/var/db, /var/lib, /var/adm, /usr/adm
This directory should not be cleared when the system boots.
+ --with-tzdir=DIR
+ Set the directory to the system's time zone data files. This
+ is only used when sanitizing the TZ environment variable to
+ allow for fully-qualified paths in TZ.
+ By default, configure will look for an existing "zoneinfo"
+ directory in the following locations:
+ /usr/share /usr/share/lib /usr/lib /etc
+ If no zoneinfo directory is found, the TZ variable may not
+ contain a fully-qualified path.
+
Compilation options:
--disable-hardening
Disable the use of compiler/linker exploit mitigation options
* Fixed two potential crashes when sudo is run with very low
resource limits.
+ * The TZ environment variable is now checked for safety instead
+ of simply being copied to the environment of the command.
+
What's new in Sudo 1.8.11p2
* Fixed a bug where dynamic shared objects loaded from a plugin
with_rundir
with_vardir
with_iologdir
+with_tzdir
with_sendmail
with_sudoers_mode
with_sudoers_uid
--with-rundir=DIR path to the sudo time stamp parent dir
--with-vardir=DIR path to the sudo var dir
--with-iologdir=DIR directory to store sudo I/O log files in
+ --with-tzdir=DIR path to the time zone data directory
--with-sendmail set path to sendmail
--without-sendmail do not send mail at all
--with-sudoers-mode mode of sudoers file (defaults to 0440)
+# Check whether --with-tzdir was given.
+if test "${with_tzdir+set}" = set; then :
+ withval=$with_tzdir; case $with_tzdir in
+ yes) as_fn_error $? "\"must give --with-tzdir an argument.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
# Check whether --with-sendmail was given.
if test "${with_sendmail+set}" = set; then :
withval=$with_sendmail; case $with_sendmail in
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $iolog_dir" >&5
$as_echo "$iolog_dir" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking time zone data directory" >&5
+$as_echo_n "checking time zone data directory... " >&6; }
+tzdir="$with_tzdir"
+if test -z "$tzdir"; then
+ tzdir=no
+ for d in /usr/share /usr/share/lib /usr/lib /etc; do
+ if test -d "$d/zoneinfo"; then
+ tzdir="$d/zoneinfo"
+ break
+ fi
+ done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $tzdir" >&5
+$as_echo "$tzdir" >&6; }
+if test "${tzdir}" != "no"; then
+ cat >>confdefs.h <<EOF
+#define _PATH_ZONEINFO "$tzdir"
+EOF
+
+fi
+
ac_c_werror_flag=yes
;;
esac])
+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
+[case $with_tzdir in
+ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
[case $with_sendmail in
SUDO_RUNDIR
SUDO_VARDIR
SUDO_IO_LOGDIR
+SUDO_TZDIR
dnl
dnl Turn warnings into errors.
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
- environment if the variable's value contains `%' or `/'
+ environment if unless they are considered ``safe''.
+ For all variables except TZ, ``safe'' means that the
+ variable's value does not contain any `%' or `/'
characters. This can be used to guard against printf-
style format vulnerabilities in poorly-written
- programs. The argument may be a double-quoted, space-
- separated list or a single value without double-quotes.
- The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
- env_check will be preserved in the environment if they
- pass the aforementioned check. The default list of
- environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the -\b-V\bV option.
+ programs. The TZ variable is considerd unsafe if any
+ of the following are true:
+
+ +\b+\bo\bo It consists of a fully-qualified path name that
+ does not match the location of the _\bz_\bo_\bn_\be_\bi_\bn_\bf_\bo
+ directory.
+
+ +\b+\bo\bo It contains a _\b._\b. path element.
+
+ +\b+\bo\bo It contains white space or non-printable
+ characters.
+
+ +\b+\bo\bo It is longer than the value of PATH_MAX.
+
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively.
+ Regardless of whether the env_reset option is enabled
+ or disabled, variables specified by env_check will be
+ preserved in the environment if they pass the
+ aforementioned check. The default list of environment
+ variables to check is displayed when s\bsu\bud\bdo\bo is run by
+ root with the -\b-V\bV option.
env_delete Environment variables to be removed from the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.12 January 21, 2015 Sudo 1.8.12
+Sudo 1.8.12 February 6, 2015 Sudo 1.8.12
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "January 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "February 6, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
.TP 18n
env_check
Environment variables to be removed from the user's environment if
-the variable's value contains
+unless they are considered
+\(lqsafe\(rq.
+For all variables except
+\fRTZ\fR,
+\(lqsafe\(rq
+means that the variable's value does not contain any
\(oq%\(cq
or
\(oq/\(cq
characters.
This can be used to guard against printf-style format vulnerabilities
in poorly-written programs.
+The
+\fRTZ\fR
+variable is considerd unsafe if any of the following are true:
+.PP
+.RS 18n
+.PD 0
+.TP 4n
+\fB\(bu\fR
+It consists of a fully-qualified path name that does not match
+the location of the
+\fIzoneinfo\fR
+directory.
+.PD
+.TP 4n
+\fB\(bu\fR
+It contains a
+\fI..\fR
+path element.
+.TP 4n
+\fB\(bu\fR
+It contains white space or non-printable characters.
+.TP 4n
+\fB\(bu\fR
+It is longer than the value of
+\fRPATH_MAX\fR.
+.PP
The argument may be a double-quoted, space-separated list or a
single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using
the
\fB\-V\fR
option.
+.RE
.TP 18n
env_delete
Environment variables to be removed from the user's environment when the
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd January 21, 2015
+.Dd February 6, 2015
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Bl -tag -width 16n
.It env_check
Environment variables to be removed from the user's environment if
-the variable's value contains
+unless they are considered
+.Dq safe .
+For all variables except
+.Li TZ ,
+.Dq safe
+means that the variable's value does not contain any
.Ql %
or
.Ql /
characters.
This can be used to guard against printf-style format vulnerabilities
in poorly-written programs.
+The
+.Li TZ
+variable is considerd unsafe if any of the following are true:
+.Bl -bullet
+.It
+It consists of a fully-qualified path name that does not match
+the location of the
+.Pa zoneinfo
+directory.
+.It
+It contains a
+.Pa ..
+path element.
+.It
+It contains white space or non-printable characters.
+.It
+It is longer than the value of
+.Li PATH_MAX .
+.El
+.Pp
The argument may be a double-quoted, space-separated list or a
single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using
dnl Local m4 macros for autoconf (used by sudo)
dnl
-dnl Copyright (c) 1994-1996, 1998-2005, 2007-2014
+dnl Copyright (c) 1994-1996, 1998-2005, 2007-2015
dnl Todd C. Miller <Todd.Miller@courtesan.com>
dnl
dnl XXX - should cache values in all cases!!!
fi
])dnl
+dnl
+dnl Detect time zone file directory, if any.
+dnl
+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
+tzdir="$with_tzdir"
+if test -z "$tzdir"; then
+ tzdir=no
+ for d in /usr/share /usr/share/lib /usr/lib /etc; do
+ if test -d "$d/zoneinfo"; then
+ tzdir="$d/zoneinfo"
+ break
+ fi
+ done
+fi
+AC_MSG_RESULT([$tzdir])
+if test "${tzdir}" != "no"; then
+ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
+fi
+])dnl
+
dnl
dnl Parent directory for time stamp dir.
dnl
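Review bot: The user-supplied --with-tzdir value is copied into tzdir verbatim at `tzdir="$with_tzdir"`, so a DIR given with a trailing slash (e.g. `--with-tzdir=/usr/share/zoneinfo/`) becomes _PATH_ZONEINFO unchanged; tz_is_sane() in the plugins/sudoers/env.c hunk then requires the character right after the prefix to be '/', which a trailing-slash prefix can never satisfy, so every fully-qualified TZ value would be rejected on such a build. Stripping the slash in the macro removes that footgun: `tzdir="${with_tzdir%/}"`. The autodetected branch only accepts a directory that passes `test -d "$d/zoneinfo"`, but an explicit DIR is never checked for existence; a `test -d "$tzdir" || AC_MSG_WARN([...])` would make the two paths consistent and catch typos at configure time rather than as silently rejected TZ values at run time.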
# undef _PATH_NETSVC_CONF
#endif /* _PATH_NETSVC_CONF */
+#ifndef _PATH_ZONEINFO
+# undef _PATH_ZONEINFO
+#endif /* _PATH_ZONEINFO */
+
/* On AIX, _PATH_BSHELL in paths.h is /usr/bin/bsh but we want /usr/bin/sh */
#ifndef _PATH_SUDO_BSHELL
# if defined(_AIX) && defined(HAVE_PATHS_H)
"LC_*",
"LINGUAS",
"TERM",
+ "TZ",
NULL
};
"PATH",
"PS1",
"PS2",
- "TZ",
"XAUTHORITY",
"XAUTHORIZATION",
NULL
debug_return_bool(matches_env_list(var, &def_env_delete, &full_match));
}
+/*
+ * Sanity-check the TZ environment variable.
+ * On many systems it is possible to set this to a pathname.
+ */
+static bool
+tz_is_sane(const char *tzval)
+{
+ const char *cp;
+ char lastch;
+ debug_decl(tz_is_sane, SUDOERS_DEBUG_ENV)
+
+ /* tzcode treats a value beginning with a ':' as a path. */
+ if (tzval[0] == ':')
+ tzval++;
+
+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
+ if (tzval[0] == '/') {
+#ifdef _PATH_ZONEINFO
+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
+ debug_return_bool(false);
+#else
+ /* Assume the worst. */
+ debug_return_bool(false);
+#endif
+ }
+
+ /*
+ * Make sure TZ only contains printable non-space characters
+ * and does not contain a '..' path element.
+ */
+ lastch = '/';
+ for (cp = tzval; *cp != '\0'; cp++) {
+ if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
+ debug_return_bool(false);
+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
+ (cp[2] == '/' || cp[2] == '\0'))
+ debug_return_bool(false);
+ lastch = *cp;
+ }
+
+ /* Reject extra long TZ values (even if not a path). */
+ if ((size_t)(cp - tzval) >= PATH_MAX)
+ debug_return_bool(false);
+
+ debug_return_bool(true);
+}
+
/*
* Apply the env_check list.
* Returns true if the variable is allowed, false if denied
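Review bot: The comment above the absolute-path check reads "doesn't being with the zoneinfo dir" and also leaves unstated the one assumption the strncmp/`'/'` comparison on the following two lines depends on; I would change it to `/* Reject a fully-qualified TZ that doesn't begin with the zoneinfo dir (_PATH_ZONEINFO must have no trailing slash). */`. The character-class loop relies on isspace()/isprint(), which are locale dependent, so which bytes above 0x7f count as printable depends on the locale in effect when sudo runs; if the intent is a fixed 7-bit check, a short comment saying whether that locale dependence is acceptable would help the next reader. The `..` test with lastch initialised to '/' correctly catches a leading `..`, a `/../` element and a trailing `/..`; a one-line comment noting why lastch starts as '/' (`/* treat start of string as a path boundary */`) would make that non-obvious initialisation self-explanatory.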
/* Skip anything listed in env_check that includes '/' or '%'. */
if (matches_env_list(var, &def_env_check, full_match)) {
- const char *val = strchr(var, '=');
- if (val != NULL)
- keepit = !strpbrk(++val, "/%");
+ if (strncmp(var, "TZ=", 3) == 0) {
+ /* Special case for TZ */
+ keepit = tz_is_sane(var + 3);
+ } else {
+ const char *val = strchr(var, '=');
+ if (val != NULL)
+ keepit = !strpbrk(++val, "/%");
+ }
}
debug_return_bool(keepit);
}
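Review bot: The comment "Skip anything listed in env_check that includes '/' or '%'" at the top of this hunk is now inaccurate, because the new `TZ=` branch deliberately admits values containing '/' and routes them through tz_is_sane() instead; I would update it to `/* Skip anything listed in env_check that includes '/' or '%' (TZ is validated separately by tz_is_sane()). */`. The enclosing function's signature and the declaration of keepit lie outside this hunk, so the default value of keepit on the no-'=' path cannot be confirmed from here.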