diff options
Diffstat (limited to 'src/Core/Unix/CoreService.cpp')
| -rw-r--r-- | src/Core/Unix/CoreService.cpp | 48 |
1 files changed, 37 insertions, 11 deletions
diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp index e4b75dd3..dc2f4e6b 100644 --- a/src/Core/Unix/CoreService.cpp +++ b/src/Core/Unix/CoreService.cpp @@ -4,7 +4,7 @@ by the TrueCrypt License 3.0. Modifications and additions to the original source code (contained in this file) - and all other portions of this file are Copyright (c) 2013-2017 IDRIX + and all other portions of this file are Copyright (c) 2013-2025 IDRIX and are governed by the Apache License 2.0 the full text of which is contained in the file License.txt included in VeraCrypt binary and source code distribution packages. @@ -99,6 +99,11 @@ namespace VeraCrypt { shared_ptr <CoreServiceRequest> request = Serializable::DeserializeNew <CoreServiceRequest> (inputStream); + // Update Core properties based on the received request + Core->SetUserEnvPATH (request->UserEnvPATH); + Core->ForceUseDummySudoPassword(request->UseDummySudoPassword); + Core->SetAllowInsecureMount(request->AllowInsecureMount); + try { // ExitRequest @@ -283,24 +288,34 @@ namespace VeraCrypt static Mutex mutex; ScopeLock lock (mutex); + // Copy Core properties to the request so that they can be transferred to the elevated process + request.ApplicationExecutablePath = Core->GetApplicationExecutablePath(); + request.UserEnvPATH = Core->GetUserEnvPATH(); + request.UseDummySudoPassword = Core->GetUseDummySudoPassword(); + request.AllowInsecureMount = Core->GetAllowInsecureMount(); + if (request.RequiresElevation()) { request.ElevateUserPrivileges = true; request.FastElevation = !ElevatedServiceAvailable; - request.ApplicationExecutablePath = Core->GetApplicationExecutablePath(); - + while (!ElevatedServiceAvailable) { // Test if the user has an active "sudo" session. bool authCheckDone = false; if (!Core->GetUseDummySudoPassword ()) { - // sudo man page: "If the -l option was specified without a command, sudo, will exit - // with a value of 0 if the user is allowed to run sudo, and they authenticated successfully" // We are using -n to avoid prompting the user for a password. // We are redirecting stderr to stdout and discarding both to avoid any output. // This approach also works on newer macOS versions (12.0 and later). - FILE* pipe = popen("sudo -n -l > /dev/null 2>&1", "r"); // redirect stderr to stdout and discard both. + std::string errorMsg; + + string sudoAbsolutePath = Process::FindSystemBinary("sudo", errorMsg); + if (sudoAbsolutePath.empty()) + throw SystemException(SRC_POS, errorMsg); + + std::string popenCommand = sudoAbsolutePath + " -n true > /dev/null 2>&1"; // We redirect stderr to stdout (2>&1) to be able to catch the result of the command + FILE* pipe = popen(popenCommand.c_str(), "r"); if (pipe) { // We only care about the exit code @@ -396,15 +411,26 @@ namespace VeraCrypt { try { + // Throw exception if sudo is not found in secure locations + std::string errorMsg; + string sudoPath = Process::FindSystemBinary("sudo", errorMsg); + if (sudoPath.empty()) + throw SystemException(SRC_POS, errorMsg); + + string appPath = request.ApplicationExecutablePath; + // if appPath is empty or not absolute, use FindSystemBinary to get the full path of veracrpyt executable + if (appPath.empty() || appPath[0] != '/') + { + appPath = Process::FindSystemBinary("veracrypt", errorMsg); + if (appPath.empty()) + throw SystemException(SRC_POS, errorMsg); + } + throw_sys_if (dup2 (inPipe->GetReadFD(), STDIN_FILENO) == -1); throw_sys_if (dup2 (outPipe->GetWriteFD(), STDOUT_FILENO) == -1); throw_sys_if (dup2 (errPipe.GetWriteFD(), STDERR_FILENO) == -1); - string appPath = request.ApplicationExecutablePath; - if (appPath.empty()) - appPath = "veracrypt"; - - const char *args[] = { "sudo", "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr }; + const char *args[] = { sudoPath.c_str(), "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr }; execvp (args[0], ((char* const*) args)); throw SystemException (SRC_POS, args[0]); } |