[sudo-workers] Re: closing all the file descriptors
Anthony Iano-Fletcher
Anthony.Iano-Fletcher at nih.gov
Fri Dec 10 10:21:06 EST 2004
On 09 Dec 2004 at 17:27:47, Todd C. Miller wrote:
> so spake Anthony Iano-Fletcher (Anthony.Iano-Fletcher):
>
> > There is a way to pass such info via file descriptor 3, but sudo
> > closes all its file descriptors greater than stderr (2). Would a patch
> > to add an option to change this behaviour be accepted? I'll happily make
> > such a patch.
>
> This is fairly easy to do. What would you suggest as a command
> line option for this. Maybe -O for "keep open"?
>
> - todd
-O sounds good. Perhaps it should have an argument which is the upper
limit of file descriptors to keep open (such as -O 4). This would
limit the side effects but allow for a variable number of extra
side-bands.
What would be the security implications of allowing any user to do this?
As I see it:
. the target user might be able to write some files previously
opened by the source user, but the source user needs to beware.
. the source user might know of a buffer overflow in some
command when reading a high file descriptor. Administrator
beware. Of course this is more likely for STDIN than anything
else.
Is a sudoers file flag required because of the latter issue?
Anthony.
--
Anthony R Iano-Fletcher
Room 2033, Building 12A, http://dcb.cit.nih.gov/~arif
National Institutes of Health, Anthony.Iano-Fletcher at nih.gov
12A South Drive, Bethesda, Phone: (+1) 301 402 1741.
MD 20892-5624, USA.
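The descriptor sweep discussed in this thread, as an added illustration that is not sudo's code: close_fds_above(2) is the current behaviour (everything above stderr goes), and close_fds_above(4) is what a hypothetical "-O 4" would do, leaving 3 and 4 open as side-band channels that the target user's command then inherits. The function names and the demo are constructed for this example; real implementations use closefrom(3) or close_range(2) where available.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Close every descriptor numbered above keep_max and return how many
 * were actually open.  keep_max = 2 keeps only stdin/stdout/stderr,
 * the default sweep; keep_max = 4 models the proposed "-O 4". */
int close_fds_above(int keep_max)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;            /* fallback when the limit is unknown */
    int closed = 0;
    for (long fd = keep_max + 1; fd < maxfd; fd++) {
        if (close((int)fd) == 0) /* EBADF for never-opened slots */
            closed++;
    }
    return closed;
}

/* 1 if fd is an open descriptor in this process, 0 otherwise. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Constructed scenario: create a pipe so two descriptors above stderr
 * exist (3 and 4 once nothing else is open), run the sweep with the
 * given keep_max, and report how many pipe ends survive.  Whatever
 * survives is exactly what the target user's command would inherit. */
int demo(int keep_max)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    close_fds_above(keep_max);
    int survivors = fd_is_open(p[0]) + fd_is_open(p[1]);
    close(p[0]);                 /* tidy up anything still open */
    close(p[1]);
    return survivors;
}

int main(void)
{
    printf("default sweep keeps %d pipe ends\n", demo(2));
    printf("-O 4 sweep keeps %d pipe ends\n", demo(4));
    return 0;
}
```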