isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Prime user/group cached and set the interface list.

Browse Source 
Also match parsed policy against multiple users.
This commit is contained in:
Todd C. Miller
2021-02-22 10:59:58 -07:00
parent 7463a1989f
commit f92080be62
2 changed files with 205 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
plugins/sudoers/regress/fuzz/fuzz_sudoers.c
View File

@@ -16,6 +16,8 @@
#include <config.h> #include <config.h>
#include <sys/socket.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -27,8 +29,16 @@
#elif defined(HAVE_INTTYPES_H) #elif defined(HAVE_INTTYPES_H)
# include <inttypes.h> # include <inttypes.h>
#endif #endif
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef NEED_RESOLV_H
# include <arpa/nameser.h>
# include <resolv.h>
#endif /* NEED_RESOLV_H */
#include <netdb.h>
#include "sudoers.h" #include "sudoers.h"
#include "interfaces.h"
static int fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[], struct sudo_conv_reply replies[], struct sudo_conv_callback *callback); static int fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[], struct sudo_conv_reply replies[], struct sudo_conv_callback *callback);
@@ -148,8 +158,13 @@ extern struct sudo_nss sudo_nss_file;
int int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
char **u, *users[] = { "root", "millert", "operator", NULL };
struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl); struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl);
struct sudoers_parse_tree parse_tree; struct sudoers_parse_tree parse_tree;
struct interface_list *interfaces;
struct passwd *pw;
struct group *gr;
char *gids[10];
FILE *fp; FILE *fp;
/* Don't waste time fuzzing tiny inputs. */ /* Don't waste time fuzzing tiny inputs. */
@@ -160,14 +175,73 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (fp == NULL) if (fp == NULL)
return 0; return 0;
/* The minimum needed to perform matching. */ /* Prime the group cache */
gr = sudo_mkgrent("wheel", 0, "millert", "root", NULL);
if (gr == NULL)
goto done;
sudo_gr_delref(gr);
gr = sudo_mkgrent("operator", 5, "operator", "root", "millert", NULL);
if (gr == NULL)
goto done;
sudo_gr_delref(gr);
gr = sudo_mkgrent("staff", 20, "root", "millert", NULL);
if (gr == NULL)
goto done;
sudo_gr_delref(gr);
/* Prime the passwd cache */
pw = sudo_mkpwent("root", 0, 0, "/", "/bin/sh");
if (pw == NULL)
goto done;
gids[0] = "0";
gids[1] = "20";
gids[2] = "5";
gids[3] = NULL;
if (sudo_set_gidlist(pw, gids, ENTRY_TYPE_FRONTEND) == -1)
goto done;
sudo_pw_delref(pw);
pw = sudo_mkpwent("operator", 2, 5, "/operator", "/sbin/nologin");
if (pw == NULL)
goto done;
gids[0] = "5";
gids[1] = NULL;
if (sudo_set_gidlist(pw, gids, ENTRY_TYPE_FRONTEND) == -1)
goto done;
sudo_pw_delref(pw);
pw = sudo_mkpwent("millert", 8036, 20, "/home/millert", "/bin/tcsh");
if (pw == NULL)
goto done;
gids[0] = "0";
gids[1] = "20";
gids[2] = "5";
gids[3] = NULL;
if (sudo_set_gidlist(pw, gids, ENTRY_TYPE_FRONTEND) == -1)
goto done;
sudo_pw_delref(pw);
/* The minimum needed to perform matching (user_cmnd must be dynamic). */
user_host = user_shost = user_runhost = user_srunhost = "localhost"; user_host = user_shost = user_runhost = user_srunhost = "localhost";
user_name = "nobody"; user_cmnd = strdup("/usr/bin/id");
user_cmnd = "/usr/bin/id";
user_args = "-u"; user_args = "-u";
user_base = "id"; user_base = "id";
sudo_user.pw = sudo_getpwnam("root");
runas_pw = sudo_getpwnam("root"); runas_pw = sudo_getpwnam("root");
if (user_cmnd == NULL || runas_pw == NULL)
goto done;
/* Add a fake network interfaces. */
interfaces = get_interfaces();
if (SLIST_EMPTY(interfaces)) {
static struct interface interface;
interface.family = AF_INET;
inet_pton(AF_INET, "128.138.243.151", &interface.addr.ip4);
inet_pton(AF_INET, "255.255.255.0", &interface.netmask.ip4);
SLIST_INSERT_HEAD(interfaces, &interface, entries);
}
/* Only one sudoers source, the sudoers file itself. */ /* Only one sudoers source, the sudoers file itself. */
TAILQ_INSERT_TAIL(&snl, &sudo_nss_file, entries); TAILQ_INSERT_TAIL(&snl, &sudo_nss_file, entries);
@@ -182,21 +256,41 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
reparent_parse_tree(&parse_tree); reparent_parse_tree(&parse_tree);
if (!parse_error) { if (!parse_error) {
/* Match command against parsed policy. */ /* Match user/host/command against parsed policy. */
int cmnd_status; for (u = users; (user_name = *u) != NULL; u++) {
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, false); int cmnd_status;
/* Match again as a pseudo-command (list, validate, etc). */ sudo_user.pw = sudo_getpwnam(user_name);
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, true); if (sudo_user.pw == NULL)
goto done;
/* Display privileges. */ sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, false);
display_privs(&snl, sudo_user.pw, false);
/* Match again as a pseudo-command (list, validate, etc). */
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, true);
/* Display privileges. */
display_privs(&snl, sudo_user.pw, false);
display_privs(&snl, sudo_user.pw, true);
sudo_pw_delref(sudo_user.pw);
sudo_user.pw = NULL;
}
} }
done:
/* Cleanup. */ /* Cleanup. */
fclose(fp);
free_parse_tree(&parse_tree); free_parse_tree(&parse_tree);
init_parser(NULL, false, true); init_parser(NULL, false, true);
fclose(fp); if (sudo_user.pw != NULL)
sudo_pw_delref(sudo_user.pw);
if (runas_pw != NULL)
sudo_pw_delref(runas_pw);
sudo_freepwcache();
sudo_freegrcache();
free(user_cmnd);
memset(&sudo_user, 0, sizeof(sudo_user));
return 0; return 0;
} }

156
plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok
View File

@@ -1,57 +1,99 @@
sudoers:1:6: syntax error Matching Defaults entries for root on localhost:
bogus syslog=auth, runcwd=~
^
sudoers:1:17: syntax error Runas and Command-specific defaults for root:
user ALL = (ALL) Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
^
sudoers:1:17: syntax error
user ALL = (ALL) User root may run the following commands on localhost:
^ (ALL) ALL
sudoers:4:21: invalid timeout value (ALL) ALL
user0 ALL = TIMEOUT=7dd4h10m30s /usr/bin/id, /usr/bin/who, TIMEOUT=0 /bin/ls
^~~~~~~~~~~ Matching Defaults entries for root on localhost:
sudoers:5:21: invalid timeout value syslog=auth, runcwd=~
user1 ALL = TIMEOUT=7d4h10mm30s /usr/bin/id
^~~~~~~~~~~ Runas and Command-specific defaults for root:
sudoers:6:21: invalid timeout value Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
user2 ALL = TIMEOUT=4hg10m30s /usr/bin/id
^~~~~~~~~
sudoers:7:21: invalid timeout value User root may run the following commands on localhost:
user3 ALL = TIMEOUT=10m30ss /usr/bin/id
^~~~~~~ Sudoers entry:
sudoers:8:21: invalid timeout value RunAsUsers: ALL
user4 ALL = TIMEOUT=14g /usr/bin/id Commands:
^~~ ALL
sudoers:4:28: syntax error
foo ALL = CWD=~ron /bin/ls \ Sudoers entry:
^~ RunAsUsers: ALL
sudoers:7:1: invalid line continuation Commands:
User_Alias BAR = bar ALL
^~~~~~~~~~
sudoers:2:19: empty string Matching Defaults entries for millert on localhost:
User_Alias FOO = "" syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
^
sudoers:3:2: empty string Runas and Command-specific defaults for millert:
"" ALL = ALL Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
^
sudoers:2:21: empty group
User_Alias FOO1 = "%" User millert may run the following commands on localhost:
^ (ALL) ALL
sudoers:3:22: empty group (root) NOPASSWD: ALL
User_Alias FOO2 = "%:"
^ Matching Defaults entries for millert on localhost:
sudoers:4:21: empty netgroup syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
User_Alias FOO3 = "+"
^ Runas and Command-specific defaults for millert:
sudoers:5:19: empty group Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
User_Alias FOO4 = %
^
sudoers:6:19: empty group User millert may run the following commands on localhost:
User_Alias FOO5 = %:
^~ Sudoers entry:
sudoers:7:19: empty netgroup RunAsUsers: ALL
User_Alias FOO6 = + Commands:
^ ALL
sudoers:8:20: unexpected line break in string
User_Alias UA4 = "x Sudoers entry:
^ RunAsUsers: root
Options: !authenticate
Commands:
ALL
Matching Defaults entries for operator on localhost:
syslog=auth, runcwd=~
Runas and Command-specific defaults for operator:
Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
User operator may run the following commands on localhost:
(root) /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, /usr/sbin/rrestore, /usr/bin/mt, sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups, /usr/bin/kill, /usr/bin/top, /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/lpc, /usr/bin/lprm, sudoedit /etc/printcap, /usr/oper/bin/
Matching Defaults entries for operator on localhost:
syslog=auth, runcwd=~
Runas and Command-specific defaults for operator:
Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
User operator may run the following commands on localhost:
Sudoers entry:
RunAsUsers: root
Commands:
/usr/sbin/dump
/usr/sbin/rdump
/usr/sbin/restore
/usr/sbin/rrestore
/usr/bin/mt
sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups
/usr/bin/kill
/usr/bin/top
/usr/sbin/shutdown
/usr/sbin/halt
/usr/sbin/reboot
/usr/sbin/lpc
/usr/bin/lprm
sudoedit /etc/printcap
/usr/oper/bin/