1652 Commits

Author SHA1 Message Date
Todd C. Miller
db750232c5 Avoid symbol name clash to fix --enable-static-sudoers linking. 2021-09-15 11:19:03 -06:00
Todd C. Miller
3a4aec7a62 sudo_intercept.so: only replace execvpe() if it is present.
execvpe() is a GNU extension also found on *BSD (but not macOS).
2021-09-08 11:09:59 -06:00
Todd C. Miller
6c456127b3 Implement simple PATH resolution for execvp().
We want to use PATH from the current value of the environment, not
the initial value of PATH when the policy was opened.
This is a little different from how real execvp() works since we
use stat() instead of just execve().
2021-09-07 19:55:47 -06:00
Todd C. Miller
7ae62866e4 Add support for execl, execle, execlp, execvp, and execvpe.
Currently, PATH traversal is handled by sudoers which uses
the original PATH, not the one updated by the shell.
2021-09-07 19:55:45 -06:00
Todd C. Miller
157ceadfab Fix computation of the token address when handling a partial read.
We want to treat it as an array of bytes, not an array of tokens.
Coverity CID 240011
2021-09-02 14:15:50 -06:00
Todd C. Miller
967bcab4db regen 2021-09-01 13:37:17 -06:00
Todd C. Miller
38d884a62d Do not compile intercept code if --disable-intercept is specified. 2021-09-01 13:35:47 -06:00
Todd C. Miller
9a690a8984 Switch to a 128-bit token instead of a 64-bit secret.
Protobuf doesn't have a 128-bit type so use two u64s.
We now support partial reads of the token.
2021-09-01 10:17:26 -06:00
Todd C. Miller
9137909c7d sudo_intercept.so: send the secret immediately after connecting.
Sending the secret out of band, before the message size is read,
should make it harder to mount a DoS attack.
2021-08-31 16:33:54 -06:00
Todd C. Miller
26938012f8 Handle reading large messages that don't fit in a single recv().
We know the length of what we are receiving so just loop until
we have it all, get EOF or an error.
2021-08-31 12:09:05 -06:00
Todd C. Miller
a078bc64bb Make the sudo side of the intercept socket non-blocking. 2021-08-31 07:46:58 -06:00
Todd C. Miller
3c26b92a75 Handle partial read/write by dropping back into the event loop. 2021-08-31 07:36:54 -06:00
Todd C. Miller
33d1b26c6a intercept_check_policy: Fix double free introduced in last commit
If the command is not accepted we don't rebuild command_info[] and
must not free it.  It will be freed by the policy instead.
2021-08-31 05:50:52 -06:00
Todd C. Miller
168d5c47c9 Update runcwd in command_info[] before passing it to the audit plugin.
Since sudoers does rejected commands itself the runcwd will still
not be correct for those.
2021-08-27 15:58:19 -06:00
Todd C. Miller
22de92b0da Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var. 2021-08-27 13:19:58 -06:00
Todd C. Miller
75bac8dee9 intercept_check_policy: fix potential NUL dereference on the error path. 2021-08-26 17:29:30 -06:00
Todd C. Miller
ba171724f7 Rename log_children -> log_subcmds 2021-08-26 16:36:41 -06:00
Todd C. Miller
3d8b327c60 Fix use-after-free on error.
Also remove useless free of a ptr that is always NULL on the error path.
2021-08-26 10:07:50 -06:00
Todd C. Miller
dc30c842bb No longer need to remap intercept fd but we do need to remap debug fd.
The intercept fd is closed in the ctor but the debug fd will still be open.
2021-08-26 09:57:25 -06:00
Todd C. Miller
70aef0eb2d sudo_debug_register: add minfd argument to specify lowest fd number
Use this in sudo_intercept.so to avoid allocating a low-numbered
fd which the shell reserves for use by scripts.
2021-08-26 09:57:24 -06:00
Todd C. Miller
d6a71fe32e Fix command name of sub-command in logs when log_children is set. 2021-08-26 09:46:26 -06:00
Todd C. Miller
438a0cf07e Add a state variable to intercept_closure, replaces policy_result. 2021-08-25 14:24:36 -06:00
Todd C. Miller
c465d8971d Change intercept IPC to use a localhost socket instead of inherited fd.
This allows intercept mode to work with shells that close all open
fds upon startup.  The ctor in sudo_intercept.so requests the port
number and secret over the socket inherited from the parent then
closes it.  For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check.  Child processes
re-use the TCP socket to request the port number and secret just like
the initial process started by sudo does.
2021-08-25 14:24:36 -06:00
Todd C. Miller
448536e0f7 Fold intercept_closure_reset() into intercept_close(). 2021-08-24 13:00:52 -06:00
Todd C. Miller
222d6f94cd Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD. 2021-08-24 08:51:43 -06:00
Todd C. Miller
1391813443 Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD vars. 2021-08-24 08:34:14 -06:00
Todd C. Miller
df68f4c8d9 Fix typo in macOS execv change. 2021-08-24 08:09:20 -06:00
Todd C. Miller
98401c0588 Add execv(3) support to sudo_intercept.so.
This allows intercept to work with csh which uses execv(3) not execve(2).
2021-08-21 08:44:16 -06:00
Todd C. Miller
4ccd966e22 Add exports file for sudo_intercept.so that only exports execve() 2021-08-20 11:49:22 -06:00
Todd C. Miller
dc281f0366 Add some debugging to the sudo_intercept.so. 2021-08-20 11:32:29 -06:00
Todd C. Miller
5d3ab032f2 intercept_fd_cb: store the passed fd in newfd, not fd
only affects the old BSD-style fd passing code, not POSIX-style.
2021-08-19 13:10:44 -06:00
Todd C. Miller
ad5feeb40b regen 2021-08-18 15:48:05 -06:00
Todd C. Miller
340d753947 Fix memory leak when client requests secret.
Move closure allocation closer to where it is used.
2021-08-14 08:54:36 -06:00
Todd C. Miller
a55b54329e Add missing stdint.h and sudo_rand.h includes.
Needed for arc4random() and uint64_t.
2021-08-13 09:25:01 -06:00
Todd C. Miller
eaf03a382b Pass a secret value to sudo_intercept.so and verify after policy check.
The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
2021-08-13 09:10:44 -06:00
Todd C. Miller
c9d9225469 Split off intercept code into exec_intercept.c. 2021-08-11 16:00:47 -06:00
Todd C. Miller
abac069566 Fix compilation when configure option --disable-shared is specified. 2021-08-09 16:39:32 -06:00
Todd C. Miller
dfe26f8c34 If building with address sanitizer make sure its DSO is first.
Address sanitizer requires that it be preloaded before any other
DSO in LD_PRELOAD.  This should not be required for clang, which
links in asan statically by default.
2021-08-09 15:50:26 -06:00
Todd C. Miller
8f8a9c37b3 Require that our dso be first in the list to make sure it takes effect.
Otherwise, another dso could take precedence and ours would not be run.
2021-08-09 15:50:26 -06:00
Todd C. Miller
0ea5efd8b7 If msg_control is not present in struct msghdr use msg_accrights instead.
Fixes building on Solaris and probably others.  It is possible to
expose msg_control on Solaris but this requires a specific set of
feature flag defines which can cause other complications.
2021-08-09 15:50:26 -06:00
Todd C. Miller
13b89e9103 Make the log_children option only log and not check policy. 2021-08-09 15:50:25 -06:00
Todd C. Miller
258fa9d4f9 Add debug support to sudo_intercept.so 2021-08-09 15:50:25 -06:00
Todd C. Miller
9c3df47da9 Move preload_dso() to its own file and rename to sudo_preload_dso().
It now takes an intercept fd as an optional argument instead of a
list of extra variables to add.  This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.
2021-08-09 15:50:25 -06:00
Todd C. Miller
60e76e3e35 Take control of the tty and save its settings before doing a policy check.
Otherwise the policy plugin won't be able to read the password.
2021-08-09 15:50:25 -06:00
Todd C. Miller
42598735d0 Call the approval plugin after the policy plugin accepts a command.
Previously, for intercepted commands we only called the policy plugin.
2021-08-09 15:50:25 -06:00
Todd C. Miller
4ff3f7604d Reduce the number of function args passed to plugin wrappers.
This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global.  This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
2021-08-09 15:50:25 -06:00
Todd C. Miller
840bf4b09d Add return values for most of the plugin function wrappers that returned void.
Previously, they would just exit if there was an error.
Now the error is passed back up the stack so we can use them in
sudo_intercept.so.
2021-08-09 15:50:25 -06:00
Todd C. Miller
4cf3d1c416 Implement sudo_intercept.so.
Uses protobuf to talk to main sudo process over a socketpair.
2021-08-09 15:50:25 -06:00
Todd C. Miller
d7380bb271 Implement the sudo side of the sudo_intercept.so communication. 2021-08-09 15:50:25 -06:00
Todd C. Miller
cede7dd92d Define protocol for sudo <-> sudo_intercept.so communication.
Uses google protocol buffers.
2021-08-09 15:50:25 -06:00