Todd C. Miller
cf84511273
Build and test macos with circleci.
2022-02-23 10:10:39 -07:00
Todd C. Miller
c7fb513594
Mention lecture behavior change.
2022-02-22 17:02:40 -07:00
Todd C. Miller
eaf76278ec
Fix compilation on systems without a real openat(2).
2022-02-22 14:13:15 -07:00
Todd C. Miller
b0fa769504
Better warning message when the digest in sudoers is the wrong length.
2022-02-22 12:15:34 -07:00
Todd C. Miller
41bc52302b
Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set.
2022-02-22 12:04:10 -07:00
Todd C. Miller
2911c31dd7
Display the lecture immediately before prompting for a password.
...
This means we no longer display the lecture unless the user is going
to enter a password. Authentication methods that don't interact
with the user via the terminal don't trigger the lecture.
2022-02-21 19:34:06 -07:00
Todd C. Miller
9757d29a24
Add back warning when a user is not allowed to run a command.
...
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host.
The new behavior is to display the warning if a command is denied
and mail is sent to the administrator. Whether or not mail is sent
is controlled by the "mail_*" flags in sudoers. The warning text
is now "This incident has been reported to the administrator." which
is hopefully less confusing. The message will not be printed if
either the "mailto" or "mailerpath" sudoers settings are disabled.
2022-02-21 14:03:05 -07:00
Todd C. Miller
973a8f08f9
Document that negating mailto or mailerpath disables sending mail.
2022-02-21 13:50:49 -07:00
Todd C. Miller
98ac09de38
Don't try to send mail if mailto not set or the mailer is not present.
2022-02-20 19:11:33 -07:00
Todd C. Miller
81d63244e9
Remove obsolete TODO file.
2022-02-21 13:22:07 -07:00
Todd C. Miller
bde48fb4c5
Updated translations from translationproject.org
2022-02-18 09:45:52 -07:00
Todd C. Miller
cadfbfedb9
Add tests for iolog filtering.
...
This is the functionality used by the log_passwords and passprompt_regex
options.
2022-02-18 09:40:40 -07:00
Todd C. Miller
b19bd98531
iolog_pwfilt_run: apply regex on ttyout even if we disabled filtering.
...
The heuristic used to decide when to disable filtering is when we
see another ttyout buffer or find a cr or nl in the ttyin buffer.
However, we should also check the buffer that caused us to disable
filtering for a matching regex that would re-enable filtering.
Programs that prompt for a password twice might otherwise not have
the second password filtered.
2022-02-18 09:14:35 -07:00
Todd C. Miller
9f5615e5b1
Avoid using "note that" and "note: " in documentation.
2022-02-16 16:38:44 -07:00
Todd C. Miller
9175954895
Remove "please" from the documentation, it is considered bad style.
2022-02-16 12:33:32 -07:00
Todd C. Miller
c4fc9b695b
Mention regular expressions and "sudo -l -U user" behavior change.
2022-02-16 11:01:59 -07:00
Todd C. Miller
339ef82d62
Add security notes about regular expressions in sudoers rules.
2022-02-16 10:41:29 -07:00
Todd C. Miller
03484c0c1d
Update NEWS for GitHub issue #134.
2022-02-16 09:10:36 -07:00
Todd C. Miller
de52b8e443
fmt_authfail_message: compute the exact amount of space needed.
...
Instead of truncating on overflow, warn and return NULL.
2022-02-15 19:48:06 -07:00
Todd C. Miller
274468d7d2
do_logfile_sudo: plug memory leak of full_line
...
Coverity CID 249329
2022-02-15 19:53:35 -07:00
Todd C. Miller
f01b044010
log_server_alert: plug potential memory leak
...
Coverity CID 249328
2022-02-15 19:50:55 -07:00
Todd C. Miller
72961fe433
Fix potential NULL deref if getpwuid(0) fails.
...
Coverity CID 249326
2022-02-15 19:41:31 -07:00
Todd C. Miller
9f695f0fcc
Restrict "sudo -U other -l" to users with sudo ALL for root or "other".
...
Having "sudo ALL" permissions is no longer sufficient to be able to
list another user's privileges. The invoking user must now have
"sudo ALL" for root or the target user.
GitHub issue #134
2022-02-14 13:09:55 -07:00
Todd C. Miller
df1bb3814b
Reword some of the NEWS items for 1.9.10.
2022-02-13 08:55:01 -07:00
Todd C. Miller
33f54c853b
Limit regular expressions to 1024 characters each.
...
Avoids a problem with the fuzzer creating large regular expressions
that blow up the glibc regcomp().
2022-02-12 09:33:02 -07:00
Todd C. Miller
63b2a62f8a
Substitute values in the example syslog.conf too.
...
Also update ignore files for example changes
2022-02-11 19:19:09 -07:00
Todd C. Miller
0bbe4b1813
Substitute paths set by configure in examples. Bug #1023
2022-02-11 19:07:08 -07:00
Todd C. Miller
0e2e4b6882
Update Project-Id-Version to 1.9.10.
2022-02-11 18:34:04 -07:00
Todd C. Miller
541c165e65
Update .pot files for 1.9.10
2022-02-11 14:15:31 -07:00
Todd C. Miller
85f9f2beb6
Sudo 1.9.10
2022-02-11 14:14:32 -07:00
Todd C. Miller
7c17f84a35
Add helper function to compile a regex that supports (?i).
2022-02-11 12:01:31 -07:00
Todd C. Miller
86d2173937
Add support for matching command and args using regular expressions.
...
Either the command, its arguments or both may be (separate)
regular expressions.
2022-02-10 18:26:24 -07:00
Todd C. Miller
c8bf591042
Clear sudoers_errstr after it is used.
...
This way we avoid printing the same error message more than once
if there are multiple ERROR tokens returned from the lexer.
2022-02-10 16:09:44 -07:00
Todd C. Miller
3c1ce4bf72
store_iobuf_local: fix potential double free on the error path.
2022-02-10 13:33:24 -07:00
Todd C. Miller
3b6f620e3e
Update links to sudo web site and reference markdown docs.
2022-02-10 13:15:39 -07:00
Todd C. Miller
7b5f0dfaf7
Use a 4n indent for code blocks instead of the default 6n.
2022-02-10 13:05:34 -07:00
Todd C. Miller
4e3a48f2d1
testsudoers: disable argument permutation in GNU getopt
...
This makes it easier to test commands with arguments.
2022-02-10 10:36:03 -07:00
Todd C. Miller
b6a2fcf59f
iolog_pwfilt_run: fix types in error return
2022-02-10 09:43:33 -07:00
Todd C. Miller
c5027c796c
Free potential leaks of passprompt_regex_handle.
...
Coverity CID 249057
2022-02-10 09:08:31 -07:00
Todd C. Miller
8dc2dc8bbc
Merge pull request #133 from Dzejrou/main
...
Do not unset user timeout when no default timeout is set.
2022-02-09 10:09:05 -07:00
Jaroslav Jindrak
1f3815c4fb
Do not unset user timeout when no default timeout is set.
2022-02-09 17:37:26 +01:00
Todd C. Miller
10ad934b77
Don't escape double quotes (") in a command when printing it.
...
Previously, cvtsudoers and "sudo -l" would escape double quotes in
a command or command line argument, which is not valid sudoers syntax.
2022-02-08 15:44:18 -07:00
Todd C. Miller
8adad85b4b
A few minor (mostly cosmetic) fixes.
...
Add missing ALL to Runas_Member and Host.
Replace some tabs with spaces.
Fix the syntax of a sudoedit example.
2022-02-08 11:26:55 -07:00
Todd C. Miller
53d3e20099
Merge pull request #132 from ninedotnine/patch-1
...
Sync example sudoers with default sudoers
2022-02-04 12:33:50 -07:00
dan soucy
8130dc9cb7
Sync example sudoers with default sudoers
...
`sudoers.in` was changed by 1d13533
2022-02-04 19:29:34 +00:00
Todd C. Miller
c5133d84eb
Upgrade http links to https where possible and fix some broken links.
2022-02-04 08:31:03 -07:00
Todd C. Miller
6aa320c96a
Remove "This incident will be reported." from user warnings.
...
This used to indicate that email had been sent to the administrator
telling them that someone tried to run sudo. Whether or not sudo
sends email is now configurable, so the warning may not be accurate.
It is also confusing to the user since they will not know who the
incident is being reported to. See also https://xkcd.com/838/
2022-02-03 19:47:44 -07:00
Todd C. Miller
4d0aeea688
Log fn_get_values() return code in the debug log on error.
...
Also move a nested switch() statement out of 'case 0' for
improved readability.
2022-02-03 12:31:56 -07:00
Todd C. Miller
de0f4398e2
Do not return an error if we cannot connect to the SSSD connector.
...
This may simply mean that nsswitch.conf lists sss as a sudoers
source but SSSD is not configured for sudo. Otherwise, the user
will receive a useless "problem with defaults entries" when the
sssd backend tries to fetch the global defaults. Bug #1022.
2022-02-03 11:31:05 -07:00
Todd C. Miller
c236d58b5a
Set client_closure to NULL after freeing it.
2022-02-03 10:55:45 -07:00