import sudo-1.8.29-5.el8
This commit is contained in:
commit
0cec5fa054
|
@ -0,0 +1 @@
|
|||
SOURCES/sudo-1.8.29.tar.gz
|
|
@ -0,0 +1 @@
|
|||
fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz
|
|
@ -0,0 +1,11 @@
|
|||
--- sudo-1.6.7p5/install-sh.strip 2005-07-21 14:28:25.000000000 +0200
|
||||
+++ sudo-1.6.7p5/install-sh 2005-07-21 14:29:18.000000000 +0200
|
||||
@@ -138,7 +138,7 @@
|
||||
fi
|
||||
;;
|
||||
X-s)
|
||||
- STRIPIT=true
|
||||
+ #STRIPIT=true
|
||||
;;
|
||||
X--)
|
||||
shift
|
|
@ -0,0 +1,27 @@
|
|||
From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Sykora <tosykora@redhat.com>
|
||||
Date: Fri, 19 Aug 2016 14:07:35 +0200
|
||||
Subject: [PATCH 02/10] Added "Enviroment debugging" message
|
||||
|
||||
rebased from:
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 9feddfd..39a2d86 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
|
||||
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
|
||||
[ case "$enableval" in
|
||||
yes) AC_MSG_RESULT(yes)
|
||||
- AC_DEFINE(ENV_DEBUG)
|
||||
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
|
||||
;;
|
||||
no) AC_MSG_RESULT(no)
|
||||
;;
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -0,0 +1,89 @@
|
|||
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
|
||||
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -347,6 +347,15 @@ main(int argc, char *argv[])
|
||||
sudo_fatalx("error: unhandled input %d", input_format);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * cvtsudoers group filtering doesn't work if def_match_group_by_gid
|
||||
+ * is set to true by default (at compile-time). It cannot be set to false
|
||||
+ * because cvtsudoers doesn't apply the parsed Defaults.
|
||||
+ *
|
||||
+ * Related: sudo-1.8.23-legacy-group-processing.patch
|
||||
+ */
|
||||
+ def_match_group_by_gid = def_legacy_group_processing = false;
|
||||
+
|
||||
/* Apply filters. */
|
||||
filter_userspecs(&parsed_policy, conf);
|
||||
filter_defaults(&parsed_policy, conf);
|
||||
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
|
||||
--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -93,6 +93,7 @@ static struct early_default early_defaul
|
||||
{ I_FQDN },
|
||||
#endif
|
||||
{ I_MATCH_GROUP_BY_GID },
|
||||
+ { I_LEGACY_GROUP_PROCESSING },
|
||||
{ I_GROUP_PLUGIN },
|
||||
{ I_RUNAS_DEFAULT },
|
||||
{ I_SUDOERS_LOCALE },
|
||||
@@ -494,6 +495,8 @@ init_defaults(void)
|
||||
}
|
||||
|
||||
/* First initialize the flags. */
|
||||
+ def_legacy_group_processing = true;
|
||||
+ def_match_group_by_gid = true;
|
||||
#ifdef LONG_OTP_PROMPT
|
||||
def_long_otp_prompt = true;
|
||||
#endif
|
||||
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100
|
||||
@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Log when a command is denied by sudoers"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "legacy_group_processing", T_FLAG,
|
||||
+ N_("Don't pre-resolve all group names"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100
|
||||
@@ -232,6 +232,8 @@
|
||||
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
|
||||
#define I_LOG_DENIED 116
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 117
|
||||
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100
|
||||
@@ -366,3 +366,6 @@ log_allowed
|
||||
log_denied
|
||||
T_FLAG
|
||||
"Log when a command is denied by sudoers"
|
||||
+legacy_group_processing
|
||||
+ T_FLAG
|
||||
+ "Don't pre-resolve all group names"
|
||||
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100
|
||||
@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c
|
||||
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
|
||||
ret = true;
|
||||
|
||||
+ if (!def_match_group_by_gid || !def_legacy_group_processing) {
|
||||
+ def_match_group_by_gid = false;
|
||||
+ def_legacy_group_processing = false;
|
||||
+ }
|
||||
cleanup:
|
||||
if (!restore_perms())
|
||||
ret = -1;
|
|
@ -0,0 +1,60 @@
|
|||
diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100
|
||||
@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't pre-resolve all group names"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "cmnd_no_wait", T_FLAG,
|
||||
+ N_("Don't fork and wait for the command to finish, just exec it"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100
|
||||
@@ -234,6 +234,8 @@
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 117
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
+#define I_CMND_NO_WAIT 118
|
||||
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -369,3 +369,6 @@ log_denied
|
||||
legacy_group_processing
|
||||
T_FLAG
|
||||
"Don't pre-resolve all group names"
|
||||
+cmnd_no_wait
|
||||
+ T_FLAG
|
||||
+ "Don't fork and wait for the command to finish, just exec it"
|
||||
diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c
|
||||
def_match_group_by_gid = false;
|
||||
def_legacy_group_processing = false;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
|
||||
+ * and I/O logging. This will cause sudo to execute the given command
|
||||
+ * directly instead of forking a separate process for it.
|
||||
+ */
|
||||
+ if (def_cmnd_no_wait) {
|
||||
+ def_pam_setcred = false;
|
||||
+ def_pam_session = false;
|
||||
+ def_use_pty = false;
|
||||
+ def_log_input = false;
|
||||
+ def_log_output = false;
|
||||
+ }
|
||||
+
|
||||
cleanup:
|
||||
if (!restore_perms())
|
||||
ret = -1;
|
|
@ -0,0 +1,32 @@
|
|||
diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
|
||||
--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/doc/Makefile.in 2018-05-17 13:56:24.693651178 +0200
|
||||
@@ -345,10 +345,16 @@ install-doc: install-dirs
|
||||
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
+ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
+ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
else \
|
||||
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
+ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
+ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
fi
|
||||
|
||||
install-plugin:
|
||||
@@ -363,8 +369,9 @@ uninstall:
|
||||
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
|
||||
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
|
||||
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
|
||||
- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
|
||||
- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
|
||||
+ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
|
||||
+ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
|
||||
+ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
|
||||
|
||||
splint:
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
|
||||
--- ./src/tgetpass.c.CVE-2019-18634 2019-10-28 13:27:39.000000000 +0100
|
||||
+++ ./src/tgetpass.c 2020-02-05 14:08:27.516101197 +0100
|
||||
@@ -61,7 +61,7 @@ enum tgetpass_errval {
|
||||
static volatile sig_atomic_t signo[NSIG];
|
||||
|
||||
static void tgetpass_handler(int);
|
||||
-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
|
||||
+static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
|
||||
static char *sudo_askpass(const char *, const char *);
|
||||
|
||||
static int
|
||||
@@ -125,6 +125,7 @@ tgetpass(const char *prompt, int timeout
|
||||
static char buf[SUDO_CONV_REPL_MAX + 1];
|
||||
int i, input, output, save_errno, ttyfd;
|
||||
bool need_restart, neednl = false;
|
||||
+ bool feedback = ISSET(flags, TGP_MASK);
|
||||
enum tgetpass_errval errval;
|
||||
debug_decl(tgetpass, SUDO_DEBUG_CONV)
|
||||
|
||||
@@ -180,7 +181,7 @@ restart:
|
||||
*/
|
||||
if (!ISSET(flags, TGP_ECHO)) {
|
||||
for (;;) {
|
||||
- if (ISSET(flags, TGP_MASK))
|
||||
+ if (feedback)
|
||||
neednl = sudo_term_cbreak(input);
|
||||
else
|
||||
neednl = sudo_term_noecho(input);
|
||||
@@ -194,6 +195,9 @@ restart:
|
||||
}
|
||||
}
|
||||
}
|
||||
+ /* Only use feedback mode when we can disable echo. */
|
||||
+ if (!neednl)
|
||||
+ feedback = false;
|
||||
|
||||
/*
|
||||
* Catch signals that would otherwise cause the user to end
|
||||
@@ -224,7 +228,7 @@ restart:
|
||||
|
||||
if (timeout > 0)
|
||||
alarm(timeout);
|
||||
- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
|
||||
+ pass = getln(input, buf, sizeof(buf), feedback, &errval);
|
||||
alarm(0);
|
||||
save_errno = errno;
|
||||
|
||||
@@ -360,7 +364,7 @@ sudo_askpass(const char *askpass, const
|
||||
extern int sudo_term_eof, sudo_term_erase, sudo_term_kill;
|
||||
|
||||
static char *
|
||||
-getln(int fd, char *buf, size_t bufsiz, int feedback,
|
||||
+getln(int fd, char *buf, size_t bufsiz, bool feedback,
|
||||
enum tgetpass_errval *errval)
|
||||
{
|
||||
size_t left = bufsiz;
|
||||
@@ -389,15 +393,15 @@ getln(int fd, char *buf, size_t bufsiz,
|
||||
while (cp > buf) {
|
||||
if (write(fd, "\b \b", 3) == -1)
|
||||
break;
|
||||
- --cp;
|
||||
+ cp--;
|
||||
}
|
||||
+ cp = buf;
|
||||
left = bufsiz;
|
||||
continue;
|
||||
} else if (c == sudo_term_erase) {
|
||||
if (cp > buf) {
|
||||
- if (write(fd, "\b \b", 3) == -1)
|
||||
- break;
|
||||
- --cp;
|
||||
+ ignore_result(write(fd, "\b \b", 3));
|
||||
+ cp--;
|
||||
left++;
|
||||
}
|
||||
continue;
|
|
@ -0,0 +1,169 @@
|
|||
diff -up ./doc/sudoers.man.in.CVE-2019-19232 ./doc/sudoers.man.in
|
||||
--- ./doc/sudoers.man.in.CVE-2019-19232 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./doc/sudoers.man.in 2020-01-14 15:34:46.908027286 +0100
|
||||
@@ -2942,6 +2942,23 @@ This flag is
|
||||
\fIoff\fR
|
||||
by default.
|
||||
.TP 18n
|
||||
+runas_allow_unknown_id
|
||||
+If enabled, allow matching of runas user and group IDs that are
|
||||
+not present in the password or group databases.
|
||||
+In addition to explicitly matching unknown user or group IDs in a
|
||||
+\fRRunas_List\fR,
|
||||
+this option also allows the
|
||||
+\fBALL\fR
|
||||
+alias to match unknown IDs.
|
||||
+This flag is
|
||||
+\fIoff\fR
|
||||
+by default.
|
||||
+.sp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+Older versions of
|
||||
+\fBsudo\fR
|
||||
+always allowed matching of unknown user and group IDs.
|
||||
+.TP 18n
|
||||
runaspw
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19232 ./doc/sudoers.mdoc.in
|
||||
--- ./doc/sudoers.mdoc.in.CVE-2019-19232 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./doc/sudoers.mdoc.in 2020-01-14 15:34:46.908027286 +0100
|
||||
@@ -2768,6 +2768,22 @@ when running a command or editing a file
|
||||
This flag is
|
||||
.Em off
|
||||
by default.
|
||||
+.It runas_allow_unknown_id
|
||||
+If enabled, allow matching of runas user and group IDs that are
|
||||
+not present in the password or group databases.
|
||||
+In addition to explicitly matching unknown user or group IDs in a
|
||||
+.Li Runas_List ,
|
||||
+this option also allows the
|
||||
+.Sy ALL
|
||||
+alias to match unknown IDs.
|
||||
+This flag is
|
||||
+.Em off
|
||||
+by default.
|
||||
+.Pp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+Older versions of
|
||||
+.Nm sudo
|
||||
+always allowed matching of unknown user and group IDs.
|
||||
.It runaspw
|
||||
If set,
|
||||
.Nm sudo
|
||||
diff -up ./plugins/sudoers/defaults.c.CVE-2019-19232 ./plugins/sudoers/defaults.c
|
||||
--- ./plugins/sudoers/defaults.c.CVE-2019-19232 2020-01-14 15:34:46.902027246 +0100
|
||||
+++ ./plugins/sudoers/defaults.c 2020-01-14 15:34:46.909027293 +0100
|
||||
@@ -581,6 +581,7 @@ init_defaults(void)
|
||||
def_fdexec = digest_only;
|
||||
def_log_allowed = true;
|
||||
def_log_denied = true;
|
||||
+ def_runas_allow_unknown_id = false;
|
||||
|
||||
/* Syslog options need special care since they both strings and ints */
|
||||
#if (LOGGING & SLOG_SYSLOG)
|
||||
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19232 ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.CVE-2019-19232 2020-01-14 15:34:46.908027286 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2020-01-14 15:40:19.441555509 +0100
|
||||
@@ -514,6 +514,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't fork and wait for the command to finish, just exec it"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "runas_allow_unknown_id", T_FLAG,
|
||||
+ N_("Allow the use of unknown runas user and/or group ID"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19232 ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.CVE-2019-19232 2020-01-14 15:34:46.909027293 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2020-01-14 15:41:33.658012401 +0100
|
||||
@@ -236,6 +236,8 @@
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
#define I_CMND_NO_WAIT 118
|
||||
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
+#define I_RUNAS_ALLOW_UNKNOWN_ID 119
|
||||
+#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19232 ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.CVE-2019-19232 2020-01-14 15:34:46.909027293 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2020-01-14 15:42:42.176481484 +0100
|
||||
@@ -372,3 +372,6 @@ legacy_group_processing
|
||||
cmnd_no_wait
|
||||
T_FLAG
|
||||
"Don't fork and wait for the command to finish, just exec it"
|
||||
+runas_allow_unknown_id
|
||||
+ T_FLAG
|
||||
+ "Allow the use of unknown runas user and/or group ID"
|
||||
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19232 ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.CVE-2019-19232 2020-01-14 15:34:46.905027266 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2020-01-14 15:34:46.910027299 +0100
|
||||
@@ -105,6 +105,8 @@ static char *prev_user;
|
||||
static char *runas_user;
|
||||
static char *runas_group;
|
||||
static struct sudo_nss_list *snl;
|
||||
+static bool unknown_runas_uid;
|
||||
+static bool unknown_runas_gid;
|
||||
|
||||
#ifdef __linux__
|
||||
static struct rlimit nproclimit;
|
||||
@@ -354,6 +356,22 @@ sudoers_policy_main(int argc, char * con
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Defer uid/gid checks until after defaults have been updated. */
|
||||
+ if (unknown_runas_uid && !def_runas_allow_unknown_id) {
|
||||
+ audit_failure(NewArgc, NewArgv, N_("unknown user: %s"),
|
||||
+ runas_pw->pw_name);
|
||||
+ sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (runas_gr != NULL) {
|
||||
+ if (unknown_runas_gid && !def_runas_allow_unknown_id) {
|
||||
+ audit_failure(NewArgc, NewArgv, N_("unknown group: %s"),
|
||||
+ runas_gr->gr_name);
|
||||
+ sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Look up the timestamp dir owner if one is specified.
|
||||
*/
|
||||
@@ -1167,12 +1185,15 @@ set_runaspw(const char *user, bool quiet
|
||||
struct passwd *pw = NULL;
|
||||
debug_decl(set_runaspw, SUDOERS_DEBUG_PLUGIN)
|
||||
|
||||
+ unknown_runas_uid = false;
|
||||
if (*user == '#') {
|
||||
const char *errstr;
|
||||
uid_t uid = sudo_strtoid(user + 1, &errstr);
|
||||
if (errstr == NULL) {
|
||||
- if ((pw = sudo_getpwuid(uid)) == NULL)
|
||||
+ if ((pw = sudo_getpwuid(uid)) == NULL) {
|
||||
+ unknown_runas_uid = true;
|
||||
pw = sudo_fakepwnam(user, user_gid);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
if (pw == NULL) {
|
||||
@@ -1198,12 +1219,15 @@ set_runasgr(const char *group, bool quie
|
||||
struct group *gr = NULL;
|
||||
debug_decl(set_runasgr, SUDOERS_DEBUG_PLUGIN)
|
||||
|
||||
+ unknown_runas_gid = false;
|
||||
if (*group == '#') {
|
||||
const char *errstr;
|
||||
gid_t gid = sudo_strtoid(group + 1, &errstr);
|
||||
if (errstr == NULL) {
|
||||
- if ((gr = sudo_getgrgid(gid)) == NULL)
|
||||
+ if ((gr = sudo_getgrgid(gid)) == NULL) {
|
||||
+ unknown_runas_gid = true;
|
||||
gr = sudo_fakegrnam(group);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
if (gr == NULL) {
|
|
@ -0,0 +1,439 @@
|
|||
diff -up ./config.h.in.CVE-2019-19234 ./config.h.in
|
||||
--- ./config.h.in.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./config.h.in 2020-01-14 15:53:40.506988064 +0100
|
||||
@@ -334,6 +334,9 @@
|
||||
/* Define to 1 if you have the `getuserattr' function. */
|
||||
#undef HAVE_GETUSERATTR
|
||||
|
||||
+/* Define to 1 if you have the `getusershell' function. */
|
||||
+#undef HAVE_GETUSERSHELL
|
||||
+
|
||||
/* Define to 1 if you have the `getutid' function. */
|
||||
#undef HAVE_GETUTID
|
||||
|
||||
diff -up ./configure.ac.CVE-2019-19234 ./configure.ac
|
||||
--- ./configure.ac.CVE-2019-19234 2020-01-14 15:53:40.496987995 +0100
|
||||
+++ ./configure.ac 2020-01-14 15:53:40.509988084 +0100
|
||||
@@ -2562,6 +2562,10 @@ AC_CHECK_FUNCS([getdelim], [], [
|
||||
SUDO_APPEND_COMPAT_EXP(sudo_getdelim)
|
||||
COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }getdelim_test"
|
||||
])
|
||||
+AC_CHECK_FUNCS([getusershell], [], [
|
||||
+ AC_LIBOBJ(getusershell)
|
||||
+ SUDO_APPEND_COMPAT_EXP(sudo_getusershell)
|
||||
+])
|
||||
AC_CHECK_FUNCS([reallocarray], [], [
|
||||
AC_LIBOBJ(reallocarray)
|
||||
SUDO_APPEND_COMPAT_EXP(sudo_reallocarray)
|
||||
diff -up ./configure.CVE-2019-19234 ./configure
|
||||
--- ./configure.CVE-2019-19234 2019-10-28 13:29:14.000000000 +0100
|
||||
+++ ./configure 2020-01-14 15:53:40.509988084 +0100
|
||||
@@ -19395,6 +19395,32 @@ esac
|
||||
fi
|
||||
done
|
||||
|
||||
+for ac_func in getusershell
|
||||
+do :
|
||||
+ ac_fn_c_check_func "$LINENO" "getusershell" "ac_cv_func_getusershell"
|
||||
+if test "x$ac_cv_func_getusershell" = xyes; then :
|
||||
+ cat >>confdefs.h <<_ACEOF
|
||||
+#define HAVE_GETUSERSHELL 1
|
||||
+_ACEOF
|
||||
+
|
||||
+else
|
||||
+
|
||||
+ case " $LIBOBJS " in
|
||||
+ *" getusershell.$ac_objext "* ) ;;
|
||||
+ *) LIBOBJS="$LIBOBJS getusershell.$ac_objext"
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+
|
||||
+ for _sym in sudo_getusershell; do
|
||||
+ COMPAT_EXP="${COMPAT_EXP}${_sym}
|
||||
+"
|
||||
+ done
|
||||
+
|
||||
+
|
||||
+fi
|
||||
+done
|
||||
+
|
||||
for ac_func in reallocarray
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
diff -up ./doc/sudoers.man.in.CVE-2019-19234 ./doc/sudoers.man.in
|
||||
--- ./doc/sudoers.man.in.CVE-2019-19234 2020-01-14 15:53:40.503988043 +0100
|
||||
+++ ./doc/sudoers.man.in 2020-01-14 15:53:40.510988091 +0100
|
||||
@@ -2959,6 +2959,28 @@ Older versions of
|
||||
\fBsudo\fR
|
||||
always allowed matching of unknown user and group IDs.
|
||||
.TP 18n
|
||||
+runas_check_shell
|
||||
+.br
|
||||
+If enabled,
|
||||
+\fBsudo\fR
|
||||
+will only run commands as a user whose shell appears in the
|
||||
+\fI/etc/shells\fR
|
||||
+file, even if the invoking user's
|
||||
+\fRRunas_List\fR
|
||||
+would otherwise permit it.
|
||||
+If no
|
||||
+\fI/etc/shells\fR
|
||||
+file is present, a system-dependent list of built-in default shells is used.
|
||||
+On many operating systems, system users such as
|
||||
+\(lqbin\(rq,
|
||||
+do not have a valid shell and this flag can be used to prevent
|
||||
+commands from being run as those users.
|
||||
+This flag is
|
||||
+\fIoff\fR
|
||||
+by default.
|
||||
+.sp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+.TP 18n
|
||||
runaspw
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19234 ./doc/sudoers.mdoc.in
|
||||
--- ./doc/sudoers.mdoc.in.CVE-2019-19234 2020-01-14 15:53:40.504988050 +0100
|
||||
+++ ./doc/sudoers.mdoc.in 2020-01-14 15:53:40.510988091 +0100
|
||||
@@ -2784,6 +2784,26 @@ This setting is only supported by versio
|
||||
Older versions of
|
||||
.Nm sudo
|
||||
always allowed matching of unknown user and group IDs.
|
||||
+.It runas_check_shell
|
||||
+If enabled,
|
||||
+.Nm sudo
|
||||
+will only run commands as a user whose shell appears in the
|
||||
+.Pa /etc/shells
|
||||
+file, even if the invoking user's
|
||||
+.Li Runas_List
|
||||
+would otherwise permit it.
|
||||
+If no
|
||||
+.Pa /etc/shells
|
||||
+file is present, a system-dependent list of built-in default shells is used.
|
||||
+On many operating systems, system users such as
|
||||
+.Dq bin ,
|
||||
+do not have a valid shell and this flag can be used to prevent
|
||||
+commands from being run as those users.
|
||||
+This flag is
|
||||
+.Em off
|
||||
+by default.
|
||||
+.Pp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
.It runaspw
|
||||
If set,
|
||||
.Nm sudo
|
||||
diff -up ./include/sudo_compat.h.CVE-2019-19234 ./include/sudo_compat.h
|
||||
--- ./include/sudo_compat.h.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./include/sudo_compat.h 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -407,6 +407,17 @@ __dso_public ssize_t sudo_getdelim(char
|
||||
# undef getdelim
|
||||
# define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
|
||||
#endif /* HAVE_GETDELIM */
|
||||
+#ifndef HAVE_GETUSERSHELL
|
||||
+__dso_public char *sudo_getusershell(void);
|
||||
+# undef getusershell
|
||||
+# define getusershell() sudo_getusershell()
|
||||
+__dso_public void sudo_setusershell(void);
|
||||
+# undef setusershell
|
||||
+# define setusershell() sudo_setusershell()
|
||||
+__dso_public void sudo_endusershell(void);
|
||||
+# undef endusershell
|
||||
+# define endusershell() sudo_endusershell()
|
||||
+#endif /* HAVE_GETUSERSHELL */
|
||||
#ifndef HAVE_UTIMENSAT
|
||||
__dso_public int sudo_utimensat(int fd, const char *file, const struct timespec *times, int flag);
|
||||
# undef utimensat
|
||||
diff -up ./lib/util/getusershell.c.CVE-2019-19234 ./lib/util/getusershell.c
|
||||
--- ./lib/util/getusershell.c.CVE-2019-19234 2020-01-14 15:53:40.511988098 +0100
|
||||
+++ ./lib/util/getusershell.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -0,0 +1,138 @@
|
||||
+/*
|
||||
+ * SPDX-License-Identifier: ISC
|
||||
+ *
|
||||
+ * Copyright (c) 2019 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
||||
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
||||
+ */
|
||||
+
|
||||
+#include <config.h>
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#define DEFAULT_TEXT_DOMAIN "sudo"
|
||||
+#include "sudo_gettext.h" /* must be included before sudo_compat.h */
|
||||
+
|
||||
+#include "sudo_compat.h"
|
||||
+#include "sudo_debug.h"
|
||||
+#include "sudo_util.h"
|
||||
+
|
||||
+static char **allowed_shells, **current_shell;
|
||||
+static char *default_shells[] = {
|
||||
+ "/bin/sh",
|
||||
+ "/bin/ksh",
|
||||
+ "/bin/ksh93",
|
||||
+ "/bin/bash",
|
||||
+ "/bin/dash",
|
||||
+ "/bin/zsh",
|
||||
+ "/bin/csh",
|
||||
+ "/bin/tcsh",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static char **
|
||||
+read_shells(void)
|
||||
+{
|
||||
+ size_t maxshells = 16, nshells = 0;
|
||||
+ size_t linesize = 0;
|
||||
+ char *line = NULL;
|
||||
+ FILE *fp;
|
||||
+ debug_decl(read_shells, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if ((fp = fopen("/etc/shells", "r")) == NULL)
|
||||
+ goto bad;
|
||||
+
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = reallocarray(NULL, maxshells, sizeof(char *));
|
||||
+ if (allowed_shells == NULL)
|
||||
+ goto bad;
|
||||
+
|
||||
+ while (sudo_parseln(&line, &linesize, NULL, fp, PARSELN_CONT_IGN) != -1) {
|
||||
+ if (nshells + 1 >= maxshells) {
|
||||
+ char **new_shells;
|
||||
+
|
||||
+ new_shells = reallocarray(NULL, maxshells + 16, sizeof(char *));
|
||||
+ if (new_shells == NULL)
|
||||
+ goto bad;
|
||||
+ allowed_shells = new_shells;
|
||||
+ maxshells += 16;
|
||||
+ }
|
||||
+ if ((allowed_shells[nshells] = strdup(line)) == NULL)
|
||||
+ goto bad;
|
||||
+ nshells++;
|
||||
+ }
|
||||
+ allowed_shells[nshells] = NULL;
|
||||
+
|
||||
+ free(line);
|
||||
+ fclose(fp);
|
||||
+ debug_return_ptr(allowed_shells);
|
||||
+bad:
|
||||
+ free(line);
|
||||
+ if (fp != NULL)
|
||||
+ fclose(fp);
|
||||
+ while (nshells != 0)
|
||||
+ free(allowed_shells[--nshells]);
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = NULL;
|
||||
+ debug_return_ptr(default_shells);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sudo_setusershell(void)
|
||||
+{
|
||||
+ debug_decl(setusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ current_shell = read_shells();
|
||||
+
|
||||
+ debug_return;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sudo_endusershell(void)
|
||||
+{
|
||||
+ debug_decl(endusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if (allowed_shells != NULL) {
|
||||
+ char **shell;
|
||||
+
|
||||
+ for (shell = allowed_shells; *shell != NULL; shell++)
|
||||
+ free(*shell);
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = NULL;
|
||||
+ }
|
||||
+ current_shell = NULL;
|
||||
+
|
||||
+ debug_return;
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+sudo_getusershell(void)
|
||||
+{
|
||||
+ debug_decl(getusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if (current_shell == NULL)
|
||||
+ current_shell = read_shells();
|
||||
+
|
||||
+ debug_return_str(*current_shell++);
|
||||
+}
|
||||
diff -up ./lib/util/Makefile.in.CVE-2019-19234 ./lib/util/Makefile.in
|
||||
--- ./lib/util/Makefile.in.CVE-2019-19234 2019-10-28 13:28:53.000000000 +0100
|
||||
+++ ./lib/util/Makefile.in 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -678,6 +678,18 @@ gettime.i: $(srcdir)/gettime.c $(incdir)
|
||||
$(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
gettime.plog: gettime.i
|
||||
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/gettime.c --i-file $< --output-file $@
|
||||
+getusershell.lo: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
|
||||
+ $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
|
||||
+ $(incdir)/sudo_util.h $(top_builddir)/config.h
|
||||
+ $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/getusershell.c
|
||||
+getusershell.i: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
|
||||
+ $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
|
||||
+ $(incdir)/sudo_util.h $(top_builddir)/config.h
|
||||
+ $(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
+getusershell.plog: getusershell.i
|
||||
+ rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/getusershell.c --i-file $< --output-file $@
|
||||
gidlist.lo: $(srcdir)/gidlist.c $(incdir)/compat/stdbool.h \
|
||||
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
|
||||
diff -up ./MANIFEST.CVE-2019-19234 ./MANIFEST
|
||||
--- ./MANIFEST.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./MANIFEST 2020-01-14 15:53:40.506988064 +0100
|
||||
@@ -103,6 +103,7 @@ lib/util/getgrouplist.c
|
||||
lib/util/gethostname.c
|
||||
lib/util/getopt_long.c
|
||||
lib/util/gettime.c
|
||||
+lib/util/getusershell.c
|
||||
lib/util/gidlist.c
|
||||
lib/util/glob.c
|
||||
lib/util/inet_ntop.c
|
||||
diff -up ./mkdep.pl.CVE-2019-19234 ./mkdep.pl
|
||||
--- ./mkdep.pl.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./mkdep.pl 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -116,7 +116,7 @@ sub mkdep {
|
||||
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
|
||||
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
|
||||
$makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;
|
||||
- $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
|
||||
+ $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
|
||||
|
||||
# Parse OBJS lines
|
||||
my %objs;
|
||||
diff -up ./plugins/sudoers/check.c.CVE-2019-19234 ./plugins/sudoers/check.c
|
||||
--- ./plugins/sudoers/check.c.CVE-2019-19234 2019-10-28 13:27:45.000000000 +0100
|
||||
+++ ./plugins/sudoers/check.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -333,3 +333,28 @@ get_authpw(int mode)
|
||||
|
||||
debug_return_ptr(pw);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Returns true if the specified shell is allowed by /etc/shells, else false.
|
||||
+ */
|
||||
+bool
|
||||
+check_user_shell(const struct passwd *pw)
|
||||
+{
|
||||
+ const char *shell;
|
||||
+ debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH)
|
||||
+
|
||||
+ if (!def_runas_check_shell)
|
||||
+ debug_return_bool(true);
|
||||
+
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
+ "%s: checking /etc/shells for %s", __func__, pw->pw_shell);
|
||||
+
|
||||
+ setusershell();
|
||||
+ while ((shell = getusershell()) != NULL) {
|
||||
+ if (strcmp(shell, pw->pw_shell) == 0)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ endusershell();
|
||||
+
|
||||
+ debug_return_bool(false);
|
||||
+}
|
||||
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19234 ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.CVE-2019-19234 2020-01-14 15:53:40.504988050 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -518,6 +518,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Allow the use of unknown runas user and/or group ID"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "runas_check_shell", T_FLAG,
|
||||
+ N_("Only permit running commands as a user with a valid shell"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19234 ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.CVE-2019-19234 2020-01-14 15:53:40.512988105 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2020-01-14 15:58:06.927808982 +0100
|
||||
@@ -238,6 +238,8 @@
|
||||
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
#define I_RUNAS_ALLOW_UNKNOWN_ID 119
|
||||
#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
|
||||
+#define I_RUNAS_CHECK_SHELL 120
|
||||
+#define def_runas_check_shell (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19234 ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.CVE-2019-19234 2020-01-14 15:53:40.505988057 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -375,3 +375,7 @@ cmnd_no_wait
|
||||
runas_allow_unknown_id
|
||||
T_FLAG
|
||||
"Allow the use of unknown runas user and/or group ID"
|
||||
+runas_check_shell
|
||||
+ T_FLAG
|
||||
+ "Only permit running commands as a user with a valid shell"
|
||||
+
|
||||
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19234 ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.CVE-2019-19234 2020-01-14 15:53:40.505988057 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -273,7 +273,7 @@ sudoers_policy_main(int argc, char * con
|
||||
/* Not an audit event. */
|
||||
sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
|
||||
goto bad;
|
||||
- }
|
||||
+ }
|
||||
|
||||
if (!set_perms(PERM_INITIAL))
|
||||
goto bad;
|
||||
@@ -412,6 +412,13 @@ sudoers_policy_main(int argc, char * con
|
||||
goto bad;
|
||||
}
|
||||
|
||||
+ /* Check runas user's shell. */
|
||||
+ if (!check_user_shell(runas_pw)) {
|
||||
+ log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
|
||||
+ runas_pw->pw_name, runas_pw->pw_shell);
|
||||
+ goto bad;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We don't reset the environment for sudoedit or if the user
|
||||
* specified the -E command line flag and they have setenv privs.
|
||||
diff -up ./plugins/sudoers/sudoers.h.CVE-2019-19234 ./plugins/sudoers/sudoers.h
|
||||
--- ./plugins/sudoers/sudoers.h.CVE-2019-19234 2020-01-14 15:53:40.502988036 +0100
|
||||
+++ ./plugins/sudoers/sudoers.h 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -264,6 +264,7 @@ int find_path(const char *infile, char *
|
||||
|
||||
/* check.c */
|
||||
int check_user(int validate, int mode);
|
||||
+bool check_user_shell(const struct passwd *pw);
|
||||
bool user_is_exempt(void);
|
||||
|
||||
/* prompt.c */
|
|
@ -0,0 +1,90 @@
|
|||
From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Sykora <tosykora@redhat.com>
|
||||
Date: Wed, 17 Aug 2016 10:12:11 +0200
|
||||
Subject: [PATCH] Sudo logs username root instead of realuser
|
||||
|
||||
RHEL7 sudo logs username root instead of realuser in /var/log/secure
|
||||
|
||||
Rebased from:
|
||||
Patch50: sudo-1.8.6p7-logsudouser.patch
|
||||
|
||||
Resolves:
|
||||
rhbz#1312486
|
||||
---
|
||||
plugins/sudoers/logging.c | 14 +++++++-------
|
||||
plugins/sudoers/sudoers.h | 1 +
|
||||
2 files changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
|
||||
index 45cae67..74b2220 100644
|
||||
--- a/plugins/sudoers/logging.c
|
||||
+++ b/plugins/sudoers/logging.c
|
||||
@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
|
||||
* Log the full line, breaking into multiple syslog(3) calls if necessary
|
||||
*/
|
||||
fmt = _("%8s : %s");
|
||||
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
|
||||
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
|
||||
for (p = msg; *p != '\0'; ) {
|
||||
len = strlen(p);
|
||||
if (len > maxlen) {
|
||||
@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
|
||||
save = *tmp;
|
||||
*tmp = '\0';
|
||||
|
||||
- mysyslog(pri, fmt, user_name, p);
|
||||
+ mysyslog(pri, fmt, sudo_user_name, p);
|
||||
|
||||
*tmp = save; /* restore saved character */
|
||||
|
||||
@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
|
||||
for (p = tmp; *p == ' '; p++)
|
||||
continue;
|
||||
} else {
|
||||
- mysyslog(pri, fmt, user_name, p);
|
||||
+ mysyslog(pri, fmt, sudo_user_name, p);
|
||||
p += len;
|
||||
}
|
||||
fmt = _("%8s : (command continued) %s");
|
||||
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
|
||||
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
|
||||
}
|
||||
|
||||
sudoers_setlocale(oldlocale, NULL);
|
||||
@@ -179,10 +179,10 @@ do_logfile(const char *msg)
|
||||
timestr = "invalid date";
|
||||
if (def_log_host) {
|
||||
len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
|
||||
- timestr, user_name, user_srunhost, msg);
|
||||
+ timestr, sudo_user_name, user_srunhost, msg);
|
||||
} else {
|
||||
len = asprintf(&full_line, "%s : %s : %s",
|
||||
- timestr, user_name, msg);
|
||||
+ timestr, sudo_user_name, msg);
|
||||
}
|
||||
if (len == -1) {
|
||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
|
||||
|
||||
if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
|
||||
timestr = "invalid date";
|
||||
- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
|
||||
+ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
|
||||
va_start(ap, fmt);
|
||||
(void) vfprintf(mail, fmt, ap);
|
||||
va_end(ap);
|
||||
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
|
||||
index cfd5abb..c69a043 100644
|
||||
--- a/plugins/sudoers/sudoers.h
|
||||
+++ b/plugins/sudoers/sudoers.h
|
||||
@@ -180,6 +180,7 @@ struct sudo_user {
|
||||
/*
|
||||
* Shortcuts for sudo_user contents.
|
||||
*/
|
||||
+#define sudo_user_name (sudo_user.pw->pw_name)
|
||||
#define user_name (sudo_user.name)
|
||||
#define user_uid (sudo_user.uid)
|
||||
#define user_gid (sudo_user.gid)
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -0,0 +1,86 @@
|
|||
## BINDDN DN
|
||||
## The BINDDN parameter specifies the identity, in the form of a Dis‐
|
||||
## tinguished Name (DN), to use when performing LDAP operations. If
|
||||
## not specified, LDAP operations are performed with an anonymous
|
||||
## identity. By default, most LDAP servers will allow anonymous
|
||||
## access.
|
||||
##
|
||||
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
## BINDPW secret
|
||||
## The BINDPW parameter specifies the password to use when performing
|
||||
## LDAP operations. This is typically used in conjunction with the
|
||||
## BINDDN parameter.
|
||||
##
|
||||
#bindpw secret
|
||||
|
||||
## SSL start_tls
|
||||
## If the SSL parameter is set to start_tls, the LDAP server connec‐
|
||||
## tion is initiated normally and TLS encryption is begun before the
|
||||
## bind credentials are sent. This has the advantage of not requiring
|
||||
## a dedicated port for encrypted communications. This parameter is
|
||||
## only supported by LDAP servers that honor the start_tls extension,
|
||||
## such as the OpenLDAP and Tivoli Directory servers.
|
||||
##
|
||||
#ssl start_tls
|
||||
|
||||
## TLS_CACERTFILE file name
|
||||
## The path to a certificate authority bundle which contains the cer‐
|
||||
## tificates for all the Certificate Authorities the client knows to
|
||||
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
|
||||
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
|
||||
## use the same certificate database for CA and client certificates
|
||||
## (see TLS_CERT).
|
||||
##
|
||||
#tls_cacertfile /path/to/CA.crt
|
||||
|
||||
## TLS_CHECKPEER on/true/yes/off/false/no
|
||||
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
|
||||
## cated to be verified. If the server's TLS certificate cannot be
|
||||
## verified (usually because it is signed by an unknown certificate
|
||||
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
|
||||
## is disabled, no check is made. Note that disabling the check cre‐
|
||||
## ates an opportunity for man-in-the-middle attacks since the
|
||||
## server's identity will not be authenticated. If possible, the CA's
|
||||
## certificate should be installed locally so it can be verified.
|
||||
## This option is not supported by the Tivoli Directory Server LDAP
|
||||
## libraries.
|
||||
#tls_checkpeer yes
|
||||
|
||||
##
|
||||
## URI ldap[s]://[hostname[:port]] ...
|
||||
## Specifies a whitespace-delimited list of one or more
|
||||
## URIs describing the LDAP server(s) to connect to.
|
||||
##
|
||||
#uri ldap://ldapserver
|
||||
|
||||
##
|
||||
## SUDOERS_BASE base
|
||||
## The base DN to use when performing sudo LDAP queries.
|
||||
## Multiple SUDOERS_BASE lines may be specified, in which
|
||||
## case they are queried in the order specified.
|
||||
##
|
||||
#sudoers_base ou=SUDOers,dc=example,dc=com
|
||||
|
||||
##
|
||||
## BIND_TIMELIMIT seconds
|
||||
## The BIND_TIMELIMIT parameter specifies the amount of
|
||||
## time to wait while trying to connect to an LDAP server.
|
||||
##
|
||||
#bind_timelimit 30
|
||||
|
||||
##
|
||||
## TIMELIMIT seconds
|
||||
## The TIMELIMIT parameter specifies the amount of time
|
||||
## to wait for a response to an LDAP query.
|
||||
##
|
||||
#timelimit 30
|
||||
|
||||
##
|
||||
## SUDOERS_DEBUG debug_level
|
||||
## This sets the debug level for sudo LDAP queries. Debugging
|
||||
## information is printed to the standard error. A value of 1
|
||||
## results in a moderate amount of debugging information.
|
||||
## A value of 2 shows the results of the matches themselves.
|
||||
##
|
||||
#sudoers_debug 1
|
|
@ -0,0 +1,57 @@
|
|||
#
|
||||
# Default /etc/sudo.conf file
|
||||
#
|
||||
# Format:
|
||||
# Plugin plugin_name plugin_path plugin_options ...
|
||||
# Path askpass /path/to/askpass
|
||||
# Path noexec /path/to/sudo_noexec.so
|
||||
# Debug sudo /var/log/sudo_debug all@warn
|
||||
# Set disable_coredump true
|
||||
#
|
||||
# Sudo plugins:
|
||||
#
|
||||
# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
|
||||
# The plugin_name corresponds to a global symbol in the plugin
|
||||
# that contains the plugin interface structure.
|
||||
# The plugin_options are optional.
|
||||
#
|
||||
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||
Plugin sudoers_policy sudoers.so
|
||||
Plugin sudoers_io sudoers.so
|
||||
|
||||
#
|
||||
# Sudo askpass:
|
||||
#
|
||||
# An askpass helper program may be specified to provide a graphical
|
||||
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||
# own passpass program but can use the OpenSSH askpass.
|
||||
#
|
||||
# Use the OpenSSH askpass
|
||||
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||
#
|
||||
# Use the Gnome OpenSSH askpass
|
||||
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||
|
||||
#
|
||||
# Sudo noexec:
|
||||
#
|
||||
# Path to a shared library containing dummy versions of the execv(),
|
||||
# execve() and fexecve() library functions that just return an error.
|
||||
# This is used to implement the "noexec" functionality on systems that
|
||||
# support C<LD_PRELOAD> or its equivalent.
|
||||
# The compiled-in value is usually sufficient and should only be changed
|
||||
# if you rename or move the sudo_noexec.so file.
|
||||
#
|
||||
#Path noexec /usr/libexec/sudo_noexec.so
|
||||
|
||||
#
|
||||
# Core dumps:
|
||||
#
|
||||
# By default, sudo disables core dumps while it is executing (they
|
||||
# are re-enabled for the command that is run).
|
||||
# To aid in debugging sudo problems, you may wish to enable core
|
||||
# dumps by setting "disable_coredump" to false.
|
||||
#
|
||||
# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
|
||||
#
|
||||
Set disable_coredump false
|
|
@ -0,0 +1,120 @@
|
|||
## Sudoers allows particular users to run various commands as
|
||||
## the root user, without needing the root password.
|
||||
##
|
||||
## Examples are provided at the bottom of the file for collections
|
||||
## of related commands, which can then be delegated out to particular
|
||||
## users or groups.
|
||||
##
|
||||
## This file must be edited with the 'visudo' command.
|
||||
|
||||
## Host Aliases
|
||||
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||
## wildcards for entire domains) or IP addresses instead.
|
||||
# Host_Alias FILESERVERS = fs1, fs2
|
||||
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||
|
||||
## User Aliases
|
||||
## These aren't often necessary, as you can use regular groups
|
||||
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||
## rather than USERALIAS
|
||||
# User_Alias ADMINS = jsmith, mikem
|
||||
|
||||
|
||||
## Command Aliases
|
||||
## These are groups of related commands...
|
||||
|
||||
## Networking
|
||||
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||
|
||||
## Installation and management of software
|
||||
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||
|
||||
## Services
|
||||
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||
|
||||
## Updating the locate database
|
||||
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||
|
||||
## Storage
|
||||
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||
|
||||
## Delegating permissions
|
||||
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||
|
||||
## Processes
|
||||
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||
|
||||
## Drivers
|
||||
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||
|
||||
# Defaults specification
|
||||
|
||||
#
|
||||
# Refuse to run if unable to disable echo on the tty.
|
||||
#
|
||||
Defaults !visiblepw
|
||||
|
||||
#
|
||||
# Preserving HOME has security implications since many programs
|
||||
# use it when searching for configuration files. Note that HOME
|
||||
# is already set when the the env_reset option is enabled, so
|
||||
# this option is only effective for configurations where either
|
||||
# env_reset is disabled or HOME is present in the env_keep list.
|
||||
#
|
||||
Defaults always_set_home
|
||||
Defaults match_group_by_gid
|
||||
|
||||
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||
# found in the system group database were passed to the group
|
||||
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||
# %:group are resolved via the group plugin by default.
|
||||
# We enable always_query_group_plugin to restore old behavior.
|
||||
# Disable this option for new behavior.
|
||||
Defaults always_query_group_plugin
|
||||
|
||||
Defaults env_reset
|
||||
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||
|
||||
#
|
||||
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||
# commands via sudo.
|
||||
#
|
||||
# Defaults env_keep += "HOME"
|
||||
|
||||
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
## Next comes the main part: which users can run what software on
|
||||
## which machines (the sudoers file can be shared between multiple
|
||||
## systems).
|
||||
## Syntax:
|
||||
##
|
||||
## user MACHINE=COMMANDS
|
||||
##
|
||||
## The COMMANDS section may have other options added to it.
|
||||
##
|
||||
## Allow root to run any commands anywhere
|
||||
root ALL=(ALL) ALL
|
||||
|
||||
## Allows members of the 'sys' group to run networking, software,
|
||||
## service management apps and more.
|
||||
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||
|
||||
## Allows people in group wheel to run all commands
|
||||
%wheel ALL=(ALL) ALL
|
||||
|
||||
## Same thing without a password
|
||||
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||
|
||||
## Allows members of the users group to mount and unmount the
|
||||
## cdrom as root
|
||||
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||
|
||||
## Allows members of the users group to shutdown this system
|
||||
# %users localhost=/sbin/shutdown -h now
|
||||
|
||||
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||
#includedir /etc/sudoers.d
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue