sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Ask question: How to use the sudo -C parameter of version 1.8.29 #317

Closed rtczza closed 1 year ago

rtczza commented 1 year ago

The -C parameter is described as follows:

Close all file descriptors greater than or equal to num before executing a command. 
Values less than three are not permitted. 
By default, sudo will close all open file descriptors other than standard input, standard output, and standard error when executing a command. 
The security policy may restrict the user's ability to use this option. 
The sudoers policy only permits use of the -C option when the administrator has enabled the [closefrom_override](https://www.sudo.ws/docs/man/sudo.man/#closefrom_override) option.

Using the following command, I first create 2 fds and then use sudo -C, and there is no difference when using the -C parameter.

[test@localhost sudo]$ cat 1.txt 
111111111
[test@localhost sudo]$ cat 2.txt 
222222222
[test@localhost sudo]$ exec 4<>1.txt && echo $$ &&  exec 5<>2.txt && ls /proc/`echo $$`/fd -l && echo $$  && sudo -C 4 echo $$ &&  ls /proc/`echo $$`/fd -l && echo $$
2047801
total consumption 0
lrwx------. 1 test test 64 10月 19 08:53 0 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:53 1 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:53 2 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:55 255 -> /dev/pts/10
lr-x------. 1 test test 64 10月 19 08:53 3 -> /var/lib/sss/mc/passwd
lrwx------. 1 test test 64 10月 19 08:53 4 -> /home/test/sudo/1.txt
lrwx------. 1 test test 64 10月 19 08:55 5 -> /home/test/sudo/2.txt
2047801
[sudo] test passwd:
2047801
total consumption  0
lrwx------. 1 test test 64 10月 19 08:53 0 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:53 1 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:53 2 -> /dev/pts/10
lrwx------. 1 test test 64 10月 19 08:55 255 -> /dev/pts/10
lr-x------. 1 test test 64 10月 19 08:53 3 -> /var/lib/sss/mc/passwd
lrwx------. 1 test test 64 10月 19 08:53 4 -> /home/test/sudo/1.txt
lrwx------. 1 test test 64 10月 19 08:55 5 -> /home/test/sudo/2.txt
2047801
[test@localhost sudo]$ 

The question I want to ask you is how to use the -C parameter, or how to prove that the -C parameter works. What is the application scenario of the -C parameter?

Thank you very much and look forward to your reply.

millert commented 1 year ago

In your test you open fds 4-5 but then run "sudo -C 4" which closes fds 4 and up. Here's what I see with sudo 1.9.14p3:

$ exec 4<>/dev/null && exec 5<>/dev/null && ls /dev/fd
0  1  2  3  4  5
$ exec 4<>/dev/null && exec 5<>/dev/null && sudo ls /dev/fd
0  1  2  3
$ exec 4<>/dev/null && exec 5<>/dev/null && sudo -C 6 ls /dev/fd
0  1  2  3  4  5

The use case for the -C option is to be able to preserve inherited file descriptors that sudo would otherwise close. It is only allowed if sudoers has the closefrom_override option enabled for the invoking user.

rtczza commented 1 year ago

Thanks, I've already enabled closefrom_override in sudoers.

According to the command you provided, I have tested on 1.8.29, and the situation is the same as that of 1.9.14p3, which meets my expectations.

[test@localhost sudo]$ sudo -V
Sudo version 1.8.29
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.29
[test@localhost sudo]$ 
[test@localhost sudo]$ exec 4<>/dev/null && exec 5<>/dev/null && ls /dev/fd
0  1  2  3  4  5
[test@localhost sudo]$ exec 4<>/dev/null && exec 5<>/dev/null && sudo ls /dev/fd
0  1  2  3
[test@localhost sudo]$ 
[test@localhost sudo]$  exec 4<>/dev/null && exec 5<>/dev/null && sudo -C 5 ls /dev/fd
0  1  2  3  4
[test@localhost sudo]$ 

Thanks again

rtczza commented 1 year ago

but,

exec 4<>1.txt && echo $$ &&  exec 5<>2.txt && ls /proc/`echo $$`/fd -l && echo $$  && sudo -C 4 echo $$ &&  ls /proc/`echo $$`/fd -l && echo $$

Why doesn't it close fds 4 and up? I can't think it through clearly. I don't know what's wrong with it.

millert commented 1 year ago

In your example you are listing the file descriptors that are open in the shell, which is sudo's parent process. The fds are only closed in the sudo process itself and the command it runs, which in your example is echo. Changes in a child process do not affect the parent.
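
The parent/child point from the last reply, as an added example that is not part of the thread or the sudo project's code: a subshell stands in for sudo and the command it runs, so the script needs neither sudo nor `closefrom_override`. The helper names (`fd_open`, `open_among`, `close_from`, `child_view`, `parent_view_after_child`) are hypothetical, and `close_from` is an assumed stand-in for sudo closing every descriptor greater than or equal to num.

```shell
#!/bin/sh
# Added example: models the thread's fd behaviour without invoking sudo.
# close_from is a hypothetical stand-in for sudo closing every descriptor
# >= num in its own process before it runs the command.

# Succeed if descriptor $1 is open in the current process.
fd_open() { ( : >&"$1" ) 2>/dev/null; }

# Print which of the given descriptors are open, e.g. "4 5".
open_among() {
    out=""
    for fd in "$@"; do
        if fd_open "$fd"; then out="$out $fd"; fi
    done
    printf '%s\n' "${out# }"
}

# Close descriptors $1..9 (single digits keep the redirection portable).
close_from() {
    n=$1
    while [ "$n" -le 9 ]; do
        eval "exec $n>&-"
        n=$((n + 1))
    done
}

# Descriptors a command inherits after "close everything >= $1".
# The ( ... ) subshell is a child process, like sudo and its command.
child_view() { ( close_from "$1"; open_among 4 5 ); }

# The invoking shell's own descriptors, checked after the child ran.
parent_view_after_child() { child_view "$1" >/dev/null; open_among 4 5; }

# Constructed setup matching the thread: the shell holds fds 4 and 5.
exec 4<>/dev/null 5<>/dev/null

echo "default (closes >= 3), child sees: [$(child_view 3)]"
echo "like -C 4, child sees:            [$(child_view 4)]"
echo "like -C 5, child sees:            [$(child_view 5)]"
echo "like -C 6, child sees:            [$(child_view 6)]"
echo "parent shell after the -C 4 run:  [$(parent_view_after_child 4)]"
```

To see the effect with real sudo, list descriptors from inside the command, as `sudo -C 6 ls /dev/fd` does in the reply above, rather than listing the shell's `/proc/$$/fd`.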