From: Todd C. Miller Date: Tue, 19 Jan 2016 21:16:25 +0000 (-0700) Subject: Make sudoedit_checkdir the default and update the documentation accordingly. X-Git-Tag: SUDO_1_8_16^2~60 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=de0208a01b87feea002a1d28d40db1c6f4a084bc;p=sudo Make sudoedit_checkdir the default and update the documentation accordingly. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index 90b061b8d..27bdd5ce4 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -126,12 +126,23 @@ DDEESSCCRRIIPPTTIIOONN copied back to their original location and the temporary versions are removed. - Unless explicitly allowed by the security policy, symbolic - links will not be opened. This helps prevent the editing of - unauthorized files when the file is located in a user- - writable directory. Versions of ssuuddoo prior to 1.8.15 do not - have this restriction. Users are never allowed to edit - device special files. + To help prevent the editing of unauthorized files, the + following restrictions are enforced unless explicitly allowed + by the security policy: + + ++oo Symbolic links may not be edited (version 1.8.15 and + higher). + + ++oo Symbolic links along the path to be edited are not + followed when the parent directory is writable by the + invoking user unless that user is root (version 1.8.16 + and higher). + + ++oo Files located in a directory that is writable by the + invoking user may not be edited unless that user is root + (version 1.8.16 and higher). + + Users are never allowed to edit device special files. If the specified file does not exist, it will be created. Note that unlike most commands run by _s_u_d_o, the editor is run 
@@ -440,14 +451,7 @@ SSEECCUURRIITTYY NNOOTTEESS Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are writable by the user or that reside in a directory that is writable by the user. If the user can modify or replace the command there is no way - to limit what additional commands they can run. Likewise, users should - _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that resides in a - directory the user has write access to. A user with directory write - access could replace the legitimate file with a link to some other, - arbitrary, file. Starting with version 1.8.15, ssuuddooeeddiitt will refuse to - open a symbolic link unless the security policy explicitly permits it. - However, it is still possible to create a hard link if the directory is - writable and the link target resides on the same file system. + to limit what additional commands they can run. Please note that ssuuddoo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent @@ -617,4 +621,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.16 November 20, 2015 Sudo 1.8.16 +Sudo 1.8.16 January 19, 2016 Sudo 1.8.16 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 6350b0566..0cc566a2d 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "November 20, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "8" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -296,13 +296,23 @@ their original location and the temporary versions are removed. .RE .RS 12n .sp -Unless explicitly allowed by the security policy, symbolic links -will not be opened. -This helps prevent the editing of unauthorized files when the file -is located in a user-writable directory. -Versions of -\fBsudo\fR -prior to 1.8.15 do not have this restriction. +To help prevent the editing of unauthorized files, the following +restrictions are enforced unless explicitly allowed by the security policy: +.RS 16n +.TP 4n +\fB\(bu\fR +Symbolic links may not be edited (version 1.8.15 and higher). +.TP 4n +\fB\(bu\fR +Symbolic links along the path to be edited are not followed when the +parent directory is writable by the invoking user unless that user +is root (version 1.8.16 and higher). +.TP 4n +\fB\(bu\fR +Files located in a directory that is writable by the invoking user may +not be edited unless that user is root (version 1.8.16 and higher). +.RE +.sp Users are never allowed to edit device special files. .sp If the specified file does not exist, it will be created. 
@@ -883,20 +893,6 @@ privileges to execute files that are writable by the user or that reside in a directory that is writable by the user. If the user can modify or replace the command there is no way to limit what additional commands they can run. -Likewise, users should -\fInever\fR -be granted -\fBsudoedit\fR -permission to edit a file that resides in a directory the user has -write access to. -A user with directory write access could replace the legitimate -file with a link to some other, arbitrary, file. -Starting with version 1.8.15, -\fBsudoedit\fR -will refuse to open a symbolic link unless the security policy -explicitly permits it. -However, it is still possible to create a hard link if the directory -is writable and the link target resides on the same file system. .PP Please note that \fBsudo\fR diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index f2cb8d9fe..7f4a7fa39 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd November 20, 2015 +.Dd January 19, 2016 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -269,13 +269,20 @@ If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. .El .Pp -Unless explicitly allowed by the security policy, symbolic links -will not be opened. -This helps prevent the editing of unauthorized files when the file -is located in a user-writable directory. -Versions of -.Nm -prior to 1.8.15 do not have this restriction. +To help prevent the editing of unauthorized files, the following +restrictions are enforced unless explicitly allowed by the security policy: +.Bl -bullet -offset 4 +.It +Symbolic links may not be edited (version 1.8.15 and higher). +.It +Symbolic links along the path to be edited are not followed when the +parent directory is writable by the invoking user unless that user +is root (version 1.8.16 and higher). +.It +Files located in a directory that is writable by the invoking user may +not be edited unless that user is root (version 1.8.16 and higher). +.El +.Pp Users are never allowed to edit device special files. .Pp If the specified file does not exist, it will be created. @@ -818,20 +825,6 @@ privileges to execute files that are writable by the user or that reside in a directory that is writable by the user. If the user can modify or replace the command there is no way to limit what additional commands they can run. -Likewise, users should -.Em never -be granted -.Nm sudoedit -permission to edit a file that resides in a directory the user has -write access to. -A user with directory write access could replace the legitimate -file with a link to some other, arbitrary, file. -Starting with version 1.8.15, -.Nm sudoedit -will refuse to open a symbolic link unless the security policy -explicitly permits it. -However, it is still possible to create a hard link if the directory -is writable and the link target resides on the same file system. .Pp Please note that .Nm diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 4eda3319f..05fb4a942 100644 
--- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -614,9 +614,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how NOEXEC works and whether or not it will work on your system. - _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not - follow symbolic links when opening files unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w - option is enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of + _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open + a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is + enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of _s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of symbolic links on a per-command basis. These tags are only effective for the _s_u_d_o_e_d_i_t command and are ignored for all other commands. 
@@ -1257,15 +1257,20 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS system call. This flag is _o_f_f by default. sudoedit_checkdir - If set, ssuuddooeeddiitt will check directories in the path to - be edited for writability by the invoking user. - Symbolic links will not be followed in writable - directories and ssuuddooeeddiitt will also refuse to edit a - file located in a writable directory. Theses - restrictions are not enforced when ssuuddooeeddiitt is invoked - as root. On many systems, this option requires that - all directories in the path to be edited be readable by - the target user. This flag is _o_f_f by default. + If set, ssuuddooeeddiitt will check all directory components of + the path to be edited for writability by the invoking + user. Symbolic links will not be followed in writable + directories and ssuuddooeeddiitt will refuse to edit a file + located in a writable directory. These restrictions + are not enforced when ssuuddooeeddiitt is run by root. On some + systems, if all directory components of the path to be + edited are not readable by the target user, ssuuddooeeddiitt + will be unable to edit the file. This flag is _o_n by + default. + + This setting was first introduced in version 1.8.15. + The check for symbolic links in writable intermediate + directories was added in version 1.8.16. sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be 
@@ -2378,12 +2383,14 @@ SSEECCUURRIITTYY NNOOTTEESS resides in a directory the user has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, - allowing the editing of arbitrary files. Starting with version 1.8.15, + allowing the editing of arbitrary files. To prevent this, starting with + version 1.8.16, symbolic links will not be followed in writable + directories and ssuuddooeeddiitt will refuse to edit a file located in a writable + directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the + invoking user is root. Additionally, in version 1.8.15 and higher, ssuuddooeeddiitt will refuse to open a symbolic link unless either the - _s_u_d_o_e_d_i_t___f_o_l_l_o_w Defaults option is enabled or the _s_u_d_o_e_d_i_t command is - prefixed with the FOLLOW tag. However, it is still possible to create a - hard link if the directory is writable and the link target resides on the - same file system. + _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed + with the FOLLOW tag in the _s_u_d_o_e_r_s file. TTiimmee ssttaammpp ffiillee cchheecckkss ssuuddooeerrss will check the ownership of its time stamp directory @@ -2524,4 +2531,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.16 January 16, 2016 Sudo 1.8.16 +Sudo 1.8.16 January 19, 2016 Sudo 1.8.16 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 2ff876ed8..b3fac9181 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "January 16, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -1298,7 +1298,7 @@ works and whether or not it will work on your system. \fIFOLLOW\fR and \fINOFOLLOW\fR Starting with version 1.8.15, \fBsudoedit\fR -will not follow symbolic links when opening files unless the +will not open a file that is a symbolic link unless the \fIsudoedit_follow\fR option is enabled. The @@ -2687,19 +2687,25 @@ sudoedit_checkdir .br If set, \fBsudoedit\fR -will check directories in the path to be edited for writability +will check all directory components of the path to be edited for writability by the invoking user. Symbolic links will not be followed in writable directories and \fBsudoedit\fR -will also refuse to edit a file located in a writable directory. -Theses restrictions are not enforced when +will refuse to edit a file located in a writable directory. +These restrictions are not enforced when \fBsudoedit\fR -is invoked as root. -On many systems, this option requires that all directories -in the path to be edited be readable by the target user. +is run by root. +On some systems, if all directory components of the path to be edited +are not readable by the target user, +\fBsudoedit\fR +will be unable to edit the file. This flag is -\fIoff\fR +\fIon\fR by default. +.sp +This setting was first introduced in version 1.8.15. +The check for symbolic links in writable intermediate directories +was added in version 1.8.16. .TP 18n sudoedit_follow By default, 
@@ -4847,17 +4853,24 @@ has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. -Starting with version 1.8.15, +To prevent this, starting with version 1.8.16, symbolic links will +not be followed in writable directories and +\fBsudoedit\fR +will refuse to edit a file located in a writable directory +unless the +\fIsudoedit_checkdir\fR +option has been disabled or the invoking user is root. +Additionally, in version 1.8.15 and higher, \fBsudoedit\fR will refuse to open a symbolic link unless either the \fIsudoedit_follow\fR -Defaults option is enabled or the +option is enabled or the \fIsudoedit\fR command is prefixed with the \fRFOLLOW\fR -tag. -However, it is still possible to create a hard link if the directory -is writable and the link target resides on the same file system. +tag in the +\fIsudoers\fR +file. .SS "Time stamp file checks" \fBsudoers\fR will check the ownership of its time stamp directory diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index c30556325..3d4f8de24 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd January 16, 2016 +.Dd January 19, 2016 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1215,7 +1215,7 @@ works and whether or not it will work on your system. .It Em FOLLOW No and Em NOFOLLOW Starting with version 1.8.15, .Nm sudoedit -will not follow symbolic links when opening files unless the +will not open a file that is a symbolic link unless the .Em sudoedit_follow option is enabled. The 
@@ -2517,19 +2517,25 @@ by default. .It sudoedit_checkdir If set, .Nm sudoedit -will check directories in the path to be edited for writability +will check all directory components of the path to be edited for writability by the invoking user. Symbolic links will not be followed in writable directories and .Nm sudoedit -will also refuse to edit a file located in a writable directory. -Theses restrictions are not enforced when +will refuse to edit a file located in a writable directory. +These restrictions are not enforced when .Nm sudoedit -is invoked as root. -On many systems, this option requires that all directories -in the path to be edited be readable by the target user. +is run by root. +On some systems, if all directory components of the path to be edited +are not readable by the target user, +.Nm sudoedit +will be unable to edit the file. This flag is -.Em off +.Em on by default. +.Pp +This setting was first introduced in version 1.8.15. +The check for symbolic links in writable intermediate directories +was added in version 1.8.16. .It sudoedit_follow By default, .Nm sudoedit 
@@ -4468,17 +4474,24 @@ has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. -Starting with version 1.8.15, +To prevent this, starting with version 1.8.16, symbolic links will +not be followed in writable directories and +.Nm sudoedit +will refuse to edit a file located in a writable directory +unless the +.Em sudoedit_checkdir +option has been disabled or the invoking user is root. +Additionally, in version 1.8.15 and higher, .Nm sudoedit will refuse to open a symbolic link unless either the .Em sudoedit_follow -Defaults option is enabled or the +option is enabled or the .Em sudoedit command is prefixed with the .Li FOLLOW -tag. -However, it is still possible to create a hard link if the directory -is writable and the link target resides on the same file system. +tag in the +.Em sudoers +file. .Ss Time stamp file checks .Nm sudoers will check the ownership of its time stamp directory diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 2309c64c4..16ee782b1 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -440,6 +440,7 @@ init_defaults(void) def_use_netgroups = true; #endif def_netgroup_tuple = false; + def_sudoedit_checkdir = true; /* Syslog options need special care since they both strings and ints */ #if (LOGGING & SLOG_SYSLOG) diff --git a/src/sudo.c b/src/sudo.c index 8fc564e0e..eaf05db8f 100644 --- a/src/sudo.c +++ b/src/sudo.c @@ -586,6 +586,7 @@ command_info_to_details(char * const info[], struct command_details *details) memset(details, 0, sizeof(*details)); details->closefrom = -1; details->execfd = -1; + details->flags = CD_SUDOEDIT_CHECKDIR; TAILQ_INIT(&details->preserved_fds); #define SET_STRING(s, n) \
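Review bot: the three new bullets in the sudo(8) DESCRIPTION (the sudo.cat hunk, mirrored in sudo.man.in and sudo.mdoc.in) say the restrictions hold "unless explicitly allowed by the security policy" but never say which setting lifts which restriction, while the sudoers(5) hunks in this same patch tie the first bullet to sudoedit_follow (and the FOLLOW/NOFOLLOW tags) and the second and third to sudoedit_checkdir. Consider naming those options in the bullets, or adding one sentence after the list pointing the reader to sudoers(5), so an administrator reading sudo(8) can tell that turning off sudoedit_checkdir removes both the writable-directory refusal and the symlink-in-path check at once.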
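Review bot: the sudo(8) SECURITY NOTES hunk (sudo.cat, with the matching sudo.man.in and sudo.mdoc.in hunks) deletes the whole "Likewise, users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to" paragraph, hard-link caveat included. The new behaviour only applies while sudoedit_checkdir is enabled and the invoking user is not root (as the sudoers(5) text in this patch says), so the policy-writing advice is still sound. Suggest keeping a shortened form rather than dropping the guidance entirely, e.g. "Likewise, users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to; see the sudoedit_checkdir option in sudoers(5) for the checks that mitigate this."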
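Review bot: in the sudoedit_checkdir description (sudoers.cat, and the same text in sudoers.man.in and sudoers.mdoc.in) the new sentence "if all directory components of the path to be edited are not readable by the target user, sudoedit will be unable to edit the file" reads as though every component must be unreadable for the edit to fail, whereas the wording it replaces ("requires that all directories in the path to be edited be readable") states the opposite condition. Suggest "if any directory component of the path to be edited is not readable by the target user, sudoedit will be unable to edit the file." The version note added below it records that the setting appeared in 1.8.15 and the intermediate-symlink check in 1.8.16, but not that the default changed to on; since that flip is exactly what this commit does, appending "and it is enabled by default as of version 1.8.16" would spare upgraders a surprise.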
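Review bot: the sudoers(5) SECURITY NOTES hunk (sudoers.cat, sudoers.man.in, sudoers.mdoc.in) removes "However, it is still possible to create a hard link if the directory is writable and the link target resides on the same file system" without saying why it no longer applies. From the new text the reason is that sudoedit now refuses to edit any file in a writable directory, which covers hard links as well as symbolic links, but only "unless the sudoedit_checkdir option has been disabled or the invoking user is root". Suggest saying so explicitly, e.g. "This also covers hard links, which cannot be told apart from the original file; administrators who disable sudoedit_checkdir lose that protection." Otherwise someone comparing the old and new pages may conclude the hard-link case was addressed some other way.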
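Review bot: the plugins/sudoers/defaults.c hunk sets def_sudoedit_checkdir = true in init_defaults(), which is what makes "This flag is on by default" in the sudoers(5) hunks true, and it is the only sudoers-side code change in the patch. If the boolean's default is recorded anywhere else (such as a table the defaults documentation is generated from), that copy needs the same flip or the two will disagree; worth a grep before merging. The unchanged context line "Syslog options need special care since they both strings and ints" is missing "are", a pre-existing typo that could ride along in this commit.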
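Review bot: in the src/sudo.c hunk, "details->flags = CD_SUDOEDIT_CHECKDIR;" directly after the memset() in command_info_to_details() means the front end now assumes the directory check is wanted whenever the policy plugin says nothing about it, so older or third-party policy plugins get the new behaviour without opting in; that matches the commit's intent but deserves a line in the change log. Plain assignment is safe only because the memset() two lines above has zeroed the field; if another flag is ever initialised before this line it would be clobbered, so "details->flags |= CD_SUDOEDIT_CHECKDIR;" is the more robust form. Also confirm that the command_info parsing further down this function clears CD_SUDOEDIT_CHECKDIR when the plugin explicitly reports the option disabled; without that, the documented "unless the sudoedit_checkdir option has been disabled" escape would never reach the front end.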