Blame SOURCES/sudo-1.8.29-CVE-2019-19234.patch

a2b174
diff -up ./config.h.in.CVE-2019-19234 ./config.h.in
a2b174
--- ./config.h.in.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
a2b174
+++ ./config.h.in	2020-01-14 15:53:40.506988064 +0100
a2b174
@@ -334,6 +334,9 @@
a2b174
 /* Define to 1 if you have the `getuserattr' function. */
a2b174
 #undef HAVE_GETUSERATTR
a2b174
 
a2b174
+/* Define to 1 if you have the `getusershell' function. */
a2b174
+#undef HAVE_GETUSERSHELL
a2b174
+
a2b174
 /* Define to 1 if you have the `getutid' function. */
a2b174
 #undef HAVE_GETUTID
a2b174
 
a2b174
diff -up ./configure.ac.CVE-2019-19234 ./configure.ac
a2b174
--- ./configure.ac.CVE-2019-19234	2020-01-14 15:53:40.496987995 +0100
a2b174
+++ ./configure.ac	2020-01-14 15:53:40.509988084 +0100
a2b174
@@ -2562,6 +2562,10 @@ AC_CHECK_FUNCS([getdelim], [], [
a2b174
     SUDO_APPEND_COMPAT_EXP(sudo_getdelim)
a2b174
     COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }getdelim_test"
a2b174
 ])
a2b174
+AC_CHECK_FUNCS([getusershell], [], [
a2b174
+    AC_LIBOBJ(getusershell)
a2b174
+    SUDO_APPEND_COMPAT_EXP(sudo_getusershell)
a2b174
+])
a2b174
 AC_CHECK_FUNCS([reallocarray], [], [
a2b174
     AC_LIBOBJ(reallocarray)
a2b174
     SUDO_APPEND_COMPAT_EXP(sudo_reallocarray)
a2b174
diff -up ./configure.CVE-2019-19234 ./configure
a2b174
--- ./configure.CVE-2019-19234	2019-10-28 13:29:14.000000000 +0100
a2b174
+++ ./configure	2020-01-14 15:53:40.509988084 +0100
a2b174
@@ -19395,6 +19395,32 @@ esac
a2b174
 fi
a2b174
 done
a2b174
 
a2b174
+for ac_func in getusershell
a2b174
+do :
a2b174
+  ac_fn_c_check_func "$LINENO" "getusershell" "ac_cv_func_getusershell"
a2b174
+if test "x$ac_cv_func_getusershell" = xyes; then :
a2b174
+  cat >>confdefs.h <<_ACEOF
a2b174
+#define HAVE_GETUSERSHELL 1
a2b174
+_ACEOF
a2b174
+
a2b174
+else
a2b174
+
a2b174
+    case " $LIBOBJS " in
a2b174
+  *" getusershell.$ac_objext "* ) ;;
a2b174
+  *) LIBOBJS="$LIBOBJS getusershell.$ac_objext"
a2b174
+ ;;
a2b174
+esac
a2b174
+
a2b174
+
a2b174
+    for _sym in sudo_getusershell; do
a2b174
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
a2b174
+"
a2b174
+    done
a2b174
+
a2b174
+
a2b174
+fi
a2b174
+done
a2b174
+
a2b174
 for ac_func in reallocarray
a2b174
 do :
a2b174
   ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
a2b174
diff -up ./doc/sudoers.man.in.CVE-2019-19234 ./doc/sudoers.man.in
a2b174
--- ./doc/sudoers.man.in.CVE-2019-19234	2020-01-14 15:53:40.503988043 +0100
a2b174
+++ ./doc/sudoers.man.in	2020-01-14 15:53:40.510988091 +0100
a2b174
@@ -2959,6 +2959,28 @@ Older versions of
a2b174
 \fBsudo\fR
a2b174
 always allowed matching of unknown user and group IDs.
a2b174
 .TP 18n
a2b174
+runas_check_shell
a2b174
+.br
a2b174
+If enabled,
a2b174
+\fBsudo\fR
a2b174
+will only run commands as a user whose shell appears in the
a2b174
+\fI/etc/shells\fR
a2b174
+file, even if the invoking user's
a2b174
+\fRRunas_List\fR
a2b174
+would otherwise permit it.
a2b174
+If no
a2b174
+\fI/etc/shells\fR
a2b174
+file is present, a system-dependent list of built-in default shells is used.
a2b174
+On many operating systems, system users such as
a2b174
+\(lqbin\(rq,
a2b174
+do not have a valid shell and this flag can be used to prevent
a2b174
+commands from being run as those users.
a2b174
+This flag is
a2b174
+\fIoff\fR
a2b174
+by default.
a2b174
+.sp
a2b174
+This setting is only supported by version 1.8.29 or higher.
a2b174
+.TP 18n
a2b174
 runaspw
a2b174
 If set,
a2b174
 \fBsudo\fR
a2b174
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19234 ./doc/sudoers.mdoc.in
a2b174
--- ./doc/sudoers.mdoc.in.CVE-2019-19234	2020-01-14 15:53:40.504988050 +0100
a2b174
+++ ./doc/sudoers.mdoc.in	2020-01-14 15:53:40.510988091 +0100
a2b174
@@ -2784,6 +2784,26 @@ This setting is only supported by versio
a2b174
 Older versions of
a2b174
 .Nm sudo
a2b174
 always allowed matching of unknown user and group IDs.
a2b174
+.It runas_check_shell
a2b174
+If enabled,
a2b174
+.Nm sudo
a2b174
+will only run commands as a user whose shell appears in the
a2b174
+.Pa /etc/shells
a2b174
+file, even if the invoking user's
a2b174
+.Li Runas_List
a2b174
+would otherwise permit it.
a2b174
+If no
a2b174
+.Pa /etc/shells
a2b174
+file is present, a system-dependent list of built-in default shells is used.
a2b174
+On many operating systems, system users such as
a2b174
+.Dq bin ,
a2b174
+do not have a valid shell and this flag can be used to prevent
a2b174
+commands from being run as those users.
a2b174
+This flag is
a2b174
+.Em off
a2b174
+by default.
a2b174
+.Pp
a2b174
+This setting is only supported by version 1.8.29 or higher.
a2b174
 .It runaspw
a2b174
 If set,
a2b174
 .Nm sudo
a2b174
diff -up ./include/sudo_compat.h.CVE-2019-19234 ./include/sudo_compat.h
a2b174
--- ./include/sudo_compat.h.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
a2b174
+++ ./include/sudo_compat.h	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -407,6 +407,17 @@ __dso_public ssize_t sudo_getdelim(char
a2b174
 # undef getdelim
a2b174
 # define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
a2b174
 #endif /* HAVE_GETDELIM */
a2b174
+#ifndef HAVE_GETUSERSHELL
a2b174
+__dso_public char *sudo_getusershell(void);
a2b174
+# undef getusershell
a2b174
+# define getusershell() sudo_getusershell()
a2b174
+__dso_public void sudo_setusershell(void);
a2b174
+# undef setusershell
a2b174
+# define setusershell() sudo_setusershell()
a2b174
+__dso_public void sudo_endusershell(void);
a2b174
+# undef endusershell
a2b174
+# define endusershell() sudo_endusershell()
a2b174
+#endif /* HAVE_GETUSERSHELL */
a2b174
 #ifndef HAVE_UTIMENSAT
a2b174
 __dso_public int sudo_utimensat(int fd, const char *file, const struct timespec *times, int flag);
a2b174
 # undef utimensat
a2b174
diff -up ./lib/util/getusershell.c.CVE-2019-19234 ./lib/util/getusershell.c
a2b174
--- ./lib/util/getusershell.c.CVE-2019-19234	2020-01-14 15:53:40.511988098 +0100
a2b174
+++ ./lib/util/getusershell.c	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -0,0 +1,138 @@
a2b174
+/*
a2b174
+ * SPDX-License-Identifier: ISC
a2b174
+ *
a2b174
+ * Copyright (c) 2019 Todd C. Miller <Todd.Miller@courtesan.com>
a2b174
+ *
a2b174
+ * Permission to use, copy, modify, and distribute this software for any
a2b174
+ * purpose with or without fee is hereby granted, provided that the above
a2b174
+ * copyright notice and this permission notice appear in all copies.
a2b174
+ *
a2b174
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
a2b174
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
a2b174
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
a2b174
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
a2b174
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
a2b174
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
a2b174
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
a2b174
+ */
a2b174
+
a2b174
+/*
a2b174
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
a2b174
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
a2b174
+ */
a2b174
+
a2b174
+#include <config.h>
a2b174
+
a2b174
+#include <sys/types.h>
a2b174
+
a2b174
+#include <stdio.h>
a2b174
+#include <stdlib.h>
a2b174
+#include <string.h>
a2b174
+#include <ctype.h>
a2b174
+#include <errno.h>
a2b174
+
a2b174
+#define DEFAULT_TEXT_DOMAIN     "sudo"
a2b174
+#include "sudo_gettext.h"       /* must be included before sudo_compat.h */
a2b174
+
a2b174
+#include "sudo_compat.h"
a2b174
+#include "sudo_debug.h"
a2b174
+#include "sudo_util.h"
a2b174
+
a2b174
+static char **allowed_shells, **current_shell;
a2b174
+static char *default_shells[] = {
a2b174
+    "/bin/sh",
a2b174
+    "/bin/ksh",
a2b174
+    "/bin/ksh93",
a2b174
+    "/bin/bash",
a2b174
+    "/bin/dash",
a2b174
+    "/bin/zsh",
a2b174
+    "/bin/csh",
a2b174
+    "/bin/tcsh",
a2b174
+    NULL
a2b174
+};
a2b174
+
a2b174
+static char **
a2b174
+read_shells(void)
a2b174
+{
a2b174
+    size_t maxshells = 16, nshells = 0;
a2b174
+    size_t linesize = 0;
a2b174
+    char *line = NULL;
a2b174
+    FILE *fp;
a2b174
+    debug_decl(read_shells, SUDO_DEBUG_UTIL)
a2b174
+
a2b174
+    if ((fp = fopen("/etc/shells", "r")) == NULL)
a2b174
+	goto bad;
a2b174
+
a2b174
+    free(allowed_shells);
a2b174
+    allowed_shells = reallocarray(NULL, maxshells, sizeof(char *));
a2b174
+    if (allowed_shells == NULL)
a2b174
+	goto bad;
a2b174
+
a2b174
+    while (sudo_parseln(&line, &linesize, NULL, fp, PARSELN_CONT_IGN) != -1) {
a2b174
+	if (nshells + 1 >= maxshells) {
a2b174
+	    char **new_shells;
a2b174
+
a2b174
+	    new_shells = reallocarray(NULL, maxshells + 16, sizeof(char *));
a2b174
+	    if (new_shells == NULL)
a2b174
+		goto bad;
a2b174
+	    allowed_shells = new_shells;
a2b174
+	    maxshells += 16;
a2b174
+	}
a2b174
+	if ((allowed_shells[nshells] = strdup(line)) == NULL)
a2b174
+	    goto bad;
a2b174
+	nshells++;
a2b174
+    }
a2b174
+    allowed_shells[nshells] = NULL;
a2b174
+
a2b174
+    free(line);
a2b174
+    fclose(fp);
a2b174
+    debug_return_ptr(allowed_shells);
a2b174
+bad:
a2b174
+    free(line);
a2b174
+    if (fp != NULL)
a2b174
+	fclose(fp);
a2b174
+    while (nshells != 0)
a2b174
+	free(allowed_shells[--nshells]);
a2b174
+    free(allowed_shells);
a2b174
+    allowed_shells = NULL;
a2b174
+    debug_return_ptr(default_shells);
a2b174
+}
a2b174
+
a2b174
+void
a2b174
+sudo_setusershell(void)
a2b174
+{
a2b174
+    debug_decl(setusershell, SUDO_DEBUG_UTIL)
a2b174
+
a2b174
+    current_shell = read_shells();
a2b174
+
a2b174
+    debug_return;
a2b174
+}
a2b174
+
a2b174
+void
a2b174
+sudo_endusershell(void)
a2b174
+{
a2b174
+    debug_decl(endusershell, SUDO_DEBUG_UTIL)
a2b174
+
a2b174
+    if (allowed_shells != NULL) {
a2b174
+	char **shell;
a2b174
+
a2b174
+	for (shell = allowed_shells; *shell != NULL; shell++)
a2b174
+	    free(*shell);
a2b174
+	free(allowed_shells);
a2b174
+	allowed_shells = NULL;
a2b174
+    }
a2b174
+    current_shell = NULL;
a2b174
+
a2b174
+    debug_return;
a2b174
+}
a2b174
+
a2b174
+char *
a2b174
+sudo_getusershell(void)
a2b174
+{
a2b174
+    debug_decl(getusershell, SUDO_DEBUG_UTIL)
a2b174
+
a2b174
+    if (current_shell == NULL)
a2b174
+	current_shell = read_shells();
a2b174
+
a2b174
+    debug_return_str(*current_shell++);
a2b174
+}
a2b174
diff -up ./lib/util/Makefile.in.CVE-2019-19234 ./lib/util/Makefile.in
a2b174
--- ./lib/util/Makefile.in.CVE-2019-19234	2019-10-28 13:28:53.000000000 +0100
a2b174
+++ ./lib/util/Makefile.in	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -678,6 +678,18 @@ gettime.i: $(srcdir)/gettime.c $(incdir)
a2b174
 	$(CC) -E -o $@ $(CPPFLAGS) $<
a2b174
 gettime.plog: gettime.i
a2b174
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/gettime.c --i-file $< --output-file $@
a2b174
+getusershell.lo: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
a2b174
+                 $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
a2b174
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
a2b174
+                 $(incdir)/sudo_util.h $(top_builddir)/config.h
a2b174
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/getusershell.c
a2b174
+getusershell.i: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
a2b174
+                 $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
a2b174
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
a2b174
+                 $(incdir)/sudo_util.h $(top_builddir)/config.h
a2b174
+	$(CC) -E -o $@ $(CPPFLAGS) $<
a2b174
+getusershell.plog: getusershell.i
a2b174
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/getusershell.c --i-file $< --output-file $@
a2b174
 gidlist.lo: $(srcdir)/gidlist.c $(incdir)/compat/stdbool.h \
a2b174
             $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
a2b174
             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
a2b174
diff -up ./MANIFEST.CVE-2019-19234 ./MANIFEST
a2b174
--- ./MANIFEST.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
a2b174
+++ ./MANIFEST	2020-01-14 15:53:40.506988064 +0100
a2b174
@@ -103,6 +103,7 @@ lib/util/getgrouplist.c
a2b174
 lib/util/gethostname.c
a2b174
 lib/util/getopt_long.c
a2b174
 lib/util/gettime.c
a2b174
+lib/util/getusershell.c
a2b174
 lib/util/gidlist.c
a2b174
 lib/util/glob.c
a2b174
 lib/util/inet_ntop.c
a2b174
diff -up ./mkdep.pl.CVE-2019-19234 ./mkdep.pl
a2b174
--- ./mkdep.pl.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
a2b174
+++ ./mkdep.pl	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -116,7 +116,7 @@ sub mkdep {
a2b174
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
a2b174
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
a2b174
     $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;
a2b174
-    $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
a2b174
+    $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
a2b174
 
a2b174
     # Parse OBJS lines
a2b174
     my %objs;
a2b174
diff -up ./plugins/sudoers/check.c.CVE-2019-19234 ./plugins/sudoers/check.c
a2b174
--- ./plugins/sudoers/check.c.CVE-2019-19234	2019-10-28 13:27:45.000000000 +0100
a2b174
+++ ./plugins/sudoers/check.c	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -333,3 +333,28 @@ get_authpw(int mode)
a2b174
 
a2b174
     debug_return_ptr(pw);
a2b174
 }
a2b174
+
a2b174
+/*
a2b174
+ * Returns true if the specified shell is allowed by /etc/shells, else false.
a2b174
+ */
a2b174
+bool
a2b174
+check_user_shell(const struct passwd *pw)
a2b174
+{
a2b174
+    const char *shell;
a2b174
+    debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH)
a2b174
+
a2b174
+    if (!def_runas_check_shell)
a2b174
+	debug_return_bool(true);
a2b174
+
a2b174
+    sudo_debug_printf(SUDO_DEBUG_INFO,
a2b174
+	"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
a2b174
+
a2b174
+    setusershell();
a2b174
+    while ((shell = getusershell()) != NULL) {
a2b174
+	if (strcmp(shell, pw->pw_shell) == 0)
a2b174
+	    debug_return_bool(true);
a2b174
+    }
a2b174
+    endusershell();
a2b174
+
a2b174
+    debug_return_bool(false);
a2b174
+}
a2b174
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19234 ./plugins/sudoers/def_data.c
a2b174
--- ./plugins/sudoers/def_data.c.CVE-2019-19234	2020-01-14 15:53:40.504988050 +0100
a2b174
+++ ./plugins/sudoers/def_data.c	2020-01-14 15:53:40.511988098 +0100
a2b174
@@ -518,6 +518,10 @@ struct sudo_defs_types sudo_defs_table[]
a2b174
 	N_("Allow the use of unknown runas user and/or group ID"),
a2b174
 	NULL,
a2b174
     }, {
a2b174
+	"runas_check_shell", T_FLAG,
a2b174
+	N_("Only permit running commands as a user with a valid shell"),
a2b174
+	NULL,
a2b174
+    }, {
a2b174
 	NULL, 0, NULL
a2b174
     }
a2b174
 };
a2b174
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19234 ./plugins/sudoers/def_data.h
a2b174
--- ./plugins/sudoers/def_data.h.CVE-2019-19234	2020-01-14 15:53:40.512988105 +0100
a2b174
+++ ./plugins/sudoers/def_data.h	2020-01-14 15:58:06.927808982 +0100
a2b174
@@ -238,6 +238,8 @@
a2b174
 #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
a2b174
 #define I_RUNAS_ALLOW_UNKNOWN_ID 119
a2b174
 #define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
a2b174
+#define I_RUNAS_CHECK_SHELL     120
a2b174
+#define def_runas_check_shell   (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
a2b174
 
a2b174
 enum def_tuple {
a2b174
 	never,
a2b174
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19234 ./plugins/sudoers/def_data.in
a2b174
--- ./plugins/sudoers/def_data.in.CVE-2019-19234	2020-01-14 15:53:40.505988057 +0100
a2b174
+++ ./plugins/sudoers/def_data.in	2020-01-14 15:53:40.512988105 +0100
a2b174
@@ -375,3 +375,7 @@ cmnd_no_wait
a2b174
 runas_allow_unknown_id
a2b174
 	T_FLAG
a2b174
 	"Allow the use of unknown runas user and/or group ID"
a2b174
+runas_check_shell
a2b174
+	T_FLAG
a2b174
+	"Only permit running commands as a user with a valid shell"
a2b174
+
a2b174
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19234 ./plugins/sudoers/sudoers.c
a2b174
--- ./plugins/sudoers/sudoers.c.CVE-2019-19234	2020-01-14 15:53:40.505988057 +0100
a2b174
+++ ./plugins/sudoers/sudoers.c	2020-01-14 15:53:40.512988105 +0100
a2b174
@@ -273,7 +273,7 @@ sudoers_policy_main(int argc, char * con
a2b174
 	/* Not an audit event. */
a2b174
 	sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
a2b174
 	goto bad;
a2b174
-    }    
a2b174
+    }
a2b174
 
a2b174
     if (!set_perms(PERM_INITIAL))
a2b174
 	goto bad;
a2b174
@@ -412,6 +412,13 @@ sudoers_policy_main(int argc, char * con
a2b174
 	goto bad;
a2b174
     }
a2b174
 
a2b174
+    /* Check runas user's shell. */
a2b174
+    if (!check_user_shell(runas_pw)) {
a2b174
+	log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
a2b174
+	    runas_pw->pw_name, runas_pw->pw_shell);
a2b174
+	goto bad;
a2b174
+    }
a2b174
+
a2b174
     /*
a2b174
      * We don't reset the environment for sudoedit or if the user
a2b174
      * specified the -E command line flag and they have setenv privs.
a2b174
diff -up ./plugins/sudoers/sudoers.h.CVE-2019-19234 ./plugins/sudoers/sudoers.h
a2b174
--- ./plugins/sudoers/sudoers.h.CVE-2019-19234	2020-01-14 15:53:40.502988036 +0100
a2b174
+++ ./plugins/sudoers/sudoers.h	2020-01-14 15:53:40.512988105 +0100
a2b174
@@ -264,6 +264,7 @@ int find_path(const char *infile, char *
a2b174
 
a2b174
 /* check.c */
a2b174
 int check_user(int validate, int mode);
a2b174
+bool check_user_shell(const struct passwd *pw);
a2b174
 bool user_is_exempt(void);
a2b174
 
a2b174
 /* prompt.c */