mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00

Revert pivot_root and go back to prepending the new root directory.

We cannot perform passwd/group lookups _after_ changing the root
directory.  This does mean that symbolic links in a path are not
currently handled properly when matching chroot()ed commands.

Fixes a local privilege escalation vulnerability where a user could
craft their own nsswitch.conf file to load a shared library of their
choosing and run arbitrary code.  CVE-2025-32463

Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
Todd C. Miller
2025-04-06 08:28:46 -06:00
parent f8ff956e17
commit fffcc07c53
18 changed files with 641 additions and 822 deletions


@@ -49,7 +49,6 @@
#include <defaults.h>
#include <logging.h>
#include <parse.h>
#include <pivot.h>
/*
* Info passed in from the sudo front-end.
@@ -314,15 +313,16 @@ struct stat;
* Function prototypes
*/
/* goodpath.c */
bool sudo_goodpath(const char *path, struct stat *sbp);
bool sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp);
/* findpath.c */
int find_path(const char *infile, char **outfile, struct stat *sbp,
const char *path, bool ignore_dot, char * const *allowlist);
const char *path, const char *runchroot, bool ignore_dot,
char * const *allowlist);
/* resolve_cmnd.c */
int resolve_cmnd(struct sudoers_context *ctx, const char *infile,
char **outfile, const char *path);
char **outfile, const char *path, const char *runchroot);
/* check.c */
int check_user(struct sudoers_context *ctx, unsigned int validated, unsigned int mode);
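Review bot: The new `runchroot` parameter on the `sudo_goodpath()`, `find_path()` and `resolve_cmnd()` prototypes has no stated contract, and in each it sits directly after `const char *path` with the same type, so a call that swaps the two arguments still compiles cleanly. A comment above the prototypes would help, for example `/* runchroot: new root directory prepended to path for lookups; NULL presumably means no chroot (confirm) */`. The commit message says symbolic links are not resolved relative to the new root when matching chroot()ed commands; that limitation belongs in the same comment so callers do not read a successful match as proof that the file lies inside the new root. The definitions in goodpath.c, findpath.c and resolve_cmnd.c are outside this section, so how a NULL or empty `runchroot` is handled cannot be checked from here.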