Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
sudo.32786
feature-upstream-restrict-sudo-U-other-l.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File feature-upstream-restrict-sudo-U-other-l.patch of Package sudo.32786
From 9f695f0fcc749b3cdebc453ba4fdeae84114f3ae Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" <Todd.Miller@sudo.ws> Date: Mon, 14 Feb 2022 13:09:55 -0700 Subject: [PATCH] Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134 --- docs/sudo.man.in | 11 ++++++----- docs/sudo.mdoc.in | 11 ++++++----- plugins/sudoers/parse.c | 34 ++++++++++++++++++++++++---------- plugins/sudoers/policy.c | 5 +++++ 4 files changed, 41 insertions(+), 20 deletions(-) Index: sudo-1.9.9/docs/sudo.man.in =================================================================== --- sudo-1.9.9.orig/docs/sudo.man.in +++ sudo-1.9.9/docs/sudo.man.in @@ -664,11 +664,12 @@ option to list the privileges for \fIuser\fR instead of for the invoking user. The security policy may restrict listing other users' privileges. -The +When using the \fIsudoers\fR -policy only allows root or a user with the -\fRALL\fR -privilege on the current host to use this option. +policy, only root or a user with the ability to run any command as +either root or the specified +\fIuser\fR +on the current host may use this option. .TP 12n \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR Used to set a timeout for the command. Index: sudo-1.9.9/docs/sudo.mdoc.in =================================================================== --- sudo-1.9.9.orig/docs/sudo.mdoc.in +++ sudo-1.9.9/docs/sudo.mdoc.in @@ -620,11 +620,12 @@ option to list the privileges for .Ar user instead of for the invoking user. The security policy may restrict listing other users' privileges. -The +When using the .Em sudoers -policy only allows root or a user with the -.Li ALL -privilege on the current host to use this option. +policy, only root or a user with the ability to run any command as +either root or the specified +.Ar user +on the current host may use this option. .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout Used to set a timeout for the command. If the timeout expires before the command has exited, the Index: sudo-1.9.9/plugins/sudoers/parse.c =================================================================== --- sudo-1.9.9.orig/plugins/sudoers/parse.c +++ sudo-1.9.9/plugins/sudoers/parse.c @@ -43,24 +43,26 @@ static int sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int validated, int pwflag) { - int match; + struct passwd *root_pw = NULL; struct sudo_nss *nss; struct cmndspec *cs; struct privilege *priv; struct userspec *us; struct defaults *def; - int nopass; + int nopass, match = DENY; enum def_tuple pwcheck; debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER); pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; nopass = (pwcheck == never || pwcheck == all) ? true : false; - if (list_pw == NULL) - SET(validated, FLAG_NO_CHECK); CLR(validated, FLAG_NO_USER); CLR(validated, FLAG_NO_HOST); - match = DENY; + if (list_pw != NULL) { + root_pw = sudo_getpwuid(ROOT_UID); + } else { + SET(validated, FLAG_NO_CHECK); + } TAILQ_FOREACH(nss, snl, entries) { if (nss->query(nss, pw) == -1) { /* The query function should have printed an error message. */ @@ -89,16 +91,28 @@ sudoers_lookup_pseudo(struct sudo_nss_li } if (match == ALLOW) continue; - /* Only check the command when listing another user. */ + + /* Only check runas/command when listing another user. */ if (user_uid == 0 || list_pw == NULL || - user_uid == list_pw->pw_uid || - cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot, - NULL) == ALLOW) - match = ALLOW; + user_uid == list_pw->pw_uid) { + match = ALLOW; + continue; + } + /* Runas user must match list user or root. */ + if (userlist_matches(nss->parse_tree, list_pw, + cs->runasuserlist) == DENY || + userlist_matches(nss->parse_tree, root_pw, + cs->runasuserlist) != ALLOW) + continue; + if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot, + NULL) == ALLOW) + match = ALLOW; } } } } + if (root_pw != NULL) + sudo_pw_delref(root_pw); if (match == ALLOW || user_uid == 0) { /* User has an entry for this host. */ SET(validated, VALIDATE_SUCCESS); Index: sudo-1.9.9/plugins/sudoers/policy.c =================================================================== --- sudo-1.9.9.orig/plugins/sudoers/policy.c +++ sudo-1.9.9/plugins/sudoers/policy.c @@ -1217,6 +1217,11 @@ sudoers_policy_list(int argc, char * con sudo_warnx(U_("unknown user %s"), list_user); debug_return_int(-1); } + /* A user may only list another user they have runas access to. */ + if (runas_pw != NULL) + sudo_pw_delref(runas_pw); + runas_pw = list_pw; + sudo_pw_addref(list_pw); } ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, verbose, NULL); if (list_user) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor