed in writable directories and
\fBsudoedit\fR \fBsudoedit\fR
will also refuse to edit a file located in a writable directory. will refuse to edit a file located in a writable directory.
Theses restrictions are not enforced when These restrictions are not enforced when
\fBsudoedit\fR \fBsudoedit\fR
is invoked as root. is run by root.
On many systems, this option requires that all directories On some systems, if all directory components of the path to be edited
in the path to be edited be readable by the target user. are not readable by the target user,
\fBsudoedit\fR
will be unable to edit the file.
This flag is This flag is
\fIoff\fR \fIon\fR
by default. by default.
.sp
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate directories
was added in version 1.8.16.
.TP 18n .TP 18n
sudoedit_follow sudoedit_follow
By default, By default,
@@ -4847,17 +4853,24 @@ has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file, replace the legitimate file with a link to another file,
allowing the editing of arbitrary files. allowing the editing of arbitrary files.
Starting with version 1.8.15, To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
\fBsudoedit\fR
will refuse to edit a file located in a writable directory
unless the
\fIsudoedit_checkdir\fR
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
\fBsudoedit\fR \fBsudoedit\fR
will refuse to open a symbolic link unless either the will refuse to open a symbolic link unless either the
\fIsudoedit_follow\fR \fIsudoedit_follow\fR
Defaults option is enabled or the option is enabled or the
\fIsudoedit\fR \fIsudoedit\fR
command is prefixed with the command is prefixed with the
\fRFOLLOW\fR \fRFOLLOW\fR
tag. tag in the
However, it is still possible to create a hard link if the directory \fIsudoers\fR
is writable and the link target resides on the same file system. file.
.SS "Time stamp file checks" .SS "Time stamp file checks"
\fBsudoers\fR \fBsudoers\fR
will check the ownership of its time stamp directory will check the ownership of its time stamp directory


@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd January 16, 2016 .Dd January 19, 2016
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -1215,7 +1215,7 @@ works and whether or not it will work on your system.
.It Em FOLLOW No and Em NOFOLLOW .It Em FOLLOW No and Em NOFOLLOW
Starting with version 1.8.15, Starting with version 1.8.15,
.Nm sudoedit .Nm sudoedit
will not follow symbolic links when opening files unless the will not open a file that is a symbolic link unless the
.Em sudoedit_follow .Em sudoedit_follow
option is enabled. option is enabled.
The The
@@ -2517,19 +2517,25 @@ by default.
.It sudoedit_checkdir .It sudoedit_checkdir
If set, If set,
.Nm sudoedit .Nm sudoedit
will check directories in the path to be edited for writability will check all directory components of the path to be edited for writability
by the invoking user. by the invoking user.
Symbolic links will not be followed in writable directories and Symbolic links will not be followed in writable directories and
.Nm sudoedit .Nm sudoedit
will also refuse to edit a file located in a writable directory. will refuse to edit a file located in a writable directory.
Theses restrictions are not enforced when These restrictions are not enforced when
.Nm sudoedit .Nm sudoedit
is invoked as root. is run by root.
On many systems, this option requires that all directories On some systems, if all directory components of the path to be edited
in the path to be edited be readable by the target user. are not readable by the target user,
.Nm sudoedit
will be unable to edit the file.
This flag is This flag is
.Em off .Em on
by default. by default.
.Pp
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate directories
was added in version 1.8.16.
.It sudoedit_follow .It sudoedit_follow
By default, By default,
.Nm sudoedit .Nm sudoedit
@@ -4468,17 +4474,24 @@ has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file, replace the legitimate file with a link to another file,
allowing the editing of arbitrary files. allowing the editing of arbitrary files.
Starting with version 1.8.15, To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
.Nm sudoedit
will refuse to edit a file located in a writable directory
unless the
.Em sudoedit_checkdir
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
.Nm sudoedit .Nm sudoedit
will refuse to open a symbolic link unless either the will refuse to open a symbolic link unless either the
.Em sudoedit_follow .Em sudoedit_follow
Defaults option is enabled or the option is enabled or the
.Em sudoedit .Em sudoedit
command is prefixed with the command is prefixed with the
.Li FOLLOW .Li FOLLOW
tag. tag in the
However, it is still possible to create a hard link if the directory .Em sudoers
is writable and the link target resides on the same file system. file.
.Ss Time stamp file checks .Ss Time stamp file checks
.Nm sudoers .Nm sudoers
will check the ownership of its time stamp directory will check the ownership of its time stamp directory


@@ -440,6 +440,7 @@ init_defaults(void)
def_use_netgroups = true; def_use_netgroups = true;
#endif #endif
def_netgroup_tuple = false; def_netgroup_tuple = false;
def_sudoedit_checkdir = true;
/* Syslog options need special care since they both strings and ints */ /* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG) #if (LOGGING & SLOG_SYSLOG)
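Review bot: `def_sudoedit_checkdir = true;` is added to init_defaults() with no comment, even though the documentation in this commit makes a point of the default having changed in 1.8.16; a one-line comment such as `/* On by default as of 1.8.16, see sudoers(5) */` would tell the next reader why this flag is initialised differently from the surrounding ones. The commit changes no other place where option defaults are defined, so please confirm that whatever reports or documents the built-in defaults agrees with this value.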


@@ -586,6 +586,7 @@ command_info_to_details(char * const info[], struct command_details *details)
memset(details, 0, sizeof(*details)); memset(details, 0, sizeof(*details));
details->closefrom = -1; details->closefrom = -1;
details->execfd = -1; details->execfd = -1;
details->flags = CD_SUDOEDIT_CHECKDIR;
TAILQ_INIT(&details->preserved_fds); TAILQ_INIT(&details->preserved_fds);
#define SET_STRING(s, n) \ #define SET_STRING(s, n) \
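Review bot: `details->flags = CD_SUDOEDIT_CHECKDIR;` uses plain assignment rather than `|=`, which is only safe because it sits directly after the memset() that zeroes *details; any flag assignment later inserted above this line would be silently clobbered. Suggest `details->flags |= CD_SUDOEDIT_CHECKDIR;` or a comment stating that this must remain the first flag assignment. Setting the flag in the front end before the command_info strings are parsed also means the check is on even when the policy plugin sends no sudoedit_checkdir value at all, so the parsing that follows must clear the flag when the plugin explicitly sends it disabled; worth double-checking that path.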