isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,333 Commits 1 Branch 0 Tags
24b35393e3c38c483efb10c8e45a3ba0d1522bf5
Commit Graph

146 Commits

Author SHA1 Message Date
Todd C. Miller
fd06e588ee If the command was run in a chroot, add it to the log. 2020-09-02 16:57:55 -06:00
Todd C. Miller
226307591c Log the runcwd not submitcwd in the sudo-style log file. 
The log entry should reflect the working directory the command
actually ran in.
 2020-09-02 11:23:26 -06:00
Todd C. Miller
bd254e1042 Read/write runchroot and runcwd entries in the JSON event log. 2020-09-01 06:26:05 -06:00
Todd C. Miller
84e6e6ccf9 Update copyright year on some files where it was out of date. 2020-08-31 14:09:36 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
cbad17a994 Move inclusion of compat headers up with the system headers. 
Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h
before including the compat headers.
 2020-08-12 10:07:07 -06:00
Todd C. Miller
985af422d2 Rename __dso_public -> sudo_dso_public and move to config.h. 2020-08-12 09:57:42 -06:00
Todd C. Miller
076d0376db We no longer need to include sudo_gettext.h before sudo_compat.h 2020-08-12 09:50:35 -06:00
Todd C. Miller
63dadad9df Refactor freeing of InfoMessage list into free_info_messages(). 
Also fixes a false positive from the clang analyzer.
 2020-08-07 14:22:28 -06:00
Todd C. Miller
03ad96e445 Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. 2020-08-01 13:10:50 -06:00
Todd C. Miller
8da1f31954 Fix memory leak on error in fmt_info_messages(). 2020-06-06 14:08:34 -06:00
Todd C. Miller
84f0ae0cb8 Use PACKAGE_VERSION instead of 0.1 as the client and server version. 2020-05-18 11:33:13 -06:00
Todd C. Miller
1c3946e9b1 Don't print errno for the "TLS not supported" message. 2020-05-15 09:10:22 -06:00
Todd C. Miller
f71b569419 Add iolog_path to the JSON-format event log 2020-05-13 11:13:29 -06:00
Todd C. Miller
d2686dde0c Rename FLUSHED state to FINISHED 
This makes more sense when receiving event-only logs.
 2020-05-13 09:30:05 -06:00
Todd C. Miller
0337f5b735 Fix handling of connections without associated I/O logs. 
This fixes reject events as well as accept events without the
expect_iobufs flag set.
 2020-05-13 07:40:47 -06:00
Todd C. Miller
27355e6aae Fix handling of accept and reject messages without an I/O log. 
Only set expect_iobufs in AcceptMessage if sending I/O logs.
Set state to FINISHED immediately after sending a RejectMessage.
 2020-05-12 19:19:16 -06:00
Todd C. Miller
d5888e2745 Add -A and -R options to test logging of accept and reject events. 
If -A is specified, no I/O will be sent, only the accept event.
For -R, a reject event with the specified reason is sent.
 2020-05-12 14:45:46 -06:00
Todd C. Miller
83d1bee918 Rename sudo_parse_host_port -> iolog_parse_host_port and mv to lib/iolog 
It is not used outside of the I/O log client and server and the
host:port syntax may change in the future.
 2020-05-11 08:47:54 -06:00
Todd C. Miller
fc79cbc317 Only enable TLS listener by default if we have a cert for it. 
We want the log server to work with the default configuration.  If
the default certificate path exists, it will be used with the default
listener.  If the user explicitly enabled a TLS listener we always
attempt to use it.  If TLS was specified but no cert file was set,
the default location will be used (and an error will occur if the
cert cannot be loaded).
 2020-05-08 16:07:55 -06:00
Todd C. Miller
e9be26c4b1 regen 2020-05-07 12:22:00 -06:00
Todd C. Miller
0cf2e09e0c Apply spelling fixes. 
Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell)
 2020-05-06 09:27:43 -06:00
Todd C. Miller
6901fc97ac Add a ClientHello message that client sends to the server. 
This makes it easier to detect a plaintext client sending to a
TLS port.  Without this, the TLS server will be silent as it
waits for the client to initiate the TLS connection.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1e765e1caf Better error messages when there is a problem with the TLS connection. 
If SSL_read, SSL_write or SSL_connect fails we can use the reason
string to let the user know what the problem is.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1f8da42f9a Warn about tls errors during startup so the user has a clue. 
We write messages to stderr until we become a daemon.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
e5f8214c0a Remove the tls parameter from the ServerHello message. 
The TLS connection is now initiated before ServerHello is received.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS. 
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client recieve an alert
from the server is there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
b5a317aeb9 Add support for a tls flag in sudo_parse_host_port(). 
If the string "(tls)" appears at the end, the tls flag is set to true
and the default tls port is used if necessary.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
42df431ce2 Make the default certificate and key paths match the example file. 2020-05-04 11:33:04 -06:00
Todd C. Miller
7d621fc6f1 Plug memory leaks in sudo_sendlog 2020-05-04 11:25:47 -06:00
Todd C. Miller
aba4915b83 On error, remove the connection with an error without freeing the closure. 
Fixes the final message at the end when there is a network error.
 2020-04-30 15:54:35 -06:00
Todd C. Miller
2ab8f2a732 Check for tls_config->dhparams_path being non-NULL before using it. 2020-04-28 10:52:08 -06:00
Todd C. Miller
5dec0f763f Allow -t option even without OpenSSL 
Also add -t to the usage message
 2020-04-23 14:16:02 -06:00
Todd C. Miller
0fafcf6aea Use sudo_strtonum() instead of relying on strtoll(). 
Older, pre-C99, systems may not include strtoll() in their C library.
 2020-04-23 11:15:03 -06:00
Laszlo Orban
481427f9f0 add missing shudown of TLS connection 2020-04-17 07:00:19 -06:00
Todd C. Miller
ce92674cc2 Reload sudo.conf upon SIGUP 
This makes it possible to update the Debug settings in sudo.conf and
have them take effect on reload.
 2020-04-08 10:19:55 -06:00
Todd C. Miller
69b6783be6 Store the result of ERR_get_error() so we can use it for both warn and debug. 
Otherwise, only the debug framework gets the actual error and the
user won't see the problem.
 2020-04-08 09:26:41 -06:00
Todd C. Miller
18ff60f6ff Disable IPv4-mapped IPv6 addresses in the listener. 
Also store the host + port string and use it in error messages.
 2020-04-08 08:54:28 -06:00
Todd C. Miller
e86106f2e1 Create the pid file parent directory if it doesn't already exist. 
Also package the run directory in the sudo_logsrvd PolyPkg file.
 2020-04-07 19:26:37 -06:00
Robert Manner
468a5d228e logsrvd/eventlog.c: add a newline after each log message for logfile output 2020-04-06 07:31:01 -06:00
Robert Manner
ace8e18953 logsrvd/iolog_writer.c: treat runuid, rungid 0 as valid (usually ==root) 2020-04-06 07:31:01 -06:00
Todd C. Miller
c122e9bf62 Write process ID as an unsigned int (with a cast). 
On Solaris, pid_t may be typedef'd as a long but the actual range
is 32 bits at most.
 2020-03-29 09:11:57 -06:00
Todd C. Miller
f908ddd1bf Create a pidfile for sudo_logsrvd when not run with the -n flag. 2020-03-29 05:05:08 -06:00
Todd C. Miller
1b90f65609 sudo_logsrvd now exits with an error if it cannot open any listen sockets. 2020-03-29 05:05:08 -06:00
Todd C. Miller
cffda82e20 Do not use JSON_ARRAY with sudo_json_add_value() 2020-03-29 05:05:08 -06:00
Todd C. Miller
9b144069fc Store runenv in the I/O log info file too. 2020-03-29 05:05:08 -06:00
Todd C. Miller
ea9b711a70 Write an extended I/O info log in JSON format. 
This will be used by sudoreplay if it exists to get more information
about the command being replayed.
 2020-03-29 05:05:08 -06:00
Todd C. Miller
a644c1d1d2 iolog_parse_loginfo() now opens the log file itself. 2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
84d9c7b241 Add configure check for SSL_CTX_get0_certificate(). 
Dummy out verify_server_cert() if it is not present to allow building
on older OpenSSL versions.  Rewriting this to work with old OpenSSL
is not worth the trouble.
 2020-03-17 20:07:48 -06:00