Blame SOURCES/sudo-1.8.29-CVE-2019-19232.patch

9d1b3f
diff -up ./doc/sudoers.man.in.CVE-2019-19232 ./doc/sudoers.man.in
9d1b3f
--- ./doc/sudoers.man.in.CVE-2019-19232	2019-10-28 13:28:52.000000000 +0100
9d1b3f
+++ ./doc/sudoers.man.in	2020-01-14 15:34:46.908027286 +0100
9d1b3f
@@ -2942,6 +2942,23 @@ This flag is
9d1b3f
 \fIoff\fR
9d1b3f
 by default.
9d1b3f
 .TP 18n
9d1b3f
+runas_allow_unknown_id
9d1b3f
+If enabled, allow matching of runas user and group IDs that are
9d1b3f
+not present in the password or group databases.
9d1b3f
+In addition to explicitly matching unknown user or group IDs in a
9d1b3f
+\fRRunas_List\fR,
9d1b3f
+this option also allows the
9d1b3f
+\fBALL\fR
9d1b3f
+alias to match unknown IDs.
9d1b3f
+This flag is
9d1b3f
+\fIoff\fR
9d1b3f
+by default.
9d1b3f
+.sp
9d1b3f
+This setting is only supported by version 1.8.29 or higher.
9d1b3f
+Older versions of
9d1b3f
+\fBsudo\fR
9d1b3f
+always allowed matching of unknown user and group IDs.
9d1b3f
+.TP 18n
9d1b3f
 runaspw
9d1b3f
 If set,
9d1b3f
 \fBsudo\fR
9d1b3f
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19232 ./doc/sudoers.mdoc.in
9d1b3f
--- ./doc/sudoers.mdoc.in.CVE-2019-19232	2019-10-28 13:28:52.000000000 +0100
9d1b3f
+++ ./doc/sudoers.mdoc.in	2020-01-14 15:34:46.908027286 +0100
9d1b3f
@@ -2768,6 +2768,22 @@ when running a command or editing a file
9d1b3f
 This flag is
9d1b3f
 .Em off
9d1b3f
 by default.
9d1b3f
+.It runas_allow_unknown_id
9d1b3f
+If enabled, allow matching of runas user and group IDs that are
9d1b3f
+not present in the password or group databases.
9d1b3f
+In addition to explicitly matching unknown user or group IDs in a
9d1b3f
+.Li Runas_List ,
9d1b3f
+this option also allows the
9d1b3f
+.Sy ALL
9d1b3f
+alias to match unknown IDs.
9d1b3f
+This flag is
9d1b3f
+.Em off
9d1b3f
+by default.
9d1b3f
+.Pp
9d1b3f
+This setting is only supported by version 1.8.29 or higher.
9d1b3f
+Older versions of
9d1b3f
+.Nm sudo
9d1b3f
+always allowed matching of unknown user and group IDs.
9d1b3f
 .It runaspw
9d1b3f
 If set,
9d1b3f
 .Nm sudo
9d1b3f
diff -up ./plugins/sudoers/defaults.c.CVE-2019-19232 ./plugins/sudoers/defaults.c
9d1b3f
--- ./plugins/sudoers/defaults.c.CVE-2019-19232	2020-01-14 15:34:46.902027246 +0100
9d1b3f
+++ ./plugins/sudoers/defaults.c	2020-01-14 15:34:46.909027293 +0100
9d1b3f
@@ -581,6 +581,7 @@ init_defaults(void)
9d1b3f
     def_fdexec = digest_only;
9d1b3f
     def_log_allowed = true;
9d1b3f
     def_log_denied = true;
9d1b3f
+    def_runas_allow_unknown_id = false;
9d1b3f
 
9d1b3f
     /* Syslog options need special care since they both strings and ints */
9d1b3f
 #if (LOGGING & SLOG_SYSLOG)
9d1b3f
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19232 ./plugins/sudoers/def_data.c
9d1b3f
--- ./plugins/sudoers/def_data.c.CVE-2019-19232	2020-01-14 15:34:46.908027286 +0100
9d1b3f
+++ ./plugins/sudoers/def_data.c	2020-01-14 15:40:19.441555509 +0100
9d1b3f
@@ -514,6 +514,10 @@ struct sudo_defs_types sudo_defs_table[]
9d1b3f
 	N_("Don't fork and wait for the command to finish, just exec it"),
9d1b3f
 	NULL,
9d1b3f
     }, {
9d1b3f
+	"runas_allow_unknown_id", T_FLAG,
9d1b3f
+	N_("Allow the use of unknown runas user and/or group ID"),
9d1b3f
+	NULL,
9d1b3f
+    }, {
9d1b3f
 	NULL, 0, NULL
9d1b3f
     }
9d1b3f
 };
9d1b3f
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19232 ./plugins/sudoers/def_data.h
9d1b3f
--- ./plugins/sudoers/def_data.h.CVE-2019-19232	2020-01-14 15:34:46.909027293 +0100
9d1b3f
+++ ./plugins/sudoers/def_data.h	2020-01-14 15:41:33.658012401 +0100
9d1b3f
@@ -236,6 +236,8 @@
9d1b3f
 #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
9d1b3f
 #define I_CMND_NO_WAIT          118
9d1b3f
 #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
9d1b3f
+#define I_RUNAS_ALLOW_UNKNOWN_ID 119
9d1b3f
+#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
9d1b3f
 
9d1b3f
 enum def_tuple {
9d1b3f
 	never,
9d1b3f
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19232 ./plugins/sudoers/def_data.in
9d1b3f
--- ./plugins/sudoers/def_data.in.CVE-2019-19232	2020-01-14 15:34:46.909027293 +0100
9d1b3f
+++ ./plugins/sudoers/def_data.in	2020-01-14 15:42:42.176481484 +0100
9d1b3f
@@ -372,3 +372,6 @@ legacy_group_processing
9d1b3f
 cmnd_no_wait
9d1b3f
 	T_FLAG
9d1b3f
 	"Don't fork and wait for the command to finish, just exec it"
9d1b3f
+runas_allow_unknown_id
9d1b3f
+	T_FLAG
9d1b3f
+	"Allow the use of unknown runas user and/or group ID"
9d1b3f
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19232 ./plugins/sudoers/sudoers.c
9d1b3f
--- ./plugins/sudoers/sudoers.c.CVE-2019-19232	2020-01-14 15:34:46.905027266 +0100
9d1b3f
+++ ./plugins/sudoers/sudoers.c	2020-01-14 15:34:46.910027299 +0100
9d1b3f
@@ -105,6 +105,8 @@ static char *prev_user;
9d1b3f
 static char *runas_user;
9d1b3f
 static char *runas_group;
9d1b3f
 static struct sudo_nss_list *snl;
9d1b3f
+static bool unknown_runas_uid;
9d1b3f
+static bool unknown_runas_gid;
9d1b3f
 
9d1b3f
 #ifdef __linux__
9d1b3f
 static struct rlimit nproclimit;
9d1b3f
@@ -354,6 +356,22 @@ sudoers_policy_main(int argc, char * con
9d1b3f
 	}
9d1b3f
     }
9d1b3f
 
9d1b3f
+    /* Defer uid/gid checks until after defaults have been updated. */
9d1b3f
+    if (unknown_runas_uid && !def_runas_allow_unknown_id) {
9d1b3f
+	audit_failure(NewArgc, NewArgv, N_("unknown user: %s"),
9d1b3f
+	    runas_pw->pw_name);
9d1b3f
+	sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name);
9d1b3f
+	goto done;
9d1b3f
+    }
9d1b3f
+    if (runas_gr != NULL) {
9d1b3f
+	if (unknown_runas_gid && !def_runas_allow_unknown_id) {
9d1b3f
+	    audit_failure(NewArgc, NewArgv, N_("unknown group: %s"),
9d1b3f
+		runas_gr->gr_name);
9d1b3f
+	    sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name);
9d1b3f
+	    goto done;
9d1b3f
+	}
9d1b3f
+    }
9d1b3f
+
9d1b3f
     /*
9d1b3f
      * Look up the timestamp dir owner if one is specified.
9d1b3f
      */
9d1b3f
@@ -1167,12 +1185,15 @@ set_runaspw(const char *user, bool quiet
9d1b3f
     struct passwd *pw = NULL;
9d1b3f
     debug_decl(set_runaspw, SUDOERS_DEBUG_PLUGIN)
9d1b3f
 
9d1b3f
+    unknown_runas_uid = false;
9d1b3f
     if (*user == '#') {
9d1b3f
 	const char *errstr;
9d1b3f
 	uid_t uid = sudo_strtoid(user + 1, &errstr);
9d1b3f
 	if (errstr == NULL) {
9d1b3f
-	    if ((pw = sudo_getpwuid(uid)) == NULL)
9d1b3f
+	    if ((pw = sudo_getpwuid(uid)) == NULL) {
9d1b3f
+		unknown_runas_uid = true;
9d1b3f
 		pw = sudo_fakepwnam(user, user_gid);
9d1b3f
+	    }
9d1b3f
 	}
9d1b3f
     }
9d1b3f
     if (pw == NULL) {
9d1b3f
@@ -1198,12 +1219,15 @@ set_runasgr(const char *group, bool quie
9d1b3f
     struct group *gr = NULL;
9d1b3f
     debug_decl(set_runasgr, SUDOERS_DEBUG_PLUGIN)
9d1b3f
 
9d1b3f
+    unknown_runas_gid = false;
9d1b3f
     if (*group == '#') {
9d1b3f
 	const char *errstr;
9d1b3f
 	gid_t gid = sudo_strtoid(group + 1, &errstr);
9d1b3f
 	if (errstr == NULL) {
9d1b3f
-	    if ((gr = sudo_getgrgid(gid)) == NULL)
9d1b3f
+	    if ((gr = sudo_getgrgid(gid)) == NULL) {
9d1b3f
+		unknown_runas_gid = true;
9d1b3f
 		gr = sudo_fakegrnam(group);
9d1b3f
+	    }
9d1b3f
 	}
9d1b3f
     }
9d1b3f
     if (gr == NULL) {