11939 Commits

Author SHA1 Message Date
Todd C. Miller
8c482bfeb2 sudo_mkdir_parents: just use memcpy() to copy the path component.
Using snprintf() for this is overkill, we need to do the same
length check either way.
2022-09-21 19:06:53 -06:00
Todd C. Miller
e916201448 regen 2022-09-21 11:29:38 -06:00
Todd C. Miller
c823ca1e45 Quiet libgcrypt run-time warning about not being initialized.
Fixes Debian bug #1019428 and Ubuntu bug #1397663.
2022-09-20 16:13:31 -06:00
Todd C. Miller
ce387a6849 Split log_{input,output} into log_{stdin,ttyin} and log_{ttyout,stdout,stderr}
If log_input is set, log_{stdin,ttyin} will be set as well.
If log_output is set, log_{stdout,stderr,ttyout} will be set as well.
This provides more fine-grained control over I/O logging and makes it
possible to disable logging piped or redirected input or output.
2022-09-20 14:35:12 -06:00
Todd C. Miller
4ee0caf07d Update to protobuf-c 1.4.1
We already had all the relevant fixes so this is just cosmetic.
2022-09-20 11:27:40 -06:00
Todd C. Miller
7464b300d9 new_container: no need to initialize container pointer in declaration.
From Li zeming.
2022-09-20 10:18:09 -06:00
Todd C. Miller
4989856321 Use tcpgid if passed from sudo front-end and use it in tty_present().
This can be used as another indicator that a terminal is present
without having to open /dev/tty.
2022-09-15 16:34:49 -06:00
Todd C. Miller
304726a215 Move gcc-style __attribute__ macros to config.h.in
Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike,
__printf0like -> sudo_printf0like.
Add sudo_noreturn instead of __attribute__((__noreturn__)).
We do not use stdnoreturn.h since it has been deprecated in C23
in favor of the [[noreturn]] attribute.
2022-09-07 07:48:31 -06:00
Todd C. Miller
c341608072 Remove most uses of the deprecated Li macro which has no effect.
Also fix some other incorrect markup.
2022-09-13 19:56:45 -06:00
Todd C. Miller
a326411903 Use $(GREP) and $(EGREP) variables in Makefile.in files. 2022-09-12 16:30:52 -06:00
Todd C. Miller
f235390d1e Merge pull request #177 from a1346054/fixes
Makefile.in: replace `egrep` and fix target name
2022-09-12 16:18:50 -06:00
a1346054
5c1c276e28 Fix incorrect makefile target name 2022-09-12 21:54:53 +00:00
a1346054
6fac1f5186 Use grep -E instead of egrep 2022-09-12 21:52:32 +00:00
Todd C. Miller
3194d16674 Document apparmor_profile, intercept_verify, and update_ticket. 2022-09-11 19:06:26 -06:00
Todd C. Miller
5bcec02442 Fix some of the markup to be more consistent with sudo_plugin.mdoc.in.
Also reword a few awkward phrases.
2022-09-11 19:06:25 -06:00
Todd C. Miller
a7b200d014 Use correct markup of function arguments and struct members.
Also remove most uses of the deprecated Li macro which has no effect.
2022-09-11 19:06:24 -06:00
Todd C. Miller
3f6ffead0b Move the init_session() errstr description to where it belongs. 2022-09-11 19:06:23 -06:00
Todd C. Miller
b85f95cb30 Fix a typo 2022-09-11 19:06:22 -06:00
Todd C. Miller
d6c7abd42e log_parse_error: make errstr const to quiet a -Wwrite-strings warning 2022-09-07 14:45:47 -06:00
Todd C. Miller
89a40741b4 Add __printf0like to visudo_track_error(). 2022-09-07 07:25:31 -06:00
Todd C. Miller
7f169da832 Back out unintended change in last commit. 2022-09-06 15:47:29 -06:00
Todd C. Miller
965e2a0c09 It is possible for sudoerserrorf() to be called with a NULL format.
So log_parse_error() needs to check fmt for NULL before using it.
2022-09-06 15:40:59 -06:00
Todd C. Miller
67be673856 Mention how to restore the historic core resource limit behavior. 2022-09-03 09:50:00 -06:00
Todd C. Miller
2815b77e47 Update with latest changes. 2022-09-02 15:28:33 -06:00
Todd C. Miller
02e92c2afd Set MODE_POLICY_INTERCEPTED for log_subcmds too.
This fixes a problem where sub-commands were not being logged to
the remote log server, if configured.  Since we don't go through
sudoers_policy_main() again for log_subcmds, we set the flag in
sudoers_audit_accept() instead.  The reason this is complicated is
that when I/O logging is enabled the initial accept message gets
sent as part of the remote logging handshake.  GitHub issue #174
2022-09-03 09:43:41 -06:00
Todd C. Miller
21b48a3034 Fix typo. 2022-09-02 15:22:40 -06:00
Todd C. Miller
49e9e5eb85 Only check the admin flag file once in intercept mode. 2022-09-02 14:45:57 -06:00
Todd C. Miller
159bdb1cb7 Document cvtsudoers CSV output format 2022-09-02 14:01:43 -06:00
Todd C. Miller
37ae66062d Document cvtsudoers JSON output format 2022-08-31 11:33:04 -06:00
Todd C. Miller
a6472710e6 Zero out register struct before calling ptrace_getregs().
Quiets a spurious valgrind warning.
2022-08-30 07:35:43 -06:00
Todd C. Miller
caa0408a8a intercept_verify is fast, but the policy check is (relatively) slow. 2022-08-29 14:10:49 -06:00
Todd C. Miller
817f63b05d Realloc the buffer used to store argv and envp as needed.
We now store the vector immediately after the string table.
It is possible for argv and its contents to be invalidated
by realloc() when reading envp so we store the pointers as
offsets until we are done allocating.
2022-08-29 12:47:42 -06:00
Todd C. Miller
0d2f1c4a2b ptrace_verify_post_exec: use /proc/PID/cmdline and /proc/PID/environ
There is no reason to read these directly from the tracee
when we rely on /proc being mounted to access /proc/PID/exe.
2022-08-28 18:59:41 -06:00
Todd C. Miller
234c56b87f Protect ptrace_readv_string() with #ifdef HAVE_PROCESS_VM_READV 2022-08-28 08:27:30 -06:00
Todd C. Miller
922772c6cb Rework the intercept section in "Preventing shell escapes". 2022-08-25 19:01:59 -06:00
Todd C. Miller
351175eb26 Update CodeQL Action to v2 using current example config. 2022-08-25 14:42:26 -06:00
Todd C. Miller
0af393e75b Suppress PVS-Studio false positive. 2022-08-25 14:22:21 -06:00
Todd C. Miller
2902ebe067 intercept_check_policy_req: an empty argv[] is now supported 2022-08-25 14:21:12 -06:00
Todd C. Miller
14356c1940 Use process_vm_readv(2) and process_vm_writev(2) if available.
This is faster than reading/writing from/to the remote process one
word at a time using PTRACE_PEEKDATA and PTRACE_POKEDATA.
2022-08-25 12:37:19 -06:00
Todd C. Miller
36747f89a8 Skip all of check_user() for intercept unless intercept_authenticate set.
Previously we were calling the PAM approval modules even in intercept
mode which can take a lot of time.  We may wish to make PAM approval
configurable in intercept mode in the future.
2022-08-25 09:35:42 -06:00
Todd C. Miller
22dad3f59c Only set MODE_POLICY_INTERCEPTED on subsequent policy checks.
This fixes a bug where MODE_POLICY_INTERCEPTED was set too early
if the intercept option was set globally in sudoers.  It should
only be set after the original command has executed.
2022-08-25 09:33:42 -06:00
Todd C. Miller
966eae6bf3 intercept_verify also compares the environment.
Also mention the overhead involved in checking things.
2022-08-23 11:12:51 -06:00
Todd C. Miller
3d995f7e58 ptrace_getregs: make compat check more generic
No need to use different checks for mips and non-mips, the compiler
will optimize away the superfluous check.
2022-08-22 11:46:46 -06:00
Todd C. Miller
4d58fc904d Correct type of sudoers_audit.
GitHub issue #61
2022-08-22 09:04:44 -06:00
Todd C. Miller
a3a181df07 Fix shadowed variable warning. 2022-08-20 14:36:29 -06:00
Todd C. Miller
c948717bd4 Fix shadowed variable warning on aarch64. 2022-08-19 13:37:49 -06:00
Todd C. Miller
8145ad12da Quiet another -Wwrite-strings warning. 2022-08-19 11:37:38 -06:00
Todd C. Miller
8eb619ac2b ptrace_getregs: try to determine compat mode if caller doesn't know.
In ptrace_verify_post_exec(), we don't know whether the executable
that is now running is a native or compat binary.  In most cases
ptrace_getregs() will be able to figure it out for us.
2022-08-19 11:34:40 -06:00
Todd C. Miller
b2d8909c19 ptrace_intercept_execve: fail syscall rather than killing process on error.
If the execve(2) args are bogus pointers, we should just return an
error instead of killing the process.  For consistency with the
kernel, convert EIO from ptrace(2) to EFAULT.
Also convert some ptrace(2) warnings to debug printfs so sudo is less chatty.
2022-08-19 11:05:10 -06:00
Todd C. Miller
9f552471bc Treat argv and closure->run_argv of different sizes as a mismatch.
If argv and closure->run_argv match up to the point where we hit a
NULL but one of them has additional entries, we still need to rewrite
argv.
2022-08-18 15:15:06 -06:00