isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
8,469 Commits 1 Branch 0 Tags
0181bf2c2358e6a3e81320eafcb3a9857d1b51fe
Commit Graph

1835 Commits

Author SHA1 Message Date
Todd C. Miller
881814c9f9 Don't try to support line continuation in /etc/environment. 2016-09-01 14:35:40 -06:00
Todd C. Miller
c0db5c1234 No line continuation support in ldap.conf. 2016-09-01 12:45:42 -06:00
Todd C. Miller
17ad75d50b Add a flags option to sudo_parseln() and a flag to only mach comments 
at the beginning of the line.  Use the flag when parsing ldap.conf.
 2016-09-01 09:19:20 -06:00
Todd C. Miller
c9572db75a use strict 2016-08-31 14:33:24 -06:00
Todd C. Miller
7a54b49fc4 Define def_foo in terms of the I_FOO index instead of a bare number. 2016-08-31 14:27:40 -06:00
Todd C. Miller
8ee6f0d1de sync with translationproject.org 2016-08-31 12:31:27 -06:00
Todd C. Miller
b610137efa regen 2016-08-31 05:50:18 -06:00
Todd C. Miller
9cfd556853 Add match_group_by_gid Defaults option to allow sites with slow 
group lookups and a small number of groups in sudoers to match
groups by group ID instead of by group name.
 2016-08-30 13:42:42 -06:00
Todd C. Miller
5b51b7f11a Fix "sudo -l command" in the LDAP and SSS backends when the command 
is not allowed.
 2016-08-29 10:04:24 -06:00
Todd C. Miller
7918f7e7eb Use sudo_strsplit() instead of doing the equivalent manually. 2016-08-26 11:07:19 -06:00
Todd C. Miller
a246c9570a Fix memset size typo in previous commit. 2016-08-25 10:36:53 -06:00
Todd C. Miller
c5cfc9584c Add regress for check_defaults() use-after-free bug. 2016-08-25 08:33:07 -06:00
Todd C. Miller
99b9699793 Fix use-after-free in check_defaults(), reported by Radovan Sroka 
of RedHat.
 2016-08-25 08:32:45 -06:00
Todd C. Miller
8d89d8395f sync with translationproject.org 2016-08-21 19:23:52 -06:00
Todd C. Miller
ba91ebb14b regen pot files 2016-08-21 14:10:56 -06:00
Todd C. Miller
d8a65715d6 Avoid duplicate warnings when we cannot write to the log file. 
Also send the warning in mail if possible.
 2016-08-17 14:51:20 -06:00
Todd C. Miller
3e4c7eed31 Move the ignoring of I/O log plugin errors into the I/O log plugin 
itself.
 2016-08-17 14:38:00 -06:00
Todd C. Miller
ed18d0d5f8 Make the behavior when we cannot write to a log or audit file 
configurable.  File log failures are ignored by default for consistency
with syslog.  Audit errors are ignored by default to allow the admin
to fix the issue.  I/O log file errors are still fatal by default
since if I/O logging is activated it is usually to have an audit trail.
Bug #751
 2016-08-17 07:22:51 -06:00
Todd C. Miller
9ccd260842 Make sure we print an error message to stderr (and not just send 
mail) if do_logfile() fails.  Bug #751
 2016-08-15 07:25:18 -06:00
Todd C. Miller
043b3d223b Separate out the supplemental group ID checks from the supplemental 
group name checks in user_in_group().  We now call sudo_get_gidlist()
only when the group name in sudoers begins with a '#' (which is
seldom used).
 2016-08-13 21:12:22 -06:00
Todd C. Miller
985ab1dd3e Cache the user's group IDs and group names separately and only 
resolve group IDs -> names when needed.  If the sudoers file doesn't
contain groups we will no longer try to resolve all the user's group
IDs to names, which can be expensive on some systems.
 2016-08-13 16:27:44 -06:00
Todd C. Miller
c3b8e97a6e Remove the "op" parameter from all the store_foo() functions except 
store_list() where it is actually needed.  For the others, a NULL
value indicates the setting was negated.  This unconfuses static
analyzers (and perhaps humans too).
 2016-08-12 16:41:51 -06:00
Todd C. Miller
8c2b6fb34e Flags always have a NULL value. Regression introduced by refactor 
of set_default_entry().
 2016-08-12 15:03:54 -06:00
Todd C. Miller
1ca261c305 Set rc to true when setting a flag Defaults value. 2016-08-12 11:32:36 -06:00
Todd C. Miller
caf064e17b Refactor the error parts of set_default_entry() so the switch() is 
mostly just calls to store_foo() functions.  Avoids a lot of
duplicated error checking and silences a cppcheck false positive.
 2016-08-12 10:37:41 -06:00
Todd C. Miller
9051c92cb3 In set_default_entry() check for unsupported Defaults type. 2016-08-12 09:37:11 -06:00
Todd C. Miller
7ac77b094c Check sudoers_initlocale return value and treat as oom. 
Coverity CID 141832
 2016-08-12 06:00:17 -06:00
Todd C. Miller
a08ea1b14d Set runas_pw early and adjust runaslist_matches() to deal. Since 
we now set runas_default early there is no need to call update_defaults
with SETDEF_RUNAS after sudoers has been parsed.
 2016-08-10 10:56:05 -06:00
Todd C. Miller
56ead73886 Load sudoers group plugin via an early callback. 2016-08-09 13:14:31 -06:00
Todd C. Miller
9d94ee11c0 Avoid passing around struct defaults when it is not needed. As a 
result, we no longer need to include gram.h in the LDAP and SSSD
backends.
 2016-08-08 20:09:59 -06:00
Todd C. Miller
0bf2d9b162 Instead of deferring setting early defaults until we have traversed 
the entire defaults list, just defer running the callbacks.  Otherwise,
if the last early default setting we see has a bad value we won't
set any defaults of that type even if there was an earlier one that
was valid.
 2016-08-08 17:04:20 -06:00
Todd C. Miller
e5a7891ec8 Run callbacks once in set_default_entry() instead of each of the 
store_foo() functions.
 2016-08-08 16:47:11 -06:00
Todd C. Miller
54efa54c0e Only check SUDO_USER if euid is 0 2016-07-31 18:47:36 -06:00
Todd C. Miller
f85e95329f Initialize sudo_user based on the SUDO_USER environment variable 
if present.  This allows things like :Defaults:username editor=foo"
to work when visudo is run via sudo.
 2016-07-30 15:27:36 -06:00
Todd C. Miller
2b150925dc Flag settings have a NULL value so we can't use that to test whether 
an entry in struct early_default is set or not.  Add a "set" member
and use that instead.
 2016-07-28 06:05:39 -06:00
Todd C. Miller
a014a2abd4 Fix --with-fqdn, the value should be NULL since it is a flag. 2016-07-27 15:03:48 -06:00
Todd C. Miller
16551031f9 Add support for early defaults to the ldap and sssd backends. 2016-07-27 14:20:17 -06:00
Todd C. Miller
2c21663b22 Split set_default_entry() out of set_default() so we can call it 
from check_defaults() to validate the defaults value.  In visudo,
suppress warnings from update_defaults() and rely on check_defaults()
to provide warnings.
 2016-07-23 09:10:48 -06:00
Todd C. Miller
29d842dbaf Split binding match code out of default_type_matches() into 
default_binding_matches().  We can now use default_type_matches()
in check_defaults().
 2016-07-23 08:45:43 -06:00
Todd C. Miller
e0ac766473 Pass quiet flag to init_parser() and update_defaults() when doing 
first parse of sudoers.
 2016-07-23 05:53:35 -06:00
Todd C. Miller
256ca993b9 Update defaults in visudo after sudoers has been edited so we pick 
up locale changes.  The init_defaults() function will now re-init
the sudoers locale.
 2016-07-22 10:41:56 -06:00
Todd C. Miller
65579b69eb Set sudoers locale before calling sudoersparse(). We don't need 
to restore the user's locale since warnings are displayed in the
user's locale anyway.
 2016-07-20 19:58:42 -06:00
Todd C. Miller
ef24bd5c3c Set the locale to the sudoers locale when parsing and restore the 
user's locale afterward.  Also set the warn/fatal locale helper
function so warning messages during a sudoers parse are displayed
in the user's own locale.
 2016-07-20 16:41:23 -06:00
Todd C. Miller
6ba2769ba8 Add forward decl of union sudo_defs_val to silence a gcc warning. 2016-07-20 16:39:26 -06:00
Todd C. Miller
e257f2c9e3 Set the warn/fatal locale helper function in sudoers_policy_init() 
so warning messages during sudoers loading are displayed in the
user's own locale.
 2016-07-20 15:52:32 -06:00
Todd C. Miller
b5c2ca2fe5 Move sudoers locale callback function to locale.c and user it in 
visudo and testsudoers.
 2016-07-20 14:16:00 -06:00
Todd C. Miller
30f7ecca10 In cb_sudoers_locale() actually set the locale in addition to storing 
its name.  Otherwise, it won't take effect until sudoers lookup time.
 2016-07-20 13:36:45 -06:00
Todd C. Miller
684161618d Fix regression that would cause early defaults entries to be 
set multiple times.
 2016-07-20 13:35:04 -06:00
Todd C. Miller
6daf3c5ce1 Only set early defaults once, regardless of how many times the 
variable is set in sudoers.  This avoids running an early callback
more than once.  For example, we don't want to call cb_fqdn() if
sudo is compiled with FQDN set but sudoers has "Defaults !fqdn".
 2016-07-19 14:58:06 -06:00
Todd C. Miller
5e9173df7a Make strings const in functions that set defaults as they are 
not modified.
 2016-07-19 14:55:27 -06:00