From: Todd C. Miller Date: Sun, 6 Dec 2015 22:34:53 +0000 (-0700) Subject: Document the race condition between the digest check and command X-Git-Tag: SUDO_1_8_16^2~99 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=96201a275ec9d2f54c870aa725dc96115da08ce7;p=sudo Document the race condition between the digest check and command execution. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 55d893ae0..0faa7cb6c 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -392,13 +392,11 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 - digest. This may be useful in situations where the user invoking ssuuddoo - has write access to the command or its parent directory. The following - digest formats are supported: sha224, sha256, sha384 and sha512. The - string may be specified in either hex or base64 format (base64 is more - compact). There are several utilities capable of generating SHA-2 - digests in hex format such as openssl, shasum, sha224sum, sha256sum, - sha384sum, sha512sum. + digest. The following digest formats are supported: sha224, sha256, + sha384 and sha512. The string may be specified in either hex or base64 + format (base64 is more compact). There are several utilities capable of + generating SHA-2 digests in hex format such as openssl, shasum, + sha224sum, sha256sum, sha384sum, sha512sum. For example, using openssl: 
@@ -410,6 +408,11 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT $ openssl dgst -binary -sha224 /bin/ls | openssl base64 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + If the user has write access to either the command itself or the + directory in which the command is located (directly or via a ssuuddoo + command) it may be possible for the user to replace the command after the + digest check has been performed but before the command is executed. + Command digests are only supported by version 1.8.7 or higher. DDeeffaauullttss diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 69bb1cc5f..a4aa8c09e 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -850,9 +850,6 @@ is prefixed with a \fRDigest_Spec\fR, the command will only match successfully if it can be verified using the specified SHA-2 digest. -This may be useful in situations where the user invoking -\fBsudo\fR -has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -877,6 +874,13 @@ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== .RE .fi .PP +If the user has write access to either the command itself or the +directory in which the command is located (directly or via a +\fBsudo\fR +command) it may be possible for the user to replace the command +after the digest check has been performed but before the command +is executed. +.PP Command digests are only supported by version 1.8.7 or higher. .SS "Defaults" Certain configuration options may be changed from their default diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 59d7cbed5..a17e4b6f3 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -813,9 +813,6 @@ is prefixed with a .Li Digest_Spec , the command will only match successfully if it can be verified using the specified SHA-2 digest. -This may be useful in situations where the user invoking -.Nm sudo -has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -834,6 +831,13 @@ $ openssl dgst -binary -sha224 /bin/ls | openssl base64 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== .Ed .Pp +If the user has write access to either the command itself or the +directory in which the command is located (directly or via a +.Nm sudo +command) it may be possible for the user to replace the command +after the digest check has been performed but before the command +is executed. +.Pp Command digests are only supported by version 1.8.7 or higher. .Ss Defaults Certain configuration options may be changed from their default
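Review bot: The removal hunks (doc/sudoers.cat @@ -392, doc/sudoers.man.in @@ -850, doc/sudoers.mdoc.in @@ -813) leave the Digest_Spec paragraph with no statement of when a digest is worth using. They drop "This may be useful in situations where the user invoking sudo has write access to the command or its parent directory" without a replacement, so the text now goes straight from "verified using the specified SHA-2 digest" to the list of supported formats. Consider replacing the sentence rather than only deleting it, with one that says what the digest does establish: that the file matched the digest at the time it was checked.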
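Review bot: The added paragraph (doc/sudoers.cat @@ -410, doc/sudoers.man.in @@ -877, doc/sudoers.mdoc.in @@ -834) describes the window between the digest check and execution but gives the administrator nothing to act on. Suggest a closing sentence stating that a Digest_Spec should only be relied on when neither the command nor the directory containing it is writable by the user, whether directly or through another sudo command, since those are the two conditions the paragraph itself names. Style: a comma is missing after the parenthetical in all three files; "command) it may be possible" should read "command), it may be possible".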