CoCalc -- sudo_intercept.c

GitHub Repository: sudo-project/sudo
Path: blob/main/src/sudo_intercept.c
¹⁵³² views
1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 2021-2022 Todd C. Miller <[email protected]>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 */
18

19
#include <config.h>
20

21
#include <sys/types.h>
22
#include <sys/stat.h>
23
#include <sys/wait.h>
24

25
#include <errno.h>
26
#include <stdarg.h>
27
#include <stddef.h>
28
#include <stdio.h>
29
#include <stdlib.h>
30
#include <unistd.h>
31
#include <limits.h>
32
#include <string.h>
33
#include <signal.h>
34
#ifdef HAVE_STDBOOL_H
35
# include <stdbool.h>
36
#else
37
# include <compat/stdbool.h>
38
#endif /* HAVE_STDBOOL_H */
39
#if defined(HAVE_SHL_LOAD)
40
# include <dl.h>
41
#elif defined(HAVE_DLOPEN)
42
# include <dlfcn.h>
43
#endif
44
#ifdef HAVE_CRT_EXTERNS_H
45
# include <crt_externs.h>
46
#endif
47

48
#include <sudo_compat.h>
49
#include <sudo_debug.h>
50
#include <sudo_util.h>
51
#include <pathnames.h>
52

53
/* execl flavors */
54
#define SUDO_EXECL	0x0
55
#define SUDO_EXECLE	0x1
56
#define SUDO_EXECLP	0x2
57

58
#ifdef HAVE__NSGETENVIRON
59
# define environ (*_NSGetEnviron())
60
#else
61
extern char **environ;
62
#endif
63

64
extern bool command_allowed(const char *cmnd, char * const argv[], char * const envp[], char **ncmnd, char ***nargv, char ***nenvp);
65

66
typedef int (*sudo_fn_execve_t)(const char *, char *const *, char *const *);
67

68
static void
69
free_vector(char **vec)
70
{
71
    char **cur;
72
    debug_decl(free_vector, SUDO_DEBUG_EXEC);
73

74
    if (vec != NULL) {
75
	for (cur = vec; *cur != NULL; cur++) {
76
	    sudo_mmap_free(*cur);
77
	}
78
	sudo_mmap_free(vec);
79
    }
80

81
    debug_return;
82
}
83

84
static char **
85
copy_vector(char * const *src)
86
{
87
    char **copy;
88
    size_t i, len = 0;
89
    debug_decl(copy_vector, SUDO_DEBUG_EXEC);
90

91
    if (src != NULL) {
92
	while (src[len] != NULL)
93
	    len++;
94
    }
95
    copy = sudo_mmap_allocarray(len + 1, sizeof(char *));
96
    if (copy == NULL) {
97
	debug_return_ptr(NULL);
98
    }
99
    for (i = 0; i < len; i++) {
100
	copy[i] = sudo_mmap_strdup(src[i]);
101
	if (copy[i] == NULL) {
102
	    free_vector(copy);
103
	    debug_return_ptr(NULL);
104
	}
105
    }
106
    copy[i] = NULL;
107

108
    debug_return_ptr(copy);
109
}
110

111
/*
112
 * We do PATH resolution here rather than in the policy because we
113
 * want to use the PATH in the current environment.
114
 */
115
static bool
116
resolve_path(const char *cmnd, char *out_cmnd, size_t out_size)
117
{
118
    struct stat sb;
119
    int errval = ENOENT;
120
    char path[PATH_MAX];
121
    char **p, *cp, *endp;
122
    int dirlen, len;
123
    debug_decl(resolve_path, SUDO_DEBUG_EXEC);
124

125
    for (p = environ; (cp = *p) != NULL; p++) {
126
	if (strncmp(cp, "PATH=", sizeof("PATH=") - 1) == 0) {
127
	    cp += sizeof("PATH=") - 1;
128
	    break;
129
	}
130
    }
131
    if (cp == NULL) {
132
	errno = ENOENT;
133
	debug_return_bool(false);
134
    }
135

136
    endp = cp + strlen(cp);
137
    while (cp < endp) {
138
	char *colon = strchr(cp, ':');
139
	dirlen = colon ? (int)(colon - cp) : (int)(endp - cp);
140
	if (dirlen == 0) {
141
	    /* empty PATH component is the same as "." */
142
	    len = snprintf(path, sizeof(path), "./%s", cmnd);
143
	} else {
144
	    len = snprintf(path, sizeof(path), "%.*s/%s", dirlen, cp, cmnd);
145
	}
146
	cp = colon ? colon + 1 : endp;
147
	if (len >= ssizeof(path)) {
148
	    /* skip too long path */
149
	    errval = ENAMETOOLONG;
150
	    continue;
151
	}
152

153
	if (stat(path, &sb) == 0) {
154
	    if (!S_ISREG(sb.st_mode))
155
		continue;
156
	    if (strlcpy(out_cmnd, path, out_size) >= out_size) {
157
		errval = ENAMETOOLONG;
158
		break;
159
	    }
160
	    debug_return_bool(true);
161
	}
162
	switch (errno) {
163
	case EACCES:
164
	    errval = EACCES;
165
	    break;
166
	case ELOOP:
167
	case ENOTDIR:
168
	case ENOENT:
169
	    break;
170
	default:
171
	    debug_return_bool(false);
172
	}
173
    }
174
    errno = errval;
175
    debug_return_bool(false);
176
}
177

178
static int
179
exec_wrapper(const char *cmnd, char * const argv[], char * const envp[],
180
    bool is_execvp)
181
{
182
    char *cmnd_copy = NULL, **argv_copy = NULL, **envp_copy = NULL;
183
    char *ncmnd = NULL, **nargv = NULL, **nenvp = NULL;
184
    char cmnd_buf[PATH_MAX];
185
    void *fn = NULL;
186
    debug_decl(exec_wrapper, SUDO_DEBUG_EXEC);
187

188
    if (cmnd == NULL) {
189
	errno = EINVAL;
190
	debug_return_int(-1);
191
    }
192

193
    /* Only check PATH for the command for execlp/execvp/execvpe. */
194
    if (strchr(cmnd, '/') == NULL) {
195
	if (!is_execvp) {
196
	    errno = ENOENT;
197
	    goto bad;
198
	}
199
	if (!resolve_path(cmnd, cmnd_buf, sizeof(cmnd_buf))) {
200
	    goto bad;
201
	}
202
	cmnd = cmnd_buf;
203
    } else {
204
	struct stat sb;
205

206
	/* Absolute or relative path name. */
207
	if (stat(cmnd, &sb) == -1) {
208
	    /* Leave errno unchanged. */
209
	    goto bad;
210
	} else if (!S_ISREG(sb.st_mode)) {
211
	    errno = EACCES;
212
	    goto bad;
213
	}
214
    }
215

216
    /*
217
     * Make copies of cmnd, argv, and envp.
218
     */
219
    cmnd_copy = sudo_mmap_strdup(cmnd);
220
    if (cmnd_copy == NULL) {
221
	debug_return_int(-1);
222
    }
223
    sudo_mmap_protect(cmnd_copy);
224
    cmnd = cmnd_copy;
225

226
    argv_copy = copy_vector(argv);
227
    if (argv_copy == NULL) {
228
	goto bad;
229
    }
230
    sudo_mmap_protect(argv_copy);
231
    argv = argv_copy;
232

233
    envp_copy = copy_vector(envp);
234
    if (envp_copy == NULL) {
235
	goto bad;
236
    }
237
    sudo_mmap_protect(envp_copy);
238
    envp = envp_copy;
239

240
# if defined(HAVE___INTERPOSE)
241
    fn = execve;
242
# elif defined(HAVE_DLOPEN)
243
    fn = dlsym(RTLD_NEXT, "execve");
244
# elif defined(HAVE_SHL_LOAD)
245
    fn = sudo_shl_get_next("execve", TYPE_PROCEDURE);
246
# endif
247
    if (fn == NULL) {
248
        errno = EACCES;
249
	goto bad;
250
    }
251

252
    if (command_allowed(cmnd, argv, envp, &ncmnd, &nargv, &nenvp)) {
253
	/* Execute the command using the "real" execve() function. */
254
	((sudo_fn_execve_t)fn)(ncmnd, nargv, nenvp);
255

256
	/* Fall back to exec via shell for execvp and friends. */
257
	if (errno == ENOEXEC && is_execvp) {
258
	    int argc;
259
	    const char **shargv;
260

261
	    for (argc = 0; argv[argc] != NULL; argc++)
262
		continue;
263
	    shargv = sudo_mmap_allocarray((size_t)argc + 2, sizeof(char *));
264
	    if (shargv == NULL)
265
		goto bad;
266
	    shargv[0] = "sh";
267
	    shargv[1] = ncmnd;
268
	    memcpy(shargv + 2, nargv + 1, (size_t)argc * sizeof(char *));
269
	    ((sudo_fn_execve_t)fn)(_PATH_SUDO_BSHELL, (char **)shargv, nenvp);
270
	    sudo_mmap_free(shargv);
271
	}
272
    } else {
273
	errno = EACCES;
274
    }
275

276
bad:
277
    sudo_mmap_free(cmnd_copy);
278
    if (ncmnd != cmnd_copy)
279
	sudo_mmap_free(ncmnd);
280
    free_vector(argv_copy);
281
    if (nargv != argv_copy)
282
	free_vector(nargv);
283
    free_vector(envp_copy);
284
    /* Leaks allocated preload vars. */
285
    if (nenvp != envp_copy)
286
	sudo_mmap_free(nenvp);
287

288
    debug_return_int(-1);
289
}
290

291
static int
292
execl_wrapper(int type, const char *name, const char *arg, va_list ap)
293
{
294
    char * const *envp = environ;
295
    char **argv;
296
    int argc = 1;
297
    va_list ap2;
298
    debug_decl(execl_wrapper, SUDO_DEBUG_EXEC);
299

300
    if (name == NULL || arg == NULL) {
301
	errno = EINVAL;
302
	debug_return_int(-1);
303
    }
304

305
    va_copy(ap2, ap);
306
    while (va_arg(ap2, char *) != NULL)
307
	argc++;
308
    va_end(ap2);
309
    argv = sudo_mmap_allocarray((size_t)argc + 1, sizeof(char *));
310
    if (argv == NULL)
311
	debug_return_int(-1);
312

313
    argc = 0;
314
    argv[argc++] = (char *)arg;
315
    while ((argv[argc] = va_arg(ap, char *)) != NULL)
316
	argc++;
317
    if (type == SUDO_EXECLE)
318
	envp = va_arg(ap, char **);
319

320
    exec_wrapper(name, argv, envp, type == SUDO_EXECLP);
321
    sudo_mmap_free(argv);
322

323
    debug_return_int(-1);
324
}
325

326
static int
327
system_wrapper(const char *cmnd)
328
{
329
    const char * const argv[] = { "sh", "-c", cmnd, NULL };
330
    const char shell[] = _PATH_SUDO_BSHELL;
331
    struct sigaction saveint, savequit, sa;
332
    sigset_t mask, omask;
333
    pid_t child;
334
    int status;
335
    debug_decl(system_wrapper, SUDO_DEBUG_EXEC);
336

337
    /* Special case for NULL command, just check whether shell exists. */
338
    if (cmnd == NULL)
339
	debug_return_int(access(shell, X_OK) == 0);
340

341
    /* First, block signals to avoid potential race conditions. */
342
    sigemptyset(&mask);
343
    sigaddset(&mask, SIGCHLD);
344
    sigaddset(&mask, SIGINT);
345
    sigaddset(&mask, SIGQUIT);
346
    if (sigprocmask(SIG_BLOCK, &mask, &omask) == -1)
347
	debug_return_int(-1);
348

349
    switch (child = fork()) {
350
    case -1:
351
	/* error */
352
	(void)sigprocmask(SIG_SETMASK, &omask, NULL);
353
	debug_return_int(-1);
354
    case 0:
355
	/* child */
356
	if (sigprocmask(SIG_SETMASK, &omask, NULL) != -1)
357
	    exec_wrapper(shell, (char **)argv, environ, false);
358
	_exit(127);
359
    default:
360
	/* parent */
361
	break;
362
    }
363

364
    /* We must ignore SIGINT and SIGQUIT until the command finishes. */
365
    memset(&sa, 0, sizeof(sa));
366
    sigemptyset(&sa.sa_mask);
367
    sa.sa_handler = SIG_IGN;
368
    (void)sigaction(SIGINT, &sa, &saveint);
369
    (void)sigaction(SIGQUIT, &sa, &savequit);
370
    sigemptyset(&mask);
371
    sigaddset(&mask, SIGINT);
372
    sigaddset(&mask, SIGQUIT);
373
    (void)sigprocmask(SIG_UNBLOCK, &mask, NULL);
374

375
    for (;;) {
376
	if (waitpid(child, &status, 0) == -1) {
377
	    if (errno == EINTR)
378
		continue;
379
	    status = -1;
380
	}
381
	break;
382
    }
383

384
    /* Restore signal mask and handlers. */
385
    (void)sigprocmask(SIG_SETMASK, &omask, NULL);
386
    (void)sigaction(SIGINT, &saveint, NULL);
387
    (void)sigaction(SIGQUIT, &savequit, NULL);
388

389
    debug_return_int(status);
390
}
391

392
#ifdef HAVE___INTERPOSE
393
/*
394
 * Mac OS X 10.4 and above has support for library symbol interposition.
395
 * There is a good explanation of this in the Mac OS X Internals book.
396
 */
397
typedef struct interpose_s {
398
    void *new_func;
399
    void *orig_func;
400
} interpose_t;
401

402
static int
403
my_system(const char *cmnd)
404
{
405
    return system_wrapper(cmnd);
406
}
407

408
static int
409
my_execve(const char *cmnd, char * const argv[], char * const envp[])
410
{
411
    return exec_wrapper(cmnd, argv, envp, false);
412
}
413

414
static int
415
my_execv(const char *cmnd, char * const argv[])
416
{
417
    return exec_wrapper(cmnd, argv, environ, false);
418
}
419

420
#ifdef HAVE_EXECVPE
421
static int
422
my_execvpe(const char *cmnd, char * const argv[], char * const envp[])
423
{
424
    return exec_wrapper(cmnd, argv, envp, true);
425
}
426
#endif
427

428
static int
429
my_execvp(const char *cmnd, char * const argv[])
430
{
431
    return exec_wrapper(cmnd, argv, environ, true);
432
}
433

434
static int
435
my_execl(const char *name, const char *arg, ...)
436
{
437
    va_list ap;
438

439
    va_start(ap, arg);
440
    execl_wrapper(SUDO_EXECL, name, arg, ap);
441
    va_end(ap);
442

443
    return -1;
444
}
445

446
static int
447
my_execle(const char *name, const char *arg, ...)
448
{
449
    va_list ap;
450

451
    va_start(ap, arg);
452
    execl_wrapper(SUDO_EXECLE, name, arg, ap);
453
    va_end(ap);
454

455
    return -1;
456
}
457

458
static int
459
my_execlp(const char *name, const char *arg, ...)
460
{
461
    va_list ap;
462

463
    va_start(ap, arg);
464
    execl_wrapper(SUDO_EXECLP, name, arg, ap);
465
    va_end(ap);
466

467
    return -1;
468
}
469

470
/* Magic to tell dyld to do symbol interposition. */
471
__attribute__((__used__)) static const interpose_t interposers[]
472
__attribute__((__section__("__DATA,__interpose"))) = {
473
    { (void *)my_system, (void *)system },
474
    { (void *)my_execl, (void *)execl },
475
    { (void *)my_execle, (void *)execle },
476
    { (void *)my_execlp, (void *)execlp },
477
    { (void *)my_execv, (void *)execv },
478
    { (void *)my_execve, (void *)execve },
479
    { (void *)my_execvp, (void *)execvp },
480
#ifdef HAVE_EXECVPE
481
    { (void *)my_execvpe, (void *)execvpe }
482
#endif
483
};
484

485
#else /* HAVE___INTERPOSE */
486

487
# if defined(HAVE_SHL_LOAD)
488
static void *
489
sudo_shl_get_next(const char *symbol, short type)
490
{
491
    const char *name, *myname;
492
    struct shl_descriptor *desc;
493
    void *fn = NULL;
494
    int idx = 0;
495
    debug_decl(sudo_shl_get_next, SUDO_DEBUG_EXEC);
496

497
    /* Search for symbol but skip this shared object. */
498
    /* XXX - could be set to a different path in sudo.conf */
499
    myname = sudo_basename(_PATH_SUDO_INTERCEPT);
500
    while (shl_get(idx++, &desc) == 0) {
501
        name = sudo_basename(desc->filename);
502
        if (strcmp(name, myname) == 0)
503
            continue;
504
        if (shl_findsym(&desc->handle, symbol, type, &fn) == 0)
505
            break;
506
    }
507

508
    debug_return_ptr(fn);
509
}
510
# endif /* HAVE_SHL_LOAD */
511

512
sudo_dso_public int system(const char *cmnd);
513
sudo_dso_public int execve(const char *cmnd, char * const argv[], char * const envp[]);
514
sudo_dso_public int execv(const char *cmnd, char * const argv[]);
515
#ifdef HAVE_EXECVPE
516
sudo_dso_public int execvpe(const char *cmnd, char * const argv[], char * const envp[]);
517
#endif
518
sudo_dso_public int execvp(const char *cmnd, char * const argv[]);
519
sudo_dso_public int execl(const char *name, const char *arg, ...);
520
sudo_dso_public int execle(const char *name, const char *arg, ...);
521
sudo_dso_public int execlp(const char *name, const char *arg, ...);
522

523
int
524
system(const char *cmnd)
525
{
526
    return system_wrapper(cmnd);
527
}
528

529
int
530
execve(const char *cmnd, char * const argv[], char * const envp[])
531
{
532
    return exec_wrapper(cmnd, argv, envp, false);
533
}
534

535
int
536
execv(const char *cmnd, char * const argv[])
537
{
538
    return execve(cmnd, argv, environ);
539
}
540

541
#ifdef HAVE_EXECVPE
542
int
543
execvpe(const char *cmnd, char * const argv[], char * const envp[])
544
{
545
    return exec_wrapper(cmnd, argv, envp, true);
546
}
547
#endif
548

549
int
550
execvp(const char *cmnd, char * const argv[])
551
{
552
    return exec_wrapper(cmnd, argv, environ, true);
553
}
554

555
int
556
execl(const char *name, const char *arg, ...)
557
{
558
    va_list ap;
559

560
    va_start(ap, arg);
561
    execl_wrapper(SUDO_EXECL, name, arg, ap);
562
    va_end(ap);
563

564
    return -1;
565
}
566

567
int
568
execle(const char *name, const char *arg, ...)
569
{
570
    va_list ap;
571

572
    va_start(ap, arg);
573
    execl_wrapper(SUDO_EXECLE, name, arg, ap);
574
    va_end(ap);
575

576
    return -1;
577
}
578

579
int
580
execlp(const char *name, const char *arg, ...)
581
{
582
    va_list ap;
583

584
    va_start(ap, arg);
585
    execl_wrapper(SUDO_EXECLP, name, arg, ap);
586
    va_end(ap);
587

588
    return -1;
589
}
590
#endif /* HAVE___INTERPOSE) */
591

592
Product

Resources

Company
