isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs.

Browse Source 
Previous, sudo would always allow unknown user or group IDs if the
sudoers entry permitted it.  This included the "ALL" alias.
With this change, the admin must explicitly enable support for unknown IDs.
This commit is contained in:
Todd C. Miller
2019-12-09 17:14:06 -07:00
parent d7b4f88658
commit df8f06609c
7 changed files with 71 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
plugins/sudoers/sudoers.c
View File

@@ -106,6 +106,8 @@ static char *prev_user;
static char *runas_user;
static char *runas_group;
static struct sudo_nss_list *snl;
static bool unknown_runas_uid;
static bool unknown_runas_gid;
#ifdef __linux__
static struct rlimit nproclimit;
@@ -376,6 +378,22 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
}
}
/* Defer uid/gid checks until after defaults have been updated. */
if (unknown_runas_uid && !def_runas_allow_unknown_id) {
audit_failure(NewArgc, NewArgv, N_("unknown user: %s"),
runas_pw->pw_name);
sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name);
goto done;
}
if (runas_gr != NULL) {
if (unknown_runas_gid && !def_runas_allow_unknown_id) {
audit_failure(NewArgc, NewArgv, N_("unknown group: %s"),
runas_gr->gr_name);
sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name);
goto done;
}
}
/*
* Look up the timestamp dir owner if one is specified.
*/
@@ -1192,12 +1210,15 @@ set_runaspw(const char *user, bool quiet)
struct passwd *pw = NULL;
debug_decl(set_runaspw, SUDOERS_DEBUG_PLUGIN)
unknown_runas_uid = false;
if (*user == '#') {
const char *errstr;
uid_t uid = sudo_strtoid(user + 1, &errstr);
if (errstr == NULL) {
if ((pw = sudo_getpwuid(uid)) == NULL)
if ((pw = sudo_getpwuid(uid)) == NULL) {
unknown_runas_uid = true;
pw = sudo_fakepwnam(user, user_gid);
}
}
}
if (pw == NULL) {
@@ -1223,12 +1244,15 @@ set_runasgr(const char *group, bool quiet)
struct group *gr = NULL;
debug_decl(set_runasgr, SUDOERS_DEBUG_PLUGIN)
unknown_runas_gid = false;
if (*group == '#') {
const char *errstr;
gid_t gid = sudo_strtoid(group + 1, &errstr);
if (errstr == NULL) {
if ((gr = sudo_getgrgid(gid)) == NULL)
if ((gr = sudo_getgrgid(gid)) == NULL) {
unknown_runas_gid = true;
gr = sudo_fakegrnam(group);
}
}
}
if (gr == NULL) {