OpenSSL returns an error for SSL_accept() if TLS_client_method()
was used to generate the context (LibreSSL doesn't care).
Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method()
were used in the TLS client and server initialization code respectively.
This was refactored in sudo 1.9.7 to allow the code to be shared.
Bug #988
getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
For sudo-formatted logs, this is a record with "EXIT=number" and
potentially "SIGNAL=name" after the command. For JSON-format logs,
a new "exit" record is logged which contains an "exit_value" and
potentially "signal" and "core_dumped". JSON-format logs now incude
a UUID to associate the "exit" record with the "accept" record.
This is intended to provide a more useful error message if the
user defines a module which conflicts with a system python module.
For example, a module called test.py would conflicts with the system
python test module.
On systems where getgroups() returns results based on more than
just the per-process group vector in the kernel it is possible for
the number of groups to change in between invocations.
Based on GitHub PR #106 from Pierre-Olivier Martel.
There is a crash when "group: compat" is used in /etc/nsswitch.conf
that I haven't been able to debug. Since HP-UX doesn't ship the
appropriate headers it is likely that there is a mismatch between
include/compat/nss_dbdefs.h and what HP actually uses.
Fixes a bug where we would not insert a journal file that failed
to relay into the queue because its state was changed from CONNECTING
to ERROR after failing to connect.
Add some function argument names. Also use struct nss_db_state *
instead of void * in nss_db_root_t. We don't define struct
nss_db_state but since it is a pointer all we need is a forward
declaration.
In selinux_edit_copy_tfiles() when there is only one file and the open()
fails then number of arguments is lower than expected.
Sudo should return error with or without "Defaults !sudoedit_checkdir" set.
This was found with regression testing of CVE-2021-23240.
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
On Darwin, shared modules and shared libraries are not interchangable
and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it
must be a library, not a module. We must relax the requirement
that libraries begin with a "lib" prefix to work around this
difference. This does mean you must use sudo's libtool on Darwin
(macOS) but that is already a requirement on other systems (notably
HP-UX and SCO) due to a number of libtool patches we require that
haven't be accepted upstream. This is a different fix for PR #102.
