isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,602 Commits 1 Branch 0 Tags
2eb8ff17be0d028cc44aaaca0a74eb75a6151305
Commit Graph

3317 Commits

Author SHA1 Message Date
Todd C. Miller
906eb19ece Add maxseq setting to log_output example. 
This should make it more obvious that you need to adjust maxseq
unless you have (virtually) unlimited disk space.
 2022-05-15 18:46:24 -06:00
Todd C. Miller
4ab6a87b96 Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2). 2022-05-04 13:32:28 -06:00
Todd C. Miller
4d75b32799 sudoers_lookup_check: preserve intercepted flag when reinitializing cmnd_info 
Otherwise we may not reject an attempt to run a set-user-ID command.
 2022-05-03 09:30:09 -06:00
Todd C. Miller
42117a1ce2 Move intercept setid check out of do_stat() and into its own function. 
For command_matches_all() we should only perform the setid check
if the file exists and intercept is enabled.  Otherwise, we can end
up returning an error if the fully-qualified command does not exist.
Fixes a regression introduced in sudo 1.9.0 with the support for
digests in conjunction with "sudo ALL".
 2022-05-02 18:14:30 -06:00
Todd C. Miller
307b4f69b8 Fix typos 2022-04-29 19:03:20 -06:00
Todd C. Miller
5d385b3c58 Enable intercept and log_subcmds for SELinux using ptrace and seccomp. 2022-04-29 13:09:03 -06:00
Todd C. Miller
c7ed03c986 sudo_logsrvd: update elapsed time for winsize and suspend in journal mode 
Fixes a bug in store-first relay mode where the commit point messages
sent by the server were incorrect.
 2022-04-24 17:26:05 -06:00
Todd C. Miller
930271847a clean_output: prune lines that consisting of '^' characters and whitespace. 
Starting with Python 3.11, backtraces may contain a line with '^'
characters to bring attention to the important part of the line.
Also replace "REJECT" with "0" in backtrace output for Python 3.11.
 2022-04-11 19:05:06 -06:00
Todd C. Miller
dcb2fb26a5 Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS 2022-04-01 11:14:59 -06:00
Todd C. Miller
6af2b4188a Minor style nit. 2022-03-16 15:53:17 -06:00
Dianne Skoll
11c6cdc02b If we're using Kerberos, don't overwrite a custom prompt if one was given with -p 
Thanks to @thend20 for testing this patch.
 2022-03-16 16:46:18 -04:00
Todd C. Miller
7537713904 Adjust starttime test when run under Debian faketime. 
Bug #1026
 2022-03-15 08:38:27 -06:00
Todd C. Miller
ff17317988 Do not warn, log or send mail for errors when reinitializing defaults. 
If there is a problem, we would have already warned, logged or mailed it.
The one exception is the initial defaults, which should never fail.
 2022-03-14 13:54:12 -06:00
Todd C. Miller
e5a50ae429 If there are multiple parse errors, send them in a single mail message. 2022-03-14 13:54:11 -06:00
Todd C. Miller
1f64aca229 Unset LANGUAGE when running tests, otherwise it may override LC_ALL. 
Bug #1025.
 2022-03-14 13:51:03 -06:00
Todd C. Miller
ef4ce5c08a Looser owner/permission checks for an uninstalled sudoers file. 
We don't check the owner or permissions on a sudoers file that is
specified as an argument to visudo by default.  However, the owner
and mode of files included via @includedir were still checked.  This
commit makes the owner and permissions checks for filed included
via @includedir follow the same as for the original sudoers file.
 2022-03-11 10:44:17 -07:00
Todd C. Miller
8e7c004c7f Add missing va_start/va_end around call to sudoers_error_hook(). 
Coverity CID 250885
 2022-03-11 08:37:06 -07:00
Todd C. Miller
8dae0ba06c Fix off-by-one when storing line number in userspec. 
We store the line number *after* parsing the newline so we need to
subtract one.
 2022-03-10 20:05:40 -07:00
Todd C. Miller
65e5b89f1d Pass file, line and column to sudoers defaults callbacks. 2022-03-10 13:35:58 -07:00
Todd C. Miller
d7ddff2a31 Add a hook for sudoers parse errors (including defaults and aliases). 
The hook can be used to log parser errors (sudoers module) or keep
track of which files have an error (visudo).
Previously, we only kept track of a single parse error.
 2022-03-10 13:30:56 -07:00
Todd C. Miller
6ec279532e Add a source to struct sudo_nss and use it if getdefs() fails. 
Also remove useless "Problem with defaults entries" warning in testsudoers.
 2022-03-09 12:38:25 -07:00
Todd C. Miller
346dce4358 Remove extra newline in sudo_warnx() calls. 2022-03-06 18:56:28 -07:00
Todd C. Miller
7d3f9293c6 Preserve the column and error message when there is a syntax error. 
This information is now included in the error mail sent to root.
 2022-03-06 18:54:30 -07:00
Todd C. Miller
dfda098ae7 Deinit python subinterpreters in reverse order (last to first). 
This appears to work around a crash on OpenBSD with Python 3.9.10.
 2022-03-06 18:39:12 -07:00
Todd C. Miller
c131b27474 For 'make check-verbose' run fuzzers with -verbose=1 
This is the default for libFuzzer but not for the stub fuzzer lib.
 2022-03-03 10:45:56 -07:00
Todd C. Miller
cdee5d48da Add check-verbose Makefile target that runs tests in verbose mode. 2022-03-02 13:32:08 -07:00
Todd C. Miller
dda14cb57a Less verbose output unless the -v option is used. 
Also display a test summary at the end.
 2022-03-01 16:09:32 -07:00
Todd C. Miller
e9155a067c Regenerate dependencies. 2022-03-01 11:32:23 -07:00
Todd C. Miller
c2bd52edf8 Allow test harness to be run from any directory. 
Also add missing copyright notice.
 2022-02-28 19:39:33 -07:00
Todd C. Miller
a57e979962 Adapt test harness for lib/util and move to regress directory. 2022-02-28 14:15:43 -07:00
Todd C. Miller
f35bbd5a3f Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script. 
It is easier to maintain these tests in script form.  The output
now more closely matches that of the other tests.  The harness
script can be invoked directly and supports running specific tests.
 2022-02-28 11:29:38 -07:00
Todd C. Miller
e7b7c902db Updated translations from translationproject.org 2022-02-27 09:03:54 -07:00
Todd C. Miller
e5bbd33834 testsudoers/test18: don't rely on /usr/bin/w being present 
Fixes a test failure on Alpine Linux.
 2022-02-25 09:46:26 -07:00
Todd C. Miller
22a01410bd sudo_ldap_parse_options: fix memory leak of sudoRole cn string. 
Coverity CID 249976
 2022-02-24 07:56:38 -07:00
Todd C. Miller
b1fd1ec0fc display_lecture: just return if callback is NULL 2022-02-23 21:09:33 -07:00
Todd C. Miller
b0fa769504 Better warning message when the digest in sudoers is the wrong length. 2022-02-22 12:15:34 -07:00
Todd C. Miller
41bc52302b Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set. 2022-02-22 12:04:10 -07:00
Todd C. Miller
2911c31dd7 Display the lecture immediately before prompting for a password. 
This means we no longer display the lecture unless the user is going
to enter a password.  Authentication methods that don't interact
with the user via the terminal don't trigger the lecture.
 2022-02-21 19:34:06 -07:00
Todd C. Miller
9757d29a24 Add back warning when a user is not allowed to run a command. 
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host.
The new behavior is to display the warning if a command is denied
and mail is sent to the administrator.  Whether or not mail is sent
is controlled by the "mail_*" flags in sudoers.  The warning text
is now "This incident has been reported to the administrator." which
is hopefully less confusing.  The message will not be printed if
either the "mailto" or "mailerpath" sudoers settings are disabled.
 2022-02-21 14:03:05 -07:00
Todd C. Miller
98ac09de38 Don't try to send mail if mailto not set or the mailer is not present. 2022-02-20 19:11:33 -07:00
Todd C. Miller
bde48fb4c5 Updated translations from translationproject.org 2022-02-18 09:45:52 -07:00
Todd C. Miller
de52b8e443 fmt_authfail_message: compute the exact amount of space needed. 
Instead of truncating on overflow, warn and return NULL.
 2022-02-15 19:48:06 -07:00
Todd C. Miller
f01b044010 log_server_alert: plug potential memory leak 
Coverity CID 249328
 2022-02-15 19:50:55 -07:00
Todd C. Miller
72961fe433 Fix potential NULL deref if getpwuid(0) fails. 
Coverity CID 249326
 2022-02-15 19:41:31 -07:00
Todd C. Miller
9f695f0fcc Restrict "sudo -U other -l" to users with sudo ALL for root or "other". 
Having "sudo ALL" permissions in no longer sufficient to be able to
list another user's privileges.  The invoking user must now have
"sudo ALL" for root or the target user.
GitHub issue #134
 2022-02-14 13:09:55 -07:00
Todd C. Miller
0e2e4b6882 Update Project-Id-Version to 1.9.10. 2022-02-11 18:34:04 -07:00
Todd C. Miller
541c165e65 Update .pot files for 1.9.10 2022-02-11 14:15:31 -07:00
Todd C. Miller
7c17f84a35 Add helper function to compile a regex that supports (?i). 2022-02-11 12:01:31 -07:00
Todd C. Miller
86d2173937 Add support for matching command and args using regular expressions. 
Either the command, its arguments or both may be (separate)
regular expressions.
 2022-02-10 18:26:24 -07:00
Todd C. Miller
c8bf591042 Clear sudoers_errstr after it is used. 
This way we avoid printing the same error message more than once
if there are multiple ERROR tokens returned from the lexer.
 2022-02-10 16:09:44 -07:00