File sudo-no-passwd-for-nonexisting-cmd.patch of Package sudo

Overview Repositories Revisions Requests Users Attributes Meta

File sudo-no-passwd-for-nonexisting-cmd.patch of Package sudo

Author: Ali Abdallah <ali.abdallah@suse.com>
Date:   Wed Jan 18 12:05:32 2022 +0100

A non-existent file is not an error for "sudo ALL".

---
 plugins/sudoers/match_command.c |   27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

--- a/plugins/sudoers/match_command.c
+++ b/plugins/sudoers/match_command.c
@@ -122,6 +122,24 @@ do_stat(int fd, const char *path, const
     }
     debug_return_int(ret);
 }
+/*
+ * Perform intercept-specific checks.
+ * Returns true if allowed, else false.
+ */
+static bool
+intercept_ok(const char *path, bool intercepted, struct stat *sb)
+{
+    debug_decl(intercept_ok, SUDOERS_DEBUG_MATCH);
+
+    if (intercepted) {
+	if (!def_intercept_allow_setid && ISSET(sb->st_mode, S_ISUID|S_ISGID)) {
+	    sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+		"rejecting setid command %s", path);
+	    debug_return_bool(false);
+	}
+    }
+    debug_return_bool(true);
+}
 #endif /* SUDOERS_NAME_MATCH */
 
 /*
@@ -348,6 +366,9 @@ static bool
 command_matches_all(const char *runchroot,
     bool intercepted, const struct command_digest_list *digests)
 {
+#ifndef SUDOERS_NAME_MATCH
+    struct stat sb;
+#endif
     int fd = -1;
     debug_decl(command_matches_all, SUDOERS_DEBUG_MATCH);
 
@@ -356,8 +377,10 @@ command_matches_all(const char *runchroo
 	if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
 	    goto bad;
 #ifndef SUDOERS_NAME_MATCH
-	if (!do_stat(fd, user_cmnd, runchroot, intercepted, NULL))
-	    goto bad;
+	if (do_stat(fd, user_cmnd, runchroot, intercepted, &sb)) {
+	    if (!intercept_ok(user_cmnd, intercepted, &sb))
+		goto bad;
+	}
 #endif
     }

Places

File sudo-no-passwd-for-nonexisting-cmd.patch of Package sudo

Places