Todd C. Miller
6260a75891
Use AI_FQDN instead of AI_CANONNAME if available since "canonical"
...
is not always the same as "fully qualified".
2012-08-15 09:52:26 -04:00
Todd C. Miller
7aeadbd5b3
Add new check_defaults() function to check (but not update) the
...
Defaults entries. Visudo can now use this instead of update_defaults
to check all the defaults regardless instead of just the global
Defaults entries.
2012-08-14 10:45:55 -04:00
Todd C. Miller
66ad86594e
regen
2012-08-10 13:18:19 -04:00
Todd C. Miller
ef33ee45d9
Sync with translationproject.org and add new Slovenian translation.
2012-08-10 13:07:53 -04:00
Todd C. Miller
241b2395cf
Reduce the number of "internal error, foo overflow" messages that
...
need to be translated.
2012-08-10 12:18:38 -04:00
Todd C. Miller
d89b1a6be2
Support for using SSSD ( http://fedorahosted.org/sssd/ ) as a sudoers
...
data source. From Daniel Kopecek and Pavel Brezina.
2012-08-10 11:59:26 -04:00
Todd C. Miller
3ba8da4ab6
Cast 2nd argument of lseek() to off_t if it is a constant for systems
...
with 64-bit off_t but without a proper lseek() prototype.
2012-08-07 14:42:08 -04:00
Todd C. Miller
7d255e42cb
Fix some warnings from clang checker-267
2012-08-07 11:01:28 -04:00
Todd C. Miller
487c8abb08
Fix memory leak found by clang checker-267
2012-08-07 10:27:55 -04:00
Todd C. Miller
355d40aa86
The second argument to init_parser() is now bool.
2012-08-02 15:40:11 -04:00
Todd C. Miller
80597710c1
Fix printing of parse error message to stderr.
2012-08-02 15:37:48 -04:00
Todd C. Miller
57699c5531
If a command matches using an empty Runas_List (i.e. Runas_List is
...
present but empty) and the -u option was not specified, set runas_pw
to user_pw instead of using runas_default. This is intended to be
used in conjunction with the Solaris Privilege Set support for rules
that grant privileges without changing the user.
2012-08-02 14:37:32 -04:00
Todd C. Miller
e2d210a340
Add support for parsing an empty Runas_List, which only allows the
...
command to be run as the invoking user. This can be used in
conjunction with the Solaris Privilege Set support to grant privileges
without changing the user.
2012-08-02 14:02:54 -04:00
Todd C. Miller
b1d1d89899
Fix compilation on Solaris
2012-08-01 14:57:14 -04:00
Todd C. Miller
f205243bd7
Active Directory apparently requires that tenths of a second be
...
present in a date so append .0 to the "now" value in the time filter.
Also remove space for the global AND from TIMEFILTER_LENGTH since
it was not being used consistently. Buffers of TIMEFILTER_LENGTH
now need to account for the terminating NUL byte.
2012-07-30 11:09:11 -04:00
Todd C. Miller
a9623c29c2
Fix SELinux build
2012-07-30 11:01:32 -04:00
Todd C. Miller
383e0c860b
Fix printing of the permission denied message to standard error
...
when a user is not allowed to run a command. This got broken by
the recent logging changes.
2012-07-27 16:22:09 -04:00
Todd C. Miller
2c7df29251
Bump grammar version for Solaris privs.
2012-07-27 15:32:42 -04:00
Todd C. Miller
6ce246f0b0
Remove lex.yy.c when building toke.c
2012-07-26 14:31:05 -04:00
Todd C. Miller
4abd2a6cf4
Merge in Solaris privilege support by Darren Moffat and John Zolnowsky
2012-07-26 13:49:21 -04:00
Todd C. Miller
f7dc1d849f
Use "a password is required" instead of "password required" when
...
the -n flag is used and we need to read a password.
2012-07-11 16:28:40 -04:00
Todd C. Miller
5f83d35f78
regen
2012-07-10 14:53:52 -04:00
Todd C. Miller
8b03f3e7d0
Move log_denial() calls and logic to log_failure().
...
Move authentication failure logging to log_auth_failure().
Both of these call audit_failure() for us.
This subtly changes logging for commands that are denied by sudoers
but where the user failed to enter the correct password. Previously,
these would be logged as "N incorrect password attempts" but now
are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
Todd C. Miller
f8f0021710
Add configure check for building PIE executables instead of doing
...
it in mkpkg.
2012-07-02 10:12:41 -04:00
Todd C. Miller
3c57d6a06d
Add support for ldaps using Tivoli LDAP libraries.
...
Add ldap.conf option to specify Tivoli key db password.
Allow TLS ciphers to be configured for Tivoli.
2012-06-29 12:14:45 -04:00
Todd C. Miller
f56bada404
Tivoli Directory Server 6.3 libs always return a (bogus) error
...
when setting LDAP_OPT_CONNECT_TIMEOUT.
2012-06-28 15:42:38 -04:00
Todd C. Miller
cfe0034cdf
Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the
...
same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH).
Don't make failure to a set an ldap option fatal.
2012-06-28 14:58:15 -04:00
Todd C. Miller
7d5048a5be
Zero pointers in sudo_user struct after freeing, just in case.
2012-06-27 17:04:39 -04:00
Todd C. Miller
899fcc05ac
Free user_gids in close function if it has not already been freed.
2012-06-27 16:56:55 -04:00
Todd C. Miller
1cd50d0bce
Defer group ID to name resolution until we actually need it.
2012-06-27 16:50:56 -04:00
Todd C. Miller
e9f5a38398
Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to
...
prevent potential truncation. Bug #562 .
2012-06-27 13:41:58 -04:00
Todd C. Miller
9497df293a
Don't run regress tests or sudoers sanity check (using the newly-built
...
visudo) when cross compiling. Bug #560
2012-06-20 13:38:17 -04:00
Todd C. Miller
bcfeddc998
Rename foo.sym -> foo.exp
...
Remove foo.map from the repo and generate it on demand
Use a loader option file for HP-UX ld to explicitly export symbols
2012-06-20 12:58:16 -04:00
Todd C. Miller
a49238e3f1
Don't check for errorx as an exported symbols as it is now a macro.
...
Check for user_in_group() instead.
2012-06-20 09:38:25 -04:00
Todd C. Miller
45fea137f9
Fix compilation on gcc 2.95 and other compilers that only allow
...
variable declarations at the beginning of a block.
2012-06-18 13:47:01 -04:00
Todd C. Miller
fdcc8e1fce
Link check_symbols with SUDO_LIBS to make sure we link with the
...
requisite libraries to successfully dlopen sudoers.so. This is
needed on HP-UX where a program dlopen()ing a shared object that
uses pthreads must also be linked with pthreads (and HP-UX LDAP
uses pthreads).
2012-06-18 10:21:05 -04:00
Todd C. Miller
86cececc16
Add check for exported local symbols. This will cause a "make
...
check" failure on systems where we don't support symbol hiding.
2012-06-18 10:21:01 -04:00
Todd C. Miller
437978bd35
No need to provide a name for the scope in the map file since we
...
don't use the it for versioning.
2012-06-18 09:25:29 -04:00
Todd C. Miller
2a83d1c6d5
Add regress test for symbol visibility.
2012-06-17 20:23:21 -04:00
Todd C. Miller
203abd98b9
Use the expanded io log dir when updating the sequence number.
...
Includes a workaround for older versions of sudo where the
sequence number was stored in the unexpanded io log dir.
2012-06-15 12:33:12 -04:00
Todd C. Miller
47abbb90a2
Don't use a map file for sudo_noexec.so since Solaris ld doesn't
...
allow '*' in the global section. The libtool export flag is now
added to LT_LDFLAGS instead of commenting/uncommenting lines.
2012-06-14 11:35:02 -04:00
Todd C. Miller
649edc3192
Export group cache from sudoers.so for system_group.so to use.
2012-06-13 16:21:45 -04:00
Todd C. Miller
6f6b0dec6c
Use gcc's visibility attribute to specify when symbols are visible
...
or hidden, if available. If not available, use an ELF version
script if it is supported. If all else fails, fall back to using
libtool's -export-symbols.
2012-06-13 14:01:16 -04:00
Todd C. Miller
a8e0687ca9
Install shared objects with mode 0644 except on HP-UX which needs
...
the executable bit set.
2012-06-11 10:45:34 -04:00
Todd C. Miller
c131cb36f5
Make installed file modes consistent with the file modes in the
...
sudo package.
2012-06-11 10:17:19 -04:00
Todd C. Miller
54cfac04d1
If there are no privs to print, write the message to the lbuf instead
...
of printing it directly.
2012-06-01 16:27:17 -04:00
Todd C. Miller
b406b51da0
No need to loop over atomic_writev(), it guarantees to write all
...
data or return an error.
Fix handling of stdout/stderr that contains "\r\n" and handle a
"\r\n" pair that spans a buffer.
2012-05-30 10:46:02 -04:00
Todd C. Miller
12be3e7f54
Instead of doing extra write()s when replaying stdout, build up a
...
vector for writev() instead. This results in far fewer system
calls.
2012-05-29 13:46:28 -04:00
Todd C. Miller
7a6cad5026
When replaying a log of stdout or stderr, do newline to carriage
...
return + linefeed conversion. We cannot have termios do this for
us since we've disabled output postprocessing (POST) when setting
raw mode.
2012-05-25 16:24:42 -04:00
Todd C. Miller
ca9331d498
Add tests for sudoers mode, owner and group checks.
2012-05-21 15:39:24 -04:00