Add intercept_allow_setid sudoers option, disabled by default.

With this change, a shell in intercept mode cannot run a setuid or
setgid binary by default.  On most systems, the dynamic loader will
ignore LD_PRELOAD for setuid/setgid binaries such as sudo, which
would effectively disable intercept mode.
Todd C. Miller
2021-08-18 15:43:26 -06:00
parent 53a95e3a50
commit f9d3f46fa7
9 changed files with 130 additions and 39 deletions


@@ -124,6 +124,8 @@ sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
debug_decl(sudoers_lookup_check, SUDOERS_DEBUG_PARSER);
memset(info, 0, sizeof(*info));
if (def_intercept || ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
info->intercepted = true;
TAILQ_FOREACH_REVERSE(us, &nss->parse_tree->userspecs, userspec_list, entries) {
if (userlist_matches(nss->parse_tree, pw, &us->users) != ALLOW)