mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00
Code Issues Releases Wiki Activity

Add test for runas_check_shell and check_user_shell()

Browse Source
This commit is contained in:
Todd C. Miller 2023-06-30 10:43:39 -06:00
parent bdc8a7f35e
commit ac9b6c94d9
6 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
MANIFEST
View File

@ -1095,6 +1095,8 @@ plugins/sudoers/regress/testsudoers/test25.out.ok
plugins/sudoers/regress/testsudoers/test25.sh plugins/sudoers/regress/testsudoers/test25.sh
plugins/sudoers/regress/testsudoers/test26.out.ok plugins/sudoers/regress/testsudoers/test26.out.ok
plugins/sudoers/regress/testsudoers/test26.sh plugins/sudoers/regress/testsudoers/test26.sh
plugins/sudoers/regress/testsudoers/test27.out.ok
plugins/sudoers/regress/testsudoers/test27.sh
plugins/sudoers/regress/testsudoers/test3.out.ok plugins/sudoers/regress/testsudoers/test3.out.ok
plugins/sudoers/regress/testsudoers/test3.sh plugins/sudoers/regress/testsudoers/test3.sh
plugins/sudoers/regress/testsudoers/test4.out.ok plugins/sudoers/regress/testsudoers/test4.out.ok

1
plugins/sudoers/regress/testsudoers/group
View File

@ -12,5 +12,6 @@ games:*:13:
staff:*:20:root staff:*:20:root
guest:*:31:root guest:*:31:root
admin:*:1000: admin:*:1000:
fakeshell:*:1001:
nogroup:*:32766: nogroup:*:32766:
nobody:*:32767: nobody:*:32767:

1
plugins/sudoers/regress/testsudoers/passwd
View File

@ -3,4 +3,5 @@ daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
admin:*:1000:1000:Admin user:/home/admin:/bin/sh admin:*:1000:1000:Admin user:/home/admin:/bin/sh
fakeshell:*:1001:1001:Shell test user:/home/fakeshell:/shell/does/not/exist
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin

12
plugins/sudoers/regress/testsudoers/test27.out.ok Normal file
View File

@ -0,0 +1,12 @@
Parses OK
Entries for user admin:
ALL = (ALL) /bin/ls
host allowed
runas allowed
cmnd allowed
Invalid shell for user fakeshell: /shell/does/not/exist
Command denied

22
plugins/sudoers/regress/testsudoers/test27.sh Normal file
View File

@ -0,0 +1,22 @@
#!/bin/sh
#
# Verify that runas_check_shell works as expected.
#
: ${TESTSUDOERS=testsudoers}
exec 2>&1
# This should fail due to fakeshell's shell
$TESTSUDOERS -u fakeshell -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
admin /bin/ls <<'EOF'
Defaults runas_check_shell
admin ALL = (ALL) /bin/ls
EOF
# Expected failure
if [ $? -eq 0 ]; then
exit 1
else
exit 0
fi

8
plugins/sudoers/testsudoers.c
View File

@ -353,8 +353,14 @@ main(int argc, char *argv[])
validated = sudoers_lookup(&snl, sudo_user.pw, now, &callbacks, &status, validated = sudoers_lookup(&snl, sudo_user.pw, now, &callbacks, &status,
false); false);
/* Validate user-specified chroot or cwd (if any). */ /* Validate user-specified chroot or cwd (if any) and runas user shell. */
if (ISSET(validated, VALIDATE_SUCCESS)) { if (ISSET(validated, VALIDATE_SUCCESS)) {
if (!check_user_shell(runas_pw)) {
printf(U_("\nInvalid shell for user %s: %s\n"),
runas_pw->pw_name, runas_pw->pw_shell);
CLR(validated, VALIDATE_SUCCESS);
SET(validated, VALIDATE_FAILURE);
}
if (check_user_runchroot() != true) { if (check_user_runchroot() != true) {
printf("\nUser %s is not allowed to change root directory to %s\n", printf("\nUser %s is not allowed to change root directory to %s\n",
user_name, user_runchroot); user_name, user_runchroot);