
Pass a secret value to sudo_intercept.so and verify after policy check.

The goal is to make it harder for someone to substitute a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
This commit is contained in:
Todd C. Miller
2021-08-13 09:10:44 -06:00
parent c9d9225469
commit eaf03a382b
8 changed files with 57 additions and 7 deletions


@@ -53,6 +53,7 @@
extern char **environ;
static int intercept_sock = -1;
static uint64_t secret;
/*
* Look up SUDO_INTERCEPT_FD in the environment.
@@ -82,6 +83,7 @@ sudo_interposer_init(void)
if (strncmp(*p, "SUDO_INTERCEPT_FD=", sizeof("SUDO_INTERCEPT_FD=") -1) == 0) {
const char *fdstr = *p + sizeof("SUDO_INTERCEPT_FD=") - 1;
const char *errstr;
char ch = INTERCEPT_REQ_SEC;
int fd;
fd = sudo_strtonum(fdstr, 0, INT_MAX, &errstr);
@@ -90,6 +92,19 @@ sudo_interposer_init(void)
"invalid SUDO_INTERCEPT_FD: %s: %s", fdstr, errstr);
break;
}
/* Request secret from parent. */
if (send(fd, &ch, sizeof(ch), 0) != sizeof(ch)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to request secret: %s", strerror(errno));
break;
}
if (recv(fd, &secret, sizeof(secret), 0) != sizeof(secret)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to read secret: %s", strerror(errno));
break;
}
intercept_sock = fd;
break;
}
@@ -308,6 +323,10 @@ command_allowed(const char *cmnd, char * const argv[], char * const envp[],
"unable to unpack %s size %u", "PolicyCheckResult", res_len);
goto done;
}
if (res->secret != secret) {
sudo_warnx("secret mismatch\r");
goto done;
}
switch (res->type_case) {
case POLICY_CHECK_RESULT__TYPE_ACCEPT_MSG:
if (sudo_debug_needed(SUDO_DEBUG_INFO)) {
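Review bot: The check at `if (res->secret != secret)` only catches a checker that took over the socket after sudo_interposer_init(), because the secret is itself fetched over that same SUDO_INTERCEPT_FD socket via INTERCEPT_REQ_SEC — an endpoint that controls the fd from the start answers the request with a value of its choosing and every later result matches. That is consistent with the commit message's caveat, but it is worth recording next to the check so the guarantee is not overstated: `/* Results must carry the secret obtained from the parent at init; this catches a checker swapped onto the fd afterwards, not one present from the start. */`. On mismatch the code warns and jumps to `done`, whose return value lies outside this hunk — confirm it denies (returns false) rather than falling through to an accept default. Separately, in sudo_interposer_init() the `recv(fd, &secret, sizeof(secret), 0) != sizeof(secret)` test treats any short read of the 8-byte secret as a hard failure; if the fd can be a stream socket, a small read loop would avoid a spurious setup failure.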