diff options
author | Todd C. Miller <Todd.Miller@sudo.ws> | 2022-05-26 09:19:08 -0600 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2022-05-26 09:19:08 -0600 |
commit | 4432b121f52e622c1199e902802b2e2a5d15ce33 (patch) | |
tree | 07d58a6e7eda5b15fc62bb66c6e264953dcdedbb | |
parent | 4a201e6e893240aa3797b3a0138d46d53a556750 (diff) | |
download | sudo-4432b121f52e622c1199e902802b2e2a5d15ce33.tar.gz |
Bump plugin minor version and document new intercept-related settings.
There should have been a minor version bump for sudo 1.9.8 when
intercept was originally implemented.
-rw-r--r-- | docs/sudo_plugin.man.in | 98 | ||||
-rw-r--r-- | docs/sudo_plugin.mdoc.in | 92 | ||||
-rw-r--r-- | include/sudo_plugin.h | 4 | ||||
-rw-r--r-- | plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout | 4 | ||||
-rw-r--r-- | src/exec.c | 2 |
5 files changed, 191 insertions, 9 deletions
diff --git a/docs/sudo_plugin.man.in b/docs/sudo_plugin.man.in index 8fee422f8..4fa699e21 100644 --- a/docs/sudo_plugin.man.in +++ b/docs/sudo_plugin.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_PLUGIN" "5" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_PLUGIN" "5" "May 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -291,6 +291,36 @@ implied_shell=bool If the user does not specify a program on the command line, \fBsudo\fR will pass the plugin the path to the user's shell and set +\fIimplied_shell\fR. +.TP 6n +intercept_ptrace=bool +Indicates whether or not the system supports intercept +mode using +ptrace(2). +This is currently only true for Linux systems that support +seccomp(2) +filtering and the +\(lqtrap\(rq +action. +Other systems will use a dynamic shared object to implement +intercept. +.TP 6n +intercept_setid=bool +Indicates whether or not the system supports running set-user-ID +and set-group-ID binaries in intercept mode. +This is currently only true for Linux systems that support +seccomp(2) +filtering and the +\(lqtrap\(rq +action. +On systems that use a dynamic shared object to implement +intercept, the dynamic linker (ld.so or the equivalent) +will disable preloading of shared objects when executing a +set-user-ID or set-group-ID binary. +This will disable intercept mode for that program and any other +programs that it executes. +The policy plugin may refuse to execute a set-user-ID or set-group-ID +binary in intercept mode to avoid this. .TP 6n login_class=string BSD @@ -1078,6 +1108,21 @@ The specified \fInumber\fR must refer to an open file descriptor. .TP 6n +intercept=bool +If specified, +\fBsudo\fR +will intercept attempts to execute a subsequent command and perform +a policy check via the policy plugin's +\fBcheck_policy\fR() +function to determine whether or not the command is permitted. +This can be used to prevent shell escapes on supported platforms +but it has a number of limitations. +See +\fBPreventing shell escapes\fR +in +sudoers(@mansectform@) +for details. +.TP 6n iolog_compress=bool Set to true if the I/O logging plugins, if any, should compress the log data. @@ -1142,6 +1187,24 @@ on BSD systems. .TP 6n +log_subcmds=bool +If specified, +\fBsudo\fR +will call the audit plugin's +\fBaccept\fR() +function to log when the command runs a subsequent command, if supported +by the system. +If +\fIintercept\fR +is also specified, +\fIlog_subcmds\fR +will be ignored. +See +\fBPreventing shell escapes\fR +in +sudoers(@mansectform@) +for more information. +.TP 6n noexec=bool If set, prevent the command from executing other programs. .TP 6n @@ -1466,6 +1529,16 @@ Force the value specified by the \fIumask\fR option to override any umask set by PAM or login.conf. .TP 6n +use_ptrace=bool +If specified, +\fBsudo\fR +will use +ptrace(2) +to implement intercept mode if supported by the system. +This setting has no effect unless +\fIintercept\fR +is also set. +.TP 6n use_pty=bool Allocate a pseudo-terminal to run the command in, regardless of whether or not I/O logging is in use. @@ -5280,7 +5353,7 @@ The \fIcmnd_chroot\fR and \fIcmnd_cwd\fR -enties were added to the +entries were added to the \fRsettings\fR list. .TP 6n @@ -5293,6 +5366,27 @@ Version 1.18 (sudo 1.9.9) The policy may now set resource limit values in the \fRcommand_info\fR list. +The +\fIintercept\fR +and +\fIlog_subcmds\fR +entries were added to the +\fRcommand_info\fR +list. +.TP 6n +Version 1.19 (sudo 1.9.11) +The +\fIintercept_ptrace\fR +and +\fIintercept_setid\fR +entries were added to the +\fRsettings\fR +list. +The +\fIuser_ptrace\fR +entry was added to the +\fRcommand_info\fR +list. .SH "SEE ALSO" sudo.conf(@mansectform@), sudoers(@mansectform@), diff --git a/docs/sudo_plugin.mdoc.in b/docs/sudo_plugin.mdoc.in index e4432b839..24f2f5976 100644 --- a/docs/sudo_plugin.mdoc.in +++ b/docs/sudo_plugin.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 16, 2022 +.Dd May 26, 2022 .Dt SUDO_PLUGIN @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -269,6 +269,34 @@ to print a usage message and exit. If the user does not specify a program on the command line, .Nm sudo will pass the plugin the path to the user's shell and set +.Em implied_shell . +.It intercept_ptrace=bool +Indicates whether or not the system supports intercept +mode using +.Xr ptrace 2 . +This is currently only true for Linux systems that support +.Xr seccomp 2 +filtering and the +.Dq trap +action. +Other systems will use a dynamic shared object to implement +intercept. +.It intercept_setid=bool +Indicates whether or not the system supports running set-user-ID +and set-group-ID binaries in intercept mode. +This is currently only true for Linux systems that support +.Xr seccomp 2 +filtering and the +.Dq trap +action. +On systems that use a dynamic shared object to implement +intercept, the dynamic linker (ld.so or the equivalent) +will disable preloading of shared objects when executing a +set-user-ID or set-group-ID binary. +This will disable intercept mode for that program and any other +programs that it executes. +The policy plugin may refuse to execute a set-user-ID or set-group-ID +binary in intercept mode to avoid this. .It login_class=string .Bx login class to use when setting resource limits and nice value, @@ -965,6 +993,20 @@ system call to execute the command instead of The specified .Em number must refer to an open file descriptor. +.It intercept=bool +If specified, +.Nm sudo +will intercept attempts to execute a subsequent command and perform +a policy check via the policy plugin's +.Fn check_policy +function to determine whether or not the command is permitted. +This can be used to prevent shell escapes on supported platforms +but it has a number of limitations. +See +.Sy Preventing shell escapes +in +.Xr sudoers @mansectform@ +for details. .It iolog_compress=bool Set to true if the I/O logging plugins, if any, should compress the log data. @@ -1017,6 +1059,23 @@ The nice value, if specified, overrides the priority associated with the on .Bx systems. +.It log_subcmds=bool +If specified, +.Nm sudo +will call the audit plugin's +.Fn accept +function to log when the command runs a subsequent command, if supported +by the system. +If +.Em intercept +is also specified, +.Em log_subcmds +will be ignored. +See +.Sy Preventing shell escapes +in +.Xr sudoers @mansectform@ +for more information. .It noexec=bool If set, prevent the command from executing other programs. .It preserve_fds=list @@ -1311,6 +1370,15 @@ option is also set. Force the value specified by the .Em umask option to override any umask set by PAM or login.conf. +.It use_ptrace=bool +If specified, +.Nm sudo +will use +.Xr ptrace 2 +to implement intercept mode if supported by the system. +This setting has no effect unless +.Em intercept +is also set. .It use_pty=bool Allocate a pseudo-terminal to run the command in, regardless of whether or not I/O logging is in use. @@ -4676,7 +4744,7 @@ The .Em cmnd_chroot and .Em cmnd_cwd -enties were added to the +entries were added to the .Li settings list. .It Version 1.17 (sudo 1.9.4) @@ -4687,6 +4755,26 @@ field was added to the audit_plugin and approval_plugin structs. The policy may now set resource limit values in the .Li command_info list. +The +.Em intercept +and +.Em log_subcmds +entries were added to the +.Li command_info +list. +.It Version 1.19 (sudo 1.9.11) +The +.Em intercept_ptrace +and +.Em intercept_setid +entries were added to the +.Li settings +list. +The +.Em user_ptrace +entry was added to the +.Li command_info +list. .El .Sh SEE ALSO .Xr sudo.conf @mansectform@ , diff --git a/include/sudo_plugin.h b/include/sudo_plugin.h index 873805cdb..032a5fd48 100644 --- a/include/sudo_plugin.h +++ b/include/sudo_plugin.h @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 2009-2020 Todd C. Miller <Todd.Miller@sudo.ws> + * Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,7 +21,7 @@ /* API version major/minor */ #define SUDO_API_VERSION_MAJOR 1 -#define SUDO_API_VERSION_MINOR 18 +#define SUDO_API_VERSION_MINOR 19 #define SUDO_API_MKVERSION(x, y) (((x) << 16) | (y)) #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR, SUDO_API_VERSION_MINOR) diff --git a/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout b/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout index fa29e46a5..d0c1566cf 100644 --- a/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout +++ b/plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout @@ -26,7 +26,7 @@ "INFO1=VALUE1", "info2=value2" ], - "version": "1.18" + "version": "1.19" } (APPROVAL 2) Constructed: { @@ -56,7 +56,7 @@ "INFO1=VALUE1", "info2=value2" ], - "version": "1.18" + "version": "1.19" } (APPROVAL 1) Show version was called with arguments: (0,) Python approval plugin (API 1.0): ApprovalTestPlugin (loaded from 'SRC_DIR/regress/plugin_approval_test.py') diff --git a/src/exec.c b/src/exec.c index 111ed2d02..db3c8f4ce 100644 --- a/src/exec.c +++ b/src/exec.c @@ -321,7 +321,7 @@ sudo_terminated(struct command_status *cstat) debug_return_bool(false); } -#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 18) +#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 19) # error "Update sudo_needs_pty() after changing the plugin API" #endif static bool |