isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,830 Commits 1 Branch 0 Tags
main
Commit Graph

500 Commits

Author SHA1 Message Date
Todd C. Miller
7ab66eb3a8 sudo -i: missing NULL terminator when moving argv to make room for --login 
Fixes a potential crash for "sudo -i" when the target user has bash
as the shell (which needs the --login option).  Bug #998.
 2021-09-19 13:58:56 -06:00
Todd C. Miller
bb5843055e Replace messages like "unknown foo: %s" with "unknown foo %s". 
The colon really doesn't belong there; we generally use a colon to
separate a message from the warning detail.
 2021-08-19 09:44:11 -06:00
Todd C. Miller
9798fd86bf Add garbage collection to resolve_editor(). 
Fixes a leak when evaluating the policy multiple times if sudoedit
is set.
 2021-08-10 12:58:18 -06:00
Todd C. Miller
462e8ab471 Avoid some double frees in the fuzzer 
Now that sudoers free old values of NewArgv and command_info the
fuzzer needs to reset those values.  Otherwise we end up with
stashed values that have already been garbage collected.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
3a090dcdcd Plug some memory leaks when sudoers_policy_main is called multiple times. 
These would get cleaned up a policy close time but we don't want
to bloat sudo's memory footprint when running a shell with multiple
commands.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
788708c9ff Add intercept_authenticate sudoers option, defaults to false. 
By default, sudoers will not require authentication of commands run
via an intercepted session.  To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
132936f8f0 Make it possible to call the sudoers policy check function multiple times. 
We need to reset the Defaults values to their original state.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
48669edd35 Do not free sudo_user.iolog_{file,path} in sudo_user_free(). 
They are not dynamically allocated.
 2021-02-25 19:37:27 -07:00
Todd C. Miller
aaf3d5643b Fix compilation error on Solaris introduced with sudo_user_free(). 2021-02-18 05:41:20 -07:00
Todd C. Miller
df91e15b82 In sudoers_policy_close() call sudoers_cleanup() instead of sudo_user_free(). 
If we didn't call sudoers_policy_main() due to an early error there
may be more things to clean up.
 2021-02-16 10:37:04 -07:00
Todd C. Miller
ae3a098d2f Always dynamically allocate user_cmnd, it is freed in sudo_user_free(). 
Instead of setting user_cmnd in the policy functions, always set argv.
Calling sudoers_policy_main() with argc of 0 is no longer allowed.
 2021-02-16 09:32:34 -07:00
Todd C. Miller
52e3fcc795 Free struct sudo_user in sudoers_policy_close() and sudoers_cleanup(). 
Also, do not NULL out the close function if NO_LEAKS is defined.
 2021-02-15 08:29:47 -07:00
Todd C. Miller
7f3c670a13 Fix sudoers garbage collection and run it in policy fuzzer. 2021-02-14 14:01:31 -07:00
Todd C. Miller
776c57a81e Move create_admin_success_flag() to timestamp.c. 2021-02-13 15:48:21 -07:00
Todd C. Miller
197d6600fa Cleanup sudoers sources on denial and error too. 2021-02-12 19:52:11 -07:00
Todd C. Miller
df2931588a Fuzz sudoers policy module API. 
Includes a test case to reproduce CVE-2021-3156.
 2021-02-12 15:36:18 -07:00
Todd C. Miller
0663ffbc3f Use sudo_basename() instead of doing the equivalent manually. 2021-02-10 15:14:08 -07:00
Todd C. Miller
6c8242c357 Update comment about return values for resolve_host(). 2021-01-29 06:24:31 -07:00
Todd C. Miller
8ca47cc99d Fix compilation on systems without a native strlcpy() function. 2021-01-28 09:15:36 -07:00
Todd C. Miller
29acc64192 Refactor code to flatten an argument vector into a string. 
This is used when building up the user_args string.
 2021-01-27 21:27:14 -07:00
Todd C. Miller
2804c2c78e Add strlcpy_unescape() function to undo escaping from front-end. 
Includes unit test.
 2021-01-27 15:41:54 -07:00
Todd C. Miller
1f8638577d Fix potential buffer overflow when unescaping backslashes in user_args. 
Also, do not try to unescaping backslashes unless in run mode *and*
we are running the command via a shell.
Found by Qualys, this fixes CVE-2021-3156.
 2021-01-23 08:43:59 -07:00
Todd C. Miller
741cf082a3 Use debug_return_int() not debug_return_bool() to return -1. 
Found by PVS Studio.
 2021-01-04 14:48:43 -07:00
Todd C. Miller
b3173fdedc The runas user must be set before applying runas-based Defaults. 
This effectively backs out changeset f738f5ac5350, which made
it possible to log the command when an invalid user was specified.
The policy plugin API doesn't supply the command until the check
function, at which point we've already denied the command due to
the invalid user.  Bug #951.
 2020-12-20 08:43:34 -07:00
Todd C. Miller
63739dd326 Store the user-provided runas user and group name in struct sudo_user. 
This makes it available for event logging in case the name doesn't resolve.
 2020-12-05 09:05:42 -07:00
Todd C. Miller
008a0e8dc1 Store iolog_path in struct sudo_user for use in the event log. 2020-12-05 08:31:46 -07:00
Todd C. Miller
fd39e2d7d6 Defer lookup of runas user until sudoers_main() for better logging. 
The log message now includes user info and the command attempted.
 2020-12-04 13:49:37 -07:00
Todd C. Miller
7d0b19d2a0 Don't free the private copy of the environment until the close function. 
We may need to use it when logging from the audit reject function.
 2020-11-17 13:44:32 -07:00
Todd C. Miller
62547746d3 Rename iolog_client -> log_client. 
The logsrvd client code is now used for more than just I/O logging.
 2020-11-09 17:13:04 -07:00
Todd C. Miller
e0c2635fb3 Apply Google inclusive language guidelines. 
Also replace backwards with backward.
 2020-10-30 10:15:30 -06:00
Todd C. Miller
28d6771d24 Add log_format sudoers setting to select sudo or json format logs. 
Defaults to sudo-format logs.
 2020-10-27 15:26:02 -06:00
Todd C. Miller
fdae4bdbbb Add support for file log line wrapping in libeventlog. 2020-10-26 16:16:46 -06:00
Todd C. Miller
d899fe5936 Use real setters for the eventlog config. 
This makes it possible to have a base config that the callers can
modify instead of replacing the config wholesale.
 2020-10-26 16:10:42 -06:00
Todd C. Miller
a5a5cc7f85 sudoers_policy_store() -> sudoers_policy_store_result() 2020-10-16 05:56:03 -06:00
Todd C. Miller
bf9d208662 Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). 
It is called even when there is no command to execute.
Also pass in status of whether or not the command was accepted.
 2020-10-14 06:33:35 -06:00
Todd C. Miller
88dcdcd11d Fix -Wshadow warnings. 2020-09-25 15:09:45 -06:00
Todd C. Miller
f1d19f1d6e Add SLOG_AUDIT flag for log_warningx() to also audit the message. 
This lets us combine audit_failure() and log_warningx() calls with
the same message.
 2020-09-23 08:18:55 -06:00
Todd C. Miller
6ee731caff Log when user-specified command line options are rejected by sudoers. 
We already audit those but in some cases they were not logged as well.
 2020-09-23 08:02:43 -06:00
Todd C. Miller
6f8e1b9741 Fix potential NULL deref in debug code. 2020-09-23 08:59:18 -06:00
Todd C. Miller
c200e71637 Add callback for runchroot Defaults and require password -D/-R checks. 
Using a command-based Default for runchroot will still only work for
paths that exist both in and outside the chroot.
 2020-09-09 19:18:24 -06:00
Todd C. Miller
10d3d69aa1 Pass a struct to the match functions to track the resolved command. 
This makes it possible to update user_cmnd and cmnd_status modified
by per-rule CHROOT settings.
 2020-09-09 15:26:45 -06:00
Todd C. Miller
b6dbfe5094 Take the chroot into account when search for the command. 
This could a a user-specific chroot via the -R option, a runchroot
Defaults value, or a per-command CHROOT spec in the sudoers rule.
 2020-09-09 15:26:44 -06:00
Todd C. Miller
226307591c Log the runcwd not submitcwd in the sudo-style log file. 
The log entry should reflect the working directory the command
actually ran in.
 2020-09-02 11:23:26 -06:00
Todd C. Miller
1676f0ceeb Support "*" for CWD/CHROOT to allow user to specify cwd or chroot. 
Adds two new command line options, -D (--chdir) and -R (--chroot)
that can only be used when sudoers sets runcwd or runchroot to "*".
 2020-09-01 14:10:02 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
cbad17a994 Move inclusion of compat headers up with the system headers. 
Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h
before including the compat headers.
 2020-08-12 10:07:07 -06:00
Todd C. Miller
852d8c7953 Fix a typo in the audit string when "sudo -E" is not allowed. 2020-06-07 08:37:32 -06:00
Todd C. Miller
b519481912 Defer logging of the successful command until approval plugins have run. 
This adds audit plugin support to the sudoers module, currently
only used for accept events.  As a result, the sudoers file is now
initially parsed as an audit plugin.
 2020-06-02 09:07:46 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
dd88460800 We no longer need to include headers we don't use for sudo*.h files. 
Previously we needed to include headers required by the various
sudo*h files.  Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
 2020-05-18 06:47:04 -06:00