Make sudoedit_checkdir the default and update the documentation accordingly.

Todd C. Miller
2016-01-19 14:16:25 -07:00
parent e719d954e7
commit de0208a01b
8 changed files with 135 additions and 107 deletions


@@ -126,12 +126,23 @@ DDEESSCCRRIIPPTTIIOONN
copied back to their original location and the
temporary versions are removed.
Unless explicitly allowed by the security policy, symbolic
links will not be opened. This helps prevent the editing of
unauthorized files when the file is located in a user-
writable directory. Versions of ssuuddoo prior to 1.8.15 do not
have this restriction. Users are never allowed to edit
device special files.
To help prevent the editing of unauthorized files, the
following restrictions are enforced unless explicitly allowed
by the security policy:
++oo Symbolic links may not be edited (version 1.8.15 and
higher).
++oo Symbolic links along the path to be edited are not
followed when the parent directory is writable by the
invoking user unless that user is root (version 1.8.16
and higher).
++oo Files located in a directory that is writable by the
invoking user may not be edited unless that user is root
(version 1.8.16 and higher).
Users are never allowed to edit device special files.
If the specified file does not exist, it will be created.
Note that unlike most commands run by _s_u_d_o, the editor is run
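Review bot: sudo.cat is a generated rendering (the sudo.man.in header in this same commit says the master is sudo.mdoc.in), so this hunk should be the output of a rebuild rather than a hand edit; the three bullets do match the sudo.mdoc.in hunk word for word, which is the thing to check. One wording point for the master: two of the bullets end with "unless that user is root" while the "Users are never allowed to edit device special files" sentence carries no exception, so it may be worth stating explicitly that the device-file rule has no root exemption.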
@@ -440,14 +451,7 @@ SSEECCUURRIITTYY NNOOTTEESS
Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are
writable by the user or that reside in a directory that is writable by
the user. If the user can modify or replace the command there is no way
to limit what additional commands they can run. Likewise, users should
_n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that resides in a
directory the user has write access to. A user with directory write
access could replace the legitimate file with a link to some other,
arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to
open a symbolic link unless the security policy explicitly permits it.
However, it is still possible to create a hard link if the directory is
writable and the link target resides on the same file system.
to limit what additional commands they can run.
Please note that ssuuddoo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
@@ -617,4 +621,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details.
Sudo 1.8.16 November 20, 2015 Sudo 1.8.16
Sudo 1.8.16 January 19, 2016 Sudo 1.8.16


@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDO" "8" "November 20, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "8" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -296,13 +296,23 @@ their original location and the temporary versions are removed.
.RE
.RS 12n
.sp
Unless explicitly allowed by the security policy, symbolic links
will not be opened.
This helps prevent the editing of unauthorized files when the file
is located in a user-writable directory.
Versions of
\fBsudo\fR
prior to 1.8.15 do not have this restriction.
To help prevent the editing of unauthorized files, the following
restrictions are enforced unless explicitly allowed by the security policy:
.RS 16n
.TP 4n
\fB\(bu\fR
Symbolic links may not be edited (version 1.8.15 and higher).
.TP 4n
\fB\(bu\fR
Symbolic links along the path to be edited are not followed when the
parent directory is writable by the invoking user unless that user
is root (version 1.8.16 and higher).
.TP 4n
\fB\(bu\fR
Files located in a directory that is writable by the invoking user may
not be edited unless that user is root (version 1.8.16 and higher).
.RE
.sp
Users are never allowed to edit device special files.
.sp
If the specified file does not exist, it will be created.
@@ -883,20 +893,6 @@ privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
Likewise, users should
\fInever\fR
be granted
\fBsudoedit\fR
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
\fBsudoedit\fR
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.PP
Please note that
\fBsudo\fR


@@ -1,5 +1,5 @@
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd November 20, 2015
.Dd January 19, 2016
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -269,13 +269,20 @@ If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
.El
.Pp
Unless explicitly allowed by the security policy, symbolic links
will not be opened.
This helps prevent the editing of unauthorized files when the file
is located in a user-writable directory.
Versions of
.Nm
prior to 1.8.15 do not have this restriction.
To help prevent the editing of unauthorized files, the following
restrictions are enforced unless explicitly allowed by the security policy:
.Bl -bullet -offset 4
.It
Symbolic links may not be edited (version 1.8.15 and higher).
.It
Symbolic links along the path to be edited are not followed when the
parent directory is writable by the invoking user unless that user
is root (version 1.8.16 and higher).
.It
Files located in a directory that is writable by the invoking user may
not be edited unless that user is root (version 1.8.16 and higher).
.El
.Pp
Users are never allowed to edit device special files.
.Pp
If the specified file does not exist, it will be created.
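Review bot: the lead-in sentence "unless explicitly allowed by the security policy" does not tell the sudo(8) reader which settings grant that permission. The sudoers hunks in this commit name them (sudoedit_follow for the first bullet, sudoedit_checkdir for the second and third), so a pointer to those options in sudoers(5) here would let the reader find the knobs without guessing which bullet each one controls.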
@@ -818,20 +825,6 @@ privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
Likewise, users should
.Em never
be granted
.Nm sudoedit
permission to edit a file that resides in a directory the user has
write access to.
A user with directory write access could replace the legitimate
file with a link to some other, arbitrary, file.
Starting with version 1.8.15,
.Nm sudoedit
will refuse to open a symbolic link unless the security policy
explicitly permits it.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.Pp
Please note that
.Nm
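Review bot: this removes the entire sudoedit paragraph from the sudo(8) SECURITY NOTES, including the hard-link caveat, so the remaining text only warns about writable command files and says nothing about sudoedit at all. Since the sudoers.mdoc.in hunk in this commit still documents that the directory check can be disabled, a one-line cross-reference to the SECURITY NOTES of sudoers(5) would keep a sudo(8) reader from concluding that the writable-directory concern no longer exists.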


@@ -614,9 +614,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
NOEXEC works and whether or not it will work on your system.
_F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not
follow symbolic links when opening files unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w
option is enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of
_F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open
a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is
enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of
_s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of
symbolic links on a per-command basis. These tags are only effective
for the _s_u_d_o_e_d_i_t command and are ignored for all other commands.
@@ -1257,15 +1257,20 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
system call. This flag is _o_f_f by default.
sudoedit_checkdir
If set, ssuuddooeeddiitt will check directories in the path to
be edited for writability by the invoking user.
Symbolic links will not be followed in writable
directories and ssuuddooeeddiitt will also refuse to edit a
file located in a writable directory. Theses
restrictions are not enforced when ssuuddooeeddiitt is invoked
as root. On many systems, this option requires that
all directories in the path to be edited be readable by
the target user. This flag is _o_f_f by default.
If set, ssuuddooeeddiitt will check all directory components of
the path to be edited for writability by the invoking
user. Symbolic links will not be followed in writable
directories and ssuuddooeeddiitt will refuse to edit a file
located in a writable directory. These restrictions
are not enforced when ssuuddooeeddiitt is run by root. On some
systems, if all directory components of the path to be
edited are not readable by the target user, ssuuddooeeddiitt
will be unable to edit the file. This flag is _o_n by
default.
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate
directories was added in version 1.8.16.
sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links
when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be
@@ -2378,12 +2383,14 @@ SSEECCUURRIITTYY NNOOTTEESS
resides in a directory the user has write access to, either directly or
via a wildcard. If the user has write access to the directory it is
possible to replace the legitimate file with a link to another file,
allowing the editing of arbitrary files. Starting with version 1.8.15,
allowing the editing of arbitrary files. To prevent this, starting with
version 1.8.16, symbolic links will not be followed in writable
directories and ssuuddooeeddiitt will refuse to edit a file located in a writable
directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the
invoking user is root. Additionally, in version 1.8.15 and higher,
ssuuddooeeddiitt will refuse to open a symbolic link unless either the
_s_u_d_o_e_d_i_t___f_o_l_l_o_w Defaults option is enabled or the _s_u_d_o_e_d_i_t command is
prefixed with the FOLLOW tag. However, it is still possible to create a
hard link if the directory is writable and the link target resides on the
same file system.
_s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed
with the FOLLOW tag in the _s_u_d_o_e_r_s file.
TTiimmee ssttaammpp ffiillee cchheecckkss
ssuuddooeerrss will check the ownership of its time stamp directory
@@ -2524,4 +2531,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details.
Sudo 1.8.16 January 16, 2016 Sudo 1.8.16
Sudo 1.8.16 January 19, 2016 Sudo 1.8.16


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "January 16, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -1298,7 +1298,7 @@ works and whether or not it will work on your system.
\fIFOLLOW\fR and \fINOFOLLOW\fR
Starting with version 1.8.15,
\fBsudoedit\fR
will not follow symbolic links when opening files unless the
will not open a file that is a symbolic link unless the
\fIsudoedit_follow\fR
option is enabled.
The
@@ -2687,19 +2687,25 @@ sudoedit_checkdir
.br
If set,
\fBsudoedit\fR
will check directories in the path to be edited for writability
will check all directory components of the path to be edited for writability
by the invoking user.
Symbolic links will not be followed in writable directories and
\fBsudoedit\fR
will also refuse to edit a file located in a writable directory.
Theses restrictions are not enforced when
will refuse to edit a file located in a writable directory.
These restrictions are not enforced when
\fBsudoedit\fR
is invoked as root.
On many systems, this option requires that all directories
in the path to be edited be readable by the target user.
is run by root.
On some systems, if all directory components of the path to be edited
are not readable by the target user,
\fBsudoedit\fR
will be unable to edit the file.
This flag is
\fIoff\fR
\fIon\fR
by default.
.sp
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate directories
was added in version 1.8.16.
.TP 18n
sudoedit_follow
By default,
@@ -4847,17 +4853,24 @@ has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
Starting with version 1.8.15,
To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
\fBsudoedit\fR
will refuse to edit a file located in a writable directory
unless the
\fIsudoedit_checkdir\fR
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
\fBsudoedit\fR
will refuse to open a symbolic link unless either the
\fIsudoedit_follow\fR
Defaults option is enabled or the
option is enabled or the
\fIsudoedit\fR
command is prefixed with the
\fRFOLLOW\fR
tag.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
tag in the
\fIsudoers\fR
file.
.SS "Time stamp file checks"
\fBsudoers\fR
will check the ownership of its time stamp directory


@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd January 16, 2016
.Dd January 19, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -1215,7 +1215,7 @@ works and whether or not it will work on your system.
.It Em FOLLOW No and Em NOFOLLOW
Starting with version 1.8.15,
.Nm sudoedit
will not follow symbolic links when opening files unless the
will not open a file that is a symbolic link unless the
.Em sudoedit_follow
option is enabled.
The
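Review bot: the reworded sentence ("will not open a file that is a symbolic link") is a useful precision fix, because the old "will not follow symbolic links when opening files" also read as covering intermediate path components, which per the sudoedit_checkdir hunk in this commit are now governed by that option rather than by sudoedit_follow. Consider stating that split in one clause here (or in the sudoedit_follow entry) so readers do not expect FOLLOW/NOFOLLOW to affect symbolic links along the path.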
@@ -2517,19 +2517,25 @@ by default.
.It sudoedit_checkdir
If set,
.Nm sudoedit
will check directories in the path to be edited for writability
will check all directory components of the path to be edited for writability
by the invoking user.
Symbolic links will not be followed in writable directories and
.Nm sudoedit
will also refuse to edit a file located in a writable directory.
Theses restrictions are not enforced when
will refuse to edit a file located in a writable directory.
These restrictions are not enforced when
.Nm sudoedit
is invoked as root.
On many systems, this option requires that all directories
in the path to be edited be readable by the target user.
is run by root.
On some systems, if all directory components of the path to be edited
are not readable by the target user,
.Nm sudoedit
will be unable to edit the file.
This flag is
.Em off
.Em on
by default.
.Pp
This setting was first introduced in version 1.8.15.
The check for symbolic links in writable intermediate directories
was added in version 1.8.16.
.It sudoedit_follow
By default,
.Nm sudoedit
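Review bot: "if all directory components of the path to be edited are not readable by the target user" literally means no component is readable; the intended condition is that any one of them is unreadable, so "if not all directory components ... are readable" or "if any directory component ... is not readable" would say it. Separately, flipping "off" to "on" changes behaviour for existing deployments that edit files in user-writable directories; the new paragraph that records "first introduced in version 1.8.15" and "added in version 1.8.16" is the natural place to also record which version made the check the default.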
@@ -4468,17 +4474,24 @@ has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
Starting with version 1.8.15,
To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
.Nm sudoedit
will refuse to edit a file located in a writable directory
unless the
.Em sudoedit_checkdir
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
.Nm sudoedit
will refuse to open a symbolic link unless either the
.Em sudoedit_follow
Defaults option is enabled or the
option is enabled or the
.Em sudoedit
command is prefixed with the
.Li FOLLOW
tag.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
tag in the
.Em sudoers
file.
.Ss Time stamp file checks
.Nm sudoers
will check the ownership of its time stamp directory
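Review bot: dropping "However, it is still possible to create a hard link if the directory is writable and the link target resides on the same file system" is only justified while sudoedit_checkdir is on, yet the same paragraph now presents the option having "been disabled" as a supported state. With the check off, a writable directory plus a hard link is exactly the case the removed sentence warned about, and sudoedit_follow does not cover it because a hard link is not a symbolic link. Suggest keeping the caveat, qualified with "if sudoedit_checkdir is disabled".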


@@ -440,6 +440,7 @@ init_defaults(void)
def_use_netgroups = true;
#endif
def_netgroup_tuple = false;
def_sudoedit_checkdir = true;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)
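Review bot: assigning def_sudoedit_checkdir = true here only changes the initial value, so a "Defaults !sudoedit_checkdir" line in sudoers still turns the check off, which matches the manual text in this commit ("unless the sudoedit_checkdir option has been disabled"). The line lands between the netgroup defaults and the syslog block without a comment; a short comment naming it as the sudoedit directory check (or grouping it with any other sudoedit-related defaults initialised in this function) would help the next reader, and wherever else the documented default for this option is recorded should be confirmed to agree with this runtime value, since the hunk shows only the assignment.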


@@ -586,6 +586,7 @@ command_info_to_details(char * const info[], struct command_details *details)
memset(details, 0, sizeof(*details));
details->closefrom = -1;
details->execfd = -1;
details->flags = CD_SUDOEDIT_CHECKDIR;
TAILQ_INIT(&details->preserved_fds);
#define SET_STRING(s, n) \
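Review bot: `details->flags = CD_SUDOEDIT_CHECKDIR;` makes the front end assume the directory check is on before the policy plugin's command_info is parsed, so the parsing below must explicitly clear the bit when the plugin reports the option as disabled; worth verifying that the false case is handled rather than only setting the bit on true, otherwise "Defaults !sudoedit_checkdir" would have no effect on the front end. The plain assignment right after memset() is correct as written, but `|=` would be safer against a later default flag being added above it.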