From 719de4dd4a6b70829c904ee6940d7fc2aea5558f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Thu, 17 May 2012 12:09:56 -0400
Subject: [PATCH] Relax the user/group/mode checks on sudoers files.  As long
 as the file is owned by the right user, not world-writable and not writable
 by a group other than the one specified at configure time (gid 0 byile is
 considered OK.  Note that visudo will still set the mode to the value
 specified at configure time.

--HG--
branch : 1.7
---
 Makefile.in   | 18 +++++-----
 secure_path.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++
 secure_path.h | 31 +++++++++++++++++
 3 files changed, 135 insertions(+), 9 deletions(-)
 create mode 100644 secure_path.c
 create mode 100644 secure_path.h

diff --git a/Makefile.in b/Makefile.in
index dcdff1890..d641c8b78 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -111,12 +111,12 @@ SRCS = aix.c alias.c alloc.c audit.c boottime.c bsm_audit.c check.c \
        getspwuid.c gettime.c glob.c goodpath.c gram.c gram.y interfaces.c \
        iolog.c isblank.c lbuf.c ldap.c linux_audit.c list.c logging.c \
        logwrap.c match.c mksiglist.c mkstemps.c memrchr.c nanosleep.c parse.c \
-       parse_args.c pwutil.c set_perms.c setsid.c sigaction.c snprintf.c \
-       strcasecmp.c strerror.c strlcat.c strlcpy.c strsignal.c sudo.c \
-       sudo_noexec.c sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c \
-       toke.c toke.l toke_util.c tsgetgrpw.c ttyname.c utimes.c vasgroups.c \
-       visudo.c zero_bytes.c redblack.c selinux.c sesh.c sudoreplay.c \
-       getdate.c getdate.y getline.c timestr.c $(AUTH_SRCS)
+       parse_args.c pwutil.c secure_path.c set_perms.c setsid.c sigaction.c \
+       snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c strsignal.c \
+       sudo.c sudo_noexec.c sudo_edit.c sudo_nss.c term.c testsudoers.c \
+       tgetpass.c toke.c toke.l toke_util.c tsgetgrpw.c ttyname.c utimes.c \
+       vasgroups.c visudo.c zero_bytes.c redblack.c selinux.c sesh.c \
+       sudoreplay.c getdate.c getdate.y getline.c timestr.c $(AUTH_SRCS)
 
 AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
 	    auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@@ -126,9 +126,9 @@ AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
 HDRS = alloc.h bsm_audit.h def_data.h defaults.h error.h ins_2001.h \
        ins_classic.h ins_csops.h ins_goons.h insults.h interfaces.h lbuf.h \
        linux_audit.h list.h logging.h missing.h mksiglist.h nonunix.h \
-       redblack.h parse.h sudo.h sudo_exec.h sudo_nss.h gram.h toke.h \
-       auth/sudo_auth.h emul/charclass.h emul/fnmatch.h emul/glob.h \
-       emul/timespec.h emul/utime.h
+       redblack.h parse.h secure_path.h sudo.h sudo_exec.h sudo_nss.h \
+       gram.h toke.h auth/sudo_auth.h emul/charclass.h emul/fnmatch.h \
+       emul/glob.h emul/timespec.h emul/utime.h
 
 AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
 
diff --git a/secure_path.c b/secure_path.c
new file mode 100644
index 000000000..e5e10eb33
--- /dev/null
+++ b/secure_path.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif /* HAVE_UNISTD_H */
+#include <errno.h>
+
+#include "missing.h"
+#include "secure_path.h"
+
+/*
+ * Verify that path is the right type and not writable by other users.
+ */
+int
+sudo_secure_path(path, type, uid, gid, sbp)
+    const char *path;
+    int type;
+    uid_t uid;
+    gid_t gid;
+    struct stat *sbp;
+{
+    struct stat sb;
+    int rval = SUDO_PATH_MISSING;
+
+    if (path != NULL && stat_sudoers(path, &sb) == 0) {
+	if ((sb.st_mode & _S_IFMT) != type) {
+	    rval = SUDO_PATH_BAD_TYPE;
+	} else if (uid != (uid_t)-1 && sb.st_uid != uid) {
+	    rval = SUDO_PATH_WRONG_OWNER;
+	} else if (sb.st_mode & S_IWOTH) {
+	    rval = SUDO_PATH_WORLD_WRITABLE;
+	} else if (ISSET(sb.st_mode, S_IWGRP) &&
+	    (gid == (gid_t)-1 || sb.st_gid != gid)) {
+	    rval = SUDO_PATH_GROUP_WRITABLE;
+	} else {
+	    rval = SUDO_PATH_SECURE;
+	}
+	if (sbp)
+	    (void) memcpy(sbp, &sb, sizeof(struct stat));
+    }
+
+    return rval;
+}
+
+/*
+ * Verify that path is a regular file and not writable by other users.
+ */
+int
+sudo_secure_file(path, uid, gid, sbp)
+    const char *path;
+    uid_t uid;
+    gid_t gid;
+    struct stat *sbp;
+{
+    return sudo_secure_path(path, _S_IFREG, uid, gid, sbp);
+}
+
+/*
+ * Verify that path is a directory and not writable by other users.
+ */
+int
+sudo_secure_dir(path, uid, gid, sbp)
+    const char *path;
+    uid_t uid;
+    gid_t gid;
+    struct stat *sbp;
+{
+    return sudo_secure_path(path, _S_IFDIR, uid, gid, sbp);
+}
diff --git a/secure_path.h b/secure_path.h
new file mode 100644
index 000000000..2dc32192b
--- /dev/null
+++ b/secure_path.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _SUDO_SECURE_PATH_H
+#define _SUDO_SECURE_PATH_H
+
+#define SUDO_PATH_SECURE		0
+#define SUDO_PATH_MISSING		-1
+#define SUDO_PATH_BAD_TYPE		-2
+#define SUDO_PATH_WRONG_OWNER		-3
+#define SUDO_PATH_WORLD_WRITABLE	-4
+#define SUDO_PATH_GROUP_WRITABLE	-5
+
+int sudo_secure_dir __P((const char *path, uid_t uid, gid_t gid, struct stat *sbp));
+int sudo_secure_file __P((const char *path, uid_t uid, gid_t gid, struct stat *sbp));
+int sudo_secure_path __P((const char *path, int type, uid_t uid, gid_t gid, struct stat *sbp));
+
+#endif /* _SUDO_SECURE_PATH_H */
-- 
2.40.0