Commit Graph

12619 Commits

Author SHA1 Message Date
Todd C. Miller
0a85869286 testsudoers: add -S option to specify /etc/shells path. 2023-09-10 16:44:24 -06:00
Todd C. Miller
034b2f3bdd Add testsudoers_setshellfile() and use it in testsudoers. 2023-09-10 16:38:53 -06:00
Todd C. Miller
62b92c7fb8 regen 2023-09-10 16:37:26 -06:00
Todd C. Miller
166ef55aa7 Remove unnecessary sudo_gettext.h include and add missing const. 2023-09-10 10:23:04 -06:00
Todd C. Miller
c54bdd799b Return AUTH_* flags from check_user() instead of 1/0/-1. 2023-09-09 14:59:46 -06:00
Todd C. Miller
2fdb4db339 Wrap valid_shell and add to sudo_pwutil_set_backend().
This will make it possible to support a different getusershell()
implementation for testsudoers in the future.
2023-09-09 14:48:25 -06:00
Todd C. Miller
d18ee8e0e7 Move check_user_shell() to pwutil.c as user_shell_valid()
This will make it possible to support a different backend which may
be used by testsudoers in the future.
2023-09-09 14:07:28 -06:00
Todd C. Miller
28a13501d8 Merge check_user() and check_user_interactive(), move getpass callbacks.
The getpass callbacks are now defined in sudo_auth.c, which implements
auth_getpass().  As a result, struct getpass_closure is now public
and defined in timestamp.h.
2023-09-09 14:07:11 -06:00
Todd C. Miller
0495afac57 Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. 2023-09-09 14:07:07 -06:00
Todd C. Miller
2ef90231a1 Make all match functions return ALLOW/DENY not true/false. 2023-09-09 14:07:06 -06:00
Todd C. Miller
7873f8334c Try to make sudo less vulnerable to ROWHAMMER attacks.
We now use ROWHAMMER-resistant values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE.  In addition, we
explicitly test for expected values instead of using a negated test
against an error value.  In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
Todd C. Miller
525803db23 Honor ignore_perms plugin argument for @include and @includedir. 2023-09-09 14:06:11 -06:00
Todd C. Miller
499121229e Don't set on_suspend and on_resume twice. 2023-09-06 20:17:00 -06:00
Todd C. Miller
956de5cbbc sudoers_sethost: refactor code to set host names in sudoers_context.
The sudoers_sethost() function can be shared by the sudoers plugin,
visudo, cvtsudoers and testsudoers.
2023-09-02 15:25:58 -06:00
Todd C. Miller
0c9ca88f5b sudoers_trace_print: use debug_decl_vars instead of doing it by hand. 2023-09-01 16:55:19 -06:00
Todd C. Miller
080e08b0fb sudo_realpath() returns char *, not void *. 2023-09-01 13:28:04 -06:00
Todd C. Miller
d898d073bf Only print "no valid sudoers sources found, quitting" for multiple sources.
If there is only a single source (usually the sudoers file), the
open function provides enough of an error message.  Printing two
error messages is just confusing.
2023-08-31 14:05:08 -06:00
Todd C. Miller
f5b3f99098 user_in_group: the user's group vector already includes the primary group.
There's no need to look up the name of user's primary group (pw_gid),
we always include the primary group ID in the group vector.
2023-08-30 13:36:41 -06:00
Todd C. Miller
05f823df22 Move sudoers_debug.c prototypes to sudoers_debug.h. 2023-08-29 13:54:45 -06:00
Todd C. Miller
35a7283dd9 sudo_conv, sudo_printf and plugin_event_alloc live in policy.c. 2023-08-29 13:46:43 -06:00
Todd C. Miller
68a9e91860 Move default value for "iolog_file" to sudo_iolog.h. 2023-08-29 11:46:58 -06:00
Todd C. Miller
75209e2718 Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. 2023-08-29 11:16:23 -06:00
Todd C. Miller
8cd0d74fbb Restore AUTH_INTR support, it is still needed.
We still need AUTH_INTR to know when to break out of the password
prompt loop.
2023-08-29 10:02:09 -06:00
Todd C. Miller
3c05e748a4 Add ignore_perms plugin argument to skip the sudoers file security checks.
This is not intended to be used in a production environment.
2023-08-29 09:55:09 -06:00
Todd C. Miller
1eb4392e14 Fix test for unsetenv() returning void with clang 16.
Clang has dropped support for K&R function definitions so rewrite
the test to require an unsetenv() prototype in stdlib.h.
Fixes GitHub issue #302.
2023-08-28 18:37:06 -06:00
Todd C. Miller
07003d9020 Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined.
We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching
the file system for commands.
2023-08-28 13:18:37 -06:00
Todd C. Miller
c858acc481 Rename AUTH_FATAL -> AUTH_ERROR. 2023-08-26 10:45:29 -06:00
Todd C. Miller
cf00568d88 Do not rely on the definition of ALLOW/DENY being true/false.
We now explicitly check for ALLOW and DENY when checking return
values and negating values.
2023-08-26 10:32:37 -06:00
Todd C. Miller
bae716642c Replace AUTH_INTR return with AUTH_FAILURE.
The two were treated identically by the caller.
2023-08-26 10:08:32 -06:00
Todd C. Miller
b42cab112f Call log_allowed() even when "log_allowed" is disabled.
Otherwise, sudo will not send mail if "mail_always" or "mail_all_cmnds"
is set.
2023-08-25 11:19:42 -06:00
Todd C. Miller
4cdee2e312 Don't set default values for features that are not present.
This means that lecture_status_dir and timestampdir are only set
if _PATH_SUDO_LECTURE_DIR and _PATH_SUDO_TIMEDIR respectively are
set.  Also, the log server defaults are only set when SUDOERS_LOG_CLIENT
is defined.
2023-08-25 11:19:42 -06:00
Todd C. Miller
993ee338d9 Only set I/O logging callbacks if SESSID_MAX is defined. 2023-08-25 11:19:42 -06:00
Todd C. Miller
30fc288291 Move tty_present() into policy.c as sudoers_tty_present().
This function is policy-dependent.  For the modern sudo front-end
it will simply check tcpgid and/or ttypath.
2023-08-25 11:19:42 -06:00
Todd C. Miller
df969d30b4 Silence a few remaining -Wconversion warnings. 2023-08-23 14:56:50 -06:00
Todd C. Miller
522ac12f21 No need to include auth/sudo_auth.h 2023-08-23 14:27:19 -06:00
Todd C. Miller
18aba49843 --enable-pvs-studio: check for license file in the default location 2023-08-23 09:56:39 -06:00
ken
60e5842014 modify ret type from int to bool (#298)
* modify ret type from int to bool

* change debug_return_int to debug_return_bool

* modify ret type
2023-08-23 08:37:09 -06:00
Todd C. Miller
091051125b Move timestampowner sudoers callback to timestamp.c. 2023-08-22 17:04:08 -06:00
Todd C. Miller
593998cb62 Quiet a PVS-Studio false positive about possible NULL dereference.
set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS
and PERM_TIMESTAMP.
2023-08-22 09:58:05 -06:00
Todd C. Miller
821799d1f4 set_perms: ctx may be NULL for PERM_ROOT, PERM_SUDOERS, PERM_TIMESTAMP. 2023-08-21 16:53:35 -06:00
Todd C. Miller
c7157ce0b1 Move a few fields from sudoers_user_context to sudoers_context.
They are not really specific to the user or user-specified.
2023-08-21 15:30:12 -06:00
Todd C. Miller
9aaba80a04 Remove dead code dealing with unknown user and MODE_INVALIDATE.
The timestamp unlink code does not need the user's struct passwd
pointer, just the user name (which we already have).  Found by
PVS-Studio.
2023-08-21 13:21:51 -06:00
Todd C. Miller
df730dec5d Suppress some other PVS-Studio false positives. 2023-08-21 13:21:49 -06:00
Todd C. Miller
49cd7463c5 Quiet a PVS-Studio false positive about possible NULL dereference.
set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS
and PERM_TIMESTAMP.
2023-08-21 13:19:10 -06:00
Todd C. Miller
8161205447 MODE_KILL is never set in the sudoers plugin, remove it. 2023-08-21 12:52:21 -06:00
Todd C. Miller
c6987aa26e Cast int to size_t before adding instead of casting the result.
Quiets PVS-Studio warning V1028.
2023-08-21 12:50:31 -06:00
Todd C. Miller
9f05bfd298 Fix log_server_accept() definition for --disable-log-client builds. 2023-08-21 11:35:23 -06:00
Todd C. Miller
e933fc7ba3 Use a global static struct exec_closure for the cleanup hook.
This is safer than storing a pointer to a stack variable in the
cleanup function since we don't need to worry about it ever going
out of scope.  Quiets a clang 15 analyzer warning.
2023-08-21 10:47:34 -06:00
Todd C. Miller
6fa4786534 Plug memory leak if journal_parse_error() fails.
Found by the clang 15 analyzer.
2023-08-21 10:47:32 -06:00
Todd C. Miller
46e6955ba6 Eliminate some clang analyzer false positives. 2023-08-21 10:47:32 -06:00