Release 0.2.7 (#1155)

Author: squell

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## [0.2.7] - 2025-07-01
+
+### Added
+- Linux kernels older than 5.9 are now supported.
+- Support for `Defaults noexec`/`NOEXEC:` on Linux systems based on seccomp
+  filtering to prevent shell escapes in wide range of cases. This should also
+  work on programs not written in C and statically linked executables.
+- Support for `passwd_timeout`
+- Support for `umask` and `umask_override`
+- `--preserve-env=VAR` is now supported to preserve selected environment
+  variables in a more convenient way
+
+### Changed
+- sudo-rs now uses CLOEXEC to close open file descriptors in the child process
+- Relative paths like `./` in `secure_path`/`PATH` are now ignored.
+- `apparmor.so` is dynamically loaded by sudo itself, as-needed
+
+### Fixed
+- Usernames that start with `_` or have non-western characters were not supported
+  as a valid username in /etc/sudoers (#1149)
+- Other usability improvements in /etc/sudoers (#1117, #1126, #1134, #1157)
+
 ## [0.2.6] - 2025-05-06
 
 ### Added

Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "sudo-rs"
 description = "A memory safe implementation of sudo and su."
-version = "0.2.6"
+version = "0.2.7"
 license = "Apache-2.0 OR MIT"
 edition = "2021"
 repository = "https://github.com/trifectatechfoundation/sudo-rs"

Cargo.toml

@@ -51,11 +51,11 @@ We currently only offer these for x86-64 systems.
 We recommend installing sudo-rs and su-s in your `/usr/local` hierarchy so it can co-exist with
 your existing sudo installation. You can achieve this using the commands:
 ```sh
-sudo tar -C /usr/local -xvf sudo-0.2.6.tar.gz
+sudo tar -C /usr/local -xvf sudo-0.2.7.tar.gz
 ```
 and for su-rs:
 ```sh
-sudo tar -C /usr/local -xvf su-0.2.6.tar.gz
+sudo tar -C /usr/local -xvf su-0.2.7.tar.gz
 ```
 This will install sudo-rs and su-rs in `/usr/local/bin` using the usual commands `sudo` and `su`; it
 will also install our version of `visudo` in that location.

README.md

@@ -1,6 +1,6 @@
 .\" Automatically generated by Pandoc 3.6.3
 .\"
-.TH "SU" "1" "" "sudo\-rs 0.2.6" "sudo\-rs"
+.TH "SU" "1" "" "sudo\-rs 0.2.7" "sudo\-rs"
 .SH NAME
 \f[CR]su\f[R] \- run a shell or command as another user
 .SH SYNOPSIS

docs/man/su.1.man

@@ -1,5 +1,5 @@
 ---
-title: SU(1) sudo-rs 0.2.6 | sudo-rs
+title: SU(1) sudo-rs 0.2.7 | sudo-rs
 ---
 
 # NAME

docs/man/su.1.md

@@ -1,6 +1,6 @@
 .\" Automatically generated by Pandoc 3.6.3
 .\"
-.TH "SUDO" "8" "" "sudo\-rs 0.2.6" "sudo\-rs"
+.TH "SUDO" "8" "" "sudo\-rs 0.2.7" "sudo\-rs"
 .SH NAME
 \f[CR]sudo\f[R] \- execute a command as another user
 .SH SYNOPSIS
@@ -108,8 +108,8 @@ The following percent (`%') escape sequences are supported:
 .PP
 The custom prompt will override the default prompt or the one specified
 by the SUDO_PROMPT environment variable.
-No \f[I]prompt\f[R] will suppress the the prompt provided by PAM, unless
-the requested \f[I]prompt\f[R] is empty (\f[CR]\[dq]\[dq]\f[R])
+No \f[I]prompt\f[R] will suppress the prompt provided by PAM, unless the
+requested \f[I]prompt\f[R] is empty (\f[CR]\[dq]\[dq]\f[R])
 .RE
 .TP
 \f[CR]\-S\f[R], \f[CR]\-\-stdin\f[R]

docs/man/sudo.8.man

@@ -1,5 +1,5 @@
 ---
-title: SUDO(8) sudo-rs 0.2.6 | sudo-rs
+title: SUDO(8) sudo-rs 0.2.7 | sudo-rs
 ---
 
 # NAME

docs/man/sudo.8.md

@@ -366,7 +366,9 @@ parameters.
 
  Chdir_Spec ::= \[aq]CWD=directory\[aq]
 
- Tag_Spec ::= (\[aq]PASSWD:\[aq] | \[aq]NOPASSWD:\[aq] | \[aq]SETENV:\[aq] | \[aq]NOSETENV:\[aq])
+ Tag_Spec ::= (\[aq]PASSWD:\[aq] | \[aq]NOPASSWD:\[aq] |
+               \[aq]SETENV:\[aq] | \[aq]NOSETENV:\[aq]
+               \[aq]EXEC:\[aq]   | \[aq]NOEXEC\[aq])
 
  AppArmor_Spec ::= \[aq]APPARMOR_PROFILE=profile\[aq]
 .EE
@@ -493,6 +495,19 @@ NOSETENV.
 Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List,
 inherit the tag unless it is overridden by the opposite tag (in other
 words, PASSWD overrides NOPASSWD and NOSETENV overrides SETENV).
+.SS EXEC and NOEXEC
+On Linux systems, the NOEXEC tag can be used to prevent an executable
+from running further commands itself.
+.PP
+In the following example, user aaron may run /usr/bin/more and
+/usr/bin/vi but shell escapes will be disabled.
+.IP
+.EX
+    aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.EE
+.PP
+See the Preventing shell escapes section below for more details on how
+NOEXEC works and whether or not it suits your purpose.
 .SS PASSWD and NOPASSWD
 By default, sudo requires that a user authenticate before running a
 command.
@@ -697,6 +712,16 @@ A list of all supported Defaults parameters, grouped by type, are listed
 below.
 .SS Boolean Flags:
 .IP \[bu] 2
+noexec
+.RS 2
+.PP
+If set, all commands run via sudo will behave as if the NOEXEC tag has
+been set, unless overridden by an EXEC tag.
+See the description of EXEC and NOEXEC as well as the Preventing shell
+escapes section at the end of this manual.
+This flag is off by default.
+.RE
+.IP \[bu] 2
 env_editor
 .RS 2
 .PP
@@ -937,10 +962,23 @@ Common programs that permit shell escapes include shells (obviously),
 editors, paginators (such as \f[I]less\f[R]), mail, and terminal
 programs.
 .PP
-sudo\-rs currently doesn\[cq]t offer Todd Miller\[cq]s sudo\[cq]s
-protection mechanisms; i.e.\ be very careful that when a user is not
-supposed to receive shell access, that the commands that they have
-access to does not allow escaping to the shell.
+On Linux, sudo\-rs has sudo\[cq]s \f[B]noexec* functionality, based on a
+seccomp() filter.
+Programs that are run in \f[R]noexec** mode cannot run other programs.
+The implementation in sudo\-rs is different than in Todd Miller\[cq]s
+sudo, and should also work on statically linked binaries.
+.PP
+Note that restricting shell escapes is not a panacea.
+Programs running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead to
+unintended privilege escalation.
+NOEXEC is also not a protection against malicious programs.
+It doesn\[cq]t prevent mapping memory as executable, nor does it protect
+against future syscalls that can do an exec() like the proposed
+\f[CR]io_uring\f[R] exec feature in Linux.
+And it also doesn\[cq]t protect against honest programs that
+intentionally or not allow the user to write to /proc/self/mem for the
+same reasons as that it doesn\[cq]t protect against malicious programs.
 .SS Timestamp file checks
 sudo\-rs will check the ownership of its timestamp directory
 (/run/sudo/ts by default) and ignore the directory\[cq]s contents if it

docs/man/sudoers.5.man

@@ -1,6 +1,6 @@
 .\" Automatically generated by Pandoc 3.6.3
 .\"
-.TH "VISUDO" "8" "" "sudo\-rs 0.2.6" "sudo\-rs"
+.TH "VISUDO" "8" "" "sudo\-rs 0.2.7" "sudo\-rs"
 .SH NAME
 \f[CR]visudo\f[R] \- safely edit the sudoers file
 .SH SYNOPSIS

docs/man/visudo.8.man

@@ -1,5 +1,5 @@
 ---
-title: VISUDO(8) sudo-rs 0.2.6 | sudo-rs
+title: VISUDO(8) sudo-rs 0.2.7 | sudo-rs
 ---
 
 # NAME

docs/man/visudo.8.md

@@ -14,7 +14,7 @@ DATE=$(grep -m1 '^##' "$PROJECT_DIR"/CHANGELOG.md | grep -o '[0-9]\{4\}-[0-9]\{2
 # Build binaries
 docker build --pull --tag "$BUILDER_IMAGE_TAG" --file "$SCRIPT_DIR/Dockerfile-release" "$SCRIPT_DIR"
 docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo clean
-docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo build --release --features pam-login
+docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo build --release --features pam-login,apparmor
 
 # Generate man pages
 "$PROJECT_DIR/util/generate-docs.sh"
@@ -64,7 +64,7 @@ EOF
 mkdir -p "$target_dir_su/bin"
 mkdir -p "$target_dir_su/share/man/man1"
 cp "$PROJECT_DIR/target/release/su" "$target_dir_su/bin/su"
-cp "$PROJECT_DIR/target/docs/man/su.1" "$target_dir_su/share/man/man1/su.1"
+cp "$PROJECT_DIR/docs/man/su.1.man" "$target_dir_su/share/man/man1/su.1"
 mkdir -p "$target_dir_su/share/doc/sudo-rs/su"
 cp "$PROJECT_DIR/README.md" "$target_dir_su/share/doc/sudo-rs/su/README.md"
 cp "$PROJECT_DIR/CHANGELOG.md" "$target_dir_su/share/doc/sudo-rs/su/CHANGELOG.md"