Commit Graph

8674 Commits

Author SHA1 Message Date
Todd C. Miller
31540e6228 Bump version to 1.11 for timeout entry in settings[] 2017-02-16 10:28:08 -07:00
Todd C. Miller
b030c96a86 regen 2017-02-16 10:13:48 -07:00
Todd C. Miller
c86a6a23ad Add a command line option to specify the command timeout, as long
as sudoers does not specify a shorter time limit.
2017-02-16 09:58:18 -07:00
Todd C. Miller
9b0622b58f Better error message when the timeout value does not parse. 2017-02-15 15:13:37 -07:00
Todd C. Miller
8bffd09881 set errno to ERANGE not EOVERFLOW on range error 2017-02-15 10:51:39 -07:00
Todd C. Miller
635f330a43 regen 2017-02-14 16:24:10 -07:00
Todd C. Miller
e5266f9eba Only inhibit ASAN leak detector for tests that result in a parse
error.  The parser cannot currently clean up completely on error.
2017-02-14 15:56:34 -07:00
Todd C. Miller
0f3f4e028a Plug some memory leaks found by ASAN. 2017-02-14 15:56:34 -07:00
Todd C. Miller
e954facb9d List SELinux role/type for "sudo -l" with LDAP and SSSd backends.
Also fix printing of the timeout.
2017-02-14 15:56:34 -07:00
Todd C. Miller
d7f7cf7a79 Only inherit SELinux role/type and Solaris privilege sets if
the command does not include any.  Previously, a command with
only a role would inherit a type from the previous command
which is not what was intended.
2017-02-14 15:56:34 -07:00
Todd C. Miller
24cdbb8de1 Split out tags again so they must precede the command and not allow
them to be mixed in with options.
2017-02-14 15:56:34 -07:00
Todd C. Miller
3980f1531b Add support for command timeouts in sudoers. After the timeout,
the command will be terminated.
2017-02-14 15:56:34 -07:00
Todd C. Miller
4f9dcd7264 Merge command tags, SELinux type/role and Solaris privs settings
into "command options".  This relaxes the order of things so tags
and other options can be interspersed.
2017-02-14 15:56:34 -07:00
Todd C. Miller
fb419ba066 suppress cppcheck memory leak false positive 2017-02-14 14:38:31 -07:00
Todd C. Miller
47b82acd78 fix typo that prevented compilation on FreeBSD 2017-02-14 13:19:45 -07:00
Todd C. Miller
4dad181be3 Link vsyslog.lo directly into vsyslog_test to make sure the syslog()
stub gets called.  Otherwise, the real syslog will get called via
libutil on AIX.
2017-02-13 20:33:42 -07:00
Todd C. Miller
f59327bc5c Fix final test with a format > 2048 bytes.
Keep track of tests run in the syslog() stub so we can
detect if the stub is not being called.
2017-02-13 20:30:45 -07:00
Todd C. Miller
6263cc55a5 avoid redefining the MIN macro 2017-02-13 15:03:57 -07:00
Todd C. Miller
09438e5b42 Include parse.h in timestr.c which is where the function prototype lives. 2017-02-13 13:44:11 -07:00
Todd C. Miller
359cacc40f Fix for including a sudoers file that begins with the letter 'i'.
The hack to determine whether we are parsing an include or includedir
is no longer safe now that relative include paths are permitted.
Bug #776.
2017-02-13 13:38:24 -07:00
Todd C. Miller
8c1da9b69e Display the value of syslog_maxlen in sudo -V output. 2017-02-10 15:08:44 -07:00
Todd C. Miller
3742f7a46e Add ignore_unknown_defaults flag to ignore unknown Defaults entries
in sudoers instead of producing a warning.
2017-02-06 05:41:57 -07:00
Todd C. Miller
ba8f756695 Always set the close-on-exec bit on the fd used to generate the
digest (i.e. the command to run) on systems that lack fexecve(2).
That way we don't need to explicitly close it using #ifdefs.
2017-01-27 09:26:51 -07:00
Todd C. Miller
1a8957e30b sync with translationproject.org 2017-01-27 06:27:03 -07:00
Todd C. Miller
ca89a0a914 first updates for 1.8.20 2017-01-27 06:25:55 -07:00
Todd C. Miller
c392e469db sudo 1.8.20 2017-01-27 06:18:42 -07:00
Todd C. Miller
8e3613340c update zlib to version 1.2.11 2017-01-25 15:11:32 -07:00
Todd C. Miller
26b8dc11bf Fix fdexec=never when a digest is present. 2017-01-23 07:43:32 -08:00
Todd C. Miller
413e1100b8 Add new fdexec sudoers setting to allow choosing whether execve() or
fexecve() is used.
2017-01-22 18:56:16 -08:00
Todd C. Miller
dde2b5eb2c Close execfd in parent processes where it is not needed. 2017-01-22 18:56:13 -08:00
Todd C. Miller
5514ea6851 Add support for digest matching when the command is a glob-style
pattern or a directory.  For example:

millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/
millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/*

would only match /bin/ls (assuming the digest matches).

Previously, only explicit path matches checked the digest.
2017-01-21 16:43:46 -07:00
Todd C. Miller
df03020c4c Add support for SASL_MECH in ldap.conf; Bug #764 2017-01-17 11:09:23 -07:00
Todd C. Miller
34ba901baa Fix documentation bug, the contents of env_file have never been
subject to env_keep or env_check.  However, variables are only added
if they have not already been preserved.
2017-01-17 10:10:47 -07:00
Todd C. Miller
57933a8ff3 Safer example for rule that can change non-root passwords. GNU
getopts allows options to follow arguments so we need to be able
to deny things like "passwd root -q".  From Paul "Joey" Clark.
Bug #772
2017-01-17 08:55:40 -07:00
Todd C. Miller
b4f524fe7d Don't overwrite the return value of ldap_sasl_interactive_bind_s()
by the subsequent call to sudo_set_krb5_ccache_name().  From Paul
Zirnik of SUSE.
2017-01-16 11:20:26 -07:00
Todd C. Miller
deb4c3b19c In sudo_unsetenv_nodebug(), decrement envp.env_len after removing
the variable.  From Paul Zirnik of SUSE.
2017-01-16 11:12:56 -07:00
Todd C. Miller
1a59ab8b74 only run vsyslog_test if it exists 2017-01-15 19:13:26 -07:00
Todd C. Miller
63deb77705 Add regress for vsyslog replacement. 2017-01-15 19:07:59 -07:00
Todd C. Miller
09698b8a31 Define HAVE_NANOSLEEP if we find nanosleep in librt 2017-01-13 21:29:02 -07:00
Todd C. Miller
f589897f8d sudo_nanosleep not nanosleep in util.exp.in 2017-01-13 21:02:31 -07:00
Todd C. Miller
e636f96c48 add nanosleep to util.exp.in if needed 2017-01-13 20:40:26 -07:00
Todd C. Miller
08b662bf0b sudo 1.8.19p2 2017-01-13 16:45:14 -07:00
Todd C. Miller
a957a657b0 Double the size of new_fmt[] and remove an extraneous break in the
%m handling that was leftover from an earlier edit.
2017-01-13 16:39:31 -07:00
Todd C. Miller
921ad88ab8 Fix typo, want vsnprintf not snprintf. 2017-01-13 16:30:44 -07:00
Todd C. Miller
414b28dc45 move va_start() in mysyslog() 2017-01-13 16:30:08 -07:00
Todd C. Miller
269b8602d8 Only treat failure of expand_iolog_path() as fatal if ignore_iolog_errors
is not set.
2017-01-13 15:45:59 -07:00
Todd C. Miller
2f0295373a When waiting for the parent to grant us the tty, use nanosleep
instead of spinning to avoid hogging the CPU.
2017-01-12 10:44:26 -07:00
Todd C. Miller
0ef26ff0b7 Use ROOT_UID instead of 0 2017-01-12 10:42:26 -07:00
Todd C. Miller
fabb38c918 regen 2017-01-09 10:45:44 -07:00
Todd C. Miller
90e1f4ec3e Fix crash in visudo introduced in sudo 1.8.9 when an IP address or
network is used in a host-based Defaults entry.  Bug #766
2017-01-07 19:50:05 -07:00