Add test for runas_check_shell and check_user_shell()

2025-08-22 01:49:11 +00:00 · 2023-06-30 10:43:39 -06:00 · 2023-06-30 10:43:39 -06:00 · ac9b6c94d9
commit ac9b6c94d9
parent bdc8a7f35e
6 changed files with 45 additions and 1 deletions
--- a/2
+++ b/2
@ -1095,6 +1095,8 @@ plugins/sudoers/regress/testsudoers/test25.out.ok
 plugins/sudoers/regress/testsudoers/test25.sh
 plugins/sudoers/regress/testsudoers/test26.out.ok
 plugins/sudoers/regress/testsudoers/test26.sh
+plugins/sudoers/regress/testsudoers/test27.out.ok
+plugins/sudoers/regress/testsudoers/test27.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
--- a/plugins/sudoers/regress/testsudoers/group
+++ b/plugins/sudoers/regress/testsudoers/group
@ -12,5 +12,6 @@ games:*:13:
 staff:*:20:root
 guest:*:31:root
 admin:*:1000:
+fakeshell:*:1001:
 nogroup:*:32766:
 nobody:*:32767:
--- a/plugins/sudoers/regress/testsudoers/passwd
+++ b/plugins/sudoers/regress/testsudoers/passwd
@ -3,4 +3,5 @@ daemon:*:1:1:The devil himself:/root:/sbin/nologin
 operator:*:2:5:System &:/operator:/sbin/nologin
 bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
 admin:*:1000:1000:Admin user:/home/admin:/bin/sh
+fakeshell:*:1001:1001:Shell test user:/home/fakeshell:/shell/does/not/exist
 nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
--- a/plugins/sudoers/regress/testsudoers/test27.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test27.out.ok
@ -0,0 +1,12 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = (ALL) /bin/ls
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Invalid shell for user fakeshell: /shell/does/not/exist
+
+Command denied
--- a/plugins/sudoers/regress/testsudoers/test27.sh
+++ b/plugins/sudoers/regress/testsudoers/test27.sh
@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Verify that runas_check_shell works as expected.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+# This should fail due to fakeshell's shell
+$TESTSUDOERS -u fakeshell -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+    admin /bin/ls <<'EOF'
+Defaults runas_check_shell
+admin ALL = (ALL) /bin/ls
+EOF
+
+# Expected failure
+if [ $? -eq 0 ]; then
+    exit 1
+else
+    exit 0
+fi
--- a/plugins/sudoers/testsudoers.c
+++ b/plugins/sudoers/testsudoers.c
@ -353,8 +353,14 @@ main(int argc, char *argv[])
    validated = sudoers_lookup(&snl, sudo_user.pw, now, &callbacks, &status,
 	false);

-    /* Validate user-specified chroot or cwd (if any). */
+    /* Validate user-specified chroot or cwd (if any) and runas user shell. */
    if (ISSET(validated, VALIDATE_SUCCESS)) {
+	if (!check_user_shell(runas_pw)) {
+	    printf(U_("\nInvalid shell for user %s: %s\n"),
+		runas_pw->pw_name, runas_pw->pw_shell);
+	    CLR(validated, VALIDATE_SUCCESS);
+	    SET(validated, VALIDATE_FAILURE);
+	}
 	if (check_user_runchroot() != true) {
 	    printf("\nUser %s is not allowed to change root directory to %s\n",
 		user_name, user_runchroot);