import sudo-1.8.29-5.el8
This commit is contained in:
parent
c6383df712
commit
d3ad6b3add
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sudo-1.8.25p1.tar.gz
|
||||
SOURCES/sudo-1.8.29.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz
|
||||
fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz
|
||||
|
@ -1,70 +0,0 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
|
||||
@@ -34,7 +34,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%them" }
|
||||
+ { "usergroup": "them" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -42,7 +42,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%: non UNIX 0 c" }
|
||||
+ { "nonunixgroup": " non UNIX 0 c" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -50,7 +50,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "+net" }
|
||||
+ { "netgroup": "net" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
|
||||
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
|
||||
#
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
|
||||
|
||||
#
|
||||
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
|
||||
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
|
||||
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
@ -1,27 +0,0 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
|
||||
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
if (ldap_conf.search_filter)
|
||||
sz += strlen(ldap_conf.search_filter);
|
||||
|
||||
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
|
||||
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
|
||||
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
|
||||
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
|
||||
|
||||
/* Add space for primary and supplementary groups and gids */
|
||||
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
|
||||
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
|
||||
CHECK_STRLCAT(buf, ")", sz);
|
||||
|
||||
+ /* Append user uid */
|
||||
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
|
||||
+ (void) strlcat(buf, "(sudoUser=#", sz);
|
||||
+ (void) strlcat(buf, gidbuf, sz);
|
||||
+ (void) strlcat(buf, ")", sz);
|
||||
+
|
||||
/* Append primary group and gid */
|
||||
if (grp != NULL) {
|
||||
CHECK_STRLCAT(buf, "(sudoUser=%", sz);
|
@ -1,7 +1,7 @@
|
||||
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
|
||||
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200
|
||||
+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200
|
||||
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
|
||||
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -347,6 +347,15 @@ main(int argc, char *argv[])
|
||||
sudo_fatalx("error: unhandled input %d", input_format);
|
||||
}
|
||||
|
||||
@ -18,9 +18,9 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvts
|
||||
filter_userspecs(&parsed_policy, conf);
|
||||
filter_defaults(&parsed_policy, conf);
|
||||
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
|
||||
--- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200
|
||||
+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -86,6 +86,7 @@ static struct early_default early_defaul
|
||||
--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -93,6 +93,7 @@ static struct early_default early_defaul
|
||||
{ I_FQDN },
|
||||
#endif
|
||||
{ I_MATCH_GROUP_BY_GID },
|
||||
@ -28,7 +28,7 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
|
||||
{ I_GROUP_PLUGIN },
|
||||
{ I_RUNAS_DEFAULT },
|
||||
{ I_SUDOERS_LOCALE },
|
||||
@@ -487,6 +488,8 @@ init_defaults(void)
|
||||
@@ -494,6 +495,8 @@ init_defaults(void)
|
||||
}
|
||||
|
||||
/* First initialize the flags. */
|
||||
@ -38,10 +38,10 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
|
||||
def_long_otp_prompt = true;
|
||||
#endif
|
||||
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Ignore case when matching group names"),
|
||||
--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100
|
||||
@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Log when a command is denied by sudoers"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "legacy_group_processing", T_FLAG,
|
||||
@ -52,31 +52,31 @@ diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_da
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -226,6 +226,8 @@
|
||||
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
|
||||
#define I_CASE_INSENSITIVE_GROUP 113
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 114
|
||||
--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100
|
||||
@@ -232,6 +232,8 @@
|
||||
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
|
||||
#define I_LOG_DENIED 116
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 117
|
||||
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200
|
||||
@@ -357,3 +357,6 @@ case_insensitive_user
|
||||
case_insensitive_group
|
||||
--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100
|
||||
@@ -366,3 +366,6 @@ log_allowed
|
||||
log_denied
|
||||
T_FLAG
|
||||
"Ignore case when matching group names"
|
||||
"Log when a command is denied by sudoers"
|
||||
+legacy_group_processing
|
||||
+ T_FLAG
|
||||
+ "Don't pre-resolve all group names"
|
||||
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200
|
||||
+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200
|
||||
@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
|
||||
--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100
|
||||
@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c
|
||||
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
|
||||
ret = true;
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
|
||||
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100
|
||||
@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't pre-resolve all group names"),
|
||||
NULL,
|
||||
}, {
|
||||
@ -12,33 +12,32 @@ diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/su
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
|
||||
@@ -228,6 +228,8 @@
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 114
|
||||
diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100
|
||||
@@ -234,6 +234,8 @@
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 117
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
+#define I_CMND_NO_WAIT 115
|
||||
+#define I_CMND_NO_WAIT 118
|
||||
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
|
||||
@@ -360,3 +360,6 @@ case_insensitive_group
|
||||
diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -369,3 +369,6 @@ log_denied
|
||||
legacy_group_processing
|
||||
T_FLAG
|
||||
"Don't pre-resolve all group names"
|
||||
+cmnd_no_wait
|
||||
+ T_FLAG
|
||||
+ "Don't fork and wait for the command to finish, just exec it"
|
||||
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
|
||||
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
|
||||
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
|
||||
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
|
||||
diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c
|
||||
def_match_group_by_gid = false;
|
||||
def_legacy_group_processing = false;
|
||||
}
|
||||
|
@ -1,103 +0,0 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
# Date 1544201494 25200
|
||||
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
|
||||
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
|
||||
The fix for bug #843 was incomplete and caused pam_end() to be called early.
|
||||
sudo_pam_approval() must not set the global pam status to an error
|
||||
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
|
||||
will call pam_end() before sudo_pam_begin_session(). This resulted
|
||||
in a NULL PAM handle being used in sudo_pam_begin_session().
|
||||
|
||||
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
|
||||
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
|
||||
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
|
||||
@@ -210,59 +210,68 @@
|
||||
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
||||
{
|
||||
const char *s;
|
||||
+ int rc, status = AUTH_SUCCESS;
|
||||
int *pam_status = (int *) auth->data;
|
||||
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
|
||||
|
||||
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
|
||||
- switch (*pam_status) {
|
||||
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
|
||||
+ switch (rc) {
|
||||
case PAM_SUCCESS:
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
case PAM_AUTH_ERR:
|
||||
log_warningx(0, N_("account validation failure, "
|
||||
"is your account locked?"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
/* Ignore if user is exempt from password restrictions. */
|
||||
if (exempt)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
/* New password required, try to change it. */
|
||||
log_warningx(0, N_("Account or password is "
|
||||
"expired, reset your password and try again"));
|
||||
- *pam_status = pam_chauthtok(pamh,
|
||||
- PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
- if (*pam_status == PAM_SUCCESS)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
|
||||
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
+ if (rc == PAM_SUCCESS)
|
||||
+ break;
|
||||
+ if ((s = pam_strerror(pamh, rc)) == NULL)
|
||||
s = "unknown error";
|
||||
log_warningx(0,
|
||||
N_("unable to change expired password: %s"), s);
|
||||
- debug_return_int(AUTH_FAILURE);
|
||||
+ status = AUTH_FAILURE;
|
||||
+ break;
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
/* Ignore if user is exempt from password restrictions. */
|
||||
if (exempt)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
/* Password expired, cannot be updated by user. */
|
||||
log_warningx(0,
|
||||
N_("Password expired, contact your system administrator"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_ACCT_EXPIRED:
|
||||
log_warningx(0,
|
||||
N_("Account expired or PAM config lacks an \"account\" "
|
||||
"section for sudo, contact your system administrator"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_AUTHINFO_UNAVAIL:
|
||||
case PAM_MAXTRIES:
|
||||
case PAM_PERM_DENIED:
|
||||
- s = pam_strerror(pamh, *pam_status);
|
||||
+ s = pam_strerror(pamh, rc);
|
||||
log_warningx(0, N_("PAM account management error: %s"),
|
||||
s ? s : "unknown error");
|
||||
- debug_return_int(AUTH_FAILURE);
|
||||
+ status = AUTH_FAILURE;
|
||||
+ break;
|
||||
default:
|
||||
- s = pam_strerror(pamh, *pam_status);
|
||||
+ s = pam_strerror(pamh, rc);
|
||||
log_warningx(0, N_("PAM account management error: %s"),
|
||||
s ? s : "unknown error");
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
}
|
||||
+ /* Ignore errors if user is exempt from password restrictions. */
|
||||
+ *pam_status = exempt ? PAM_SUCCESS : rc;
|
||||
+ debug_return_int(status);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -1,56 +0,0 @@
|
||||
commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
|
||||
Author: Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
Date: Wed Jan 2 07:39:33 2019 -0700
|
||||
|
||||
Fix setting of utmp entry when running command in a pty.
|
||||
Regression introduced in sudo 1.8.22.
|
||||
|
||||
diff --git a/src/exec_pty.c b/src/exec_pty.c
|
||||
index cbcccca3..68312a98 100644
|
||||
--- a/src/exec_pty.c
|
||||
+++ b/src/exec_pty.c
|
||||
@@ -140,7 +140,7 @@ pty_cleanup(void)
|
||||
* and slavename globals.
|
||||
*/
|
||||
static bool
|
||||
-pty_setup(uid_t uid, const char *tty)
|
||||
+pty_setup(struct command_details *details, const char *tty)
|
||||
{
|
||||
debug_decl(pty_setup, SUDO_DEBUG_EXEC);
|
||||
|
||||
@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
|
||||
}
|
||||
|
||||
if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
|
||||
- slavename, sizeof(slavename), uid))
|
||||
+ slavename, sizeof(slavename), details->euid))
|
||||
sudo_fatal(U_("unable to allocate pty"));
|
||||
|
||||
/* Add entry to utmp/utmpx? */
|
||||
- if (utmp_user != NULL)
|
||||
+ if (ISSET(details->flags, CD_SET_UTMP)) {
|
||||
+ utmp_user =
|
||||
+ details->utmp_user ? details->utmp_user : user_details.username;
|
||||
utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
|
||||
+ }
|
||||
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
"%s: %s fd %d, pty master fd %d, pty slave fd %d",
|
||||
@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
|
||||
/*
|
||||
* Allocate a pty.
|
||||
*/
|
||||
- if (pty_setup(details->euid, user_details.tty)) {
|
||||
- if (ISSET(details->flags, CD_SET_UTMP))
|
||||
- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
|
||||
- } else if (TAILQ_EMPTY(&io_plugins)) {
|
||||
- /* Not logging I/O and didn't allocate a pty. */
|
||||
- debug_return_bool(false);
|
||||
+ if (!pty_setup(details, user_details.tty)) {
|
||||
+ if (TAILQ_EMPTY(&io_plugins)) {
|
||||
+ /* Not logging I/O and didn't allocate a pty. */
|
||||
+ debug_return_bool(false);
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
@ -1,25 +0,0 @@
|
||||
From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Tue, 11 Dec 2018 09:05:04 -0700
|
||||
Subject: [PATCH 2/4] The -c option was missing from the help info; from
|
||||
Radovan Sroka
|
||||
|
||||
---
|
||||
plugins/sudoers/cvtsudoers.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
|
||||
index 795936c1..0221314b 100644
|
||||
--- a/plugins/sudoers/cvtsudoers.c
|
||||
+++ b/plugins/sudoers/cvtsudoers.c
|
||||
@@ -1315,6 +1315,7 @@ help(void)
|
||||
usage(0);
|
||||
(void) puts(_("\nOptions:\n"
|
||||
" -b, --base=dn the base DN for sudo LDAP queries\n"
|
||||
+ " -c, --config=conf_file the path to the configuration file\n"
|
||||
" -d, --defaults=deftypes only convert Defaults of the specified types\n"
|
||||
" -e, --expand-aliases expand aliases when converting\n"
|
||||
" -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
|
||||
--
|
||||
2.17.2
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,65 +0,0 @@
|
||||
From e1a402f1d65f4f107a40237bc19384e43b334546 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Tue, 16 Oct 2018 12:49:34 -0600
|
||||
Subject: [PATCH] sudo_ldap_parse_option() never returns '=' as the operator.
|
||||
When parsing command_timeout, role, type, privs and limitprivs, check that
|
||||
val is non-NULL instead. Found by PVS Studio.
|
||||
|
||||
---
|
||||
plugins/sudoers/ldap_util.c | 37 ++++++++++++++-----------------------
|
||||
1 file changed, 14 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c
|
||||
index d9be95a61..fecb7a6c5 100644
|
||||
--- a/plugins/sudoers/ldap_util.c
|
||||
+++ b/plugins/sudoers/ldap_util.c
|
||||
@@ -405,32 +405,23 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
|
||||
int op;
|
||||
|
||||
op = sudo_ldap_parse_option(opt, &var, &val);
|
||||
- if (strcmp(var, "command_timeout") == 0) {
|
||||
- if (op == '=')
|
||||
- cmndspec->timeout = parse_timeout(val);
|
||||
+ if (strcmp(var, "command_timeout") == 0 && val != NULL) {
|
||||
+ cmndspec->timeout = parse_timeout(val);
|
||||
#ifdef HAVE_SELINUX
|
||||
- } else if (strcmp(var, "role") == 0) {
|
||||
- if (op == '=') {
|
||||
- if ((cmndspec->role = strdup(val)) == NULL)
|
||||
- goto oom;
|
||||
- }
|
||||
- } else if (strcmp(var, "type") == 0) {
|
||||
- if (op == '=') {
|
||||
- if ((cmndspec->type = strdup(val)) == NULL)
|
||||
- goto oom;
|
||||
- }
|
||||
+ } else if (strcmp(var, "role") == 0 && val != NULL) {
|
||||
+ if ((cmndspec->role = strdup(val)) == NULL)
|
||||
+ goto oom;
|
||||
+ } else if (strcmp(var, "type") == 0 && val != NULL) {
|
||||
+ if ((cmndspec->type = strdup(val)) == NULL)
|
||||
+ goto oom;
|
||||
#endif /* HAVE_SELINUX */
|
||||
#ifdef HAVE_PRIV_SET
|
||||
- } else if (strcmp(var, "privs") == 0) {
|
||||
- if (op == '=') {
|
||||
- if ((cmndspec->privs = strdup(val)) == NULL)
|
||||
- goto oom;
|
||||
- }
|
||||
- } else if (strcmp(var, "limitprivs") == 0) {
|
||||
- if (op == '=') {
|
||||
- if ((cmndspec->limitprivs = strdup(val)) == NULL)
|
||||
- goto oom;
|
||||
- }
|
||||
+ } else if (strcmp(var, "privs") == 0 && val != NULL) {
|
||||
+ if ((cmndspec->privs = strdup(val)) == NULL)
|
||||
+ goto oom;
|
||||
+ } else if (strcmp(var, "limitprivs") == 0 && val != NULL) {
|
||||
+ if ((cmndspec->limitprivs = strdup(val)) == NULL)
|
||||
+ goto oom;
|
||||
#endif /* HAVE_PRIV_SET */
|
||||
} else if (store_options) {
|
||||
if (!sudo_ldap_add_default(var, val, op, source,
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,57 +0,0 @@
|
||||
From 60f0d65e22ba93988229453eb013728e47e5f84e Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Wed, 17 Oct 2018 06:57:06 -0600
|
||||
Subject: [PATCH] Fix expected test output now that command_timeout is parsed
|
||||
correctly in LDIF.
|
||||
|
||||
---
|
||||
.../regress/sudoers/test17.ldif2sudo.ok | 20 +++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
|
||||
index 6bc2a36ed..608f52fc4 100644
|
||||
--- a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
|
||||
+++ b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
|
||||
@@ -1,29 +1,29 @@
|
||||
Defaults command_timeout=2d8h10m59s
|
||||
|
||||
# sudoRole user0
|
||||
-user0 ALL = /usr/bin/id, /usr/bin/who, /bin/ls
|
||||
+user0 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/who, /bin/ls
|
||||
|
||||
# sudoRole user1
|
||||
-user1 ALL = /usr/bin/id
|
||||
+user1 ALL = TIMEOUT=619830 /usr/bin/id
|
||||
|
||||
# sudoRole user2
|
||||
-user2 ALL = /usr/bin/id
|
||||
+user2 ALL = TIMEOUT=15030 /usr/bin/id
|
||||
|
||||
# sudoRole user3
|
||||
-user3 ALL = /usr/bin/id
|
||||
+user3 ALL = TIMEOUT=630 /usr/bin/id
|
||||
|
||||
# sudoRole user4
|
||||
-user4 ALL = /usr/bin/id
|
||||
+user4 ALL = TIMEOUT=1209600 /usr/bin/id
|
||||
|
||||
# sudoRole user5
|
||||
-user5 ALL = /usr/bin/id
|
||||
+user5 ALL = TIMEOUT=300 /usr/bin/id
|
||||
|
||||
# sudoRole user6
|
||||
-user6 ALL = /usr/bin/id
|
||||
+user6 ALL = TIMEOUT=30 /usr/bin/id
|
||||
|
||||
# sudoRole user7
|
||||
-user7 ALL = /usr/bin/id
|
||||
+user7 ALL = TIMEOUT=45 /usr/bin/id
|
||||
|
||||
# sudoRole user8
|
||||
-user8 ALL = /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
|
||||
- /usr/bin/id
|
||||
+user8 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
|
||||
+ /usr/bin/id, /usr/bin/id
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,27 +0,0 @@
|
||||
diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
|
||||
--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100
|
||||
+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100
|
||||
@@ -1582,13 +1582,16 @@ help(void)
|
||||
(void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
|
||||
usage(0);
|
||||
(void) puts(_("\nOptions:\n"
|
||||
- " -d, --directory=dir specify directory for session logs\n"
|
||||
- " -f, --filter=filter specify which I/O type(s) to display\n"
|
||||
- " -h, --help display help message and exit\n"
|
||||
- " -l, --list list available session IDs, with optional expression\n"
|
||||
- " -m, --max-wait=num max number of seconds to wait between events\n"
|
||||
- " -s, --speed=num speed up or slow down output\n"
|
||||
- " -V, --version display version information and exit"));
|
||||
+ " -d, --directory=dir specify directory for session logs\n"
|
||||
+ " -f, --filter=filter specify which I/O type(s) to display\n"
|
||||
+ " -h, --help display help message and exit\n"
|
||||
+ " -l, --list list available session IDs, with optional expression\n"
|
||||
+ " -m, --max-wait=num max number of seconds to wait between events\n"
|
||||
+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
|
||||
+ " -R, --no-resize do not attempt to re-size the terminal\n"
|
||||
+ " -S, --suspend-wait wait while the command was suspended\n"
|
||||
+ " -s, --speed=num speed up or slow down output\n"
|
||||
+ " -V, --version display version information and exit"));
|
||||
exit(0);
|
||||
}
|
||||
|
@ -1,80 +0,0 @@
|
||||
From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Tue, 11 Dec 2018 09:02:30 -0700
|
||||
Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
|
||||
|
||||
---
|
||||
doc/cvtsudoers.cat | 6 +++---
|
||||
doc/cvtsudoers.man.in | 6 +++---
|
||||
doc/cvtsudoers.mdoc.in | 6 +++---
|
||||
3 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
|
||||
index 61bf3a28..9c1ef140 100644
|
||||
--- a/doc/cvtsudoers.cat
|
||||
+++ b/doc/cvtsudoers.cat
|
||||
@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
|
||||
--bb _d_n, ----bbaassee=_d_n
|
||||
The base DN (distinguished name) that will be used when
|
||||
performing LDAP queries. Typically this is of the form
|
||||
- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
|
||||
+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
|
||||
If this option is not specified, the value of the
|
||||
SUDOERS_BASE environment variable will be used instead. Only
|
||||
necessary when converting to LDIF format.
|
||||
@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN
|
||||
Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by
|
||||
default when the output _f_o_r_m_a_t is JSON or sudoers.
|
||||
|
||||
- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
|
||||
+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
|
||||
Specify the output format (case-insensitive). The following
|
||||
formats are supported:
|
||||
|
||||
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
|
||||
index b159ee5d..2f45ee1d 100644
|
||||
--- a/doc/cvtsudoers.man.in
|
||||
+++ b/doc/cvtsudoers.man.in
|
||||
@@ -59,7 +59,7 @@ The options are as follows:
|
||||
The base DN (distinguished name) that will be used when performing
|
||||
LDAP queries.
|
||||
Typically this is of the form
|
||||
-\fRou=SUDOers,dc=-mydomain,dc=com\fR
|
||||
+\fRou=SUDOers,dc=my-domain,dc=com\fR
|
||||
for the domain
|
||||
\fRmy-domain.com\fR.
|
||||
If this option is not specified, the value of the
|
||||
@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
|
||||
\fIformat\fR
|
||||
is JSON or sudoers.
|
||||
.TP 12n
|
||||
-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
|
||||
+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
|
||||
Specify the output format (case-insensitive).
|
||||
The following formats are supported:
|
||||
.PP
|
||||
diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
|
||||
index 1812bc67..8261ddc6 100644
|
||||
--- a/doc/cvtsudoers.mdoc.in
|
||||
+++ b/doc/cvtsudoers.mdoc.in
|
||||
@@ -57,7 +57,7 @@ The options are as follows:
|
||||
The base DN (distinguished name) that will be used when performing
|
||||
LDAP queries.
|
||||
Typically this is of the form
|
||||
-.Li ou=SUDOers,dc=-mydomain,dc=com
|
||||
+.Li ou=SUDOers,dc=my-domain,dc=com
|
||||
for the domain
|
||||
.Li my-domain.com .
|
||||
If this option is not specified, the value of the
|
||||
@@ -110,7 +110,7 @@ Expand aliases in
|
||||
Aliases are preserved by default when the output
|
||||
.Ar format
|
||||
is JSON or sudoers.
|
||||
-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
|
||||
+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
|
||||
Specify the output format (case-insensitive).
|
||||
The following formats are supported:
|
||||
.Bl -tag -width 8n
|
||||
--
|
||||
2.17.2
|
||||
|
@ -1,96 +0,0 @@
|
||||
diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c
|
||||
--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2014 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
+ * Copyright (c) 2014-2019 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -24,6 +24,7 @@
|
||||
#else
|
||||
# include "compat/stdbool.h"
|
||||
#endif
|
||||
+#include <errno.h>
|
||||
|
||||
#include "sudo_compat.h"
|
||||
#include "sudo_util.h"
|
||||
@@ -78,15 +79,20 @@ static struct strtoid_data {
|
||||
id_t id;
|
||||
const char *sep;
|
||||
const char *ep;
|
||||
+ int errnum;
|
||||
} strtoid_data[] = {
|
||||
- { "0,1", 0, ",", "," },
|
||||
- { "10", 10, NULL, NULL },
|
||||
- { "-2", -2, NULL, NULL },
|
||||
+ { "0,1", 0, ",", ",", 0 },
|
||||
+ { "10", 10, NULL, NULL, 0 },
|
||||
+ { "-1", 0, NULL, NULL, EINVAL },
|
||||
+ { "4294967295", 0, NULL, NULL, EINVAL },
|
||||
+ { "4294967296", 0, NULL, NULL, ERANGE },
|
||||
+ { "-2147483649", 0, NULL, NULL, ERANGE },
|
||||
+ { "-2", -2, NULL, NULL, 0 },
|
||||
#if SIZEOF_ID_T != SIZEOF_LONG_LONG
|
||||
- { "-2", (id_t)4294967294U, NULL, NULL },
|
||||
+ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
|
||||
#endif
|
||||
- { "4294967294", (id_t)4294967294U, NULL, NULL },
|
||||
- { NULL, 0, NULL, NULL }
|
||||
+ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
|
||||
+ { NULL, 0, NULL, NULL, 0 }
|
||||
};
|
||||
|
||||
static int
|
||||
@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
|
||||
(*ntests)++;
|
||||
errstr = "some error";
|
||||
value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
|
||||
- if (errstr != NULL) {
|
||||
- if (d->id != (id_t)-1) {
|
||||
- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
|
||||
+ if (d->errnum != 0) {
|
||||
+ if (errstr == NULL) {
|
||||
+ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
|
||||
+ d->idstr, d->errnum);
|
||||
+ errors++;
|
||||
+ } else if (value != 0) {
|
||||
+ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
|
||||
+ d->idstr);
|
||||
+ errors++;
|
||||
+ } else if (errno != d->errnum) {
|
||||
+ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
|
||||
+ d->idstr, errno, d->errnum);
|
||||
errors++;
|
||||
}
|
||||
+ } else if (errstr != NULL) {
|
||||
+ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
|
||||
+ errors++;
|
||||
} else if (value != d->id) {
|
||||
sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
|
||||
errors++;
|
||||
diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok
|
||||
--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200
|
||||
@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
|
||||
Entries for user root:
|
||||
|
||||
Command unmatched
|
||||
-testsudoers: test5.inc should be owned by gid 4294967295
|
||||
+testsudoers: test5.inc should be owned by gid 4294967294
|
||||
Parse error in sudoers near line 1.
|
||||
|
||||
Entries for user root:
|
||||
diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh
|
||||
--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200
|
||||
@@ -24,7 +24,7 @@ EOF
|
||||
|
||||
# Test group writable
|
||||
chmod 664 $TESTFILE
|
||||
-./testsudoers -U $MYUID -G -1 root id <<EOF
|
||||
+./testsudoers -U $MYUID -G -2 root id <<EOF
|
||||
#include $TESTFILE
|
||||
EOF
|
||||
|
@ -1,172 +0,0 @@
|
||||
Treat an ID of -1 as invalid since that means "no change".
|
||||
Fixes CVE-2019-14287.
|
||||
Found by Joe Vennix from Apple Information Security.
|
||||
|
||||
diff -r fcd7a6d8330e lib/util/strtoid.c
|
||||
--- a/lib/util/strtoid.c Fri Jan 11 13:31:15 2019 -0700
|
||||
+++ b/lib/util/strtoid.c Thu Oct 10 09:52:12 2019 -0600
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
+ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -47,6 +47,27 @@
|
||||
#include "sudo_util.h"
|
||||
|
||||
/*
|
||||
+ * Make sure that the ID ends with a valid separator char.
|
||||
+ */
|
||||
+static bool
|
||||
+valid_separator(const char *p, const char *ep, const char *sep)
|
||||
+{
|
||||
+ bool valid = false;
|
||||
+ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if (ep != p) {
|
||||
+ /* check for valid separator (including '\0') */
|
||||
+ if (sep == NULL)
|
||||
+ sep = "";
|
||||
+ do {
|
||||
+ if (*ep == *sep)
|
||||
+ valid = true;
|
||||
+ } while (*sep++ != '\0');
|
||||
+ }
|
||||
+ debug_return_bool(valid);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Parse a uid/gid in string form.
|
||||
* If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
|
||||
* If endp is non-NULL it is set to the next char after the ID.
|
||||
@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
|
||||
char *ep;
|
||||
id_t ret = 0;
|
||||
long long llval;
|
||||
- bool valid = false;
|
||||
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
|
||||
|
||||
/* skip leading space so we can pick up the sign, if any */
|
||||
while (isspace((unsigned char)*p))
|
||||
p++;
|
||||
- if (sep == NULL)
|
||||
- sep = "";
|
||||
+
|
||||
+ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
|
||||
errno = 0;
|
||||
llval = strtoll(p, &ep, 10);
|
||||
- if (ep != p) {
|
||||
- /* check for valid separator (including '\0') */
|
||||
- do {
|
||||
- if (*ep == *sep)
|
||||
- valid = true;
|
||||
- } while (*sep++ != '\0');
|
||||
+ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
|
||||
+ errno = ERANGE;
|
||||
+ if (errstr != NULL)
|
||||
+ *errstr = N_("value too large");
|
||||
+ goto done;
|
||||
}
|
||||
- if (!valid) {
|
||||
+ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
|
||||
+ errno = ERANGE;
|
||||
+ if (errstr != NULL)
|
||||
+ *errstr = N_("value too small");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Disallow id -1, which means "no change". */
|
||||
+ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
|
||||
if (errstr != NULL)
|
||||
*errstr = N_("invalid value");
|
||||
errno = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
- if (errno == ERANGE) {
|
||||
- if (errstr != NULL) {
|
||||
- if (llval == LLONG_MAX)
|
||||
- *errstr = N_("value too large");
|
||||
- else
|
||||
- *errstr = N_("value too small");
|
||||
- }
|
||||
- goto done;
|
||||
- }
|
||||
ret = (id_t)llval;
|
||||
if (errstr != NULL)
|
||||
*errstr = NULL;
|
||||
@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
|
||||
{
|
||||
char *ep;
|
||||
id_t ret = 0;
|
||||
- bool valid = false;
|
||||
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
|
||||
|
||||
/* skip leading space so we can pick up the sign, if any */
|
||||
while (isspace((unsigned char)*p))
|
||||
p++;
|
||||
- if (sep == NULL)
|
||||
- sep = "";
|
||||
+
|
||||
errno = 0;
|
||||
if (*p == '-') {
|
||||
long lval = strtol(p, &ep, 10);
|
||||
- if (ep != p) {
|
||||
- /* check for valid separator (including '\0') */
|
||||
- do {
|
||||
- if (*ep == *sep)
|
||||
- valid = true;
|
||||
- } while (*sep++ != '\0');
|
||||
- }
|
||||
- if (!valid) {
|
||||
- if (errstr != NULL)
|
||||
- *errstr = N_("invalid value");
|
||||
- errno = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
|
||||
errno = ERANGE;
|
||||
if (errstr != NULL)
|
||||
@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
|
||||
*errstr = N_("value too small");
|
||||
goto done;
|
||||
}
|
||||
- ret = (id_t)lval;
|
||||
- } else {
|
||||
- unsigned long ulval = strtoul(p, &ep, 10);
|
||||
- if (ep != p) {
|
||||
- /* check for valid separator (including '\0') */
|
||||
- do {
|
||||
- if (*ep == *sep)
|
||||
- valid = true;
|
||||
- } while (*sep++ != '\0');
|
||||
- }
|
||||
- if (!valid) {
|
||||
+
|
||||
+ /* Disallow id -1, which means "no change". */
|
||||
+ if (!valid_separator(p, ep, sep) || lval == -1) {
|
||||
if (errstr != NULL)
|
||||
*errstr = N_("invalid value");
|
||||
errno = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
+ ret = (id_t)lval;
|
||||
+ } else {
|
||||
+ unsigned long ulval = strtoul(p, &ep, 10);
|
||||
if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
|
||||
errno = ERANGE;
|
||||
if (errstr != NULL)
|
||||
*errstr = N_("value too large");
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ /* Disallow id -1, which means "no change". */
|
||||
+ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
|
||||
+ if (errstr != NULL)
|
||||
+ *errstr = N_("invalid value");
|
||||
+ errno = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
ret = (id_t)ulval;
|
||||
}
|
||||
if (errstr != NULL)
|
@ -1,158 +0,0 @@
|
||||
diff -up ./src/tgetpass.c.bla ./src/tgetpass.c
|
||||
--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100
|
||||
@@ -44,11 +44,18 @@
|
||||
#include "sudo.h"
|
||||
#include "sudo_plugin.h"
|
||||
|
||||
+enum tgetpass_errval {
|
||||
+ TGP_ERRVAL_NOERROR,
|
||||
+ TGP_ERRVAL_TIMEOUT,
|
||||
+ TGP_ERRVAL_NOPASSWORD,
|
||||
+ TGP_ERRVAL_READERROR
|
||||
+};
|
||||
+
|
||||
static volatile sig_atomic_t signo[NSIG];
|
||||
|
||||
static bool tty_present(void);
|
||||
static void tgetpass_handler(int);
|
||||
-static char *getln(int, char *, size_t, int);
|
||||
+static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
|
||||
static char *sudo_askpass(const char *, const char *);
|
||||
|
||||
static int
|
||||
@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call
|
||||
debug_return_int(ret);
|
||||
}
|
||||
|
||||
+static void
|
||||
+tgetpass_display_error(enum tgetpass_errval errval)
|
||||
+{
|
||||
+ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV)
|
||||
+
|
||||
+ switch (errval) {
|
||||
+ case TGP_ERRVAL_NOERROR:
|
||||
+ break;
|
||||
+ case TGP_ERRVAL_TIMEOUT:
|
||||
+ sudo_warnx(U_("timed out reading password"));
|
||||
+ break;
|
||||
+ case TGP_ERRVAL_NOPASSWORD:
|
||||
+ sudo_warnx(U_("no password was provided"));
|
||||
+ break;
|
||||
+ case TGP_ERRVAL_READERROR:
|
||||
+ sudo_warn(U_("unable to read password"));
|
||||
+ break;
|
||||
+ }
|
||||
+ debug_return;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Like getpass(3) but with timeout and echo flags.
|
||||
*/
|
||||
@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout
|
||||
static const char *askpass;
|
||||
static char buf[SUDO_CONV_REPL_MAX + 1];
|
||||
int i, input, output, save_errno, neednl = 0, need_restart;
|
||||
+ enum tgetpass_errval errval;
|
||||
debug_decl(tgetpass, SUDO_DEBUG_CONV)
|
||||
|
||||
(void) fflush(stdout);
|
||||
@@ -175,7 +204,7 @@ restart:
|
||||
|
||||
if (timeout > 0)
|
||||
alarm(timeout);
|
||||
- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
|
||||
+ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
|
||||
alarm(0);
|
||||
save_errno = errno;
|
||||
|
||||
@@ -183,6 +212,7 @@ restart:
|
||||
if (write(output, "\n", 1) == -1)
|
||||
goto restore;
|
||||
}
|
||||
+ tgetpass_display_error(errval);
|
||||
|
||||
restore:
|
||||
/* Restore old signal handlers. */
|
||||
@@ -210,6 +240,8 @@ restore:
|
||||
for (i = 0; i < NSIG; i++) {
|
||||
if (signo[i]) {
|
||||
switch (i) {
|
||||
+ case SIGALRM:
|
||||
+ break;
|
||||
case SIGTSTP:
|
||||
case SIGTTIN:
|
||||
case SIGTTOU:
|
||||
@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const
|
||||
{
|
||||
static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
|
||||
struct sigaction sa, savechld;
|
||||
+ enum tgetpass_errval errval;
|
||||
int pfd[2], status;
|
||||
pid_t child;
|
||||
debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
|
||||
@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const
|
||||
|
||||
/* Get response from child (askpass). */
|
||||
(void) close(pfd[1]);
|
||||
- pass = getln(pfd[0], buf, sizeof(buf), 0);
|
||||
+ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval);
|
||||
(void) close(pfd[0]);
|
||||
|
||||
+ tgetpass_display_error(errval);
|
||||
+
|
||||
/* Wait for child to exit. */
|
||||
for (;;) {
|
||||
pid_t rv = waitpid(child, &status, 0);
|
||||
@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const
|
||||
extern int sudo_term_erase, sudo_term_kill;
|
||||
|
||||
static char *
|
||||
-getln(int fd, char *buf, size_t bufsiz, int feedback)
|
||||
+getln(int fd, char *buf, size_t bufsiz, int feedback,
|
||||
+ enum tgetpass_errval *errval)
|
||||
{
|
||||
size_t left = bufsiz;
|
||||
ssize_t nr = -1;
|
||||
@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz,
|
||||
char c = '\0';
|
||||
debug_decl(getln, SUDO_DEBUG_CONV)
|
||||
|
||||
+ *errval = TGP_ERRVAL_NOERROR;
|
||||
+
|
||||
if (left == 0) {
|
||||
+ *errval = TGP_ERRVAL_READERROR;
|
||||
errno = EINVAL;
|
||||
debug_return_str(NULL); /* sanity */
|
||||
}
|
||||
@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz,
|
||||
}
|
||||
}
|
||||
|
||||
- debug_return_str_masked(nr == 1 ? buf : NULL);
|
||||
+ if (nr != 1) {
|
||||
+ if (nr == 0) {
|
||||
+ *errval = TGP_ERRVAL_NOPASSWORD;
|
||||
+ } else if (nr == -1) {
|
||||
+ if (errno == EINTR) {
|
||||
+ if (signo[SIGALRM] == 1)
|
||||
+ *errval = TGP_ERRVAL_TIMEOUT;
|
||||
+ } else {
|
||||
+ *errval = TGP_ERRVAL_READERROR;
|
||||
+ }
|
||||
+ }
|
||||
+ debug_return_str(NULL);
|
||||
+ }
|
||||
+
|
||||
+ debug_return_str_masked(buf);
|
||||
}
|
||||
|
||||
static void
|
||||
tgetpass_handler(int s)
|
||||
{
|
||||
- if (s != SIGALRM)
|
||||
- signo[s] = 1;
|
||||
+ signo[s] = 1;
|
||||
}
|
||||
|
||||
static bool
|
@ -1,24 +1,24 @@
|
||||
diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
|
||||
--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100
|
||||
+++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100
|
||||
@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG]
|
||||
--- ./src/tgetpass.c.CVE-2019-18634 2019-10-28 13:27:39.000000000 +0100
|
||||
+++ ./src/tgetpass.c 2020-02-05 14:08:27.516101197 +0100
|
||||
@@ -61,7 +61,7 @@ enum tgetpass_errval {
|
||||
static volatile sig_atomic_t signo[NSIG];
|
||||
|
||||
static bool tty_present(void);
|
||||
static void tgetpass_handler(int);
|
||||
-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
|
||||
+static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
|
||||
static char *sudo_askpass(const char *, const char *);
|
||||
|
||||
static int
|
||||
@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout
|
||||
static const char *askpass;
|
||||
@@ -125,6 +125,7 @@ tgetpass(const char *prompt, int timeout
|
||||
static char buf[SUDO_CONV_REPL_MAX + 1];
|
||||
int i, input, output, save_errno, neednl = 0, need_restart;
|
||||
int i, input, output, save_errno, ttyfd;
|
||||
bool need_restart, neednl = false;
|
||||
+ bool feedback = ISSET(flags, TGP_MASK);
|
||||
enum tgetpass_errval errval;
|
||||
debug_decl(tgetpass, SUDO_DEBUG_CONV)
|
||||
|
||||
@@ -165,7 +166,7 @@ restart:
|
||||
@@ -180,7 +181,7 @@ restart:
|
||||
*/
|
||||
if (!ISSET(flags, TGP_ECHO)) {
|
||||
for (;;) {
|
||||
@ -27,7 +27,7 @@ diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
|
||||
neednl = sudo_term_cbreak(input);
|
||||
else
|
||||
neednl = sudo_term_noecho(input);
|
||||
@@ -179,6 +180,9 @@ restart:
|
||||
@@ -194,6 +195,9 @@ restart:
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -37,7 +37,7 @@ diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
|
||||
|
||||
/*
|
||||
* Catch signals that would otherwise cause the user to end
|
||||
@@ -204,7 +208,7 @@ restart:
|
||||
@@ -224,7 +228,7 @@ restart:
|
||||
|
||||
if (timeout > 0)
|
||||
alarm(timeout);
|
||||
@ -46,16 +46,16 @@ diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
|
||||
alarm(0);
|
||||
save_errno = errno;
|
||||
|
||||
@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const
|
||||
extern int sudo_term_erase, sudo_term_kill;
|
||||
@@ -360,7 +364,7 @@ sudo_askpass(const char *askpass, const
|
||||
extern int sudo_term_eof, sudo_term_erase, sudo_term_kill;
|
||||
|
||||
static char *
|
||||
-getln(int fd, char *buf, size_t bufsiz, int feedback,
|
||||
+getln(int fd, char *buf, size_t bufsiz, bool feedback,
|
||||
enum tgetpass_errval *errval)
|
||||
enum tgetpass_errval *errval)
|
||||
{
|
||||
size_t left = bufsiz;
|
||||
@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz,
|
||||
@@ -389,15 +393,15 @@ getln(int fd, char *buf, size_t bufsiz,
|
||||
while (cp > buf) {
|
||||
if (write(fd, "\b \b", 3) == -1)
|
||||
break;
|
169
SOURCES/sudo-1.8.29-CVE-2019-19232.patch
Normal file
169
SOURCES/sudo-1.8.29-CVE-2019-19232.patch
Normal file
@ -0,0 +1,169 @@
|
||||
diff -up ./doc/sudoers.man.in.CVE-2019-19232 ./doc/sudoers.man.in
|
||||
--- ./doc/sudoers.man.in.CVE-2019-19232 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./doc/sudoers.man.in 2020-01-14 15:34:46.908027286 +0100
|
||||
@@ -2942,6 +2942,23 @@ This flag is
|
||||
\fIoff\fR
|
||||
by default.
|
||||
.TP 18n
|
||||
+runas_allow_unknown_id
|
||||
+If enabled, allow matching of runas user and group IDs that are
|
||||
+not present in the password or group databases.
|
||||
+In addition to explicitly matching unknown user or group IDs in a
|
||||
+\fRRunas_List\fR,
|
||||
+this option also allows the
|
||||
+\fBALL\fR
|
||||
+alias to match unknown IDs.
|
||||
+This flag is
|
||||
+\fIoff\fR
|
||||
+by default.
|
||||
+.sp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+Older versions of
|
||||
+\fBsudo\fR
|
||||
+always allowed matching of unknown user and group IDs.
|
||||
+.TP 18n
|
||||
runaspw
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19232 ./doc/sudoers.mdoc.in
|
||||
--- ./doc/sudoers.mdoc.in.CVE-2019-19232 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./doc/sudoers.mdoc.in 2020-01-14 15:34:46.908027286 +0100
|
||||
@@ -2768,6 +2768,22 @@ when running a command or editing a file
|
||||
This flag is
|
||||
.Em off
|
||||
by default.
|
||||
+.It runas_allow_unknown_id
|
||||
+If enabled, allow matching of runas user and group IDs that are
|
||||
+not present in the password or group databases.
|
||||
+In addition to explicitly matching unknown user or group IDs in a
|
||||
+.Li Runas_List ,
|
||||
+this option also allows the
|
||||
+.Sy ALL
|
||||
+alias to match unknown IDs.
|
||||
+This flag is
|
||||
+.Em off
|
||||
+by default.
|
||||
+.Pp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+Older versions of
|
||||
+.Nm sudo
|
||||
+always allowed matching of unknown user and group IDs.
|
||||
.It runaspw
|
||||
If set,
|
||||
.Nm sudo
|
||||
diff -up ./plugins/sudoers/defaults.c.CVE-2019-19232 ./plugins/sudoers/defaults.c
|
||||
--- ./plugins/sudoers/defaults.c.CVE-2019-19232 2020-01-14 15:34:46.902027246 +0100
|
||||
+++ ./plugins/sudoers/defaults.c 2020-01-14 15:34:46.909027293 +0100
|
||||
@@ -581,6 +581,7 @@ init_defaults(void)
|
||||
def_fdexec = digest_only;
|
||||
def_log_allowed = true;
|
||||
def_log_denied = true;
|
||||
+ def_runas_allow_unknown_id = false;
|
||||
|
||||
/* Syslog options need special care since they both strings and ints */
|
||||
#if (LOGGING & SLOG_SYSLOG)
|
||||
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19232 ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.CVE-2019-19232 2020-01-14 15:34:46.908027286 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2020-01-14 15:40:19.441555509 +0100
|
||||
@@ -514,6 +514,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't fork and wait for the command to finish, just exec it"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "runas_allow_unknown_id", T_FLAG,
|
||||
+ N_("Allow the use of unknown runas user and/or group ID"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19232 ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.CVE-2019-19232 2020-01-14 15:34:46.909027293 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2020-01-14 15:41:33.658012401 +0100
|
||||
@@ -236,6 +236,8 @@
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
#define I_CMND_NO_WAIT 118
|
||||
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
+#define I_RUNAS_ALLOW_UNKNOWN_ID 119
|
||||
+#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19232 ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.CVE-2019-19232 2020-01-14 15:34:46.909027293 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2020-01-14 15:42:42.176481484 +0100
|
||||
@@ -372,3 +372,6 @@ legacy_group_processing
|
||||
cmnd_no_wait
|
||||
T_FLAG
|
||||
"Don't fork and wait for the command to finish, just exec it"
|
||||
+runas_allow_unknown_id
|
||||
+ T_FLAG
|
||||
+ "Allow the use of unknown runas user and/or group ID"
|
||||
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19232 ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.CVE-2019-19232 2020-01-14 15:34:46.905027266 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2020-01-14 15:34:46.910027299 +0100
|
||||
@@ -105,6 +105,8 @@ static char *prev_user;
|
||||
static char *runas_user;
|
||||
static char *runas_group;
|
||||
static struct sudo_nss_list *snl;
|
||||
+static bool unknown_runas_uid;
|
||||
+static bool unknown_runas_gid;
|
||||
|
||||
#ifdef __linux__
|
||||
static struct rlimit nproclimit;
|
||||
@@ -354,6 +356,22 @@ sudoers_policy_main(int argc, char * con
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Defer uid/gid checks until after defaults have been updated. */
|
||||
+ if (unknown_runas_uid && !def_runas_allow_unknown_id) {
|
||||
+ audit_failure(NewArgc, NewArgv, N_("unknown user: %s"),
|
||||
+ runas_pw->pw_name);
|
||||
+ sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (runas_gr != NULL) {
|
||||
+ if (unknown_runas_gid && !def_runas_allow_unknown_id) {
|
||||
+ audit_failure(NewArgc, NewArgv, N_("unknown group: %s"),
|
||||
+ runas_gr->gr_name);
|
||||
+ sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Look up the timestamp dir owner if one is specified.
|
||||
*/
|
||||
@@ -1167,12 +1185,15 @@ set_runaspw(const char *user, bool quiet
|
||||
struct passwd *pw = NULL;
|
||||
debug_decl(set_runaspw, SUDOERS_DEBUG_PLUGIN)
|
||||
|
||||
+ unknown_runas_uid = false;
|
||||
if (*user == '#') {
|
||||
const char *errstr;
|
||||
uid_t uid = sudo_strtoid(user + 1, &errstr);
|
||||
if (errstr == NULL) {
|
||||
- if ((pw = sudo_getpwuid(uid)) == NULL)
|
||||
+ if ((pw = sudo_getpwuid(uid)) == NULL) {
|
||||
+ unknown_runas_uid = true;
|
||||
pw = sudo_fakepwnam(user, user_gid);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
if (pw == NULL) {
|
||||
@@ -1198,12 +1219,15 @@ set_runasgr(const char *group, bool quie
|
||||
struct group *gr = NULL;
|
||||
debug_decl(set_runasgr, SUDOERS_DEBUG_PLUGIN)
|
||||
|
||||
+ unknown_runas_gid = false;
|
||||
if (*group == '#') {
|
||||
const char *errstr;
|
||||
gid_t gid = sudo_strtoid(group + 1, &errstr);
|
||||
if (errstr == NULL) {
|
||||
- if ((gr = sudo_getgrgid(gid)) == NULL)
|
||||
+ if ((gr = sudo_getgrgid(gid)) == NULL) {
|
||||
+ unknown_runas_gid = true;
|
||||
gr = sudo_fakegrnam(group);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
if (gr == NULL) {
|
439
SOURCES/sudo-1.8.29-CVE-2019-19234.patch
Normal file
439
SOURCES/sudo-1.8.29-CVE-2019-19234.patch
Normal file
@ -0,0 +1,439 @@
|
||||
diff -up ./config.h.in.CVE-2019-19234 ./config.h.in
|
||||
--- ./config.h.in.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./config.h.in 2020-01-14 15:53:40.506988064 +0100
|
||||
@@ -334,6 +334,9 @@
|
||||
/* Define to 1 if you have the `getuserattr' function. */
|
||||
#undef HAVE_GETUSERATTR
|
||||
|
||||
+/* Define to 1 if you have the `getusershell' function. */
|
||||
+#undef HAVE_GETUSERSHELL
|
||||
+
|
||||
/* Define to 1 if you have the `getutid' function. */
|
||||
#undef HAVE_GETUTID
|
||||
|
||||
diff -up ./configure.ac.CVE-2019-19234 ./configure.ac
|
||||
--- ./configure.ac.CVE-2019-19234 2020-01-14 15:53:40.496987995 +0100
|
||||
+++ ./configure.ac 2020-01-14 15:53:40.509988084 +0100
|
||||
@@ -2562,6 +2562,10 @@ AC_CHECK_FUNCS([getdelim], [], [
|
||||
SUDO_APPEND_COMPAT_EXP(sudo_getdelim)
|
||||
COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }getdelim_test"
|
||||
])
|
||||
+AC_CHECK_FUNCS([getusershell], [], [
|
||||
+ AC_LIBOBJ(getusershell)
|
||||
+ SUDO_APPEND_COMPAT_EXP(sudo_getusershell)
|
||||
+])
|
||||
AC_CHECK_FUNCS([reallocarray], [], [
|
||||
AC_LIBOBJ(reallocarray)
|
||||
SUDO_APPEND_COMPAT_EXP(sudo_reallocarray)
|
||||
diff -up ./configure.CVE-2019-19234 ./configure
|
||||
--- ./configure.CVE-2019-19234 2019-10-28 13:29:14.000000000 +0100
|
||||
+++ ./configure 2020-01-14 15:53:40.509988084 +0100
|
||||
@@ -19395,6 +19395,32 @@ esac
|
||||
fi
|
||||
done
|
||||
|
||||
+for ac_func in getusershell
|
||||
+do :
|
||||
+ ac_fn_c_check_func "$LINENO" "getusershell" "ac_cv_func_getusershell"
|
||||
+if test "x$ac_cv_func_getusershell" = xyes; then :
|
||||
+ cat >>confdefs.h <<_ACEOF
|
||||
+#define HAVE_GETUSERSHELL 1
|
||||
+_ACEOF
|
||||
+
|
||||
+else
|
||||
+
|
||||
+ case " $LIBOBJS " in
|
||||
+ *" getusershell.$ac_objext "* ) ;;
|
||||
+ *) LIBOBJS="$LIBOBJS getusershell.$ac_objext"
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+
|
||||
+ for _sym in sudo_getusershell; do
|
||||
+ COMPAT_EXP="${COMPAT_EXP}${_sym}
|
||||
+"
|
||||
+ done
|
||||
+
|
||||
+
|
||||
+fi
|
||||
+done
|
||||
+
|
||||
for ac_func in reallocarray
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
diff -up ./doc/sudoers.man.in.CVE-2019-19234 ./doc/sudoers.man.in
|
||||
--- ./doc/sudoers.man.in.CVE-2019-19234 2020-01-14 15:53:40.503988043 +0100
|
||||
+++ ./doc/sudoers.man.in 2020-01-14 15:53:40.510988091 +0100
|
||||
@@ -2959,6 +2959,28 @@ Older versions of
|
||||
\fBsudo\fR
|
||||
always allowed matching of unknown user and group IDs.
|
||||
.TP 18n
|
||||
+runas_check_shell
|
||||
+.br
|
||||
+If enabled,
|
||||
+\fBsudo\fR
|
||||
+will only run commands as a user whose shell appears in the
|
||||
+\fI/etc/shells\fR
|
||||
+file, even if the invoking user's
|
||||
+\fRRunas_List\fR
|
||||
+would otherwise permit it.
|
||||
+If no
|
||||
+\fI/etc/shells\fR
|
||||
+file is present, a system-dependent list of built-in default shells is used.
|
||||
+On many operating systems, system users such as
|
||||
+\(lqbin\(rq,
|
||||
+do not have a valid shell and this flag can be used to prevent
|
||||
+commands from being run as those users.
|
||||
+This flag is
|
||||
+\fIoff\fR
|
||||
+by default.
|
||||
+.sp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
+.TP 18n
|
||||
runaspw
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19234 ./doc/sudoers.mdoc.in
|
||||
--- ./doc/sudoers.mdoc.in.CVE-2019-19234 2020-01-14 15:53:40.504988050 +0100
|
||||
+++ ./doc/sudoers.mdoc.in 2020-01-14 15:53:40.510988091 +0100
|
||||
@@ -2784,6 +2784,26 @@ This setting is only supported by versio
|
||||
Older versions of
|
||||
.Nm sudo
|
||||
always allowed matching of unknown user and group IDs.
|
||||
+.It runas_check_shell
|
||||
+If enabled,
|
||||
+.Nm sudo
|
||||
+will only run commands as a user whose shell appears in the
|
||||
+.Pa /etc/shells
|
||||
+file, even if the invoking user's
|
||||
+.Li Runas_List
|
||||
+would otherwise permit it.
|
||||
+If no
|
||||
+.Pa /etc/shells
|
||||
+file is present, a system-dependent list of built-in default shells is used.
|
||||
+On many operating systems, system users such as
|
||||
+.Dq bin ,
|
||||
+do not have a valid shell and this flag can be used to prevent
|
||||
+commands from being run as those users.
|
||||
+This flag is
|
||||
+.Em off
|
||||
+by default.
|
||||
+.Pp
|
||||
+This setting is only supported by version 1.8.29 or higher.
|
||||
.It runaspw
|
||||
If set,
|
||||
.Nm sudo
|
||||
diff -up ./include/sudo_compat.h.CVE-2019-19234 ./include/sudo_compat.h
|
||||
--- ./include/sudo_compat.h.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./include/sudo_compat.h 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -407,6 +407,17 @@ __dso_public ssize_t sudo_getdelim(char
|
||||
# undef getdelim
|
||||
# define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
|
||||
#endif /* HAVE_GETDELIM */
|
||||
+#ifndef HAVE_GETUSERSHELL
|
||||
+__dso_public char *sudo_getusershell(void);
|
||||
+# undef getusershell
|
||||
+# define getusershell() sudo_getusershell()
|
||||
+__dso_public void sudo_setusershell(void);
|
||||
+# undef setusershell
|
||||
+# define setusershell() sudo_setusershell()
|
||||
+__dso_public void sudo_endusershell(void);
|
||||
+# undef endusershell
|
||||
+# define endusershell() sudo_endusershell()
|
||||
+#endif /* HAVE_GETUSERSHELL */
|
||||
#ifndef HAVE_UTIMENSAT
|
||||
__dso_public int sudo_utimensat(int fd, const char *file, const struct timespec *times, int flag);
|
||||
# undef utimensat
|
||||
diff -up ./lib/util/getusershell.c.CVE-2019-19234 ./lib/util/getusershell.c
|
||||
--- ./lib/util/getusershell.c.CVE-2019-19234 2020-01-14 15:53:40.511988098 +0100
|
||||
+++ ./lib/util/getusershell.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -0,0 +1,138 @@
|
||||
+/*
|
||||
+ * SPDX-License-Identifier: ISC
|
||||
+ *
|
||||
+ * Copyright (c) 2019 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
||||
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
||||
+ */
|
||||
+
|
||||
+#include <config.h>
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#define DEFAULT_TEXT_DOMAIN "sudo"
|
||||
+#include "sudo_gettext.h" /* must be included before sudo_compat.h */
|
||||
+
|
||||
+#include "sudo_compat.h"
|
||||
+#include "sudo_debug.h"
|
||||
+#include "sudo_util.h"
|
||||
+
|
||||
+static char **allowed_shells, **current_shell;
|
||||
+static char *default_shells[] = {
|
||||
+ "/bin/sh",
|
||||
+ "/bin/ksh",
|
||||
+ "/bin/ksh93",
|
||||
+ "/bin/bash",
|
||||
+ "/bin/dash",
|
||||
+ "/bin/zsh",
|
||||
+ "/bin/csh",
|
||||
+ "/bin/tcsh",
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static char **
|
||||
+read_shells(void)
|
||||
+{
|
||||
+ size_t maxshells = 16, nshells = 0;
|
||||
+ size_t linesize = 0;
|
||||
+ char *line = NULL;
|
||||
+ FILE *fp;
|
||||
+ debug_decl(read_shells, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if ((fp = fopen("/etc/shells", "r")) == NULL)
|
||||
+ goto bad;
|
||||
+
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = reallocarray(NULL, maxshells, sizeof(char *));
|
||||
+ if (allowed_shells == NULL)
|
||||
+ goto bad;
|
||||
+
|
||||
+ while (sudo_parseln(&line, &linesize, NULL, fp, PARSELN_CONT_IGN) != -1) {
|
||||
+ if (nshells + 1 >= maxshells) {
|
||||
+ char **new_shells;
|
||||
+
|
||||
+ new_shells = reallocarray(NULL, maxshells + 16, sizeof(char *));
|
||||
+ if (new_shells == NULL)
|
||||
+ goto bad;
|
||||
+ allowed_shells = new_shells;
|
||||
+ maxshells += 16;
|
||||
+ }
|
||||
+ if ((allowed_shells[nshells] = strdup(line)) == NULL)
|
||||
+ goto bad;
|
||||
+ nshells++;
|
||||
+ }
|
||||
+ allowed_shells[nshells] = NULL;
|
||||
+
|
||||
+ free(line);
|
||||
+ fclose(fp);
|
||||
+ debug_return_ptr(allowed_shells);
|
||||
+bad:
|
||||
+ free(line);
|
||||
+ if (fp != NULL)
|
||||
+ fclose(fp);
|
||||
+ while (nshells != 0)
|
||||
+ free(allowed_shells[--nshells]);
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = NULL;
|
||||
+ debug_return_ptr(default_shells);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sudo_setusershell(void)
|
||||
+{
|
||||
+ debug_decl(setusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ current_shell = read_shells();
|
||||
+
|
||||
+ debug_return;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sudo_endusershell(void)
|
||||
+{
|
||||
+ debug_decl(endusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if (allowed_shells != NULL) {
|
||||
+ char **shell;
|
||||
+
|
||||
+ for (shell = allowed_shells; *shell != NULL; shell++)
|
||||
+ free(*shell);
|
||||
+ free(allowed_shells);
|
||||
+ allowed_shells = NULL;
|
||||
+ }
|
||||
+ current_shell = NULL;
|
||||
+
|
||||
+ debug_return;
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+sudo_getusershell(void)
|
||||
+{
|
||||
+ debug_decl(getusershell, SUDO_DEBUG_UTIL)
|
||||
+
|
||||
+ if (current_shell == NULL)
|
||||
+ current_shell = read_shells();
|
||||
+
|
||||
+ debug_return_str(*current_shell++);
|
||||
+}
|
||||
diff -up ./lib/util/Makefile.in.CVE-2019-19234 ./lib/util/Makefile.in
|
||||
--- ./lib/util/Makefile.in.CVE-2019-19234 2019-10-28 13:28:53.000000000 +0100
|
||||
+++ ./lib/util/Makefile.in 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -678,6 +678,18 @@ gettime.i: $(srcdir)/gettime.c $(incdir)
|
||||
$(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
gettime.plog: gettime.i
|
||||
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/gettime.c --i-file $< --output-file $@
|
||||
+getusershell.lo: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
|
||||
+ $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
|
||||
+ $(incdir)/sudo_util.h $(top_builddir)/config.h
|
||||
+ $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/getusershell.c
|
||||
+getusershell.i: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
|
||||
+ $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
|
||||
+ $(incdir)/sudo_util.h $(top_builddir)/config.h
|
||||
+ $(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
+getusershell.plog: getusershell.i
|
||||
+ rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/getusershell.c --i-file $< --output-file $@
|
||||
gidlist.lo: $(srcdir)/gidlist.c $(incdir)/compat/stdbool.h \
|
||||
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
|
||||
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
|
||||
diff -up ./MANIFEST.CVE-2019-19234 ./MANIFEST
|
||||
--- ./MANIFEST.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./MANIFEST 2020-01-14 15:53:40.506988064 +0100
|
||||
@@ -103,6 +103,7 @@ lib/util/getgrouplist.c
|
||||
lib/util/gethostname.c
|
||||
lib/util/getopt_long.c
|
||||
lib/util/gettime.c
|
||||
+lib/util/getusershell.c
|
||||
lib/util/gidlist.c
|
||||
lib/util/glob.c
|
||||
lib/util/inet_ntop.c
|
||||
diff -up ./mkdep.pl.CVE-2019-19234 ./mkdep.pl
|
||||
--- ./mkdep.pl.CVE-2019-19234 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./mkdep.pl 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -116,7 +116,7 @@ sub mkdep {
|
||||
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
|
||||
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
|
||||
$makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;
|
||||
- $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
|
||||
+ $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
|
||||
|
||||
# Parse OBJS lines
|
||||
my %objs;
|
||||
diff -up ./plugins/sudoers/check.c.CVE-2019-19234 ./plugins/sudoers/check.c
|
||||
--- ./plugins/sudoers/check.c.CVE-2019-19234 2019-10-28 13:27:45.000000000 +0100
|
||||
+++ ./plugins/sudoers/check.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -333,3 +333,28 @@ get_authpw(int mode)
|
||||
|
||||
debug_return_ptr(pw);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Returns true if the specified shell is allowed by /etc/shells, else false.
|
||||
+ */
|
||||
+bool
|
||||
+check_user_shell(const struct passwd *pw)
|
||||
+{
|
||||
+ const char *shell;
|
||||
+ debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH)
|
||||
+
|
||||
+ if (!def_runas_check_shell)
|
||||
+ debug_return_bool(true);
|
||||
+
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
+ "%s: checking /etc/shells for %s", __func__, pw->pw_shell);
|
||||
+
|
||||
+ setusershell();
|
||||
+ while ((shell = getusershell()) != NULL) {
|
||||
+ if (strcmp(shell, pw->pw_shell) == 0)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ endusershell();
|
||||
+
|
||||
+ debug_return_bool(false);
|
||||
+}
|
||||
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19234 ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.CVE-2019-19234 2020-01-14 15:53:40.504988050 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2020-01-14 15:53:40.511988098 +0100
|
||||
@@ -518,6 +518,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Allow the use of unknown runas user and/or group ID"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "runas_check_shell", T_FLAG,
|
||||
+ N_("Only permit running commands as a user with a valid shell"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19234 ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.CVE-2019-19234 2020-01-14 15:53:40.512988105 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2020-01-14 15:58:06.927808982 +0100
|
||||
@@ -238,6 +238,8 @@
|
||||
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
#define I_RUNAS_ALLOW_UNKNOWN_ID 119
|
||||
#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
|
||||
+#define I_RUNAS_CHECK_SHELL 120
|
||||
+#define def_runas_check_shell (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19234 ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.CVE-2019-19234 2020-01-14 15:53:40.505988057 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -375,3 +375,7 @@ cmnd_no_wait
|
||||
runas_allow_unknown_id
|
||||
T_FLAG
|
||||
"Allow the use of unknown runas user and/or group ID"
|
||||
+runas_check_shell
|
||||
+ T_FLAG
|
||||
+ "Only permit running commands as a user with a valid shell"
|
||||
+
|
||||
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19234 ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.CVE-2019-19234 2020-01-14 15:53:40.505988057 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -273,7 +273,7 @@ sudoers_policy_main(int argc, char * con
|
||||
/* Not an audit event. */
|
||||
sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
|
||||
goto bad;
|
||||
- }
|
||||
+ }
|
||||
|
||||
if (!set_perms(PERM_INITIAL))
|
||||
goto bad;
|
||||
@@ -412,6 +412,13 @@ sudoers_policy_main(int argc, char * con
|
||||
goto bad;
|
||||
}
|
||||
|
||||
+ /* Check runas user's shell. */
|
||||
+ if (!check_user_shell(runas_pw)) {
|
||||
+ log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
|
||||
+ runas_pw->pw_name, runas_pw->pw_shell);
|
||||
+ goto bad;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We don't reset the environment for sudoedit or if the user
|
||||
* specified the -E command line flag and they have setenv privs.
|
||||
diff -up ./plugins/sudoers/sudoers.h.CVE-2019-19234 ./plugins/sudoers/sudoers.h
|
||||
--- ./plugins/sudoers/sudoers.h.CVE-2019-19234 2020-01-14 15:53:40.502988036 +0100
|
||||
+++ ./plugins/sudoers/sudoers.h 2020-01-14 15:53:40.512988105 +0100
|
||||
@@ -264,6 +264,7 @@ int find_path(const char *infile, char *
|
||||
|
||||
/* check.c */
|
||||
int check_user(int validate, int mode);
|
||||
+bool check_user_shell(const struct passwd *pw);
|
||||
bool user_is_exempt(void);
|
||||
|
||||
/* prompt.c */
|
108
SPECS/sudo.spec
108
SPECS/sudo.spec
@ -1,7 +1,7 @@
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.25p1
|
||||
Release: 8%{?dist}.1
|
||||
Version: 1.8.29
|
||||
Release: 5%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
@ -39,44 +39,18 @@ Patch2: sudo-1.8.23-sudoldapconfman.patch
|
||||
Patch3: sudo-1.7.2p1-envdebug.patch
|
||||
# 1247591 - Sudo taking a long time when user information is stored externally.
|
||||
Patch4: sudo-1.8.23-legacy-group-processing.patch
|
||||
# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
|
||||
Patch5: sudo-1.8.23-ldapsearchuidfix.patch
|
||||
# 840980 - sudo creates a new parent process
|
||||
# Adds cmnd_no_wait Defaults option
|
||||
Patch6: sudo-1.8.23-nowaitopt.patch
|
||||
Patch5: sudo-1.8.23-nowaitopt.patch
|
||||
# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
|
||||
Patch7: sudo-1.8.6p7-logsudouser.patch
|
||||
# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
|
||||
Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
|
||||
# 1613327 - Man page scan results for sudo
|
||||
Patch9: sudo-1.8.25-typos-manpages.patch
|
||||
Patch10: sudo-1.8.25-c-option-help.patch
|
||||
Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
|
||||
|
||||
# RHEL 8.1
|
||||
# 1673886 - Problem with sudo-1.8.23 and 'who am i'
|
||||
Patch12: sudo-1.8.23-who-am-i.patch
|
||||
# 1676819 - Backporting sudo bug with expired passwords
|
||||
Patch13: sudo-1.8.23-pam-expired-passwords.patch
|
||||
# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in
|
||||
# selinux roles not being applied
|
||||
# https://www.sudo.ws/repos/sudo/rev/10f8cff7cce7
|
||||
Patch14: sudo-1.8.25-ldap-backend-parsing-1.patch
|
||||
# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in
|
||||
# selinux roles not being applied
|
||||
# https://www.sudo.ws/repos/sudo/rev/ba6cfd26330e
|
||||
Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch
|
||||
# 738662 - sudo ipa_hostname not honored
|
||||
# Fix special handling of ipa_hostname that was lost in sudo
|
||||
Patch16: sudo-1.8.25-ipa-hostname.patch
|
||||
|
||||
# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8]
|
||||
Patch17: sudo-1.8.28-CVE-strtouid.patch
|
||||
Patch18: sudo-1.8.28-CVE-strtouid-test.patch
|
||||
|
||||
# 1798092 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.1.0.z]
|
||||
Patch19: sudo-1.8.29-CVE-2019-18634-part1.patch
|
||||
Patch20: sudo-1.8.29-CVE-2019-18634-part2.patch
|
||||
Patch6: sudo-1.8.6p7-logsudouser.patch
|
||||
# 1786987 - CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account
|
||||
# can impersonate a nonexistent user [rhel-8]
|
||||
Patch7: sudo-1.8.29-CVE-2019-19232.patch
|
||||
# 1796518 - [RFE] add optional check for the target user shell
|
||||
Patch8: sudo-1.8.29-CVE-2019-19234.patch
|
||||
# 1798093 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.2.0]
|
||||
Patch9: sudo-1.8.29-CVE-2019-18634.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
@ -105,26 +79,11 @@ plugins that use %{name}.
|
||||
%patch2 -p1 -b .sudoldapconfman
|
||||
%patch3 -p1 -b .env-debug
|
||||
%patch4 -p1 -b .legacy-processing
|
||||
%patch5 -p1 -b .ldap-search-uid
|
||||
%patch6 -p1 -b .nowait
|
||||
%patch7 -p1 -b .logsudouser
|
||||
%patch8 -p1 -b .double-quote
|
||||
|
||||
%patch9 -p1 -b .typos
|
||||
%patch10 -p1 -b .c-option
|
||||
%patch11 -p1 -b .sudoreplay-help
|
||||
|
||||
%patch12 -p1 -b .whoami
|
||||
%patch13 -p1 -b .pam-expired
|
||||
%patch14 -p1 -b .ldap-backend1
|
||||
%patch15 -p1 -b .ldap-backend2
|
||||
%patch16 -p1 -b .ipa-hostname
|
||||
|
||||
%patch17 -p1 -b .cve-strtouid
|
||||
%patch18 -p1 -b .cve-strtouid-test
|
||||
|
||||
%patch19 -p1 -b .CVE-2019-18634-part1
|
||||
%patch20 -p1 -b .CVE-2019-18634-part2
|
||||
%patch5 -p1 -b .nowait
|
||||
%patch6 -p1 -b .logsudouser
|
||||
%patch7 -p1 -b .CVE-2019-19232
|
||||
%patch8 -p1 -b .target-shell
|
||||
%patch9 -p1 -b .CVE-2019-18634
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
@ -284,15 +243,36 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%changelog
|
||||
* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.25p1-8.1
|
||||
- RHEL 8.1.0.Z ERRATUM
|
||||
* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-5
|
||||
- RHEL 8.2 ERRATUM
|
||||
- CVE-2019-18634
|
||||
Resolves: rhbz#1798092
|
||||
Resolves: rhbz#1798093
|
||||
|
||||
* Fri Oct 18 2019 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.25p1-8
|
||||
- RHEL-8.1.0
|
||||
- fixed CVE-2019-14287
|
||||
Resolves: rhbz#1760696
|
||||
* Tue Jan 14 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-4
|
||||
- RHEL 8.2 ERRATUM
|
||||
- CVE-2019-19232
|
||||
Resolves: rhbz#1786987
|
||||
Resolves: rhbz#1796518
|
||||
|
||||
* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
|
||||
- RHEL 8.2 ERRATUM
|
||||
- rebase to 1.8.29
|
||||
Resolves: rhbz#1733961
|
||||
Resolves: rhbz#1651662
|
||||
|
||||
* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
|
||||
- RHEL 8.2 ERRATUM
|
||||
- rebase to 1.8.28p1
|
||||
Resolves: rhbz#1733961
|
||||
- fixed man page for always_set_home
|
||||
Resolves: rhbz#1576880
|
||||
- sudo does not work with notbefore/after
|
||||
Resolves: rhbz#1679508
|
||||
- NOTBEFORE showing value of sudoNotAfter Ldap attribute
|
||||
Resolves: rhbz#1715516
|
||||
- CVE-2019-14287 sudo
|
||||
- Privilege escalation via 'Runas' specification with 'ALL' keyword
|
||||
Resolves: rhbz#1760697
|
||||
|
||||
* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
|
||||
- RHEL 8.1 ERRATUM
|
||||
|
Loading…
Reference in New Issue
Block a user