isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
12,736 Commits 1 Branch 0 Tags
2c06aa321b0aaa89ff174e6e7482e65f0e430874
Commit Graph

3821 Commits

Author SHA1 Message Date
Todd C. Miller
1c7d757b79 check_user: fix return value for intercept mode 
Also use early return on error to quiet a PVS-Studio warning.
 2023-09-22 10:38:46 -06:00
Todd C. Miller
f2d267bfb4 Only define _PATH_ENVIRONMENT on systems where we use /etc/environment. 2023-09-20 16:49:27 -06:00
Todd C. Miller
d9da92951a Replace '/' with '_' in paths using the user, group or host name. 2023-09-20 09:00:27 -06:00
Todd C. Miller
7363ad7b32 Use the user-ID instead of user-name for the timestamp and lecture file. 
This avoids problems if the user name itself contains a path separator.
 2023-09-11 10:27:35 -06:00
Todd C. Miller
94b80e3ad4 Replace MAX_UID_T_LEN with calls to STRLEN_MAX_UNSIGNED. 2023-09-19 15:16:30 -06:00
Todd C. Miller
d53bbb54b2 Add macros to determine the length of an integer type in string form. 
Adapted from answer #6 in:
https://stackoverflow.com/questions/10536207/ansi-c-maximum-number-of-characters-printing-a-decimal-int
 2023-09-19 15:15:02 -06:00
Todd C. Miller
221a10340c visudo: use verbose and strict in parser_conf 
Where the sudoers_context is available we can use the values
of verbose and strict instead of passing around quiet and
strict flags.
 2023-09-18 13:47:25 -06:00
Todd C. Miller
6e75f2311d Add resolve_cmnd(), a wrapper around find_path(). 
This is a convenience function that sets PERM_RUNAS and calls
find_path().  If the command is not found it will retry with PERM_USER
instead.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
8fcb21b5cd Promote strict field in sudoers_parser_config from bool to int. 
This will be used by visudo to indicate when "visudo -s" is run.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
e28dc0f275 Add parser_warnx() and parser_vwarnx() that displays file:line:col 
Used by defaults.c and check_aliases.c.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
3a77314373 Add a separate file for visudo callbacks. 2023-09-18 12:42:51 -06:00
Todd C. Miller
c277e55f42 Rename callbacks.c -> sudoers_cb.c. 2023-09-18 12:42:51 -06:00
Todd C. Miller
a127ddf6db Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them. 
Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and
AUTH_FAILURE.  We avoided this problem in the past because the old
values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines.
 2023-09-15 10:53:28 -06:00
Todd C. Miller
51d6b0f425 Promote verbose flag to int for display_privs and display_cmnd. 
A negative verbosity will prevent non-error output from being
displayed.
 2023-09-15 10:01:35 -06:00
Todd C. Miller
a9ee97580a No need to include cvtsudoers.h here. 2023-09-13 19:44:02 -06:00
Todd C. Miller
0011333f8e Remove pivot_get_root() and pivot_get_cwd(). 
They are unnecessary since struct sudoers_pivot is not opaque.
The implementation details are private to match_command.c.
 2023-09-13 16:46:23 -06:00
Todd C. Miller
2aae36f345 Quiet some -Wconversion warnings in the tests. 2023-09-13 15:15:54 -06:00
Todd C. Miller
b8f2680cf0 Make flag in union sudo_defs_val bool to match how it is used. 
Adjust find_path()'s ignore_dot function argument to match.
 2023-09-13 14:59:29 -06:00
Todd C. Miller
a9801cc99d Parse euid and egid from sudo front-end. 
These are needed by bsm_audit.c.
 2023-09-13 12:43:39 -06:00
Todd C. Miller
38ddbb14f1 Parse pid and ppid from sudo front-end. 
We can now use the stored ppid in ts_init_key().
 2023-09-13 12:29:40 -06:00
Todd C. Miller
34990c0e08 Use struct sudoers_pivot instead of defining sudoers_pivot_t. 
We want to pass around a pointer, not the struct itself.
 2023-09-13 08:36:07 -06:00
Todd C. Miller
15b3d786d7 Don't expose the implementation of the pivot_root state. 2023-09-11 16:21:11 -06:00
Todd C. Miller
0b52ffd1a2 Don't expose the implementation of the pivot_root state. 2023-09-11 16:15:41 -06:00
Todd C. Miller
c0553cd383 tsgetusershell.c: don't rely on GNU sed extensions. 2023-09-10 17:59:18 -06:00
Todd C. Miller
0a85869286 testsudoers: add -S option to specify /etc/shells path. 2023-09-10 16:44:24 -06:00
Todd C. Miller
034b2f3bdd Add testsudoers_setshellfile() and use it in testsudoers. 2023-09-10 16:38:53 -06:00
Todd C. Miller
62b92c7fb8 regen 2023-09-10 16:37:26 -06:00
Todd C. Miller
c54bdd799b Return AUTH_* flags from check_user() instead of 1/0/-1. 2023-09-09 14:59:46 -06:00
Todd C. Miller
2fdb4db339 Wrap valid_shell and add to sudo_pwutil_set_backend(). 
This will make it possible to support a different getusershell()
implementation for testsudoers in the future.
 2023-09-09 14:48:25 -06:00
Todd C. Miller
d18ee8e0e7 Move check_user_shell() to pwutil.c as user_shell_valid() 
This will make it possible to support a different backend which may
be used by testsudoers in the future.
 2023-09-09 14:07:28 -06:00
Todd C. Miller
28a13501d8 Merge check_user() and check_user_interactive(), move getpass callbacks. 
The getpass callbacks are now defined in sudo_auth.c, which implements
auth_getpass().  As a result, struct getpass_closure is now public
and defined in timestamp.h.
 2023-09-09 14:07:11 -06:00
Todd C. Miller
0495afac57 Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. 2023-09-09 14:07:07 -06:00
Todd C. Miller
2ef90231a1 Make all match functions return ALLOW/DENY not true/false. 2023-09-09 14:07:06 -06:00
Todd C. Miller
7873f8334c Try to make sudo less vulnerable to ROWHAMMER attacks. 
We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE.  In addition, we
explicitly test for expected values instead of using a negated test
against an error value.  In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
 2023-09-09 14:07:04 -06:00
Todd C. Miller
525803db23 Honor ignore_perms plugin argument for @include and @includedir. 2023-09-09 14:06:11 -06:00
Todd C. Miller
499121229e Don't set on_suspend and on_resume twice. 2023-09-06 20:17:00 -06:00
Todd C. Miller
956de5cbbc sudoers_sethost: refactor code to set host names in sudoers_context. 
The sudoers_sethost() function can be shared by the sudoers plugin,
visudo, cvtsudoers and testsudoers.
 2023-09-02 15:25:58 -06:00
Todd C. Miller
0c9ca88f5b sudoers_trace_print: use debug_decl_vars instead of doing it by hand. 2023-09-01 16:55:19 -06:00
Todd C. Miller
d898d073bf Only print "no valid sudoers sources found, quitting" for multiple sources. 
If there is only a single source (usually the sudoers file), the
open function provide enough of an error message.  Printing two
error messages is just confusing.
 2023-08-31 14:05:08 -06:00
Todd C. Miller
f5b3f99098 user_in_group: the user's group vector already includes the primary group. 
There's no need to look up the name of user's primary group (pw_gid),
we always include the primary group ID in the group vector.
 2023-08-30 13:36:41 -06:00
Todd C. Miller
05f823df22 Move sudoers_debug.c prototypes to sudoers_debug.h. 2023-08-29 13:54:45 -06:00
Todd C. Miller
35a7283dd9 sudo_conv, sudo_printf and plugin_event_alloc live in policy.c. 2023-08-29 13:46:43 -06:00
Todd C. Miller
68a9e91860 Move default value for "iolog_file" to sudo_iolog.h. 2023-08-29 11:46:58 -06:00
Todd C. Miller
75209e2718 Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. 2023-08-29 11:16:23 -06:00
Todd C. Miller
8cd0d74fbb Restore AUTH_INTR support, it is still needed. 
We still need AUTH_INTR to know when to break out of the password
prompt loop.
 2023-08-29 10:02:09 -06:00
Todd C. Miller
3c05e748a4 Add ignore_perms plugin argument to skip the sudoers file security checks. 
This is not intended to be used in a production environment.
 2023-08-29 09:55:09 -06:00
Todd C. Miller
07003d9020 Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined. 
We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching
the file system for commands.
 2023-08-28 13:18:37 -06:00
Todd C. Miller
c858acc481 Rename AUTH_FATAL -> AUTH_ERROR. 2023-08-26 10:45:29 -06:00
Todd C. Miller
cf00568d88 Do not rely on the definition of ALLOW/DENY being true/false. 
We now explicitly check for ALLOW and DENY when checking return
values and negating values.
 2023-08-26 10:32:37 -06:00
Todd C. Miller
bae716642c Replace AUTH_INTR return with AUTH_FAILURE. 
The two were treated identically by the caller.
 2023-08-26 10:08:32 -06:00