Todd C. Miller
3f30704ab7
Add trivial support for FreeBSD packages.
The actual FreeBSD port supports multiple options but this is sufficient
for testing purposes.
2021-08-11 15:09:00 -06:00
Todd C. Miller
374d499818
FreeBSD: Set default directory and file mode if not specified in %files
Otherwise, a mode of 0 will be used, potentially rendering the
system unusable.
2021-08-11 14:59:27 -06:00
Todd C. Miller
f327a19f34
Use same check for intercepted commands as log_server_accept().
Previously, log_server_reject() and log_server_alert() just
checked whether client_closure has been set.
2021-08-11 14:10:05 -06:00
Todd C. Miller
0e2094471b
Call shutdown() on sockets before closing() if they are connected.
This should ensure that the other side sees any queued data before
the connection is dropped.
2021-08-11 14:08:48 -06:00
Todd C. Miller
79129613e5
If SSL_shutdown() returns 0 it needs to be called one more time.
2021-08-11 10:16:36 -06:00
Todd C. Miller
ffdd7920cd
resolve_editor: sudoers_gc_remove(editor) before freeing it.
2021-08-11 07:45:26 -06:00
Todd C. Miller
ef91b90ad6
Sync siglist.in with the generated files.
The change to prefer SIGSYS over SIGUNUSED wasn't made to siglist.in.
Also, mksigname.c doesn't need to explicitly set sudo_sys_signame[0].
2021-08-10 19:55:28 -06:00
Todd C. Miller
9798fd86bf
Add garbage collection to resolve_editor().
Fixes a leak when evaluating the policy multiple times if sudoedit
is set.
2021-08-10 12:58:18 -06:00
Todd C. Miller
abac069566
Fix compilation when configure option --disable-shared is specified.
2021-08-09 16:39:32 -06:00
Todd C. Miller
aa20eccad4
Sudo 1.9.8
2021-08-09 15:50:26 -06:00
Todd C. Miller
462e8ab471
Avoid some double frees in the fuzzer
Now that sudoers frees old values of NewArgv and command_info the
fuzzer needs to reset those values. Otherwise we end up with
stashed values that have already been garbage collected.
2021-08-09 15:50:26 -06:00
Todd C. Miller
dae370fb70
Use a separate uuid for intercepted commands.
We use the uuid to match the command with its exit status.
2021-08-09 15:50:26 -06:00
Todd C. Miller
2e99450d40
Fix logging intercepted commands to a log server in sudoers.
Only available when the server supports the subcommands capability.
2021-08-09 15:50:26 -06:00
Todd C. Miller
3a090dcdcd
Plug some memory leaks when sudoers_policy_main is called multiple times.
These would get cleaned up at policy close time but we don't want
to bloat sudo's memory footprint when running a shell with multiple
commands.
2021-08-09 15:50:26 -06:00
Todd C. Miller
dfe26f8c34
If building with address sanitizer make sure its DSO is first.
Address sanitizer requires that it be preloaded before any other
DSO in LD_PRELOAD. This should not be required for clang, which
links in asan statically by default.
2021-08-09 15:50:26 -06:00
Todd C. Miller
8f8a9c37b3
Require that our dso be first in the list to make sure it takes effect.
Otherwise, another dso could take precedence and ours would not be run.
2021-08-09 15:50:26 -06:00
Todd C. Miller
0ea5efd8b7
If msg_control is not present in struct msghdr use msg_accrights instead.
Fixes building on Solaris and probably others. It is possible to
expose msg_control on Solaris but this requires a specific set of
feature flag defines which can cause other complications.
2021-08-09 15:50:26 -06:00
Todd C. Miller
788708c9ff
Add intercept_authenticate sudoers option, defaults to false.
By default, sudoers will not require authentication of commands run
via an intercepted session. To require authentication of subsequent
commands, enable intercept_authenticate in sudoers.
2021-08-09 15:50:26 -06:00
Todd C. Miller
13b89e9103
Make the log_children option only log and not check policy.
2021-08-09 15:50:25 -06:00
Todd C. Miller
258fa9d4f9
Add debug support to sudo_intercept.so
2021-08-09 15:50:25 -06:00
Todd C. Miller
9c3df47da9
Move preload_dso() to its own file and rename to sudo_preload_dso().
It now takes an intercept fd as an optional argument instead of a
list of extra variables to add. This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.
2021-08-09 15:50:25 -06:00
Todd C. Miller
60e76e3e35
Take control of the tty and save its settings before doing a policy check.
Otherwise the policy plugin won't be able to read the password.
2021-08-09 15:50:25 -06:00
Todd C. Miller
42598735d0
Call the approval plugin after the policy plugin accepts a command.
Previously, for intercepted commands we only called the policy plugin.
2021-08-09 15:50:25 -06:00
Todd C. Miller
4ff3f7604d
Reduce the number of function args passed to plugin wrappers.
This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global. This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
2021-08-09 15:50:25 -06:00
Todd C. Miller
840bf4b09d
Add return values for most of the plugin function wrappers that returned void.
Previously, they would just exit if there was an error.
Now the error is passed back up the stack so we can use them in
sudo_intercept.so.
2021-08-09 15:50:25 -06:00
Todd C. Miller
4cf3d1c416
Implement sudo_intercept.so.
Uses protobuf to talk to main sudo process over a socketpair.
2021-08-09 15:50:25 -06:00
Todd C. Miller
d7380bb271
Implement the sudo side of the sudo_intercept.so communication.
2021-08-09 15:50:25 -06:00
Todd C. Miller
cede7dd92d
Define protocol for sudo <-> sudo_intercept.so communication.
Uses google protocol buffers.
2021-08-09 15:50:25 -06:00
Todd C. Miller
5d4120fa5d
Add separate convenience lib for protobuf-c
We need to use it for sudo <-> sudo_intercept.so communication.
2021-08-09 15:50:25 -06:00
Todd C. Miller
9d776b4e7b
Allow multiple accept/reject messages during a logsrv conversation.
The log server now advertises a subcommands flag if it supports
logging subcommands (e.g. commands run from a sudo-spawned program
like a shell). The client should only log additional commands
during a session if this flag is set in the ServerHello message.
2021-08-09 15:50:25 -06:00
Todd C. Miller
1ae9954c63
Use run_argv and run_envp passed into the audit plugin for event logging.
Previously we used NewArgv[] and env_get() but now that logging is
performed via an audit plugin we should use the values passed in.
2021-08-09 15:50:25 -06:00
Todd C. Miller
5e3ce532fe
Allow set_perms(PERM_INITIAL) to be called more than once.
If the perm stack depth is non-zero when set_perms(PERM_INITIAL)
is called, rewind it first and re-initialize the stack depth to 0.
Fixes a use-after-free bug if set_perms(PERM_INITIAL) is called
multiple times.
2021-08-09 15:50:25 -06:00
Todd C. Miller
132936f8f0
Make it possible to call the sudoers policy check function multiple times.
We need to reset the Defaults values to their original state.
2021-08-09 15:50:25 -06:00
Todd C. Miller
a556b373c9
Allocate a socketpair to communicate with sudo_intercept.so over.
This is used for the intercept and log_children options.
2021-08-09 15:50:25 -06:00
Todd C. Miller
6287e8ca7d
Add support for loading the sudo_intercept.so DSO.
2021-08-09 15:50:25 -06:00
Todd C. Miller
786e5865cb
Add "intercept" Defaults setting to allow interception of sub-commands.
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell. Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
2021-08-09 15:50:25 -06:00
Todd C. Miller
b3e86c65b1
expand_prompt: use correct strlcpy() size parameter
The available size passed to strlcpy() was computed incorrectly.
Switch to updating the length after writing to the new prompt instead
of computing it each time. The actual buffer size is computed and
allocated correctly so there is no real consequence to this bug.
Found by Qualys.
2021-08-09 08:19:40 -06:00
Todd C. Miller
14ffa00c06
The tls_verify setting only affects server behavior, not the client.
Originally, there was a flag in the ServerHello message to indicate
that the client should verify the server cert, but this was removed
when TLS was moved to a separate port. Client validation of the server
certificate is now configured in the sudoers file instead.
2021-08-03 09:50:07 -06:00
Todd C. Miller
57cb62d7dc
On macOS, don't disable tty tickets and set password timeout to 0.
This more closely matches the options used by the macOS version of sudo.
2021-08-02 11:11:05 -06:00
Todd C. Miller
d1c29fb008
Add some debugging info to find_path()
2021-08-02 08:57:35 -06:00
Todd C. Miller
e4568ceafe
iolog_mkdtemp: umask must not be more restrictive than the file modes.
We need this even though we will be calling mkdtemp() since the
umask affects the mode of any parent directories.
2021-07-30 13:55:26 -06:00
Todd C. Miller
8b009f62eb
Plug memory leak in error path when sudoers cannot be opened.
2021-07-29 15:26:04 -06:00
Todd C. Miller
1032fca5b8
Trying to use "+=" or "-=" operators on a non-list is an error.
Previously, they were simply treated as "=" for non-lists.
2021-07-29 09:29:10 -06:00
Todd C. Miller
2ea773ed1f
Plug a memory leak in check_net_ifs found by address sanitizer.
2021-07-29 09:29:09 -06:00
Todd C. Miller
40496f510b
Prefix sanitizer and fuzzer options with -XCClinker in ASAN_LDFLAGS.
Otherwise libtool may ignore the options when linking.
2021-07-29 09:29:07 -06:00
Todd C. Miller
aee82efe45
Display the correct error message if X509_verify_cert() fails.
We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string()
instead of the generic OpenSSL error functions.
2021-07-27 14:49:28 -06:00
Todd C. Miller
d109cd61d9
In new_logline check for NULL args->reason for EVLOG_RAW.
This can't happen in practice since we never set EVLOG_RAW
without passing in a reason. Coverity CID 237142 237143
2021-07-27 12:19:53 -06:00
Todd C. Miller
e00ed390d5
format_json: don't dereference evlog if it is NULL.
Also silence a PVS Studio false positive.
2021-07-27 10:45:35 -06:00
Todd C. Miller
625ab9d298
Bump version to 1.9.7p2
2021-07-26 18:03:14 -06:00
Todd C. Miller
8d23e26110
Sudo 1.9.7p2
2021-07-26 17:54:22 -06:00