isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
12,726 Commits 1 Branch 0 Tags
0f40753d46bfd704869e77d25c765a81ff1e3457
Commit Graph

1666 Commits

Author SHA1 Message Date
Todd C. Miller
19065cb221 Use strtoul() on systems without strtoull(). 
We can assume that systems without strtoull() have 32-bit resource limits.
 2021-11-08 18:21:15 -07:00
Todd C. Miller
74ef983f60 Add front-end support for setting resouce limits. 
The special value "user" means preserve the invoking user's limit.
The value "default" means don't override the default limit for the
user as assigned by the system (PAM, loging.conf, userdb, etc).
 2021-11-08 18:21:11 -07:00
Todd C. Miller
9c465f84ad switch_user_nonfatal: only define if using faccessat() 2021-11-08 17:45:26 -07:00
Todd C. Miller
22d624c028 Rename selinux_setcon -> selinux_setexeccon 2021-11-05 12:34:03 -06:00
Todd C. Miller
e92c3d841e In the SELinux role is "unconfined_r", disable SELinux support. 
We only want to apply SELinux to confined users.  This is a bit of
a hack as unconfined_r is specific to the targeted policy.
 2021-11-05 12:33:31 -06:00
Todd C. Miller
e97fb5fd0b Separate out the code to compute the context from selinux_setup(). 
This makes it possible to determine whether we really need to execute
the command via the sesh helper.  What was left of selinux_setup()
is now selinux_relabel_tty() and selinux_audit_role_change().
 2021-11-05 12:33:20 -06:00
Todd C. Miller
a336a8422f Pass status of selinux sudoers setting to front-end as selinux-rbac. 
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.
 2021-11-05 12:32:02 -06:00
Todd C. Miller
6804632591 Make get_exec_context static, it is unused outside selinux.c. 2021-11-01 14:15:08 -06:00
Todd C. Miller
a527d6dfdd dir_is_writable: add fallback if changing UIDs fails 
The SELinux policy may not allow uid/gid changes which will break
the writability checks and cause sudoedit to fail.
 2021-11-05 12:24:51 -06:00
Todd C. Miller
73e9256f9d Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure. 
FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP.
This is only used to present the user with a more appropriate error
message.
 2021-09-26 08:05:08 -06:00
Todd C. Miller
5421c61828 Add intercept_cleanup() stub for when building w/o intercept support. 2021-09-20 09:01:05 -06:00
Todd C. Miller
a8c4d9800b Add intercept_cleanup() to free the closure used by intercept_accept_cb(). 2021-09-20 08:50:42 -06:00
Todd C. Miller
4289e9609d Teach mkdep.pl about --tag=disable-static in LTFLAGS. 
If static objs are disabled we need to add explicit dependencies for
.o files.  The OpenBSD libtool doesn't use a pic object file when
linking executables so we need to build the non-pic objects too.
 2021-09-13 09:33:17 -06:00
Todd C. Miller
51d5f05e67 sudo_interposer_init: verify message type from sudo 
We should only get a HelloResponse from sudo at this point.
 2021-09-15 11:20:45 -06:00
Todd C. Miller
db750232c5 Avoid symbol name clash to fix --enable-static-sudoers linking. 2021-09-15 11:19:03 -06:00
Todd C. Miller
3a4aec7a62 sudo_intercept.so: only replace execvpe() if it is present. 
execvpe() is a GNU extension also found on *BSD (but not macOS).
 2021-09-08 11:09:59 -06:00
Todd C. Miller
6c456127b3 Implement simple PATH resolution for execvp(). 
We want to use PATH from the current value of the environment, not
the initial value of PATH when the policy was opened.
This is a little different from how real execvp() works since we
use stat() instead of just execve().
 2021-09-07 19:55:47 -06:00
Todd C. Miller
7ae62866e4 Add support for execl, execle, execlp, execvp, and execvpe. 
Currently, PATH traversal is handled by sudoers which uses
the original PATH, not the one updated by the shell.
 2021-09-07 19:55:45 -06:00
Todd C. Miller
157ceadfab Fix computation of the token address when handling a partial read. 
We want to treat it as an array of bytes, not an array of tokens.
Coverity CID 240011
 2021-09-02 14:15:50 -06:00
Todd C. Miller
967bcab4db regen 2021-09-01 13:37:17 -06:00
Todd C. Miller
38d884a62d Do not compile intercept code if --disable-intercept is specified. 2021-09-01 13:35:47 -06:00
Todd C. Miller
9a690a8984 Switch to a 128-bit token instead of a 64-bit secret. 
Protobuf doesn't have a 128-bit type so use two u64s.
We now support partial reads of the token.
 2021-09-01 10:17:26 -06:00
Todd C. Miller
9137909c7d sudo_intercept.so: send the secret immediately after connecting. 
Sending the secret out of band, before the message size is read,
should make it harder to mount a DoS attack.
 2021-08-31 16:33:54 -06:00
Todd C. Miller
26938012f8 Handle reading large messages that don't fit in a single recv(). 
We know the length of what we are receiving so just loop until
we have it all, get EOF or an error.
 2021-08-31 12:09:05 -06:00
Todd C. Miller
a078bc64bb Make the sudo side of the intercept socket non-blocking. 2021-08-31 07:46:58 -06:00
Todd C. Miller
3c26b92a75 Handle partial read/write by dropping back into the event loop. 2021-08-31 07:36:54 -06:00
Todd C. Miller
33d1b26c6a intercept_check_policy: Fix double free introduced in last commit 
If the command is not accepted we don't rebuild command_info[] and
must not free it.  It will be freed by the policy instead.
 2021-08-31 05:50:52 -06:00
Todd C. Miller
168d5c47c9 Update runcwd in command_info[] before passing it to the audit plugin. 
Since sudoers does rejected commands itself the runcwd will still
not be correct for those.
 2021-08-27 15:58:19 -06:00
Todd C. Miller
22de92b0da Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var. 2021-08-27 13:19:58 -06:00
Todd C. Miller
75bac8dee9 intercept_check_policy: fix potential NUL dereference on the error path. 2021-08-26 17:29:30 -06:00
Todd C. Miller
ba171724f7 Rename log_children -> log_subcmds 2021-08-26 16:36:41 -06:00
Todd C. Miller
3d8b327c60 Fix use-after-free on error. 
Also remove useless free of a ptr that is always NULL on the error path.
 2021-08-26 10:07:50 -06:00
Todd C. Miller
dc30c842bb No longer need to remap intercept fd but we do need to remap debug fd. 
The intercept fd is closed in the ctor but the debug fd will still be open.
 2021-08-26 09:57:25 -06:00
Todd C. Miller
70aef0eb2d sudo_debug_register: add minfd argument to specify lowest fd number 
Use this in sudo_intercept.so to avoid allocating a low-numbered
fd which the shell reserves for use by scripts.
 2021-08-26 09:57:24 -06:00
Todd C. Miller
d6a71fe32e Fix command name of sub-command in logs when log_children is set. 2021-08-26 09:46:26 -06:00
Todd C. Miller
438a0cf07e Add a state variable to intercept_closure, replaces policy_result. 2021-08-25 14:24:36 -06:00
Todd C. Miller
c465d8971d Change intercept IPC to use a localhost socket instead of inherited fd. 
This allows intercept mode to work with shells that close all open
fds upon startup.  The ctor in sudo_intercept.so requests the port
number and secret over the socket inherited from the parent then
closes it.  For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check.  Child processes
re-use the TCP socket to request the port number and secret just like
the initial process started by sudo does.
 2021-08-25 14:24:36 -06:00
Todd C. Miller
448536e0f7 Fold intercept_closure_reset() into intercept_close(). 2021-08-24 13:00:52 -06:00
Todd C. Miller
222d6f94cd Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD. 2021-08-24 08:51:43 -06:00
Todd C. Miller
1391813443 Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD vars. 2021-08-24 08:34:14 -06:00
Todd C. Miller
df68f4c8d9 Fix typo in macOS execv change. 2021-08-24 08:09:20 -06:00
Todd C. Miller
98401c0588 Add execv(3) support to sudo_intercept.so. 
This allows intercept to work with csh which uses execv(3) not execve(2).
 2021-08-21 08:44:16 -06:00
Todd C. Miller
4ccd966e22 Add exports file for sudo_intercept.so that only exports execve() 2021-08-20 11:49:22 -06:00
Todd C. Miller
dc281f0366 Add some debugging to the sudo_intercept.so. 2021-08-20 11:32:29 -06:00
Todd C. Miller
5d3ab032f2 intercept_fd_cb: store the passed fd in newfd, not fd 
only affects the old BSD-style fd passing code, not POSIX-style.
 2021-08-19 13:10:44 -06:00
Todd C. Miller
ad5feeb40b regen 2021-08-18 15:48:05 -06:00
Todd C. Miller
340d753947 Fix memory leak when client requests secret. 
Move closure allocation closer to where it is used.
 2021-08-14 08:54:36 -06:00
Todd C. Miller
a55b54329e Add missing stdint.h and sudo_rand.h includes. 
Needed for arc4random() and uin64_t.
 2021-08-13 09:25:01 -06:00
Todd C. Miller
eaf03a382b Pass a secret value to sudo_intercept.so and verify after policy check. 
The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
 2021-08-13 09:10:44 -06:00
Todd C. Miller
c9d9225469 Split off intercept code into exec_intercept.c. 2021-08-11 16:00:47 -06:00