Todd C. Miller
24d812d037
Pass command_info[] to audit plugin on I/O log plugin reject or error.
...
The audit plugin should cope with a NULL command_info but there's no
reason not to pass the info when we have it.
2020-11-17 13:15:15 -07:00
Todd C. Miller
27615b5582
For the audit plugin, command_info may be NULL.
...
Fixes a NULL dereference in sudoers_audit when an I/O logging
plugin rejects input/output or returns an error.
2020-11-17 13:04:57 -07:00
Todd C. Miller
e4a2765cce
Add missing initialization of def_log_format to sudo.
2020-11-17 11:11:52 -07:00
Todd C. Miller
a96b9a1373
Newer LibreSSL has SSL_CTX_set_ciphersuites but it is not enabled.
...
Add a check for the function declaration in openssl/ssl.h.
2020-11-16 14:39:52 -07:00
Todd C. Miller
38dd0f63b6
Event log data is sent to sudo_logsrvd even when not I/O logging.
2020-11-16 06:30:52 -07:00
Todd C. Miller
061b53e338
Regenerate sudoers.pot for 1.9.4
2020-11-14 11:42:31 -07:00
Todd C. Miller
1aa76e9b7a
Update for sudo 1.9.4.
2020-11-14 11:42:29 -07:00
Todd C. Miller
2b71b61044
Update struct eventlog based on command_info[] from front-end.
...
The I/O log path is not known until the I/O log plugins have
run and other plugins may alter the execution environment.
2020-11-14 11:42:27 -07:00
Todd C. Miller
95fb8eb727
Add sudoerserrorf(), a printf-style yyerror() function.
...
Use this to display a better error message when using a reserved
word in an alias definition.
2020-11-14 06:17:41 -07:00
Todd C. Miller
d28b4291c4
Build universal binaries on macOS 11.0 and higher.
...
The resulting package should work on Macs based on Apple Silicon.
2020-11-13 09:46:00 -07:00
Todd C. Miller
aeef6db85e
Support EDITOR environment variable that includes quotes.
...
Quote support is limited to the beginning of a word.
Also handles characters escaped with a backslash.
2020-11-12 16:04:05 -07:00
Todd C. Miller
d688f4d34e
Back out regex use in python tests, filter the output instead.
...
This makes it possible to regenerate the test output again.
Also adds an update_test_data target to the Makefile.
2020-11-11 19:04:01 -07:00
Todd C. Miller
b2ccbb3a90
Stay setuid until just before executing the command.
...
Fixes a problem with pam_xauth which checks effective and real uids
to get the real identity of the user.
2020-11-11 09:34:50 -07:00
Todd C. Miller
6439b4cc01
Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED
...
This is consistent with the pre-1.8.24 behavior. Bug #945
2020-11-11 09:34:50 -07:00
Todd C. Miller
55c4f3bddd
Introduce new_member_all() for code that doesn't include gram.h.
...
The ldap and sssd back-ends no longer require gram.h which fixes a
compilation issue with IBM LDAP.
2020-11-10 19:36:56 -07:00
Todd C. Miller
deb217adf9
On SIGHUP, deregister the old debug instance before registering a new one.
...
Otherwise, if debugging is enabled we will get an extra log instance
each time sudo_logsrvd receives SIGHUP which results in duplicate
lines in the debug log.
2020-11-10 19:36:55 -07:00
Todd C. Miller
72df19088b
Refactor code to format the client message after the hello.
2020-11-09 18:32:37 -07:00
Todd C. Miller
56fb16d3e8
Use sudoers_to_eventlog() and init_log_details() in sudoers_audit_accept().
...
log_deserialize_info() can be private to iolog.c again.
2020-11-09 17:15:11 -07:00
Todd C. Miller
9779009fae
Add info_msgs to AlertMessage and populate it.
...
This lets us log eventlog info along with the alert if it is available.
2020-11-09 17:15:11 -07:00
Todd C. Miller
62525dcc94
Log reject and alert messages to the log server if one is defined.
2020-11-09 17:15:02 -07:00
Todd C. Miller
e56c3b342b
Rename iolog_plugin.h to log_client.h.
...
It is no longer I/O log specific and is used by sudoers_audit too.
2020-11-09 17:13:04 -07:00
Todd C. Miller
62547746d3
Rename iolog_client -> log_client.
...
The logsrvd client code is now used for more than just I/O logging.
2020-11-09 17:13:04 -07:00
Todd C. Miller
2112d9beb1
Log accept messages in sudoers_audit if not I/O logging.
2020-11-04 05:39:16 -07:00
Todd C. Miller
8f5290b19a
Refactor code to format InfoMessage array into fmt_info_messages().
...
Add free_info_messages() to free the array.
2020-11-04 05:46:07 -07:00
Todd C. Miller
e264767eaa
Refactor sudoers_io_open_remote() into log_server_open().
...
Also rename client_close() to log_server_close().
This keeps more of the client code details out of iolog.c and
will be used when logging accept messages from the audit plugin.
2020-11-04 05:29:03 -07:00
Todd C. Miller
2d888380a4
Move argv and envp setting into iolog_deserialize_info().
2020-11-04 05:20:08 -07:00
Todd C. Miller
f1ded289e1
Avoid early return in handle_accept() if expect_iobufs not set.
2020-11-04 05:15:07 -07:00
Todd C. Miller
fe9e65754c
Add event_alloc to the audit plugin API.
...
The sudoers audit plugin will use this to communicate with sudo_logsrvd.
2020-11-02 15:28:21 -07:00
Todd C. Miller
ad40241703
Treat an authentication failure as a reject, not an alert.
...
This matters when logging via sudo_logsrvd.
It also lets us remove a special case in vlog_warning().
2020-11-09 17:13:04 -07:00
Todd C. Miller
0dd4c5797a
For logsrvd AlertMessages, evlog will be NULL.
2020-11-06 14:40:54 -07:00
Todd C. Miller
444ca3789e
Append errstr to reason for alert and reject events if specified.
...
Previously, we logged the error string separately but this is
not consistent with how it is logged in other formats.
2020-11-06 13:09:21 -07:00
Todd C. Miller
f8a708dae3
Regenerate with bison 3.7.3
2020-11-09 16:52:26 -07:00
Todd C. Miller
08d236293b
Remove hack to define YYTOKENTYPE, it breaks newer bison.
2020-11-09 16:52:26 -07:00
Todd C. Miller
a9cad13b11
Use struct eventlog *evlog, not struct eventlog *details.
2020-11-09 16:52:21 -07:00
Todd C. Miller
282a7e80f2
Fix cut & pasto in debug subsystem.
2020-11-06 08:51:38 -07:00
Todd C. Miller
de58c11dba
Set server_name before initiating TLS connection so verify function works.
...
Fixes a crash in the SSL_VERIFY_PEER callback. Also call inet_ntop(3)
with addr pointer, not sockaddr pointer so we get the correct IP address.
2020-11-02 09:30:45 -07:00
Todd C. Miller
6286ce1d16
Store column number for aliases, defaults and userspecs too.
...
This is used to provide the column number along with the line
number in error messages. For aliases we store the column of the
alias name, not the value since that is what visudo generally needs.
2020-11-02 05:39:06 -07:00
Todd C. Miller
982012dbb1
Display column number in parse error messages too.
...
Bug #841
2020-11-01 15:34:11 -07:00
Todd C. Miller
6f7e5b104b
Move tls initialized flag into client_closure.
...
We may call tls_init() from multiple places in the future so a
static initialized flag will cause problems.
2020-11-01 15:03:02 -07:00
Todd C. Miller
10b09e4d89
Fix -Wshadow warnings caused by json enum member.
2020-11-01 15:01:16 -07:00
Todd C. Miller
e0c2635fb3
Apply Google inclusive language guidelines.
...
Also replace backwards with backward.
2020-10-30 10:15:30 -06:00
Todd C. Miller
973da9a591
Reference IBM LDAP libs, not Tivoli since that is how it is packaged.
...
We still use Tivoli when talking about the server itself but refer
to it as the "IBM Tivoli Directory Server".
2020-10-29 09:16:06 -06:00
Todd C. Miller
f4c5f34ab7
Add a newline before "This option is ..."
2020-10-29 06:32:03 -06:00
Todd C. Miller
8dee1b1ecf
regen
2020-10-29 06:31:45 -06:00
Todd C. Miller
1910b1924f
Test eventlog_writeln() when word wrap is disabled.
2020-10-28 13:47:40 -06:00
Todd C. Miller
3078d67c13
Bison generates an extra enum containing the parser tokens.
...
This conflicts with the IBM ldap.h at least. Prevent it from being
exposed by defining YYTOKENTYPE.
2020-10-28 10:13:39 -06:00
Todd C. Miller
c8c7e1f607
Use ssl_err2string() in message on ldap_ssl_client_init() failure.
...
Displaying SSL reason code directly is not user-friendly.
2020-10-28 09:40:11 -06:00
Todd C. Miller
488aeff532
IBM LDAP packages use a lib64 directory for 64-bit libraries.
...
We need to add this to LDFLAGS so the linker is able to find
the correct libs when building 64-bit binaries.
2020-10-28 09:49:10 -06:00
Todd C. Miller
8c43eeb293
For JSON logs, write the most important log elements first.
...
This is important for syslog where the record could be truncated.
2020-10-27 16:28:16 -06:00
Todd C. Miller
28d6771d24
Add log_format sudoers setting to select sudo or json format logs.
...
Defaults to sudo-format logs.
2020-10-27 15:26:02 -06:00