[sudo-workers] Re: closing all the file descriptors

Anthony Iano-Fletcher Anthony.Iano-Fletcher at nih.gov
Fri Dec 10 10:21:06 EST 2004

On 09 Dec 2004 at 17:27:47, Todd C. Miller wrote:
> so spake Anthony Iano-Fletcher (Anthony.Iano-Fletcher):
> > There is a way to pass such info via file descriptor 3, but sudo
> > closes all its file descriptors greater than stderr (2). Would a patch
> > to add an option to change this behaviour be accepted? I'll happily make
> > such a patch.
> This is fairly easy to do.  What would you suggest as a command
> line option for this.  Maybe -O for "keep open"?
>  - todd

-O sounds good. Perhaps it should have an argument which is the upper
limit of file descriptors to keep open (such as -O 4).  This would
limit the side effects but allow for a variable number of extra

What would be the security implications of allowing any user to do this?
As I see it:
	. the targer user might be able to write some files previously
	opened by the source user, but the source user needs to beware.

	. the source user mmight know of a buffer overflow in some
	command when reading a high file descriptor. Administrator
	beware. Of course this is more likely for STDIN than anything

Is a sudoers file flag required because of the latter issue?


Anthony R Iano-Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  Anthony.Iano-Fletcher at nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.

More information about the sudo-workers mailing list