isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,830 Commits 1 Branch 0 Tags
main
Commit Graph

3874 Commits

Author SHA1 Message Date
isa
f7f0457b92 Initial realm_auth_sudo plugin commit
Some checks failed
CodeQL / Analyze (cpp) (push) Has been cancelled
Details
CodeQL / Analyze (python) (push) Has been cancelled
Details
CIFuzz / Fuzzing (push) Has been cancelled
Details
2025-02-11 23:06:36 -05:00
Todd C. Miller
27963e39f3 Pass "make spell" with updated codespell.
Some checks are pending
CodeQL / Analyze (cpp) (push) Waiting to run
Details
CodeQL / Analyze (python) (push) Waiting to run
Details
CIFuzz / Fuzzing (push) Waiting to run
Details
2024-04-29 09:19:52 -06:00
Todd C. Miller
e770c857f4 Fix copy and paste error in the fix for GitHub issue #369 
Fixes GitHub issue #371
 2024-04-28 08:13:52 -06:00
Todd C. Miller
c429220693 Store mulitple command digests of the same type as an array. 
Otherwise, we end up with duplicated keys in the object.
GitHub issue #370
 2024-04-25 09:27:04 -06:00
Todd C. Miller
78699a8f7a Call gettext() on insults when displayed, not when declared. 2024-04-22 08:15:39 -06:00
alberic89
8666c66ff1 Make insults translatable 2024-04-22 07:46:33 -06:00
Todd C. Miller
26ce75110f When converting CWD and CHROOT tags, store them as objects. 
Fixes GitHub issue #369
 2024-04-19 08:18:59 -06:00
Todd C. Miller
ecdf0c80f3 Add pam_silent sudoers option. 
Inspired by PR #368
GitHub issue #216
 2024-04-17 19:30:11 -06:00
Todd C. Miller
f0823c70c6 Remove offensive insults that were disabled by default anyway. 
Bug #1058
 2024-03-18 09:14:15 -06:00
Todd C. Miller
b6175b78ad Remove EVLOG_JSON, callers must use EVLOG_JSON_COMPACT or EVLOG_JSON_PRETTY 2024-03-09 11:42:07 -07:00
Todd C. Miller
46e31a74d7 Add "json_pretty" log format, currently the same as "json". 
In a future version, "json" will be an alias for "json_compact"
instead.  GitHub issue #357.
 2024-03-09 10:59:54 -07:00
Todd C. Miller
1debad3bec Add json_compact log type for compact/minified JSON. 
The "json_compact" log type logs one event per line in compact/minified
JSON format.  GitHub issue #357.
 2024-03-08 16:31:39 -07:00
Todd C. Miller
b3ade1c5f9 Fix typo 2024-03-08 13:58:36 -07:00
Todd C. Miller
602a58e86a Set SUDO_HOME to the invoking user's home directory. 
GitHub issue #358
 2024-03-08 09:15:36 -07:00
Todd C. Miller
72cee2fa25 Explicitly link check_symbols with zlib. 
Fixes a test failure on some systems when using sudo's built-in zlib.
 2024-02-29 12:41:36 -07:00
Todd C. Miller
81acb2bd7b Regenerate dependencies 2024-02-21 13:17:54 -07:00
Todd C. Miller
3944ab1fbe Use $(CPP) instead if $(CC) -E when buiding .i files from .c. 2024-02-21 12:31:50 -07:00
Rose
725d3fdc20 Prefer putchar over fputc where possible 
putchar is easier to understand than fputc and printf and does less work than those two do.
 2024-01-13 15:24:43 -07:00
Rose
7fc7d69532 Add restrict qualifiers to strlcpy_no_slash 
It's just strlcpy except it replaces '/' with '_'.
 2024-01-13 15:20:10 -07:00
Todd C. Miller
67e328d6f8 Only log "a password is required" for "sudo -n" if a command is specified. 
This means that it is not logged for "sudo -nv" and "sudo -nl".
We only log this message when sudo's -n flag is specified (and not
when the user presses ^C at the password prompt) so that there is
a record of failed non-interactive commands.
 2024-01-10 13:54:41 -07:00
Todd C. Miller
ff3dbe60b1 Update "!use_pty" example to only disable it for non-root users. 
Also add a commented out entry for "exec_background" which can also
be used to prevent sudo from consuming tty input.
Related to GitHub issue #338
 2024-01-08 14:16:29 -07:00
Todd C. Miller
e4057faca2 Properly handle sysconf(_SC_LOGIN_NAME_MAX) returning -1 on failure. 
The cast to size_t needs to be outside the MAX() macro or the -1
will get cast to unsigned.
 2023-12-28 09:00:49 -07:00
Todd C. Miller
ad4dc22d5a Automatically migrate lecture file path from name-based to uid-based. 
GitHub issue #342.
 2023-12-22 09:39:24 -07:00
Todd C. Miller
5fbf7a3625 Disable netgroup_query when netgroup_base is not set. 
The logic was inverted when support for netgroup_query was added.
This supercedes PR #341.
 2023-12-19 20:16:35 -07:00
Todd C. Miller
7019148160 Fix printing of warning when a Defaults setting is missing a value. 
This is a bug in parse_default_entry() introduced in sudo 1.8.19
when support for using the default syslog facility was added at the
wrong place in a switch().
 2023-12-16 08:08:44 -07:00
Todd C. Miller
f67a7e623e Sprinkle some more const in defaults.c. 2023-12-15 15:05:02 -07:00
Todd C. Miller
2df637b262 Fix evaluation of a tuple used in "true" boolean context. 
Previously, a tuple in boolean context was always treated as a
negated entry, which doesn't match the documentation.  We assume
that there are at least two tuple entries where the first maps to
boolean false and the second maps to boolean true.
 2023-12-15 14:57:59 -07:00
Todd C. Miller
fbc4c50d4d sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). 
Otherwise, processing will stop after the first sudoers nsswitch
service specification where [SUCCESS=return] is present.
 2023-12-15 10:45:22 -07:00
Todd C. Miller
de242c5738 Pass back Solaris privs as "runas_privs" and "runas_limitprivs". 
The "runas_" prefix got inadvertantly removed in the big sudoers_context
refactor.
 2023-12-11 13:31:56 -07:00
Todd C. Miller
d17e28ad61 setup_terminal: fix an editing error introduced in 1.9.15. 2023-12-07 07:27:06 -07:00
Todd C. Miller
0c2de39da3 command_matches_regex: retry with canonicalized path if possible 
If ctx->user.cmnd doesn't match, use ctx->user.cmnd_dir (if present)
to construct a canonicalized path and match on that.
 2023-12-06 10:27:57 -07:00
Todd C. Miller
44f0908e73 command_matches_fnmatch: retry with canonicalized path if possible 
If ctx->user.cmnd doesn't match, use ctx->user.cmnd_dir (if present)
to construct a canonicalized path and match on that.
 2023-12-04 18:35:08 -07:00
Todd C. Miller
8faf432499 Fall back to "localhost" if gethostname() fails. 
GitHub issue #332
 2023-12-04 09:21:56 -07:00
Todd C. Miller
8dd2967766 command_matches_glob: fix comparison of canonicalized parent directories 
Bug #1062
 2023-12-04 09:08:52 -07:00
Todd C. Miller
9c3eb2feca Add missing print_member_list_csv() return value check. 2023-12-01 15:14:59 -07:00
Todd C. Miller
79ed29c4a3 Check sudoers_debug_register() return value. 2023-12-01 15:00:08 -07:00
Todd C. Miller
77700a4b7a Add cmddenial_message to def_data.in 2023-11-28 15:19:24 -07:00
THE-Spellchecker
5eba4b48cf Typographical and Grammatical fixes 2023-11-28 15:00:04 -07:00
Guillaume Destuynder
a4cbfecdae Add support for a custom message when the command execution is denied. 2023-11-28 14:19:26 -07:00
Todd C. Miller
522f1b634f tsdump: quiet compiler warnings on some platforms. 
Quiet a -Wshadow warning from gcc.
Cast major() and minor() to unsigned int when printing.
 2023-11-26 09:27:46 -07:00
Todd C. Miller
288593875d tsdump: display both the terminal path and device number. 
If no terminal device can be found, print "major, minor" device
numbers instead.
 2023-11-26 09:07:25 -07:00
Todd C. Miller
66c9a636d1 Build tsdump by default so it does not suffer bit rot. 2023-11-26 08:45:43 -07:00
Todd C. Miller
5ff6f49653 tsdump: update to use a uid-based path by default 
This matches the changes in sudo 1.9.15 to the sudoers policy module.
 2023-11-26 08:21:05 -07:00
Todd C. Miller
ce74f50b44 Update for plugin version 1.22. 2023-11-25 18:51:28 -07:00
Todd C. Miller
a85494b5c4 Add ttydev to sudoers_user_context and use for timestamp file. 
GitHub issue #329
 2023-11-25 16:26:45 -07:00
Todd C. Miller
b9275b7eab Rename submit_time -> event_time in struct eventlog. 2023-11-23 09:08:04 -05:00
Todd C. Miller
0e53d5fddf We can use evlog.submit_time in the call to eventlog_alert(). 
This is set to the current wallclock time by sudoers_to_eventlog().
 2023-11-23 09:08:04 -05:00
Todd C. Miller
39ea3176c1 Replace submit_time in struct sudoers_context with start_time. 
We need to track the (monotonic) command start time to be able to
generate an accurate run time.  Instead of setting submit time when
the policy initializes (and using that time for logging purposes),
set evlog->submit_time to the current wallclock time when we need
to perform logging.  This is more consistent with how sudo logging
was performed in the past.  Fixes GitHub issues #327.
 2023-11-23 09:08:04 -05:00
Todd C. Miller
432b085558 log_server_open: always pass in awake time, not wallclock time. 
The timespec passed to log_server_open() should be from
sudo_gettime_awake() since it is used to build the command run time.
 2023-11-23 09:08:04 -05:00
Todd C. Miller
6965e1b0aa log_server_alert: use fmt_alert_message not fmt_reject_message 
Only affects intercepted commands.
 2023-11-23 09:08:04 -05:00