mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Document the TOCTOU issue with intercept mode.

Browse Source 
Describe how intercept_verify attempts to reduce the risk.
This commit is contained in:
Todd C. Miller 2022-07-29 20:18:55 -06:00
parent 3eb6e78569
commit 4de5e12ddb
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
docs/sudoers.man.in
View File

@ -3410,6 +3410,12 @@ has completed but before the new command has had a chance to run.
In the case of a path name or argument mismatch, the command will be sent a In the case of a path name or argument mismatch, the command will be sent a
\fRSIGKILL\fR \fRSIGKILL\fR
signal and terminated. signal and terminated.
This can help prevent a time of check vs. time of use issue with
intercept mode where the
execve(2)
arguments could be altered after the
\fBsudoers\fR
policy check.
This flag has no effect unless the This flag has no effect unless the
\fIintercept\fR \fIintercept\fR
flag is enabled or the flag is enabled or the
@ -7012,6 +7018,27 @@ you can always just try it out and check whether or not external
commands run via a shell are logged when commands run via a shell are logged when
\fIintercept\fR \fIintercept\fR
is enabled. is enabled.
.sp
There is an inherent race condition between when a command is checked against
\fBsudoers\fR
rules and when it is actually executed.
If a user is allowed to run arbitrary commands, they may be able
to change the
execve(2)
arguments in the program after the
\fBsudoers\fR
policy check has completed but before the new command is executed.
Starting with version 1.9.12, the
ptrace(2)
method will verify that the command and its arguments have not changed after
execve(2)
has completed but before execution of the new program has had a chance to run.
This is not the case with the
\fIdso\fR
method.
See the description of the
\fIintercept_verify\fR
setting for more information.
.RE .RE
.TP 10n .TP 10n
log log

27
docs/sudoers.mdoc.in
View File

@ -3231,6 +3231,12 @@ has completed but before the new command has had a chance to run.
In the case of a path name or argument mismatch, the command will be sent a In the case of a path name or argument mismatch, the command will be sent a
.Dv SIGKILL .Dv SIGKILL
signal and terminated. signal and terminated.
This can help prevent a time of check vs. time of use issue with
intercept mode where the
.Xr execve 2
arguments could be altered after the
.Nm
policy check.
This flag has no effect unless the This flag has no effect unless the
.Em intercept .Em intercept
flag is enabled or the flag is enabled or the
@ -6498,6 +6504,27 @@ you can always just try it out and check whether or not external
commands run via a shell are logged when commands run via a shell are logged when
.Em intercept .Em intercept
is enabled. is enabled.
.Pp
There is an inherent race condition between when a command is checked against
.Nm
rules and when it is actually executed.
If a user is allowed to run arbitrary commands, they may be able
to change the
.Xr execve 2
arguments in the program after the
.Nm
policy check has completed but before the new command is executed.
Starting with version 1.9.12, the
.Xr ptrace 2
method will verify that the command and its arguments have not changed after
.Xr execve 2
has completed but before execution of the new program has had a chance to run.
This is not the case with the
.Em dso
method.
See the description of the
.Em intercept_verify
setting for more information.
.It log .It log
There are two separate but related ways to log additional commands. There are two separate but related ways to log additional commands.
The first is to enable I/O logging using the The first is to enable I/O logging using the