"noexec_file", T_STR|T_PATH,
"File containing dummy exec functions: %s",
NULL,
+ }, {
+ "ignore_local_sudoers", T_FLAG,
+ "If LDAP directory is up, do we ignore local sudoers file",
+ NULL,
+ }, {
+ "monitor", T_FLAG,
+ "Monitor children of cmnd and apply sudoers restrictions to them",
+ NULL,
+ }, {
+ "closefrom", T_INT,
+ "File descriptors >= %d will be closed before executing a command",
+ NULL,
+ }, {
+ "closefrom_override", T_FLAG,
+ "If set, users may override the value of `closefrom' with the -O option",
+ NULL,
}, {
"env_check", T_LIST|T_BOOL,
"Environment variables to check for sanity:",
"env_keep", T_LIST|T_BOOL,
"Environment variables to preserve:",
NULL,
- }, {
- "ignore_local_sudoers", T_FLAG,
- "If LDAP directory is up, do we ignore local sudoers file",
- NULL,
- }, {
- "monitor", T_FLAG,
- "Monitor children of cmnd and apply sudoers restrictions to them",
- NULL,
}, {
NULL, 0, NULL
}
#define I_NOEXEC 53
#define def_noexec_file (sudo_defs_table[54].sd_un.str)
#define I_NOEXEC_FILE 54
-#define def_env_check (sudo_defs_table[55].sd_un.list)
-#define I_ENV_CHECK 55
-#define def_env_delete (sudo_defs_table[56].sd_un.list)
-#define I_ENV_DELETE 56
-#define def_env_keep (sudo_defs_table[57].sd_un.list)
-#define I_ENV_KEEP 57
-#define def_ignore_local_sudoers (sudo_defs_table[58].sd_un.flag)
-#define I_IGNORE_LOCAL_SUDOERS 58
-#define def_monitor (sudo_defs_table[59].sd_un.flag)
-#define I_MONITOR 59
+#define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag)
+#define I_IGNORE_LOCAL_SUDOERS 55
+#define def_monitor (sudo_defs_table[56].sd_un.flag)
+#define I_MONITOR 56
+#define def_closefrom (sudo_defs_table[57].sd_un.ival)
+#define I_CLOSEFROM 57
+#define def_closefrom_override (sudo_defs_table[58].sd_un.flag)
+#define I_CLOSEFROM_OVERRIDE 58
+#define def_env_check (sudo_defs_table[59].sd_un.list)
+#define I_ENV_CHECK 59
+#define def_env_delete (sudo_defs_table[60].sd_un.list)
+#define I_ENV_DELETE 60
+#define def_env_keep (sudo_defs_table[61].sd_un.list)
+#define I_ENV_KEEP 61
enum def_tupple {
never,
noexec_file
T_STR|T_PATH
"File containing dummy exec functions: %s"
+ignore_local_sudoers
+ T_FLAG
+ "If LDAP directory is up, do we ignore local sudoers file"
+monitor
+ T_FLAG
+ "Monitor children of cmnd and apply sudoers restrictions to them"
+closefrom
+ T_INT
+ "File descriptors >= %d will be closed before executing a command"
+closefrom_override
+ T_FLAG
+ "If set, users may override the value of `closefrom' with the -O option"
env_check
T_LIST|T_BOOL
"Environment variables to check for sanity:"
env_keep
T_LIST|T_BOOL
"Environment variables to preserve:"
-ignore_local_sudoers
- T_FLAG
- "If LDAP directory is up, do we ignore local sudoers file"
-monitor
- T_FLAG
- "Monitor children of cmnd and apply sudoers restrictions to them"
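Review bot: The description added for `closefrom_override` tells the reader to use a `-O` option, but the flag this commit parses, lists in the usage string and documents in the synopsis is `-C`. The same mismatch appears in the generated table entry, in both messages in the C code (`you are not permitted to use the -O option` and `the argument to -O must be at least 3`) and in the `closefrom_override` manual entry. An administrator or user who follows the text will look for a flag that the usage output does not list, so every `-O` should read `-C`.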
def_env_editor = TRUE;
#endif
def_set_logname = TRUE;
+ def_closefrom = STDERR_FILENO + 1;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)
}
argv[i] = NULL;
- /* Close password and group files so we don't leak fds. */
+ /* Close password, group and other fds so we don't leak. */
sudo_endpwent();
sudo_endgrent();
+ closefrom(STDERR_FILENO + 1);
/*
* Depending on the config, either run the mailer as root
int Argc, NewArgc;
char **Argv, **NewArgv;
char *prev_user;
+static int user_closefrom = -1;
struct sudo_user sudo_user;
struct passwd *auth_pw, *list_pw;
struct interface *interfaces;
(void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
/*
- * Turn off core dumps and close open files.
+ * Turn off core dumps and make sure fds 0-2 are open.
*/
initial_setup();
sudo_setpwent();
exit(1);
}
+ /* Check for -C overriding def_closefrom. */
+ if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
+ if (!def_closefrom_override)
+ errorx(1, "you are not permitted to use the -O option");
+ else
+ def_closefrom = user_closefrom;
+ }
+
cmnd_status = set_cmnd(sudo_mode);
#ifdef HAVE_LDAP
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+ closefrom(def_closefrom + 1);
+
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
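Review bot: `closefrom(def_closefrom + 1)` starts one descriptor too high. With the default set in the defaults hunk (`def_closefrom = STDERR_FILENO + 1`, i.e. 3) it closes from 4 upward, so an inherited fd 3 stays open in the executed command. That contradicts the option text ("File descriptors >= %d will be closed") and the manual's "The default is 3". It also differs from the `closefrom(STDERR_FILENO + 1)` call that this commit removes from initial setup, assuming `closefrom(n)` closes every descriptor >= n as that call implies. I would pass the value unchanged, `closefrom(def_closefrom);`; the enclosing function starts and ends outside the hunk.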
NewArgv++;
break;
#endif
+ case 'C':
+ if (NewArgv[1] == NULL)
+ usage(1);
+ if ((user_closefrom = atoi(NewArgv[1])) < 3) {
+ warningx("the argument to -O must be at least 3");
+ usage(1);
+ }
+ NewArgc--;
+ NewArgv++;
+ break;
case 'b':
SET(rval, MODE_BACKGROUND);
break;
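Review bot: `atoi(NewArgv[1])` in the new `case 'C'` cannot report bad input, so the `< 3` test is the only validation applied to a user-supplied descriptor number. A value such as `3x` is accepted as 3, and a number outside the range of `int` has undefined behaviour. Parsing with `strtol` and rejecting trailing characters and overflow closes that gap: `errno = 0; lval = strtol(NewArgv[1], &ep, 10);` followed by `if (ep == NewArgv[1] || *ep != '\0' || errno == ERANGE || lval < 3 || lval > INT_MAX) usage(1);`, with `long lval; char *ep;` declared in the function. The surrounding switch begins and ends outside the hunk.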
(void) dup2(devnull, STDOUT_FILENO);
if (miss[STDERR_FILENO])
(void) dup2(devnull, STDERR_FILENO);
+ if (devnull > STDERR_FILENO)
+ close(devnull);
}
}
- closefrom(STDERR_FILENO + 1);
}
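Review bot: With `closefrom(STDERR_FILENO + 1)` removed from the end of this function, every inherited descriptor above 2 now stays open while sudo runs, until the `closefrom()` call added just before the command is executed. The mailer hunk adds its own `closefrom(STDERR_FILENO + 1)`, but any other child started before that point would inherit those descriptors unless it does the same. Whether such children exist is not visible in this diff and should be checked. A comment here would record the new contract, e.g. `/* fds > 2 stay open until the closefrom() call made just before exec */`. The function begins outside the hunk.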
#ifdef HAVE_LOGIN_CAP_H
#ifdef HAVE_BSD_AUTH_H
" [-a auth_type]",
#endif
+ " [-C fd]",
#ifdef HAVE_LOGIN_CAP_H
" [-c class|-]",
#endif
B<sudo> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> B<-l> [I<command>]
-B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
-S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
+B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-C> I<fd>]>
+S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
S<{B<-e> file [...] | B<-i> | B<-s> | I<command>}>
B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]>
=over 4
+=item -C fd
+
+Normally, B<sudo> will close all open file descriptors other than
+standard input, standard output and standard error. The B<-C>
+(I<close from>) option allows the user to specify a starting point
+above the standard error (file descriptor three). Values less than
+three are not permitted. This option is only available if the
+administrator has enabled the I<closefrom_override> option in
+L<sudoers(@mansectform@)>.
+
=item -H
The B<-H> (I<HOME>) option sets the C<HOME> environment variable
have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is I<off> by default.
+=item closefrom_override
+
+If set, the user may use B<sudo>'s B<-O> option which
+overrides the default starting point at which B<sudo> begins
+closing open file descriptors. This flag is I<off> by default.
+
=back
B<Integers>:
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.
+=item closefrom
+
+Before it executes a command, B<sudo> will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0-2). The I<closefrom> option can be used
+to specify a different file descriptor at which to start closing.
+The default is 3.
+
=back
B<Strings>: