We rely on the include path to find many of these headers. It
especially doesn't make sense to use #include "foo.h" for headers
in the top-level include directory.
This removes some infinite loops that can cause static analyzer
warnings. The fds are not in non-blocking mode and we use restartable
system calls so there is no need to loop.
Either the fd is not a terminal or we don't have the controlling
terminal. Either way, we can't know the current status of the
terminal and will need to set to raw mode again (if possible). Also
make sure to set ec->term_raw to false if sudo_term_raw() fails.
This upgrades the error pipe to a bi-directional socketpair that
the parent will write to after it has granted the child process the
controlling terminal. That fixes an issue where the child could
end up in a tight CPU loop waiting on the parent which may not be
scheduled immediately.
This is safer than storing a pointer to a stack variable in the
cleanup function since we don't need to worry about it ever going
out of scope. Quiets a clang 15 analyzer warning.
The noexec and intercept DSO settings may now include both a 32-bit
DSO and a 64-bit DSO specified by a colon. For example:
/usr/libexec/sudo/sudo_intercept.so:/usr/libexec/sudo/sudo_intercept_64.so.
Previously, sudo only checked that the fd was a terminal, not that
it matched sudo's idea of the user's terminal. This matters when
input or output is redirected to a different terminal. In that
case we want to interpose the fd with a pipe even if it refers to
a terminal. Bug #1056.
This fixes a problem with "stair-stepped" output when the sudo-run
command's output is piped to another program and the command reads
input from the terminal.
Add cmnd_foreground flag that is only true if sudo is the foreground
process and the CD_EXEC_BG flag is not set and pass it to exec_monitor().
This means exec_monitor() no longer needs to check for CD_EXEC_BG.
The format value has to be a string literal, every time.
Otherwise, you are not using these functions correctly. To reinforce this fact, I putrestrict over every non-contrib example of this I could find.
macOS does not support direct access to the environ pointer from a
shared object. We need to redirect through _NSGetEnviron() instead.
Fixes GitHub issue #276.
Configuration paths in sudo are now a colon-separated list of files
with the adminconfdir instance first (if enabled), followed by a
sysconfdir instance.
This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF,
and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first
file that exists is used.
This should avoid problems on Linux in cases where sudo does not
have CAP_SYS_RESOURCE which may be the case in an unprivileged container.
GitHub issue #42
When a command is run via "sudo -b" it has no access to terminal
input. In non-pty mode, the command runs in an orphaned process
group and reads from the controlling terminal fail with EIO. We
cannot do the same while running in a pty but if we set stdin to a
half-closed pipe, reads from it will get EOF. That is close enough.
Trying to tailor the help and usage output to the terminal width
is simply not worth it and could be abused to mark a socket as
"trusted" on Linux if there are additional kernel bugs like
CVE-2023-2002.
