mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-23 02:17:35 +00:00
Document the TOCTOU issue with intercept mode.
Describe how intercept_verify attempts to reduce the risk.
This commit is contained in:
Todd C. Miller
parent
3eb6e78569
commit
4de5e12ddb
@ -3410,6 +3410,12 @@ has completed but before the new command has had a chance to run.
|
||||
In the case of a path name or argument mismatch, the command will be sent a
|
||||
\fRSIGKILL\fR
|
||||
signal and terminated.
|
||||
This can help prevent a time of check vs. time of use issue with
|
||||
intercept mode where the
|
||||
execve(2)
|
||||
arguments could be altered after the
|
||||
\fBsudoers\fR
|
||||
policy check.
|
||||
This flag has no effect unless the
|
||||
\fIintercept\fR
|
||||
flag is enabled or the
|
||||
@ -7012,6 +7018,27 @@ you can always just try it out and check whether or not external
|
||||
commands run via a shell are logged when
|
||||
\fIintercept\fR
|
||||
is enabled.
|
||||
.sp
|
||||
There is an inherent race condition between when a command is checked against
|
||||
\fBsudoers\fR
|
||||
rules and when it is actually executed.
|
||||
If a user is allowed to run arbitrary commands, they may be able
|
||||
to change the
|
||||
execve(2)
|
||||
arguments in the program after the
|
||||
\fBsudoers\fR
|
||||
policy check has completed but before the new command is executed.
|
||||
Starting with version 1.9.12, the
|
||||
ptrace(2)
|
||||
method will verify that the command and its arguments have not changed after
|
||||
execve(2)
|
||||
has completed but before execution of the new program has had a chance to run.
|
||||
This is not the case with the
|
||||
\fIdso\fR
|
||||
method.
|
||||
See the description of the
|
||||
\fIintercept_verify\fR
|
||||
setting for more information.
|
||||
.RE
|
||||
.TP 10n
|
||||
log
|
||||
|
||||
@ -3231,6 +3231,12 @@ has completed but before the new command has had a chance to run.
|
||||
In the case of a path name or argument mismatch, the command will be sent a
|
||||
.Dv SIGKILL
|
||||
signal and terminated.
|
||||
This can help prevent a time of check vs. time of use issue with
|
||||
intercept mode where the
|
||||
.Xr execve 2
|
||||
arguments could be altered after the
|
||||
.Nm
|
||||
policy check.
|
||||
This flag has no effect unless the
|
||||
.Em intercept
|
||||
flag is enabled or the
|
||||
@ -6498,6 +6504,27 @@ you can always just try it out and check whether or not external
|
||||
commands run via a shell are logged when
|
||||
.Em intercept
|
||||
is enabled.
|
||||
.Pp
|
||||
There is an inherent race condition between when a command is checked against
|
||||
.Nm
|
||||
rules and when it is actually executed.
|
||||
If a user is allowed to run arbitrary commands, they may be able
|
||||
to change the
|
||||
.Xr execve 2
|
||||
arguments in the program after the
|
||||
.Nm
|
||||
policy check has completed but before the new command is executed.
|
||||
Starting with version 1.9.12, the
|
||||
.Xr ptrace 2
|
||||
method will verify that the command and its arguments have not changed after
|
||||
.Xr execve 2
|
||||
has completed but before execution of the new program has had a chance to run.
|
||||
This is not the case with the
|
||||
.Em dso
|
||||
method.
|
||||
See the description of the
|
||||
.Em intercept_verify
|
||||
setting for more information.
|
||||
.It log
|
||||
There are two separate but related ways to log additional commands.
|
||||
The first is to enable I/O logging using the
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user