The new sesh_edit_create_tfiles() and sesh_edit_copy_tfiles() functions
are analogous to sudo_edit_create_tfiles() and sudo_edit_copy_tfiles().
Also use "sudoedit" in the warning/error messages from sesh_sudoedit().
Otherwise, the user gets a mix of messages from sudoedit and sesh.
Otherwise, it may be possible for the user running sudoedit to
replace the newly-created temporary files with a symbolic link and
have sudoedit set the owner of an arbitrary file.
Problem reported by Matthias Gerstner of SUSE.
When creating a new file, sudoedit checks to make sure the parent
directory exists so it can provide the user with a sensible error
message. However, this could be used to test for the existence of
directories not normally accessible to the user by pointing to them
with a symbolic link when the parent directory is controlled by the
user. Problem reported by Matthias Gerstner of SUSE.
Previously we needed to include headers required by the various
sudo*h files. Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.
Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit. Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
Instead of opening the original file for writing w/ tuncation, we
first extend the file with zeroes (by writing, not seeking), then
overwrite it. This should allow sudo to fail early if the disk is
out of space before it overwrites the original file.
Fixes sudoedit on macOS 10.15 and above where the root file system
is mounted read-only. See https://support.apple.com/en-us/HT210650.
From Dan Villiom Podlaski Christiansen. Bug #913
even if no changes were made to the file, it was returning 1 instead
which would be interpreted as the command having received SIGHUP.
Use the W_EXITCODE() to construct a proper wait status in the error
case too.
without O_NOFOLLOW, it must be done relative to dfd. Previously
the lstat() would always fail, possibly leading to a false positive.
Also add an early symlink check like in sudo_edit() while here.
sudo_edit_open() whether the path to be opened is symlink before
opening it. This is racey but we detect losing the last post-open
and it is better to fail early if possible. When editing a link
to a non-existent file, a zero-length file will be left behind but
it is too dangerous to try and remove it after the fact.
Bug #753
