jobcore/sudo/sudo-enable-secure_path-by-default.patch
2024-07-20 03:31:31 +03:00

171 lines
5.8 KiB
Diff

From e0e24456bc3fcdf5506660be69186e01583ff383 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 10 Jun 2024 20:37:05 -0600
Subject: [PATCH] Enable secure_path in default sudoers file.
It is still disabled by default in the sudo binary.
---
INSTALL.md | 3 ++-
configure | 22 ++++++++++++++--------
configure.ac | 15 +++++++++------
docs/sudoers.mdoc.in | 2 +-
plugins/sudoers/sudoers.in | 8 +++++---
5 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index 59c67b8366..2261504b6c 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -999,7 +999,8 @@ Defaults are listed in brackets after the description.
be separate from the "user path." You will need to customize the
path for your site. This is not applied to users in the group
specified by --with-exemptgroup. If you do not specify a path,
- "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
+ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ is used.
Sudoers option: secure_path
--with-sendmail=PATH
diff --git a/configure b/configure
index 237d5cf580..e7f1b1d91e 100755
--- a/configure
+++ b/configure
@@ -733,6 +733,7 @@ plugindir
pam_login_service
pam_session
editor
+secure_path_set
secure_path
netsvc_conf
nsswitch_conf
@@ -3680,6 +3681,7 @@ sudoers_path='$(sysconfdir)/sudoers'
+
#
@@ -3727,7 +3729,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="not set"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@@ -6308,19 +6311,22 @@ EOF
if test ${with_secure_path+y}
then :
withval=$with_secure_path; case $with_secure_path in
- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
- printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
-
- secure_path="set to $with_secure_path"
+ yes) with_secure_path="$secure_path"
;;
no) ;;
- *) printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
-
- secure_path="set to $with_secure_path"
+ *) secure_path="$with_secure_path"
;;
esac
fi
+if test "${with_secure_path-no}" != "no"
+then :
+
+ printf "%s\n" "#define SECURE_PATH \"$secure_path\"" >>confdefs.h
+
+ secure_path_set="set to $secure_path"
+
+fi
# Check whether --with-interfaces was given.
diff --git a/configure.ac b/configure.ac
index f4d96eccd0..61b2115300 100644
--- a/configure.ac
+++ b/configure.ac
@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
+AC_SUBST([secure_path_set])
AC_SUBST([editor])
AC_SUBST([pam_session])
AC_SUBST([pam_login_service])
@@ -228,7 +229,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="not set"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@@ -1068,15 +1070,16 @@ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret
AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
[case $with_secure_path in
- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
- AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
- secure_path="set to $with_secure_path"
+ yes) with_secure_path="$secure_path"
;;
no) ;;
- *) AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
- secure_path="set to $with_secure_path"
+ *) secure_path="$with_secure_path"
;;
esac])
+AS_IF([test "${with_secure_path-no}" != "no"], [
+ AC_DEFINE_UNQUOTED(SECURE_PATH, "$secure_path")
+ secure_path_set="set to $secure_path"
+])
AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of network interfaces])],
[case $with_interfaces in
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index ef9657f139..f53f1e0e01 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -5305,7 +5305,7 @@ Users in the group specified by the
.Em exempt_group
option are not affected by
.Em secure_path .
-This option is @secure_path@ by default.
+This option is @secure_path_set@ by default.
.It syslog
Syslog facility if syslog is being used for logging (negate to
disable syslog logging).
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
index 703c9d5f01..b0d464160f 100644
--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -45,6 +45,11 @@
## To preserve these for all commands, remove the "!visudo" qualifier.
Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
##
+## Use a hard-coded PATH instead of the user's to find commands.
+## This also helps prevent poorly written scripts from running
+## artbitrary commands under sudo.
+Defaults secure_path="@secure_path@"
+##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
@@ -69,9 +74,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-##
## Uncomment to disable "use_pty" when running commands as root.
## Commands run as non-root users will run in a pseudo-terminal,
## not the user's own terminal, to prevent command injection.