isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add pam_ruser and pam_rhost sudoers flags.

Browse Source
This commit is contained in:
Todd C. Miller
2020-03-01 13:37:00 -07:00
parent f561e2cafe
commit e1df9d1dc3
7 changed files with 110 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
doc/sudoers.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "January 22, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "March 1, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -2805,6 +2805,41 @@ by default.
.sp .sp
This setting is only supported by version 1.8.28 or higher. This setting is only supported by version 1.8.28 or higher.
.TP 18n .TP 18n
pam_rhost
On systems that use PAM for authentication,
\fBsudo\fR
will set the PAM remote host value to the name of the local host
when the
\fIpam_rhost\fR
flag is enabled.
On Linux systems, enabling
\fIpam_rhost\fR
may result in DNS lookups of the local host name when PAM is initialized.
On Solaris versions prior to Solaris 8,
\fIpam_rhost\fR
must be enabled if
\fIpam_ruser\fR
is also enabled to avoid a crash in the Solaris PAM implementation.
.sp
This flag is
\fIoff\fR
by default on systems other than Solaris.
.sp
This setting is only supported by version 1.9.0 or higher.
.TP 18n
pam_ruser
On systems that use PAM for authentication,
\fBsudo\fR
will set the PAM remote user value to the name of the user that invoked sudo
when the
\fIpam_ruser\fR
flag is enabled.
This flag is
\fIon\fR
by default.
.sp
This setting is only supported by version 1.9.0 or higher.
.TP 18n
pam_session pam_session
On systems that use PAM for authentication, On systems that use PAM for authentication,
\fBsudo\fR \fBsudo\fR

35
doc/sudoers.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd January 22, 2020 .Dd March 1, 2020
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -2639,6 +2639,39 @@ This flag is
by default. by default.
.Pp .Pp
This setting is only supported by version 1.8.28 or higher. This setting is only supported by version 1.8.28 or higher.
.It pam_rhost
On systems that use PAM for authentication,
.Nm sudo
will set the PAM remote host value to the name of the local host
when the
.Em pam_rhost
flag is enabled.
On Linux systems, enabling
.Em pam_rhost
may result in DNS lookups of the local host name when PAM is initialized.
On Solaris versions prior to Solaris 8,
.Em pam_rhost
must be enabled if
.Em pam_ruser
is also enabled to avoid a crash in the Solaris PAM implementation.
.Pp
This flag is
.Em off
by default on systems other than Solaris.
.Pp
This setting is only supported by version 1.9.0 or higher.
.It pam_ruser
On systems that use PAM for authentication,
.Nm sudo
will set the PAM remote user value to the name of the user that invoked sudo
when the
.Em pam_ruser
flag is enabled.
This flag is
.Em on
by default.
.Pp
This setting is only supported by version 1.9.0 or higher.
.It pam_session .It pam_session
On systems that use PAM for authentication, On systems that use PAM for authentication,
.Nm sudo .Nm sudo

31
plugins/sudoers/auth/pam.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1999-2005, 2007-2019 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 1999-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -229,22 +229,25 @@ sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
/* /*
* Set PAM_RUSER to the invoking user (the "from" user). * Set PAM_RUSER to the invoking user (the "from" user).
* We set PAM_RHOST to avoid a bug in Solaris 7 and below. * Solaris 7 and below require PAM_RHOST to be set if PAM_RUSER is.
* Note: PAM_RHOST may cause a DNS lookup on Linux in libaudit.
*/ */
rc = pam_set_item(pamh, PAM_RUSER, user_name); if (def_pam_ruser) {
if (rc != PAM_SUCCESS) { rc = pam_set_item(pamh, PAM_RUSER, user_name);
errstr = sudo_pam_strerror(pamh, rc); if (rc != PAM_SUCCESS) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, errstr = sudo_pam_strerror(pamh, rc);
"pam_set_item(pamh, PAM_RUSER, %s): %s", user_name, errstr); sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_set_item(pamh, PAM_RUSER, %s): %s", user_name, errstr);
}
} }
#ifdef __sun__ if (def_pam_rhost) {
rc = pam_set_item(pamh, PAM_RHOST, user_host); rc = pam_set_item(pamh, PAM_RHOST, user_host);
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
errstr = sudo_pam_strerror(pamh, rc); errstr = sudo_pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_set_item(pamh, PAM_RHOST, %s): %s", user_host, errstr); "pam_set_item(pamh, PAM_RHOST, %s): %s", user_host, errstr);
}
} }
#endif
#if defined(__LINUX_PAM__) || defined(__sun__) #if defined(__LINUX_PAM__) || defined(__sun__)
/* /*

8
plugins/sudoers/def_data.c
View File

@@ -537,6 +537,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"runas_check_shell", T_FLAG, "runas_check_shell", T_FLAG,
N_("Only permit running commands as a user with a valid shell"), N_("Only permit running commands as a user with a valid shell"),
NULL, NULL,
}, {
"pam_ruser", T_FLAG,
N_("Set the pam remote user to the user running sudo"),
NULL,
}, {
"pam_rhost", T_FLAG,
N_("Set the pam remote host to the local host name"),
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }

4
plugins/sudoers/def_data.h
View File

@@ -248,6 +248,10 @@
#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag) #define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
#define I_RUNAS_CHECK_SHELL 124 #define I_RUNAS_CHECK_SHELL 124
#define def_runas_check_shell (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag) #define def_runas_check_shell (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
#define I_PAM_RUSER 125
#define def_pam_ruser (sudo_defs_table[I_PAM_RUSER].sd_un.flag)
#define I_PAM_RHOST 126
#define def_pam_rhost (sudo_defs_table[I_PAM_RHOST].sd_un.flag)
enum def_tuple { enum def_tuple {
never, never,

7
plugins/sudoers/def_data.in
View File

@@ -390,4 +390,9 @@ runas_allow_unknown_id
runas_check_shell runas_check_shell
T_FLAG T_FLAG
"Only permit running commands as a user with a valid shell" "Only permit running commands as a user with a valid shell"
pam_ruser
T_FLAG
"Set the pam remote user to the user running sudo"
pam_rhost
T_FLAG
"Set the pam remote host to the local host name"

6
plugins/sudoers/defaults.c
View File

@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1999-2005, 2007-2018 * Copyright (c) 1999-2005, 2007-2020
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@@ -514,6 +514,10 @@ init_defaults(void)
def_env_reset = ENV_RESET; def_env_reset = ENV_RESET;
def_set_logname = true; def_set_logname = true;
def_closefrom = STDERR_FILENO + 1; def_closefrom = STDERR_FILENO + 1;
def_pam_ruser = true;
#ifdef __sun__
def_pam_rhost = true;
#endif
if ((def_pam_service = strdup("sudo")) == NULL) if ((def_pam_service = strdup("sudo")) == NULL)
goto oom; goto oom;
#ifdef HAVE_PAM_LOGIN #ifdef HAVE_PAM_LOGIN