Blob Blame History Raw
diff -up ./config.h.in.CVE-2019-19234 ./config.h.in
--- ./config.h.in.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
+++ ./config.h.in	2020-01-14 15:53:40.506988064 +0100
@@ -334,6 +334,9 @@
 /* Define to 1 if you have the `getuserattr' function. */
 #undef HAVE_GETUSERATTR
 
+/* Define to 1 if you have the `getusershell' function. */
+#undef HAVE_GETUSERSHELL
+
 /* Define to 1 if you have the `getutid' function. */
 #undef HAVE_GETUTID
 
diff -up ./configure.ac.CVE-2019-19234 ./configure.ac
--- ./configure.ac.CVE-2019-19234	2020-01-14 15:53:40.496987995 +0100
+++ ./configure.ac	2020-01-14 15:53:40.509988084 +0100
@@ -2562,6 +2562,10 @@ AC_CHECK_FUNCS([getdelim], [], [
     SUDO_APPEND_COMPAT_EXP(sudo_getdelim)
     COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }getdelim_test"
 ])
+AC_CHECK_FUNCS([getusershell], [], [
+    AC_LIBOBJ(getusershell)
+    SUDO_APPEND_COMPAT_EXP(sudo_getusershell)
+])
 AC_CHECK_FUNCS([reallocarray], [], [
     AC_LIBOBJ(reallocarray)
     SUDO_APPEND_COMPAT_EXP(sudo_reallocarray)
diff -up ./configure.CVE-2019-19234 ./configure
--- ./configure.CVE-2019-19234	2019-10-28 13:29:14.000000000 +0100
+++ ./configure	2020-01-14 15:53:40.509988084 +0100
@@ -19395,6 +19395,32 @@ esac
 fi
 done
 
+for ac_func in getusershell
+do :
+  ac_fn_c_check_func "$LINENO" "getusershell" "ac_cv_func_getusershell"
+if test "x$ac_cv_func_getusershell" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_GETUSERSHELL 1
+_ACEOF
+
+else
+
+    case " $LIBOBJS " in
+  *" getusershell.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS getusershell.$ac_objext"
+ ;;
+esac
+
+
+    for _sym in sudo_getusershell; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
+
+fi
+done
+
 for ac_func in reallocarray
 do :
   ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
diff -up ./doc/sudoers.man.in.CVE-2019-19234 ./doc/sudoers.man.in
--- ./doc/sudoers.man.in.CVE-2019-19234	2020-01-14 15:53:40.503988043 +0100
+++ ./doc/sudoers.man.in	2020-01-14 15:53:40.510988091 +0100
@@ -2959,6 +2959,28 @@ Older versions of
 \fBsudo\fR
 always allowed matching of unknown user and group IDs.
 .TP 18n
+runas_check_shell
+.br
+If enabled,
+\fBsudo\fR
+will only run commands as a user whose shell appears in the
+\fI/etc/shells\fR
+file, even if the invoking user's
+\fRRunas_List\fR
+would otherwise permit it.
+If no
+\fI/etc/shells\fR
+file is present, a system-dependent list of built-in default shells is used.
+On many operating systems, system users such as
+\(lqbin\(rq,
+do not have a valid shell and this flag can be used to prevent
+commands from being run as those users.
+This flag is
+\fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.8.29 or higher.
+.TP 18n
 runaspw
 If set,
 \fBsudo\fR
diff -up ./doc/sudoers.mdoc.in.CVE-2019-19234 ./doc/sudoers.mdoc.in
--- ./doc/sudoers.mdoc.in.CVE-2019-19234	2020-01-14 15:53:40.504988050 +0100
+++ ./doc/sudoers.mdoc.in	2020-01-14 15:53:40.510988091 +0100
@@ -2784,6 +2784,26 @@ This setting is only supported by versio
 Older versions of
 .Nm sudo
 always allowed matching of unknown user and group IDs.
+.It runas_check_shell
+If enabled,
+.Nm sudo
+will only run commands as a user whose shell appears in the
+.Pa /etc/shells
+file, even if the invoking user's
+.Li Runas_List
+would otherwise permit it.
+If no
+.Pa /etc/shells
+file is present, a system-dependent list of built-in default shells is used.
+On many operating systems, system users such as
+.Dq bin ,
+do not have a valid shell and this flag can be used to prevent
+commands from being run as those users.
+This flag is
+.Em off
+by default.
+.Pp
+This setting is only supported by version 1.8.29 or higher.
 .It runaspw
 If set,
 .Nm sudo
diff -up ./include/sudo_compat.h.CVE-2019-19234 ./include/sudo_compat.h
--- ./include/sudo_compat.h.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
+++ ./include/sudo_compat.h	2020-01-14 15:53:40.511988098 +0100
@@ -407,6 +407,17 @@ __dso_public ssize_t sudo_getdelim(char
 # undef getdelim
 # define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
 #endif /* HAVE_GETDELIM */
+#ifndef HAVE_GETUSERSHELL
+__dso_public char *sudo_getusershell(void);
+# undef getusershell
+# define getusershell() sudo_getusershell()
+__dso_public void sudo_setusershell(void);
+# undef setusershell
+# define setusershell() sudo_setusershell()
+__dso_public void sudo_endusershell(void);
+# undef endusershell
+# define endusershell() sudo_endusershell()
+#endif /* HAVE_GETUSERSHELL */
 #ifndef HAVE_UTIMENSAT
 __dso_public int sudo_utimensat(int fd, const char *file, const struct timespec *times, int flag);
 # undef utimensat
diff -up ./lib/util/getusershell.c.CVE-2019-19234 ./lib/util/getusershell.c
--- ./lib/util/getusershell.c.CVE-2019-19234	2020-01-14 15:53:40.511988098 +0100
+++ ./lib/util/getusershell.c	2020-01-14 15:53:40.511988098 +0100
@@ -0,0 +1,138 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+
+#define DEFAULT_TEXT_DOMAIN     "sudo"
+#include "sudo_gettext.h"       /* must be included before sudo_compat.h */
+
+#include "sudo_compat.h"
+#include "sudo_debug.h"
+#include "sudo_util.h"
+
+static char **allowed_shells, **current_shell;
+static char *default_shells[] = {
+    "/bin/sh",
+    "/bin/ksh",
+    "/bin/ksh93",
+    "/bin/bash",
+    "/bin/dash",
+    "/bin/zsh",
+    "/bin/csh",
+    "/bin/tcsh",
+    NULL
+};
+
+static char **
+read_shells(void)
+{
+    size_t maxshells = 16, nshells = 0;
+    size_t linesize = 0;
+    char *line = NULL;
+    FILE *fp;
+    debug_decl(read_shells, SUDO_DEBUG_UTIL)
+
+    if ((fp = fopen("/etc/shells", "r")) == NULL)
+	goto bad;
+
+    free(allowed_shells);
+    allowed_shells = reallocarray(NULL, maxshells, sizeof(char *));
+    if (allowed_shells == NULL)
+	goto bad;
+
+    while (sudo_parseln(&line, &linesize, NULL, fp, PARSELN_CONT_IGN) != -1) {
+	if (nshells + 1 >= maxshells) {
+	    char **new_shells;
+
+	    new_shells = reallocarray(NULL, maxshells + 16, sizeof(char *));
+	    if (new_shells == NULL)
+		goto bad;
+	    allowed_shells = new_shells;
+	    maxshells += 16;
+	}
+	if ((allowed_shells[nshells] = strdup(line)) == NULL)
+	    goto bad;
+	nshells++;
+    }
+    allowed_shells[nshells] = NULL;
+
+    free(line);
+    fclose(fp);
+    debug_return_ptr(allowed_shells);
+bad:
+    free(line);
+    if (fp != NULL)
+	fclose(fp);
+    while (nshells != 0)
+	free(allowed_shells[--nshells]);
+    free(allowed_shells);
+    allowed_shells = NULL;
+    debug_return_ptr(default_shells);
+}
+
+void
+sudo_setusershell(void)
+{
+    debug_decl(setusershell, SUDO_DEBUG_UTIL)
+
+    current_shell = read_shells();
+
+    debug_return;
+}
+
+void
+sudo_endusershell(void)
+{
+    debug_decl(endusershell, SUDO_DEBUG_UTIL)
+
+    if (allowed_shells != NULL) {
+	char **shell;
+
+	for (shell = allowed_shells; *shell != NULL; shell++)
+	    free(*shell);
+	free(allowed_shells);
+	allowed_shells = NULL;
+    }
+    current_shell = NULL;
+
+    debug_return;
+}
+
+char *
+sudo_getusershell(void)
+{
+    debug_decl(getusershell, SUDO_DEBUG_UTIL)
+
+    if (current_shell == NULL)
+	current_shell = read_shells();
+
+    debug_return_str(*current_shell++);
+}
diff -up ./lib/util/Makefile.in.CVE-2019-19234 ./lib/util/Makefile.in
--- ./lib/util/Makefile.in.CVE-2019-19234	2019-10-28 13:28:53.000000000 +0100
+++ ./lib/util/Makefile.in	2020-01-14 15:53:40.511988098 +0100
@@ -678,6 +678,18 @@ gettime.i: $(srcdir)/gettime.c $(incdir)
 	$(CC) -E -o $@ $(CPPFLAGS) $<
 gettime.plog: gettime.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/gettime.c --i-file $< --output-file $@
+getusershell.lo: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
+                 $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
+                 $(incdir)/sudo_util.h $(top_builddir)/config.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/getusershell.c
+getusershell.i: $(srcdir)/getusershell.c $(incdir)/compat/stdbool.h \
+                 $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_queue.h \
+                 $(incdir)/sudo_util.h $(top_builddir)/config.h
+	$(CC) -E -o $@ $(CPPFLAGS) $<
+getusershell.plog: getusershell.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/getusershell.c --i-file $< --output-file $@
 gidlist.lo: $(srcdir)/gidlist.c $(incdir)/compat/stdbool.h \
             $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
diff -up ./MANIFEST.CVE-2019-19234 ./MANIFEST
--- ./MANIFEST.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
+++ ./MANIFEST	2020-01-14 15:53:40.506988064 +0100
@@ -103,6 +103,7 @@ lib/util/getgrouplist.c
 lib/util/gethostname.c
 lib/util/getopt_long.c
 lib/util/gettime.c
+lib/util/getusershell.c
 lib/util/gidlist.c
 lib/util/glob.c
 lib/util/inet_ntop.c
diff -up ./mkdep.pl.CVE-2019-19234 ./mkdep.pl
--- ./mkdep.pl.CVE-2019-19234	2019-10-28 13:28:52.000000000 +0100
+++ ./mkdep.pl	2020-01-14 15:53:40.511988098 +0100
@@ -116,7 +116,7 @@ sub mkdep {
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
     $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;
-    $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
+    $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo utimens.lo vsyslog.lo pipe2.lo:;
 
     # Parse OBJS lines
     my %objs;
diff -up ./plugins/sudoers/check.c.CVE-2019-19234 ./plugins/sudoers/check.c
--- ./plugins/sudoers/check.c.CVE-2019-19234	2019-10-28 13:27:45.000000000 +0100
+++ ./plugins/sudoers/check.c	2020-01-14 15:53:40.511988098 +0100
@@ -333,3 +333,28 @@ get_authpw(int mode)
 
     debug_return_ptr(pw);
 }
+
+/*
+ * Returns true if the specified shell is allowed by /etc/shells, else false.
+ */
+bool
+check_user_shell(const struct passwd *pw)
+{
+    const char *shell;
+    debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH)
+
+    if (!def_runas_check_shell)
+	debug_return_bool(true);
+
+    sudo_debug_printf(SUDO_DEBUG_INFO,
+	"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
+
+    setusershell();
+    while ((shell = getusershell()) != NULL) {
+	if (strcmp(shell, pw->pw_shell) == 0)
+	    debug_return_bool(true);
+    }
+    endusershell();
+
+    debug_return_bool(false);
+}
diff -up ./plugins/sudoers/def_data.c.CVE-2019-19234 ./plugins/sudoers/def_data.c
--- ./plugins/sudoers/def_data.c.CVE-2019-19234	2020-01-14 15:53:40.504988050 +0100
+++ ./plugins/sudoers/def_data.c	2020-01-14 15:53:40.511988098 +0100
@@ -518,6 +518,10 @@ struct sudo_defs_types sudo_defs_table[]
 	N_("Allow the use of unknown runas user and/or group ID"),
 	NULL,
     }, {
+	"runas_check_shell", T_FLAG,
+	N_("Only permit running commands as a user with a valid shell"),
+	NULL,
+    }, {
 	NULL, 0, NULL
     }
 };
diff -up ./plugins/sudoers/def_data.h.CVE-2019-19234 ./plugins/sudoers/def_data.h
--- ./plugins/sudoers/def_data.h.CVE-2019-19234	2020-01-14 15:53:40.512988105 +0100
+++ ./plugins/sudoers/def_data.h	2020-01-14 15:58:06.927808982 +0100
@@ -238,6 +238,8 @@
 #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
 #define I_RUNAS_ALLOW_UNKNOWN_ID 119
 #define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
+#define I_RUNAS_CHECK_SHELL     120
+#define def_runas_check_shell   (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
 
 enum def_tuple {
 	never,
diff -up ./plugins/sudoers/def_data.in.CVE-2019-19234 ./plugins/sudoers/def_data.in
--- ./plugins/sudoers/def_data.in.CVE-2019-19234	2020-01-14 15:53:40.505988057 +0100
+++ ./plugins/sudoers/def_data.in	2020-01-14 15:53:40.512988105 +0100
@@ -375,3 +375,7 @@ cmnd_no_wait
 runas_allow_unknown_id
 	T_FLAG
 	"Allow the use of unknown runas user and/or group ID"
+runas_check_shell
+	T_FLAG
+	"Only permit running commands as a user with a valid shell"
+
diff -up ./plugins/sudoers/sudoers.c.CVE-2019-19234 ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.CVE-2019-19234	2020-01-14 15:53:40.505988057 +0100
+++ ./plugins/sudoers/sudoers.c	2020-01-14 15:53:40.512988105 +0100
@@ -273,7 +273,7 @@ sudoers_policy_main(int argc, char * con
 	/* Not an audit event. */
 	sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
 	goto bad;
-    }    
+    }
 
     if (!set_perms(PERM_INITIAL))
 	goto bad;
@@ -412,6 +412,13 @@ sudoers_policy_main(int argc, char * con
 	goto bad;
     }
 
+    /* Check runas user's shell. */
+    if (!check_user_shell(runas_pw)) {
+	log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
+	    runas_pw->pw_name, runas_pw->pw_shell);
+	goto bad;
+    }
+
     /*
      * We don't reset the environment for sudoedit or if the user
      * specified the -E command line flag and they have setenv privs.
diff -up ./plugins/sudoers/sudoers.h.CVE-2019-19234 ./plugins/sudoers/sudoers.h
--- ./plugins/sudoers/sudoers.h.CVE-2019-19234	2020-01-14 15:53:40.502988036 +0100
+++ ./plugins/sudoers/sudoers.h	2020-01-14 15:53:40.512988105 +0100
@@ -264,6 +264,7 @@ int find_path(const char *infile, char *
 
 /* check.c */
 int check_user(int validate, int mode);
+bool check_user_shell(const struct passwd *pw);
 bool user_is_exempt(void);
 
 /* prompt.c */