isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,456 Commits 1 Branch 0 Tags
32f4b98f6b4aea4951a2d7b56a55ba4a9e035b22
Commit Graph

355 Commits

Author SHA1 Message Date
Todd C. Miller
32f4b98f6b sudo frontend: silence most -Wconversion warnings. 2023-07-07 15:07:04 -06:00
Rose
cbed9daa46 Fixed even more signedness and conversion issues 
This should be the last of them.
 2023-07-03 22:07:35 -04:00
Todd C. Miller
04c7e910ef Fix up indentation. 2023-07-01 16:03:33 -06:00
Rose
45fdfa18f1 Mark functions not returning as sudo_noreturn 
We also put NOTREACHED where it applies.
 2023-07-01 17:40:16 -04:00
Rose
22079c3072 Avoid compiler casting warnings Part 2 
This saves instructions that are related to casting as well as compiler warnings.
 2023-06-29 13:10:27 -04:00
Rose
e54ba33ea0 Avoid compiler casting warnings by assigning to the same type where possible 
This saves instructions that are related to casting as well as compiler warnings.
 2023-06-28 17:25:26 -04:00
Todd C. Miller
65c0b5a089 Move CONFIGURE_ARGS from sudo_usage.h.in to config.h.in. 2023-04-18 07:29:37 -06:00
Todd C. Miller
80b85bdd50 get_user_info: call sudo_get_ttysize() even if no /dev/tty 
We still want to initialize rows and cols based on the environment
if possible.
 2023-04-17 07:27:05 -06:00
Todd C. Miller
d1912957ae get_user_info: pass sudo_get_ttysize() the fd of /dev/tty, not stderr. 
Both the plugin API and the main event loop expect lines/cols to
refer to the user's terminal, so using /dev/tty is better here.
 2023-04-16 16:05:15 -06:00
Todd C. Miller
cc22cca34f Add an fd argument to sudo_get_ttysize() instead of always using stderr. 
For sudoreplay we open /dev/tty, so use that instead of stderr when
determining the terminal size.
 2023-04-16 15:45:19 -06:00
Todd C. Miller
f0030cf30f Make struct {command,user}_details pointers const where possible. 2023-03-27 16:29:46 -06:00
Todd C. Miller
554397eaea Make user_details private to main. 2023-03-27 16:19:11 -06:00
Todd C. Miller
5108c279af Make user_details private to sudo.c. 2023-03-27 16:19:08 -06:00
Todd C. Miller
86002226b6 Store submitcwd (from user_details) in struct command_details. 
This eliminates use of the user_details global from exec_setup().
 2023-03-25 08:27:41 -06:00
Todd C. Miller
fa5a28f345 Remove list_user global. 2023-03-24 19:10:46 -06:00
Todd C. Miller
9fd787343d No need for sudo_mode to be global anymore. 2023-03-24 17:07:20 -06:00
Todd C. Miller
11277bb921 Make command_details private to main(). 2023-03-24 15:56:00 -06:00
Todd C. Miller
7ac9ce001c Eliminate utmp_user global, just use the value in struct command details. 2023-03-24 14:44:56 -06:00
Todd C. Miller
0865e61d9e Pass back the number of files to edit when using sudoedit. 
The sudo front-end can use this to determine where the list of files
to edit begins.
 2023-01-18 13:38:15 -07:00
Todd C. Miller
f066ff9e01 Eliminate a few harmless dead stores. 
Quiets warnings from Infer.
 2022-11-22 11:18:24 -07:00
Todd C. Miller
b2c8e1b1b9 Display sudo_mode in hex in debug log. 
This makes it easier to match against the MODE_ defines.
 2022-11-03 12:03:08 -06:00
Todd C. Miller
556dacf1ff Add a way to run a command without updating the cached credentials. 
This can also be used to test for whether or not the user's
credentials are currently cached.
 2022-08-02 14:28:28 -06:00
Todd C. Miller
cf250354fc Defer chdir(2) until sesh when running with SELinux. 
We need to be running with the correct security context or the
chdir(2) may fail.  GitHub issue #160.
 2022-08-01 13:40:47 -06:00
Todd C. Miller
3ce19efca9 Add intercept_verify sudoers option to control execve(2) argument checking. 2022-07-29 15:22:27 -06:00
Todd C. Miller
f5dc739ea3 Quiet some harmless PVS-Studio warnings. 2022-07-26 11:28:38 -06:00
Todd C. Miller
75e97fd5b2 Make sure the plugin provides a command, argv and envp. 2022-07-14 09:49:00 -06:00
Todd C. Miller
13672f28df Make sudo pass -Wwrite-strings 2022-06-28 16:33:15 -06:00
Todd C. Miller
f16754a1dd Merge branch 'main' into apparmor_support 2022-05-27 08:25:12 -06:00
Todd C. Miller
f053f174bc Add intercept_type sudoers option to set intercept/log_subcmds mechanism. 2022-05-24 13:39:28 -06:00
kernelmethod
bd25b85a66 Add an apparmor_profile sudo setting 
Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
 2022-05-23 13:41:42 -06:00
Todd C. Miller
4ab6a87b96 Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2). 2022-05-04 13:32:28 -06:00
Todd C. Miller
52cacfc302 For ptrace intercept mode, do not do a policy check for the initial command. 
We can skip the policy check for the execve(2) of the initial command
since it has already been check.  Otherwise, we would log the command
twice.  When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2).  However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
5e30d01205 Quiet a PVS-Studio format string warning. 2022-01-19 09:20:42 -07:00
Todd C. Miller
2e08db3695 If sudo is not set-user-ID root, check for the no_new_privs flag on Linux. 
This flag disables set-user-ID at execve(2) time and may be set by
default for some containers.  GitHub issue #129.
 2022-01-09 17:31:06 -07:00
Todd C. Miller
e22cc72530 Back out changes to enable SELinux by default. 
This may return in a future release in a different form.
 2021-12-22 11:13:22 -07:00
Todd C. Miller
74ef983f60 Add front-end support for setting resouce limits. 
The special value "user" means preserve the invoking user's limit.
The value "default" means don't override the default limit for the
user as assigned by the system (PAM, loging.conf, userdb, etc).
 2021-11-08 18:21:11 -07:00
Todd C. Miller
e97fb5fd0b Separate out the code to compute the context from selinux_setup(). 
This makes it possible to determine whether we really need to execute
the command via the sesh helper.  What was left of selinux_setup()
is now selinux_relabel_tty() and selinux_audit_role_change().
 2021-11-05 12:33:20 -06:00
Todd C. Miller
a336a8422f Pass status of selinux sudoers setting to front-end as selinux-rbac. 
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.
 2021-11-05 12:32:02 -06:00
Todd C. Miller
ba171724f7 Rename log_children -> log_subcmds 2021-08-26 16:36:41 -06:00
Todd C. Miller
70aef0eb2d sudo_debug_register: add minfd argument to specify lowest fd number 
Use this in sudo_intercept.so to avoid allocating a low-numbered
fd which the shell reserves for use by scripts.
 2021-08-26 09:57:24 -06:00
Todd C. Miller
42598735d0 Call the approval plugin after the policy plugin accepts a command. 
Previously, for intercepted commands we only called the policy plugin.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
4ff3f7604d Reduce the number of function args passed to plugin wrappers. 
This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global.  This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
840bf4b09d Add return values for most of the plugin function wrappers that returned void. 
Previously, they would just exit if there was an error.
Now the error is passed back up the stack so we can use them in
sudo_intercept.so.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
d7380bb271 Implement the sudo side of the sudo_intercept.so communication. 2021-08-09 15:50:25 -06:00
Todd C. Miller
6287e8ca7d Add support for loading the sudo_intercept.so DSO. 2021-08-09 15:50:25 -06:00
Todd C. Miller
7a309d70bb Don't assume that the number of groups returned by getgroups() is static. 
On systems where getgroups() returns results based on more than
just the per-process group vector in the kernel it is possible for
the number of groups to change in between invocations.
Based on GitHub PR #106 from Pierre-Olivier Martel.
 2021-06-26 18:45:28 -06:00
Todd C. Miller
41eae91206 If sudo_getgrouplist2() returns -1, clamp ngroups based on max_groups. 
The ngroups parameter is an out parameter that is filled in with
the actual number of groups, which may be less than the static
number allocated when max_groups is set in sudo.conf.
Fixes a potential out of bounds read found by LLVM libFuzzer.
 2021-02-13 11:54:21 -07:00
Todd C. Miller
4e11bc0e26 Suppress PVS Studio false positives. 2021-01-06 14:27:09 -07:00
Todd C. Miller
ece5adc662 Add struct sudo_cred to hold the invoking or runas user credentials. 
We can use this when we need to pass around credential info instead
of the user_details and command_details structs.
 2021-01-06 13:01:09 -07:00
Todd C. Miller
b132def0b1 For sudo, only allow "sudo" or "sudoedit" as the program name. 
The program name is also used when matching Debug lines in sudo.conf.
We don't want the user to be able to influence sudo.conf Debug matching.
The string "sudoedit" is treated the same as "sudo" in sudo.conf.
Problem reported by Matthias Gerstner of SUSE.
 2021-01-06 10:16:00 -07:00