Todd C. Miller
f7dc1d849f
Use "a password is required" instead of "password required" when
the -n flag is used and we need to read a password.
2012-07-11 16:28:40 -04:00
Todd C. Miller
5f83d35f78
regen
2012-07-10 14:53:52 -04:00
Todd C. Miller
8b03f3e7d0
Move log_denial() calls and logic to log_failure().
Move authentication failure logging to log_auth_failure().
Both of these call audit_failure() for us.
This subtly changes logging for commands that are denied by sudoers
but where the user failed to enter the correct password. Previously,
these would be logged as "N incorrect password attempts" but now
are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
Todd C. Miller
f8f0021710
Add configure check for building PIE executables instead of doing
it in mkpkg.
2012-07-02 10:12:41 -04:00
Todd C. Miller
3c57d6a06d
Add support for ldaps using Tivoli LDAP libraries.
Add ldap.conf option to specify Tivoli key db password.
Allow TLS ciphers to be configured for Tivoli.
2012-06-29 12:14:45 -04:00
Todd C. Miller
f56bada404
Tivoli Directory Server 6.3 libs always return a (bogus) error
when setting LDAP_OPT_CONNECT_TIMEOUT.
2012-06-28 15:42:38 -04:00
Todd C. Miller
cfe0034cdf
Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the
same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH).
Don't make failure to set an ldap option fatal.
2012-06-28 14:58:15 -04:00
Todd C. Miller
7d5048a5be
Zero pointers in sudo_user struct after freeing, just in case.
2012-06-27 17:04:39 -04:00
Todd C. Miller
899fcc05ac
Free user_gids in close function if it has not already been freed.
2012-06-27 16:56:55 -04:00
Todd C. Miller
1cd50d0bce
Defer group ID to name resolution until we actually need it.
2012-06-27 16:50:56 -04:00
Todd C. Miller
e9f5a38398
Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to
prevent potential truncation. Bug #562.
2012-06-27 13:41:58 -04:00
Todd C. Miller
9497df293a
Don't run regress tests or sudoers sanity check (using the newly-built
visudo) when cross compiling. Bug #560
2012-06-20 13:38:17 -04:00
Todd C. Miller
bcfeddc998
Rename foo.sym -> foo.exp
Remove foo.map from the repo and generate it on demand
Use a loader option file for HP-UX ld to explicitly export symbols
2012-06-20 12:58:16 -04:00
Todd C. Miller
a49238e3f1
Don't check for errorx as an exported symbol as it is now a macro.
Check for user_in_group() instead.
2012-06-20 09:38:25 -04:00
Todd C. Miller
45fea137f9
Fix compilation on gcc 2.95 and other compilers that only allow
variable declarations at the beginning of a block.
2012-06-18 13:47:01 -04:00
Todd C. Miller
fdcc8e1fce
Link check_symbols with SUDO_LIBS to make sure we link with the
requisite libraries to successfully dlopen sudoers.so. This is
needed on HP-UX where a program dlopen()ing a shared object that
uses pthreads must also be linked with pthreads (and HP-UX LDAP
uses pthreads).
2012-06-18 10:21:05 -04:00
Todd C. Miller
86cececc16
Add check for exported local symbols. This will cause a "make
check" failure on systems where we don't support symbol hiding.
2012-06-18 10:21:01 -04:00
Todd C. Miller
437978bd35
No need to provide a name for the scope in the map file since we
don't use it for versioning.
2012-06-18 09:25:29 -04:00
Todd C. Miller
2a83d1c6d5
Add regress test for symbol visibility.
2012-06-17 20:23:21 -04:00
Todd C. Miller
203abd98b9
Use the expanded io log dir when updating the sequence number.
Includes a workaround for older versions of sudo where the
sequence number was stored in the unexpanded io log dir.
2012-06-15 12:33:12 -04:00
Todd C. Miller
47abbb90a2
Don't use a map file for sudo_noexec.so since Solaris ld doesn't
allow '*' in the global section. The libtool export flag is now
added to LT_LDFLAGS instead of commenting/uncommenting lines.
2012-06-14 11:35:02 -04:00
Todd C. Miller
649edc3192
Export group cache from sudoers.so for system_group.so to use.
2012-06-13 16:21:45 -04:00
Todd C. Miller
6f6b0dec6c
Use gcc's visibility attribute to specify when symbols are visible
or hidden, if available. If not available, use an ELF version
script if it is supported. If all else fails, fall back to using
libtool's -export-symbols.
2012-06-13 14:01:16 -04:00
Todd C. Miller
a8e0687ca9
Install shared objects with mode 0644 except on HP-UX which needs
the executable bit set.
2012-06-11 10:45:34 -04:00
Todd C. Miller
c131cb36f5
Make installed file modes consistent with the file modes in the
sudo package.
2012-06-11 10:17:19 -04:00
Todd C. Miller
54cfac04d1
If there are no privs to print, write the message to the lbuf instead
of printing it directly.
2012-06-01 16:27:17 -04:00
Todd C. Miller
b406b51da0
No need to loop over atomic_writev(), it guarantees to write all
data or return an error.
Fix handling of stdout/stderr that contains "\r\n" and handle a
"\r\n" pair that spans a buffer.
2012-05-30 10:46:02 -04:00
Todd C. Miller
12be3e7f54
Instead of doing extra write()s when replaying stdout, build up a
vector for writev() instead. This results in far fewer system
calls.
2012-05-29 13:46:28 -04:00
Todd C. Miller
7a6cad5026
When replaying a log of stdout or stderr, do newline to carriage
return + linefeed conversion. We cannot have termios do this for
us since we've disabled output postprocessing (POST) when setting
raw mode.
2012-05-25 16:24:42 -04:00
Todd C. Miller
ca9331d498
Add tests for sudoers mode, owner and group checks.
2012-05-21 15:39:24 -04:00
Todd C. Miller
0d82c4c7ee
If sudoers_mode is group-readable but the actual sudoers file is
not, open the file as uid 0, not uid 1. This fixes a problem when
sudoers has a more restrictive mode than what sudo expects to find.
In older versions, sudo would silently chmod the file to add the
group-readable bit.
2012-05-21 13:59:02 -04:00
Todd C. Miller
4f296fe211
Add basic tests for #include and #includedir
2012-05-18 14:29:55 -04:00
Todd C. Miller
b35cd75533
Add -U sudoers_uid option to testsudoers.
2012-05-18 14:29:29 -04:00
Todd C. Miller
8a7ac44590
Fix #includedir; from Mike Frysinger
2012-05-17 15:42:57 -04:00
Todd C. Miller
2b7659f709
Don't prompt for a password if the user is in the exempt group, is
root, or is running the command as themselves even if the -k option
was specified. This makes "sudo -k command" consistent with the
behavior one would get if the user ran "sudo -k" immediately before
running the command.
2012-05-17 10:20:14 -04:00
Todd C. Miller
0d5a941319
Add missing break between AF_INET and AF_INET6 in addr_matches_if_netmask()
2012-05-14 14:47:48 -04:00
Todd C. Miller
d841ae9cd0
Move systrace monitor code to the attic
2012-05-14 09:47:17 -04:00
Todd C. Miller
0d69580776
Fix an alignment problem on NetBSD systems with a 64-bit time_t and
strict alignment. Based on a patch from Martin Husemann.
2012-05-10 11:06:46 -04:00
Todd C. Miller
c690ac2073
update depends
2012-05-08 16:57:06 -04:00
Todd C. Miller
aa3defa3f0
Only call gr_delref() when using sudo's password caching functions.
2012-05-08 16:39:37 -04:00
Todd C. Miller
75d70b334b
Add missing dependency on libreplace.la
2012-05-08 16:38:36 -04:00
Todd C. Miller
994d2ff69a
Add group plugin that does lookups by name using the system group
database.
2012-05-08 13:35:52 -04:00
Todd C. Miller
4455139d54
sync with translationproject.org
2012-05-08 10:57:07 -04:00
Todd C. Miller
64178f8b67
sync with translationproject.org
2012-05-03 15:46:39 -04:00
Todd C. Miller
4b8982ebde
regen
2012-04-24 13:42:28 -04:00
Todd C. Miller
e82b67314c
Need to call ldapssl_clientauth_init() for start_tls on Mozilla
LDAP SDK.
2012-04-24 12:52:36 -04:00
Todd C. Miller
28268ed99c
Fix printing of invalid uri
2012-04-24 10:34:02 -04:00
Todd C. Miller
989361c275
Pass PAM_SILENT when deleting creds to remove an annoying warning
message on Solaris.
2012-04-24 09:48:58 -04:00
Todd C. Miller
f6c7ae2519
sudo_ldap_set_options_global() should not take an LDAP handle as
an argument since the options affect the global settings.
2012-04-23 19:56:41 -04:00
Todd C. Miller
23b7a1fa5c
Call the policy's init_session() function before we fork the child.
That way, the session is created and destroyed in the same process,
which is needed by some modules, such as pam_mount.
2012-04-23 16:38:16 -04:00