Revert pivot_root and go back to prepending the new root directory.

We cannot perform passwd/group lookups _after_ changing the root
directory.  This does mean that symbolic links in a path are not
currently handled properly when matching chroot()ed commands.

Fixes a local privilege escalation vulnerability where a user could
craft their own nsswitch.conf file to load a shared library of their
choosing and run arbitrary code.  CVE-2025-32463

Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).

Author: millert

MANIFEST

@@ -687,8 +687,6 @@ plugins/sudoers/mkdefaults
 plugins/sudoers/parse.h
 plugins/sudoers/parse_ldif.c
 plugins/sudoers/parser_warnx.c
-plugins/sudoers/pivot.c
-plugins/sudoers/pivot.h
 plugins/sudoers/po/README
 plugins/sudoers/po/ast.mo
 plugins/sudoers/po/ast.po

plugins/sudoers/Makefile.in

@@ -147,7 +147,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
 	goto oom;
 
     /* If we can't find the editor in the user's PATH, give up. */
-    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"),
+    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
 	    false, allowlist) != FOUND) {
 	errno = ENOENT;
 	goto bad;

plugins/sudoers/editor.c

@@ -43,14 +43,14 @@
  * On failure, returns false.
  */
 static bool
-cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
-    char * const *allowlist)
+cmnd_allowed(char *cmnd, size_t cmnd_size, const char *runchroot,
+    struct stat *cmnd_sbp, char * const *allowlist)
 {
     const char *cmnd_base;
     char * const *al;
     debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL);
 
-    if (!sudo_goodpath(cmnd, cmnd_sbp))
+    if (!sudo_goodpath(cmnd, runchroot, cmnd_sbp))
 	debug_return_bool(false);
 
     if (allowlist == NULL)
@@ -67,7 +67,7 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
 	if (strcmp(cmnd_base, base) != 0)
 	    continue;
 
-	if (sudo_goodpath(path, &sb) &&
+	if (sudo_goodpath(path, runchroot, &sb) &&
 	    sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) {
 	    /* Overwrite cmnd with safe version from allowlist. */
 	    if (strlcpy(cmnd, path, cmnd_size) < cmnd_size)
@@ -87,7 +87,8 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
  */
 int
 find_path(const char *infile, char **outfile, struct stat *sbp,
-    const char *path, bool ignore_dot, char * const *allowlist)
+    const char *path, const char *runchroot, bool ignore_dot,
+    char * const *allowlist)
 {
     char command[PATH_MAX];
     const char *cp, *ep, *pathend;
@@ -108,7 +109,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
 	    errno = ENAMETOOLONG;
 	    debug_return_int(NOT_FOUND_ERROR);
 	}
-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
+	found = cmnd_allowed(command, sizeof(command), runchroot, sbp,
+	    allowlist);
 	goto done;
     }
 
@@ -137,7 +139,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
 	    errno = ENAMETOOLONG;
 	    debug_return_int(NOT_FOUND_ERROR);
 	}
-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
+	found = cmnd_allowed(command, sizeof(command), runchroot,
+	    sbp, allowlist);
 	if (found)
 	    break;
     }
@@ -151,7 +154,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
 	    errno = ENAMETOOLONG;
 	    debug_return_int(NOT_FOUND_ERROR);
 	}
-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
+	found = cmnd_allowed(command, sizeof(command), runchroot,
+	    sbp, allowlist);
 	if (found && ignore_dot)
 	    debug_return_int(NOT_FOUND_DOT);
     }

plugins/sudoers/find_path.c

@@ -39,13 +39,25 @@
  * Verify that path is a normal file and executable by root.
  */
 bool
-sudo_goodpath(const char *path, struct stat *sbp)
+sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp)
 {
     bool ret = false;
-    struct stat sb;
     debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL);
 
     if (path != NULL) {
+	char pathbuf[PATH_MAX];
+	struct stat sb;
+
+	if (runchroot != NULL) {
+	    /* XXX - handle symlinks and '..' in path outside chroot */
+	    const int len =
+		snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
+	    if (len >= ssizeof(pathbuf)) {
+		errno = ENAMETOOLONG;
+		goto done;
+	    }
+	    path = pathbuf; // -V507
+	}
 	if (sbp == NULL)
 	    sbp = &sb;
 
@@ -57,5 +69,6 @@ sudo_goodpath(const char *path, struct stat *sbp)
 		errno = EACCES;
 	}
     }
+done:
     debug_return_bool(ret);
 }