authorTodd C. Miller <Todd.Miller@sudo.ws>2023-05-04 13:08:23 -0600
committerTodd C. Miller <Todd.Miller@sudo.ws>2023-05-04 13:08:23 -0600
commit6039bffcdf1d4af8ad35b5287ec75dee3094ebf8 (patch)
tree9ca09a8096af8b41c4604d5ed53f632e52baff1e
parenteb96cfe459a08537811631911688148915b61fff (diff)
downloadsudo-6039bffcdf1d4af8ad35b5287ec75dee3094ebf8.tar.gz
Make timestamp_uid and timestamp_gid private to timestamp.c.
Add getter (for set_perms.c) and setter (for sudoers.c).
-rw-r--r--plugins/sudoers/check.h2
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_stubs.c7
-rw-r--r--plugins/sudoers/set_perms.c17
-rw-r--r--plugins/sudoers/sudoers.c5
-rw-r--r--plugins/sudoers/sudoers.h2
-rw-r--r--plugins/sudoers/timestamp.c25
6 files changed, 44 insertions, 14 deletions
diff --git a/plugins/sudoers/check.h b/plugins/sudoers/check.h
index 41a5daf1a..de57fdbb5 100644
--- a/plugins/sudoers/check.h
+++ b/plugins/sudoers/check.h
@@ -82,6 +82,8 @@ void timestamp_close(void *vcookie);
bool timestamp_lock(void *vcookie, struct passwd *pw);
bool timestamp_update(void *vcookie, struct passwd *pw);
int timestamp_status(void *vcookie, struct passwd *pw);
+uid_t timestamp_get_uid(void);
+void timestamp_set_owner(uid_t uid, gid_t gid);
int get_starttime(pid_t pid, struct timespec *starttime);
bool already_lectured(void);
int set_lectured(void);
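Review bot: The two new prototypes on the `+` lines carry no contract for their arguments, yet the setter in the timestamp.c hunk treats `(uid_t)-1` and `(gid_t)-1` as "leave unchanged" (its two `if (... != (uid_t)-1)` guards), and the comment there says only `Set timestamp_uid and timestamp_gid.`. A caller reading check.h cannot tell whether passing -1 is an error, an assignment of -1, or a no-op. I would put above the setter prototype `/* Set the uid/gid used for timestamp ownership; (uid_t)-1 or (gid_t)-1 leaves that value unchanged. */` and above the getter `/* Return the uid set_perms() switches to for PERM_TIMESTAMP (ROOT_UID unless overridden). */`.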
diff --git a/plugins/sudoers/regress/fuzz/fuzz_stubs.c b/plugins/sudoers/regress/fuzz/fuzz_stubs.c
index 1b6b598cd..324cb4ae4 100644
--- a/plugins/sudoers/regress/fuzz/fuzz_stubs.c
+++ b/plugins/sudoers/regress/fuzz/fuzz_stubs.c
@@ -39,6 +39,7 @@
#include <netdb.h>
#include "sudoers.h"
+#include "check.h"
#include "interfaces.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
@@ -92,6 +93,12 @@ rewind_perms(void)
return true;
}
+void
+timestamp_set_owner(uid_t uid, gid_t gid)
+{
+ return;
+}
+
bool
sudo_nss_can_continue(const struct sudo_nss *nss, int match)
{
diff --git a/plugins/sudoers/set_perms.c b/plugins/sudoers/set_perms.c
index 77ce395d0..9eb88b44a 100644
--- a/plugins/sudoers/set_perms.c
+++ b/plugins/sudoers/set_perms.c
@@ -40,6 +40,7 @@
#include <grp.h>
#include "sudoers.h"
+#include "check.h"
/*
* Prototypes
@@ -341,7 +342,7 @@ set_perms(int perm)
state->egid = ostate->egid;
state->sgid = ostate->sgid;
state->ruid = ROOT_UID;
- state->euid = timestamp_uid;
+ state->euid = timestamp_get_uid();
state->suid = ROOT_UID;
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_TIMESTAMP: uid: "
"[%d, %d, %d] -> [%d, %d, %d]", __func__,
@@ -674,7 +675,7 @@ set_perms(int perm)
state->egid = ostate->egid;
state->sgid = ostate->sgid;
state->ruid = ROOT_UID;
- state->euid = timestamp_uid;
+ state->euid = timestamp_get_uid();
state->suid = ROOT_UID;
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_TIMESTAMP: uid: "
"[%d, %d, %d] -> [%d, %d, %d]", __func__,
@@ -689,10 +690,10 @@ set_perms(int perm)
goto bad;
}
}
- if (setuidx(ID_EFFECTIVE, timestamp_uid)) {
+ if (setuidx(ID_EFFECTIVE, state->euid)) {
(void)snprintf(errbuf, sizeof(errbuf),
"PERM_TIMESTAMP: setuidx(ID_EFFECTIVE, %d)",
- (int)timestamp_uid);
+ (int)state->euid);
goto bad;
}
}
@@ -1053,7 +1054,7 @@ set_perms(int perm)
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->ruid = ROOT_UID;
- state->euid = timestamp_uid;
+ state->euid = timestamp_get_uid();
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_TIMESTAMP: uid: "
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid,
(int)ostate->euid, (int)state->ruid, (int)state->euid);
@@ -1361,13 +1362,13 @@ set_perms(int perm)
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->ruid = ROOT_UID;
- state->euid = timestamp_uid;
+ state->euid = timestamp_get_uid();
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_TIMESTAMP: uid: "
"[%d, %d] -> [%d, %d]", __func__, (int)ostate->ruid,
(int)ostate->euid, (int)state->ruid, (int)state->euid);
- if (seteuid(timestamp_uid)) {
+ if (seteuid(state->euid)) {
(void)snprintf(errbuf, sizeof(errbuf),
- "PERM_TIMESTAMP: seteuid(%d)", (int)timestamp_uid);
+ "PERM_TIMESTAMP: seteuid(%d)", (int)state->euid);
goto bad;
}
break;
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 15a476439..c7f1b6f74 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -83,8 +83,6 @@ static void set_callbacks(void);
*/
struct sudo_user sudo_user;
struct passwd *list_pw;
-uid_t timestamp_uid = ROOT_UID;
-gid_t timestamp_gid = ROOT_GID;
bool force_umask;
int sudo_mode;
@@ -1640,8 +1638,7 @@ cb_timestampowner(const char *file, int line, int column,
column, user);
debug_return_bool(false);
}
- timestamp_uid = pw->pw_uid;
- timestamp_gid = pw->pw_gid;
+ timestamp_set_owner(pw->pw_uid, pw->pw_gid);
sudo_pw_delref(pw);
debug_return_bool(true);
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 02168367d..e94e67db4 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -435,8 +435,6 @@ extern struct passwd *list_pw;
extern bool force_umask;
extern int sudo_mode;
extern int sudoedit_nfiles;
-extern uid_t timestamp_uid;
-extern gid_t timestamp_gid;
extern sudo_conv_t sudo_conv;
extern sudo_printf_t sudo_printf;
extern struct sudo_plugin_event * (*plugin_event_alloc)(void);
diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c
index 825eec6b7..fa956c6dc 100644
--- a/plugins/sudoers/timestamp.c
+++ b/plugins/sudoers/timestamp.c
@@ -66,6 +66,31 @@ struct ts_cookie {
struct timestamp_entry key;
};
+static uid_t timestamp_uid = ROOT_UID;
+static gid_t timestamp_gid = ROOT_GID;
+
+/*
+ * Set timestamp_uid and timestamp_gid.
+ */
+void
+timestamp_set_owner(uid_t uid, gid_t gid)
+{
+ debug_decl(timestamp_owner, SUDOERS_DEBUG_AUTH);
+
+ if (uid != (uid_t)-1)
+ timestamp_uid = uid;
+ if (gid != (gid_t)-1)
+ timestamp_gid = gid;
+
+ debug_return;
+}
+
+uid_t
+timestamp_get_uid(void)
+{
+ return timestamp_uid;
+}
+
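Review bot: `debug_decl(timestamp_owner, SUDOERS_DEBUG_AUTH);` names a function that does not exist; the enclosing function is `timestamp_set_owner`, so the trace output sudo's debug_decl emits will carry the wrong name. Change it to `debug_decl(timestamp_set_owner, SUDOERS_DEBUG_AUTH);`. The comment above the setter should also state the sentinel behaviour the two `if` guards implement, e.g. `Set timestamp_uid and timestamp_gid; a value of (uid_t)-1 or (gid_t)-1 leaves the existing owner unchanged.`, and `timestamp_get_uid()` could take a one-line comment such as `Return the uid used for timestamp ownership (ROOT_UID unless changed by timestamp_set_owner()).`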
/*
* Returns true if entry matches key, else false.
* We don't match on the sid or actual time stamp.