mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-31 06:15:37 +00:00
Escape control characters in log messages and "sudoreplay -l" output.
The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped. Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com).
This commit is contained in:
Todd C. Miller
@@ -5877,14 +5877,31 @@ can log events via
|
||||
syslog(3),
|
||||
to a local log file, or both.
|
||||
The log format is almost identical in both cases.
|
||||
Any control characters present in the log data are formatted in octal
|
||||
with a leading
|
||||
\(oq#\(cq
|
||||
character.
|
||||
For example, a horizontal tab is stored as
|
||||
\(oq#011\(cq
|
||||
and an embedded carriage return is stored as
|
||||
\(oq#015\(cq.
|
||||
In addition, space characters in the command path are stored as
|
||||
\(oq#040\(cq.
|
||||
Command line arguments that contain spaces are enclosed in single quotes
|
||||
('').
|
||||
This makes it possible to distinguish multiple command line arguments
|
||||
from a single argument that contains spaces.
|
||||
Literal single quotes and backslash characters
|
||||
(\(oq\e\(cq)
|
||||
in command line arguments are escaped with a backslash.
|
||||
.SS "Accepted command log entries"
|
||||
Commands that sudo runs are logged using the following format (split
|
||||
into multiple lines for readability):
|
||||
.nf
|
||||
.sp
|
||||
.RS 4n
|
||||
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
|
||||
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
|
||||
date hostname progname: username : TTY=ttyname ; CHROOT=chroot ; \e
|
||||
PWD=cwd ; USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
|
||||
ENV=env_vars COMMAND=command
|
||||
.RE
|
||||
.fi
|
||||
@@ -5933,6 +5950,9 @@ was run on, or
|
||||
\(lqunknown\(rq
|
||||
if there was no terminal present.
|
||||
.TP 14n
|
||||
chroot
|
||||
The root directory that the command was run in, if one was specified.
|
||||
.TP 14n
|
||||
cwd
|
||||
The current working directory that
|
||||
\fBsudo\fR
|
||||
@@ -5957,7 +5977,7 @@ A list of environment variables specified on the command line,
|
||||
if specified.
|
||||
.TP 14n
|
||||
command
|
||||
The actual command that was executed.
|
||||
The actual command that was executed, including any command line arguments.
|
||||
.PP
|
||||
Messages are logged using the locale specified by
|
||||
\fIsudoers_locale\fR,
|
||||
@@ -6195,17 +6215,21 @@ with a few important differences:
|
||||
1.\&
|
||||
The
|
||||
\fIprogname\fR
|
||||
and
|
||||
\fIhostname\fR
|
||||
fields are not present.
|
||||
field is not present.
|
||||
.TP 5n
|
||||
2.\&
|
||||
If the
|
||||
\fIlog_year\fR
|
||||
option is enabled,
|
||||
the date will also include the year.
|
||||
The
|
||||
\fIhostname\fR
|
||||
is only logged if the
|
||||
\fIlog_host\fR
|
||||
option is enabled.
|
||||
.TP 5n
|
||||
3.\&
|
||||
The date does not include the year unless the
|
||||
\fIlog_year\fR
|
||||
option is enabled.
|
||||
.TP 5n
|
||||
4.\&
|
||||
Lines that are longer than
|
||||
\fIloglinelen\fR
|
||||
characters (80 by default) are word-wrapped and continued on the
|
||||
|
||||
@@ -5503,12 +5503,29 @@ can log events via
|
||||
.Xr syslog 3 ,
|
||||
to a local log file, or both.
|
||||
The log format is almost identical in both cases.
|
||||
Any control characters present in the log data are formatted in octal
|
||||
with a leading
|
||||
.Ql #
|
||||
character.
|
||||
For example, a horizontal tab is stored as
|
||||
.Ql #011
|
||||
and an embedded carriage return is stored as
|
||||
.Ql #015 .
|
||||
In addition, space characters in the command path are stored as
|
||||
.Ql #040 .
|
||||
Command line arguments that contain spaces are enclosed in single quotes
|
||||
.Pq '' .
|
||||
This makes it possible to distinguish multiple command line arguments
|
||||
from a single argument that contains spaces.
|
||||
Literal single quotes and backslash characters
|
||||
.Pq Ql \e
|
||||
in command line arguments are escaped with a backslash.
|
||||
.Ss Accepted command log entries
|
||||
Commands that sudo runs are logged using the following format (split
|
||||
into multiple lines for readability):
|
||||
.Bd -literal -offset 4n
|
||||
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
|
||||
USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
|
||||
date hostname progname: username : TTY=ttyname ; CHROOT=chroot ; \e
|
||||
PWD=cwd ; USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
|
||||
ENV=env_vars COMMAND=command
|
||||
.Ed
|
||||
.Pp
|
||||
@@ -5551,6 +5568,8 @@ or
|
||||
was run on, or
|
||||
.Dq unknown
|
||||
if there was no terminal present.
|
||||
.It chroot
|
||||
The root directory that the command was run in, if one was specified.
|
||||
.It cwd
|
||||
The current working directory that
|
||||
.Nm sudo
|
||||
@@ -5570,7 +5589,7 @@ option is enabled.
|
||||
A list of environment variables specified on the command line,
|
||||
if specified.
|
||||
.It command
|
||||
The actual command that was executed.
|
||||
The actual command that was executed, including any command line arguments.
|
||||
.El
|
||||
.Pp
|
||||
Messages are logged using the locale specified by
|
||||
@@ -5794,14 +5813,17 @@ with a few important differences:
|
||||
.It
|
||||
The
|
||||
.Em progname
|
||||
and
|
||||
.Em hostname
|
||||
fields are not present.
|
||||
field is not present.
|
||||
.It
|
||||
If the
|
||||
The
|
||||
.Em hostname
|
||||
is only logged if the
|
||||
.Em log_host
|
||||
option is enabled.
|
||||
.It
|
||||
The date does not include the year unless the
|
||||
.Em log_year
|
||||
option is enabled,
|
||||
the date will also include the year.
|
||||
option is enabled.
|
||||
.It
|
||||
Lines that are longer than
|
||||
.Em loglinelen
|
||||
|
||||
@@ -170,6 +170,15 @@ In this mode,
|
||||
will list available sessions in a format similar to the
|
||||
\fBsudo\fR
|
||||
log file format, sorted by file name (or sequence number).
|
||||
Any control characters present in the log data are formated in octal
|
||||
with a leading
|
||||
\(oq#\(cq
|
||||
character.
|
||||
For example, a horizontal tab is displayed as
|
||||
\(oq#011\(cq
|
||||
and an embedded carriage return is displayed as
|
||||
\(oq#015\(cq.
|
||||
.sp
|
||||
If a
|
||||
\fIsearch expression\fR
|
||||
is specified, it will be used to restrict the IDs that are displayed.
|
||||
|
||||
@@ -162,6 +162,16 @@ In this mode,
|
||||
will list available sessions in a format similar to the
|
||||
.Nm sudo
|
||||
log file format, sorted by file name (or sequence number).
|
||||
Any control characters present in the log data are formatted in octal
|
||||
with a leading
|
||||
.Ql #
|
||||
character.
|
||||
For example, a horizontal tab is displayed as
|
||||
.Ql #011
|
||||
and an embedded carriage return is displayed as
|
||||
.Ql #015 .
|
||||
Space characters in the command name and arguments are also formatted in octal.
|
||||
.Pp
|
||||
If a
|
||||
.Ar search expression
|
||||
is specified, it will be used to restrict the IDs that are displayed.
|
||||
|
||||
Reference in New Issue
Block a user