Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike,
__printf0like -> sudo_printf0like.
Add sudo_noreturn instead of __attribute__((__noreturn__)).
We do not use stdnoreturn.h since it has been deprecated in C23
in favor of the [[noreturn]] attribute.
Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
This makes it possible to use a different PAM configuration for
when "sudo -A" is used. The main use case is to only use PAM modules
that can interact with the askpass program. GitHub issue #112.
While this is how the kernel behaves it is not a portable assumption.
The assumption may also be violated if getopt_long(3) permutes arguments.
Found by Qualys.
This is consistent with how the -e option is handled.
Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
Found by Qualys, this is part of the fix for CVE-2021-3156.
Previously we needed to include headers required by the various
sudo*h files. Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
Previously, if multiple instances of the same command line option were
specified, the last one would be used. This meant that, for example,
"sudo -u someuser -u otheruser id" would run the command as "otheruser".
This has the potential to cause problems for programs that run sudo with
a user-specified command that do not use the "--" option to indicate
that no more options should be processed. While this is a bug in
the calling program, there is little downside to erroring out when
multiple options of the same type are specified on the command line.
Bug #924
This can be used to implement logging-only plugins.
The plugin functions now take an errstr argument that can be used
to return an error string to be logged on failure or error.
line option is used. The caller doesn't check MODE_PRESERVE_ENV
these days but parse_args uses it to detect usage errors when -E
is used along with a mutually excusive option. Problem found by
Yuriy Vostrikov.
even if only defined to NULL. This means the accessors can always be
present.
Use RTLD_PRELOAD_VAR instead of _PATH_SUDO_NOEXEC to tell when
noexec is available.
Add ENABLE_SUDO_PLUGIN_API and use it instead of _PATH_SUDO_PLUGIN_DIR
to tell when the plugin API is available.
Add sudo_conf_clear_paths() to clear the path values so the
regress tests are not affected by compile-time settings.
