sudoers entries should be prefixed with a digest spec

[jandubois]

Allowing password-less execution of /usr/local/bin/vde_vmnet as root is a vulnerability when the user has non-sudo write access to /usr/local/bin (which is typically the case when using homebrew), because they could simply replace vde_vmnet with any other command or script and then execute that under root.

This can be mitigated by including a checksum of the executable in the sudo rule, e.g.

$ sha256sum /usr/local/bin/vde_vmnet
cabb4c8bac4a2923a1feb21f597ae6c8145de25e44f408b75ec254da6ffa09ce  /usr/local/bin/vde_vmnet

should lead to a rule such as (untested):

%staff ALL=(root:root) NOPASSWD:NOSETENV: sha256:cabb4c8bac4a2923a1feb21f597ae6c8145de25e44f408b75ec254da6ffa09ce /usr/local/bin/vde_vmnet --vmnet-gateway=192.168.105.1 /var/run/vde.ctl

[jandubois]

Most compact supported checksum seems to be sha224 in base64 format:

$ openssl dgst -binary -sha224 /usr/local/bin/vde_vmnet | openssl base64
ZcbnYBmyNCQZGuamPvTkKBDoj4RXqZw/OyPHoA==

leading to

%staff ALL=(root:root) NOPASSWD:NOSETENV: sha224:ZcbnYBmyNCQZGuamPvTkKBDoj4RXqZw/OyPHoA== /usr/local/bin/vde_vmnet --vmnet-gateway=192.168.105.1 /var/run/vde.ctl

[AkihiroSuda]

Thanks, opened #20