isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
10,420 Commits 1 Branch 0 Tags
28d6771d248dc80137ce17261fc913a19a4c34d7
Commit Graph

112 Commits

Author SHA1 Message Date
Todd C. Miller
90bcae7986 Only use faccessat(3) if AT_EACCESS is defined. 
Apparently Android (bionic) has faccessat() but not AT_EACCESS.
Bug #940.
 2020-09-17 20:17:38 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
bee9950593 Clean up temporary sudoedit files on success; Bug #929 
This is a regression introduced in sudo 1.9.0.
 2020-06-14 16:40:21 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
dd88460800 We no longer need to include headers we don't use for sudo*.h files. 
Previously we needed to include headers required by the various
sudo*h files.  Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
 2020-05-18 06:47:04 -06:00
Todd C. Miller
76bf9a73bc Fix sudoedit when running with SELinux RBAC mode. 
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.

Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit.  Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
 2020-04-21 14:29:23 -06:00
Todd C. Miller
009876bf36 Refactor the sudoedit code to copy files so it can be shared. 
The SELinux sudoedit code now extends the destination file the
same way the non-SELinux version does.
 2020-04-21 11:05:32 -06:00
Todd C. Miller
0bd39701b4 Do not remove sudoedit temporary files if we cannot overwrite the real file. 
The warning message says the files were preserved but they actually
got removed.
 2020-04-21 11:05:30 -06:00
Todd C. Miller
adb4360c40 Extend the original file before to the new size before updating it. 
Instead of opening the original file for writing w/ tuncation, we
first extend the file with zeroes (by writing, not seeking), then
overwrite it.  This should allow sudo to fail early if the disk is
out of space before it overwrites the original file.
 2020-04-17 19:08:56 -06:00
Todd C. Miller
9e12b71776 Treat EROFS (like EACCES) as a non-fatal error in dir_is_writable(). 
Fixes sudoedit on macOS 10.15 and above where the root file system
is mounted read-only.  See https://support.apple.com/en-us/HT210650.
From Dan Villiom Podlaski Christiansen.  Bug #913
 2020-01-16 13:55:32 -07:00
Todd C. Miller
c592470dbd For sudoedit_checkdir consider a user-owner directory to be writable. 
The non-faccessat() code already did this so this just brings the
faccessat() path into alignment.  Bug #912
 2020-01-11 15:32:48 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
0d69de5b25 Move openat() emulation to lib/util and at unlinkat() emulation. 2019-10-24 20:04:30 -06:00
Todd C. Miller
ab9a2ecac2 Create new files with the umask specified in sudoers. 2019-09-11 16:26:56 -06:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
6c3d20cb41 Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00
Todd C. Miller
64e5d34c57 Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Todd C. Miller
fe58062547 Cast uid/gid to unsigned int before printing. 2018-08-22 12:58:24 -06:00
Todd C. Miller
69541be94a Handle the case where O_PATH or O_SEARCH is defined but O_DIRECTORY 
is not.  In theory, O_DIRECTORY is redundant when O_SEARCH is
specified but it is legal for O_EXEC and O_SEARCH to have the same
value.  Bug #844
 2018-08-18 07:06:54 -06:00
Todd C. Miller
5ae557e308 Check sudoedit temporary directory for writability before using it. 2018-04-04 21:05:59 -06:00
Todd C. Miller
a885b952fb Remove use of AC_HEADER_TIME, only obsolete platforms actually 
need this.  Also stop removing sys/time.h unless the source file
uses struct timeval.
 2018-01-17 09:52:15 -07:00
Todd C. Miller
bbc43b5e30 Change some _() into U_() since they are used for warn/fatal. 
We always want to issue warnings in the user's locale.
 2017-12-11 08:07:01 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
ab59834a00 Don't treat an unchanged file as an error. From Xin Li. 2017-06-05 07:47:43 -06:00
Todd C. Miller
0d70e868f1 sudo_edit() must return a wait status but if there is an error, or 
even if no changes were made to the file, it was returning 1 instead
which would be interpreted as the command having received SIGHUP.
Use the W_EXITCODE() to construct a proper wait status in the error
case too.
 2017-06-05 07:11:09 -06:00
Todd C. Miller
befa862f75 No need to include selinux.h here. 2017-05-15 09:00:15 -06:00
Todd C. Miller
8133cdfdf6 Use sys/stat.h defines instead of bare octal values. 2016-11-07 13:36:05 -07:00
Todd C. Miller
3f022419ae Be consistent with the naming of the variable used to store the 
function return value.  Previously, some code used "rval", some
used "ret".  This standardizes on "ret" and uses "rc" for temporary
return codes.
 2016-09-08 16:38:08 -06:00
Todd C. Miller
cc31c2b241 Repair symlink check in sudo_edit_openat_nofollow() on systems 
without O_NOFOLLOW, it must be done relative to dfd.  Previously
the lstat() would always fail, possibly leading to a false positive.
Also add an early symlink check like in sudo_edit() while here.
 2016-07-25 10:41:33 -06:00
Todd C. Miller
bf82b3f2ba On systems that lack the O_NOFOLLOW open(2) flag, check in 
sudo_edit_open() whether the path to be opened is symlink before
opening it.  This is racey but we detect losing the last post-open
and it is better to fail early if possible.  When editing a link
to a non-existent file, a zero-length file will be left behind but
it is too dangerous to try and remove it after the fact.
Bug #753
 2016-07-25 10:26:54 -06:00
Todd C. Miller
2663575118 Update debug_decl for sudo_edit_openat_nofollow() 
Remove unused variables when O_NOFOLLOW is not present.
 2016-07-25 10:22:29 -06:00
Todd C. Miller
e99e3c26c8 In sudo_edit_create_tfiles(), fix fd leak if sudo_edit_mktemp() fails. 
Coverity CID 104114.
 2016-05-07 05:10:11 -06:00
Todd C. Miller
355cce4570 Fix fd leak in sudo_edit_open_nonwritable() if dir_is_writable() 
returns an error.  Coverity CID 104113.
 2016-05-07 05:07:38 -06:00
Todd C. Miller
d733dd7783 Fix memory leak of sesh_args in selinux_edit_copy_tfiles(). 
Coverity CID 104112.
 2016-05-07 05:05:30 -06:00
Todd C. Miller
6ea903623b Handle read() returning -1 when creating temporary files. 
Coverity CID 104100
 2016-05-04 12:48:17 -06:00
Todd C. Miller
78ac87cd90 Plug a memory leak in sudo_edit. 2016-01-28 10:54:34 -07:00
Todd C. Miller
f4e5b135bb Update copyright year 2016-01-20 15:40:51 -07:00
Todd C. Miller
726b4dc968 If the user runs "sudoedit /" we will receive ENOENT from openat(2) 
and sudoedit will try to create a file with the null string.  If
path is empty, open the cwd instead so sudoedit can give a sensible
error message.
 2016-01-20 15:36:20 -07:00
Todd C. Miller
5e300f1e4c There are no systems that support O_SEARCH/O_PATH that do not also 
support O_DIRECTORY so simplify the definition of DIR_OPEN_FLAGS a
bit.
 2016-01-19 19:50:27 -07:00
Todd C. Miller
4b96e94f37 Need to be root when switching to a different user. 2016-01-18 13:12:50 -07:00
Todd C. Miller
9f481f128d Use O_SEARCH on systems without O_PATH if present. It can be used 
for a similar purpose.
 2016-01-18 12:38:41 -07:00
Todd C. Miller
c1b1481204 Use faccessat(2) for directory writability instead of doing the 
checks manually where possible.  This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
 2016-01-18 10:45:47 -07:00
Todd C. Miller
051fe2d4cf Add missing dfd argument to the version of sudo_edit_openat_nofollow() 
for systems without O_NOFOLLOW.
 2016-01-11 16:36:40 -07:00
Todd C. Miller
c7c80913ef No need to check whether the fd we opened is really a directory in 
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
 2016-01-11 11:15:42 -07:00
Todd C. Miller
68c1073fe5 Rewritten sudoedit_checkdir support that checks all the dirs in the 
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings.  Bug #707
 2016-01-10 18:31:29 -07:00
Todd C. Miller
97e86c74ff Call openat() with the basename not the full path. From Ben Hutchings. 2015-12-29 13:38:14 -07:00
Todd C. Miller
9ecf12daa7 Set errno to EISDIR instead of ENOTDIR if directory is writable 
since ENOTDIR can be a legitimate errno.  This avoids a bogus
"directory is writable" error in that case.
 2015-10-25 14:28:38 -06:00
Todd C. Miller
5d66b840d8 When creating a new file, sudoedit will now check that the file's 
parent directory exists before running the editor.
 2015-10-24 06:20:20 -06:00
Todd C. Miller
c50cead833 Add directory writability checks for sudoedit. 2015-10-23 14:04:35 -06:00
Todd C. Miller
6dc5151d5d Remove S_ISREG check from sudo_edit_open(), it is already done in 
the caller.
 2015-10-02 20:35:55 -06:00