Todd C. Miller
a32a54dced
Correct error message when command doesn't exist in intercept mode.
Previously, we would always use EACCES, even when ENOENT was
appropriate. This also affected log_subcmds.
2023-01-25 10:31:49 -07:00
modric
b1af59aa56
intercept_read: Print and then return.
2022-11-21 09:57:14 +08:00
Todd C. Miller
8db1eb0c8b
Update the cwd for log_subcmds too.
Fixes a problem for intercept_method=trace when running a relative
command from a different directory than what sudo was started from.
GitHub issue #194
2022-11-07 12:14:15 -07:00
Todd C. Miller
57b5ff8e8c
Avoid a -Wshadow warning on Solaris 9.
2022-10-07 11:00:17 -06:00
Todd C. Miller
2902ebe067
intercept_check_policy_req: an empty argv[] is now supported
2022-08-25 14:21:12 -06:00
Todd C. Miller
bc5016296d
Handle the case where argc is 0 when rebuilding argv.
We need to pass the pathname to the policy plugin in argv[0] so we
must be sure to allocate space for it even if argc is 0.
2022-08-18 15:07:25 -06:00
Todd C. Miller
de3d5fe934
Reject relative command paths if runcwd is not set.
This is now treated as a policy rejection.
2022-07-26 11:04:29 -06:00
Todd C. Miller
16ea0bb3fd
intercept_check_policy: close saved_dir before returning
2022-07-26 08:56:27 -06:00
Todd C. Miller
3c1f3ef102
Change to runcwd during the policy check where possible.
Otherwise, attempts to run "./command" from a shell with intercept
set will fail if the current working directory is different from
the main sudo process.
2022-07-26 08:43:44 -06:00
Todd C. Miller
75e97fd5b2
Make sure the plugin provides a command, argv and envp.
2022-07-14 09:49:00 -06:00
Todd C. Miller
e5652fc65a
Linux execve(2) allows argv or envp to be NULL.
Add checks to make sure we don't dereference a NULL pointer.
2022-07-14 09:29:40 -06:00
Todd C. Miller
a5ac29219a
intercept_check_policy: add oom label and fix approval failure case.
If the approval plugin fails we need to set the state to POLICY_REJECT
just like we do if the policy rejected the command.
2022-07-13 13:06:21 -06:00
Todd C. Miller
3cd9c5f5e6
Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds.
There's no real reason for the command to wait for sudo to send back a
response that will always be a PolicyAcceptMessage.
2022-06-30 13:35:07 -06:00
Todd C. Miller
e9c2695268
intercept_write: remove unused CD_USE_PTRACE code.
It is not possible to end up in intercept_write when CD_USE_PTRACE
is set.
2022-06-21 09:54:41 -06:00
Todd C. Miller
332a6afe77
Set TCP_NODELAY on the socket used for intercept IPC to reduce latency.
On some systems, Nagle's algorithm was delaying receipt of the data,
causing commands with intercept or log_subcmds to run slowly.
Related to Bug #1034.
2022-06-20 16:22:29 -06:00
Todd C. Miller
8829c028d3
Add debug printfs when send/recv return EAGAIN or EINTR.
These are not actually errors but can help gain insight into what
is going on and, in the case of EAGAIN, whether or not there may
be a kernel resource starvation problem.
2022-06-20 14:58:06 -06:00
Todd C. Miller
f19a71a3db
Move a comment to the correct location.
2022-06-03 10:32:47 -06:00
Todd C. Miller
38c6e1bffb
Standardize protobuf "unable to unpack" warning messages.
2022-05-26 09:35:18 -06:00
Todd C. Miller
4010d06ed0
In ptrace(2) intercept mode, add execveat to the seccomp(2) filter.
This allows us to avoid logging the initial command twice regardless
of whether the kernel supports execveat(2) or not.
2022-04-29 13:09:03 -06:00
Todd C. Miller
52cacfc302
For ptrace intercept mode, do not do a policy check for the initial command.
We can skip the policy check for the execve(2) of the initial command
since it has already been checked. Otherwise, we would log the command
twice. When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2). However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
2022-04-29 13:09:03 -06:00
Todd C. Miller
8e375445fb
Check the policy for ptrace-based intercept mode.
2022-04-29 13:08:59 -06:00
Todd C. Miller
01733a5214
Add scaffolding for ptrace-based intercept mode.
2022-04-29 12:35:31 -06:00
Todd C. Miller
841375783a
Don't require a pty for intercept or log_subcmds.
The code to take back control of the tty before a policy check
doesn't appear to be needed. If the command is run in its own pty,
sudo has control over the user's tty. If the command is run in
the user's tty, sudo should be in the foreground process group.
2022-04-20 11:56:26 -06:00
Todd C. Miller
5421c61828
Add intercept_cleanup() stub for when building w/o intercept support.
2021-09-20 09:01:05 -06:00
Todd C. Miller
a8c4d9800b
Add intercept_cleanup() to free the closure used by intercept_accept_cb().
2021-09-20 08:50:42 -06:00
Todd C. Miller
db750232c5
Avoid symbol name clash to fix --enable-static-sudoers linking.
2021-09-15 11:19:03 -06:00
Todd C. Miller
157ceadfab
Fix computation of the token address when handling a partial read.
We want to treat it as an array of bytes, not an array of tokens.
Coverity CID 240011
2021-09-02 14:15:50 -06:00
Todd C. Miller
38d884a62d
Do not compile intercept code if --disable-intercept is specified.
2021-09-01 13:35:47 -06:00
Todd C. Miller
9a690a8984
Switch to a 128-bit token instead of a 64-bit secret.
Protobuf doesn't have a 128-bit type so use two u64s.
We now support partial reads of the token.
2021-09-01 10:17:26 -06:00
Todd C. Miller
9137909c7d
sudo_intercept.so: send the secret immediately after connecting.
Sending the secret out of band, before the message size is read,
should make it harder to mount a DoS attack.
2021-08-31 16:33:54 -06:00
Todd C. Miller
a078bc64bb
Make the sudo side of the intercept socket non-blocking.
2021-08-31 07:46:58 -06:00
Todd C. Miller
3c26b92a75
Handle partial read/write by dropping back into the event loop.
2021-08-31 07:36:54 -06:00
Todd C. Miller
33d1b26c6a
intercept_check_policy: Fix double free introduced in last commit
If the command is not accepted we don't rebuild command_info[] and
must not free it. It will be freed by the policy instead.
2021-08-31 05:50:52 -06:00
Todd C. Miller
168d5c47c9
Update runcwd in command_info[] before passing it to the audit plugin.
Since sudoers does rejected commands itself the runcwd will still
not be correct for those.
2021-08-27 15:58:19 -06:00
Todd C. Miller
75bac8dee9
intercept_check_policy: fix potential NUL dereference on the error path.
2021-08-26 17:29:30 -06:00
Todd C. Miller
3d8b327c60
Fix use-after-free on error.
Also remove useless free of a ptr that is always NULL on the error path.
2021-08-26 10:07:50 -06:00
Todd C. Miller
d6a71fe32e
Fix command name of sub-command in logs when log_children is set.
2021-08-26 09:46:26 -06:00
Todd C. Miller
438a0cf07e
Add a state variable to intercept_closure, replaces policy_result.
2021-08-25 14:24:36 -06:00
Todd C. Miller
c465d8971d
Change intercept IPC to use a localhost socket instead of inherited fd.
This allows intercept mode to work with shells that close all open
fds upon startup. The ctor in sudo_intercept.so requests the port
number and secret over the socket inherited from the parent then
closes it. For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check. Child processes
re-use the TCP socket to request the port number and secret just like
the initial process started by sudo does.
2021-08-25 14:24:36 -06:00
Todd C. Miller
448536e0f7
Fold intercept_closure_reset() into intercept_close().
2021-08-24 13:00:52 -06:00
Todd C. Miller
5d3ab032f2
intercept_fd_cb: store the passed fd in newfd, not fd
only affects the old BSD-style fd passing code, not POSIX-style.
2021-08-19 13:10:44 -06:00
Todd C. Miller
340d753947
Fix memory leak when client requests secret.
Move closure allocation closer to where it is used.
2021-08-14 08:54:36 -06:00
Todd C. Miller
a55b54329e
Add missing stdint.h and sudo_rand.h includes.
Needed for arc4random() and uint64_t.
2021-08-13 09:25:01 -06:00
Todd C. Miller
eaf03a382b
Pass a secret value to sudo_intercept.so and verify after policy check.
The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
2021-08-13 09:10:44 -06:00
Todd C. Miller
c9d9225469
Split off intercept code into exec_intercept.c.
2021-08-11 16:00:47 -06:00