mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00
Code Issues Releases Wiki Activity

Better document the limitations of intercept mode.

Browse Source 
Also mention log_children under "Preventing shell escapes"
This commit is contained in:
Todd C. Miller 2021-08-16 12:44:49 -06:00
parent e4809d634d
commit fc9a01936c
4 changed files with 145 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/sudo.man.in
View File

@ -2,7 +2,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
.\" Todd C. Miller <Todd.Miller@sudo.ws> .\" Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDO" "@mansectsu@" "September 1, 2020" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "@mansectsu@" "August 16, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -1069,7 +1069,7 @@ Because of this, care must be taken when giving users access to commands via
\fBsudo\fR \fBsudo\fR
to verify that the command does not inadvertently give the user an to verify that the command does not inadvertently give the user an
effective root shell. effective root shell.
For more information, please see the For information on ways to address this, please see the
\fIPreventing shell escapes\fR \fIPreventing shell escapes\fR
section in section in
sudoers(@mansectform@). sudoers(@mansectform@).

6
doc/sudo.mdoc.in
View File

@ -1,7 +1,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
.\" Todd C. Miller <Todd.Miller@sudo.ws> .\" Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd September 1, 2020 .Dd August 16, 2021
.Dt SUDO @mansectsu@ .Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -1010,7 +1010,7 @@ Because of this, care must be taken when giving users access to commands via
.Nm .Nm
to verify that the command does not inadvertently give the user an to verify that the command does not inadvertently give the user an
effective root shell. effective root shell.
For more information, please see the For information on ways to address this, please see the
.Em Preventing shell escapes .Em Preventing shell escapes
section in section in
.Xr sudoers @mansectform@ . .Xr sudoers @mansectform@ .

82
doc/sudoers.man.in
View File

@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "August 15, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "August 16, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -1049,7 +1049,7 @@ Warning, if the user has write access to the command itself (directly or via a
command), it may be possible for the user to replace the command after the command), it may be possible for the user to replace the command after the
digest check has been performed but before the command is executed. digest check has been performed but before the command is executed.
A similar race condition exists on systems that lack the A similar race condition exists on systems that lack the
fexecve(2) \fBfexecve\fR()
system call when the directory in which the command is located system call when the directory in which the command is located
is writable by the user. is writable by the user.
See the description of the See the description of the
@ -1846,7 +1846,7 @@ has been compiled with
\fIintercept\fR \fIintercept\fR
support and the underlying operating system supports it, the support and the underlying operating system supports it, the
\fRINTERCEPT\fR \fRINTERCEPT\fR
tag can be used to cause programs spawned by a command to be checked against tag can be used to cause programs spawned by a command to be validated against
\fIsudoers\fR \fIsudoers\fR
and logged just like they would be if run through and logged just like they would be if run through
\fBsudo\fR \fBsudo\fR
@ -2761,7 +2761,10 @@ This setting is only supported by version 1.8.29 or higher.
log_children log_children
If set, If set,
\fBsudoers\fR \fBsudoers\fR
will log when a command runs a child process. will log when a command spawns a child process and executes a program
using the
\fBexecve\fR()
system call.
For example, if a shell is run by For example, if a shell is run by
\fBsudo\fR, \fBsudo\fR,
the individual commands run via the shell will be logged. the individual commands run via the shell will be logged.
@ -4490,7 +4493,7 @@ alias.
.sp .sp
This setting is only supported by version 1.8.20 or higher. This setting is only supported by version 1.8.20 or higher.
If the operating system does not support the If the operating system does not support the
fexecve(2) \fBfexecve\fR()
system call, this setting has no effect. system call, this setting has no effect.
.RE .RE
.TP 14n .TP 14n
@ -5547,12 +5550,12 @@ if no terminal was present.
.TP 10n .TP 10n
runargv runargv
A JSON array representing the command's argument vector as passed to the A JSON array representing the command's argument vector as passed to the
execve(2) \fBexecve\fR()
system call. system call.
.TP 10n .TP 10n
runenv runenv
A JSON array representing the command's environment as passed to the A JSON array representing the command's environment as passed to the
execve(2) \fBexecve\fR()
system call. system call.
.TP 10n .TP 10n
rungid rungid
@ -6250,7 +6253,7 @@ access control and logging.
Common programs that permit shell escapes include shells (obviously), Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
.PP .PP
There are three basic approaches to this problem: There are four basic approaches to this problem:
.TP 10n .TP 10n
restrict restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
@ -6277,15 +6280,25 @@ On such systems,
\fIintercept\fR \fIintercept\fR
functionality can be used to transparently intercept an attempt to functionality can be used to transparently intercept an attempt to
run a new command, allow or deny it based on run a new command, allow or deny it based on
\fIsudoers\fR, \fIsudoers\fR
and log the result. rules, and log the result.
For example, this can be used to restrict the commands run from For example, this can be used to restrict the commands run from
within a shell. within a privileged shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables Statically-linked executables and executables
running under binary emulation are not affected. running under binary emulation are not affected.
Also, many shells support built-in commands that cannot be intercepted by Also, most shells support built-in commands and the ability to read
or write sensitive files that cannot be intercepted by
\fBsudo\fR.
.sp
Currently,
\fBsudo\fR's
\fIintercept\fR
functionality only works for programs that use the
\fBexecve\fR()
system call to run the new command.
This may be expanded in a future release of
\fBsudo\fR. \fBsudo\fR.
.sp .sp
The The
@ -6327,6 +6340,29 @@ commands run via a shell are logged when
is enabled. is enabled.
.RE .RE
.TP 10n .TP 10n
log
There are two separate but related ways to log additional commands.
The first is to enable I/O logging using the
\fIlog_output\fR
flag.
This will log the command's output but will not create an event log
entry when the additional command is run.
The second is to enable the
\fIlog_children\fR
flag in
\fIsudoers\fR
which will create an event log entry every time a new command is run.
If I/O logging is also enabled, the log entry will include a time offset
into the I/O log to indicate when the command was run.
This offset can be passed to the
sudoreplay(@mansectsu@)
utility to replay the I/O log at the exact moment when the command was run.
The
\fIlog_children\fR
flag uses the same mechanism as
\fIintercept\fR
(see above) and has the same limitations.
.TP 10n
noexec noexec
\fBsudo\fR's \fBsudo\fR's
\fInoexec\fR \fInoexec\fR
@ -6336,6 +6372,28 @@ from executing any other programs.
On most systems, it uses the same mechanism as On most systems, it uses the same mechanism as
\fIintercept\fR \fIintercept\fR
(see above) and thus the same caveats apply. (see above) and thus the same caveats apply.
The
\fInoexec\fR
functionality
is capable of blocking execution of commands run via the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexecv\fR(),
\fBexecveat\fR(),
\fBexecvp\fR(),
\fBexecve\fR(),
\fBexecvP\fR(),
\fBexecvpe\fR(),
\fBexect\fR(),
\fBfexecve\fR(),
\fBposix_spawn\fR(),
\fBposix_spawnp\fR(),
\fBsystem\fR(),
\fBpopen\fR(),
and
\fBwordexp\fR()
functions.
On Linux, a On Linux, a
\fBseccomp\fR() \fBseccomp\fR()
filter is used to implement filter is used to implement

81
doc/sudoers.mdoc.in
View File

@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd August 15, 2021 .Dd August 16, 2021
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -1006,7 +1006,7 @@ Warning, if the user has write access to the command itself (directly or via a
command), it may be possible for the user to replace the command after the command), it may be possible for the user to replace the command after the
digest check has been performed but before the command is executed. digest check has been performed but before the command is executed.
A similar race condition exists on systems that lack the A similar race condition exists on systems that lack the
.Xr fexecve 2 .Fn fexecve
system call when the directory in which the command is located system call when the directory in which the command is located
is writable by the user. is writable by the user.
See the description of the See the description of the
@ -1746,7 +1746,7 @@ has been compiled with
.Em intercept .Em intercept
support and the underlying operating system supports it, the support and the underlying operating system supports it, the
.Li INTERCEPT .Li INTERCEPT
tag can be used to cause programs spawned by a command to be checked against tag can be used to cause programs spawned by a command to be validated against
.Em sudoers .Em sudoers
and logged just like they would be if run through and logged just like they would be if run through
.Nm sudo .Nm sudo
@ -2601,7 +2601,10 @@ This setting is only supported by version 1.8.29 or higher.
.It log_children .It log_children
If set, If set,
.Nm .Nm
will log when a command runs a child process. will log when a command spawns a child process and executes a program
using the
.Fn execve
system call.
For example, if a shell is run by For example, if a shell is run by
.Nm sudo , .Nm sudo ,
the individual commands run via the shell will be logged. the individual commands run via the shell will be logged.
@ -4210,7 +4213,7 @@ alias.
.Pp .Pp
This setting is only supported by version 1.8.20 or higher. This setting is only supported by version 1.8.20 or higher.
If the operating system does not support the If the operating system does not support the
.Xr fexecve 2 .Fn fexecve
system call, this setting has no effect. system call, this setting has no effect.
.It group_plugin .It group_plugin
A string containing a A string containing a
@ -5171,11 +5174,11 @@ The number of lines of the terminal the command ran on, or zero
if no terminal was present. if no terminal was present.
.It runargv .It runargv
A JSON array representing the command's argument vector as passed to the A JSON array representing the command's argument vector as passed to the
.Xr execve 2 .Fn execve
system call. system call.
.It runenv .It runenv
A JSON array representing the command's environment as passed to the A JSON array representing the command's environment as passed to the
.Xr execve 2 .Fn execve
system call. system call.
.It rungid .It rungid
The group ID the command ran as. The group ID the command ran as.
@ -5774,7 +5777,7 @@ access control and logging.
Common programs that permit shell escapes include shells (obviously), Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs. editors, paginators, mail and terminal programs.
.Pp .Pp
There are three basic approaches to this problem: There are four basic approaches to this problem:
.Bl -tag -width 8n .Bl -tag -width 8n
.It restrict .It restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
@ -5799,15 +5802,25 @@ On such systems,
.Em intercept .Em intercept
functionality can be used to transparently intercept an attempt to functionality can be used to transparently intercept an attempt to
run a new command, allow or deny it based on run a new command, allow or deny it based on
.Em sudoers , .Em sudoers
and log the result. rules, and log the result.
For example, this can be used to restrict the commands run from For example, this can be used to restrict the commands run from
within a shell. within a privileged shell.
Note, however, that this applies only to dynamically-linked Note, however, that this applies only to dynamically-linked
executables. executables.
Statically-linked executables and executables Statically-linked executables and executables
running under binary emulation are not affected. running under binary emulation are not affected.
Also, many shells support built-in commands that cannot be intercepted by Also, most shells support built-in commands and the ability to read
or write sensitive files that cannot be intercepted by
.Nm sudo .
.Pp
Currently,
.Nm sudo Ns 's
.Em intercept
functionality only works for programs that use the
.Fn execve
system call to run the new command.
This may be expanded in a future release of
.Nm sudo . .Nm sudo .
.Pp .Pp
The The
@ -5843,6 +5856,28 @@ you can always just try it out and check whether or not external
commands run via a shell are logged when commands run via a shell are logged when
.Em intercept .Em intercept
is enabled. is enabled.
.It log
There are two separate but related ways to log additional commands.
The first is to enable I/O logging using the
.Em log_output
flag.
This will log the command's output but will not create an event log
entry when the additional command is run.
The second is to enable the
.Em log_children
flag in
.Em sudoers
which will create an event log entry every time a new command is run.
If I/O logging is also enabled, the log entry will include a time offset
into the I/O log to indicate when the command was run.
This offset can be passed to the
.Xr sudoreplay @mansectsu@
utility to replay the I/O log at the exact moment when the command was run.
The
.Em log_children
flag uses the same mechanism as
.Em intercept
(see above) and has the same limitations.
.It noexec .It noexec
.Nm sudo Ns 's .Nm sudo Ns 's
.Em noexec .Em noexec
@ -5852,6 +5887,28 @@ from executing any other programs.
On most systems, it uses the same mechanism as On most systems, it uses the same mechanism as
.Em intercept .Em intercept
(see above) and thus the same caveats apply. (see above) and thus the same caveats apply.
The
.Em noexec
functionality
is capable of blocking execution of commands run via the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn execv ,
.Fn execveat ,
.Fn execvp ,
.Fn execve ,
.Fn execvP ,
.Fn execvpe ,
.Fn exect ,
.Fn fexecve ,
.Fn posix_spawn ,
.Fn posix_spawnp ,
.Fn system ,
.Fn popen ,
and
.Fn wordexp
functions.
On Linux, a On Linux, a
.Fn seccomp .Fn seccomp
filter is used to implement filter is used to implement