version 1.1.1.2, 2012/10/09 09:29:52
|
version 1.1.1.5, 2014/06/15 16:12:55
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
* purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
Line 17
|
Line 17
|
#include <config.h> |
#include <config.h> |
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> |
|
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
# include <stdlib.h> |
# include <stdlib.h> |
Line 40
|
Line 39
|
# include <priv.h> |
# include <priv.h> |
#endif |
#endif |
#include <errno.h> |
#include <errno.h> |
|
#include <fcntl.h> |
#include <signal.h> |
#include <signal.h> |
|
|
#include "sudo.h" |
#include "sudo.h" |
Line 65 disable_execute(char *const envp[])
|
Line 65 disable_execute(char *const envp[])
|
|
|
#ifdef HAVE_PRIV_SET |
#ifdef HAVE_PRIV_SET |
/* Solaris privileges, remove PRIV_PROC_EXEC post-execve. */ |
/* Solaris privileges, remove PRIV_PROC_EXEC post-execve. */ |
|
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_READ", NULL); |
|
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_WRITE", NULL); |
|
(void)priv_set(PRIV_ON, PRIV_INHERITABLE, "PRIV_FILE_DAC_SEARCH", NULL); |
if (priv_set(PRIV_OFF, PRIV_LIMIT, "PRIV_PROC_EXEC", NULL) == 0) |
if (priv_set(PRIV_OFF, PRIV_LIMIT, "PRIV_PROC_EXEC", NULL) == 0) |
debug_return_ptr(envp); | debug_return_const_ptr(envp); |
warning(_("unable to remove PRIV_PROC_EXEC from PRIV_LIMIT")); | warning(U_("unable to remove PRIV_PROC_EXEC from PRIV_LIMIT")); |
#endif /* HAVE_PRIV_SET */ |
#endif /* HAVE_PRIV_SET */ |
|
|
#ifdef _PATH_SUDO_NOEXEC |
#ifdef _PATH_SUDO_NOEXEC |
Line 109 disable_execute(char *const envp[])
|
Line 112 disable_execute(char *const envp[])
|
preload = fmt_string(RTLD_PRELOAD_VAR, sudo_conf_noexec_path()); |
preload = fmt_string(RTLD_PRELOAD_VAR, sudo_conf_noexec_path()); |
# endif |
# endif |
if (preload == NULL) |
if (preload == NULL) |
errorx(1, _("unable to allocate memory")); | fatal(NULL); |
nenvp[env_len++] = preload; |
nenvp[env_len++] = preload; |
nenvp[env_len] = NULL; |
nenvp[env_len] = NULL; |
} else { |
} else { |
Line 127 disable_execute(char *const envp[])
|
Line 130 disable_execute(char *const envp[])
|
envp = nenvp; |
envp = nenvp; |
#endif /* _PATH_SUDO_NOEXEC */ |
#endif /* _PATH_SUDO_NOEXEC */ |
|
|
debug_return_ptr(envp); | debug_return_const_ptr(envp); |
} |
} |
|
|
/* |
/* |
Line 135 disable_execute(char *const envp[])
|
Line 138 disable_execute(char *const envp[])
|
* ala execvp(3) if we get ENOEXEC. |
* ala execvp(3) if we get ENOEXEC. |
*/ |
*/ |
int |
int |
sudo_execve(const char *path, char *const argv[], char *const envp[], int noexec) | sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec) |
{ |
{ |
/* Modify the environment as needed to disable further execve(). */ |
/* Modify the environment as needed to disable further execve(). */ |
if (noexec) |
if (noexec) |