isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,358 Commits 1 Branch 0 Tags
3a85a8892f982cc47cf44ece71a2f7e7d7550905
Commit Graph

8358 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
3a85a8892f forgot to update date in last commit 2016-06-15 10:08:06 -06:00
Todd C. Miller
6c7eb07e0e Fix typo; cn=default should be cn=defaults 2016-06-15 05:14:33 -06:00
Todd C. Miller
72f18cff9a Fold lines at 80 characters for the clean: target 2016-06-13 15:12:44 -06:00
Todd C. Miller
5348d32ab6 Remove mksiglist, siglist.c, mksigname, signame.c as part of "distclean" 2016-06-13 13:45:17 -06:00
Todd C. Miller
ea23932af0 sync with translationproject.org 2016-06-12 18:57:09 -06:00
Todd C. Miller
d9e14bc659 LDAP sudoers doesn't support negated users, groups or netgroups. 2016-06-12 09:36:19 -06:00
Todd C. Miller
63a2428892 Bug #746 2016-06-09 12:25:36 -06:00
Todd C. Miller
e2de0027dc When matching paths with glob(3), check returned matches against 
user_cmnd first if it is fully-qualified.  This avoids a lot of
needless stat(2) calls and avoids a mismatch between safe_cmnd and
argv[0] if there are multiple matches with the same inode/dev due
to links.  Bug #746.
 2016-06-09 11:41:09 -06:00
Todd C. Miller
74c2dc7806 Add execve failure in pty bug fix. 2016-06-09 11:00:02 -06:00
Todd C. Miller
ce28b15eca sync with translationproject.org 2016-06-09 10:51:40 -06:00
Todd C. Miller
8a86233c16 In handle_sigchld() fix the return value when we've already received 
an exec error.  We don't want to overwrite the error status but we
do need to indicate that the command is no longer running.
Fixes as hang on execve(2) error when running in a pty.
 2016-06-09 10:50:58 -06:00
Todd C. Miller
1ec4d9918d Move sudo_debug_execve() call into sudo_execve(). 2016-06-09 10:48:59 -06:00
Todd C. Miller
12ab5b8108 sync with translationproject.org 2016-06-09 07:12:38 -06:00
Todd C. Miller
bd8e3b5fb9 update for 1.8.17 final 2016-06-07 13:45:37 -06:00
Todd C. Miller
1052a7205f Fix setting of hard stack limit when stack_hard is not specified 
in /etc/security/limits.  When 64-bit resource limits are supported
we can use the default value of 8388608 512-byte blocks directly.
We should only resort to using RLIM_SAVED_MAX for 32-bit resource
limits.
 2016-06-07 13:06:27 -06:00
Todd C. Miller
734b43c6b0 regen 2016-06-06 10:07:58 -06:00
Todd C. Miller
3169259821 Ignore empty ipa_hostname 2016-06-05 14:42:54 -06:00
Todd C. Miller
c6a21bd53d Better martching of ipa_hostname in sssd.conf 2016-06-05 05:40:32 -06:00
Todd C. Miller
9b027676c0 Use the value of ipa_hostname from /etc/sssd/sssd.conf if present 
instead of the system hostname.
 2016-06-04 19:52:10 -06:00
Todd C. Miller
ccf88d3bb2 When matching host, short-circuit the loop when we get a match. 
Only check username as part of the netgroup when netgroup_tuple is
enabled.
 2016-06-03 14:07:40 -06:00
Todd C. Miller
a71cac91f2 Avoid using !strcmp() 2016-06-03 13:58:12 -06:00
Todd C. Miller
b6beccf19e SSSD doesn't handle netgroups, we have to ensure they are correctly filtered 
in sudo. The rules may contain mixed sudoUser specification so we have to
check not only for netgroup membership but also for user and group matches.
Adapted from a patch from Daniel Kopecek.
 2016-06-02 10:47:39 -06:00
Todd C. Miller
a24f4b8248 Return PAM_CONV_ERR from the conversation function if getpass returns 
NULL or the user pressed ^C.
 2016-06-01 14:48:31 -06:00
Todd C. Miller
7a35bab8c8 Make base64 decoding table-driven. 2016-06-01 12:43:02 -06:00
Todd C. Miller
fc517ba9f8 Back out cfa26b99228f, it was already fixed differently. 
Caught by regress checks.
 2016-06-01 12:38:53 -06:00
Todd C. Miller
6c3c03ea26 Allow double-quoted groups and netgroups to be part of a Defaults spec. 
From Daniel Kopecek.
 2016-05-31 13:50:38 -06:00
Todd C. Miller
638acc28cf The sudoers.ldap manual is installed in section 4 or 5, not 1m or 8. 
Also fix the section for ldap.conf cross-references.
 2016-05-31 13:17:38 -06:00
Todd C. Miller
77331392e0 Fix copy pasta, "sudoNotAfter" not "sudoNotBefore". 
Add missing word "order" in a sentence describing sudoOrder.
 2016-05-31 13:14:30 -06:00
Todd C. Miller
461a419d04 For sudo -ll (long list) print the SSSD role just like we do 
for the LDAP backend.  Adapted from sudo-1.8.6p3-sssdrulenames.patch
 2016-05-31 13:07:31 -06:00
Todd C. Miller
c6b41b1657 Setting timestamp_timeout less than zero only lasts until the 
next reboot.  Adapted from a RedHat patch.
 2016-05-31 12:57:08 -06:00
Todd C. Miller
77179d69de sync with translationproject.org 2016-05-31 12:31:40 -06:00
Todd C. Miller
53ebf69af3 fputs() is now specified as returning non-negative on success, not 
explicitly zero.  Fixes a failure on glibc.
 2016-05-25 14:50:05 -06:00
Todd C. Miller
e93b4aa681 Don't try to dereference replies[] if it is a NULL pointer. 2016-05-25 14:48:52 -06:00
Todd C. Miller
db2c732931 sudo_version should be unsigned 2016-05-25 08:44:53 -06:00
Todd C. Miller
4d36fbec2f sync with translationproject.org 2016-05-25 08:41:45 -06:00
Todd C. Miller
63dbb74250 Korean translation for sudo and sudoers from translationproject.org. 2016-05-25 08:41:27 -06:00
Todd C. Miller
5e1084c08a Ignore PAM_SESSION_ERR from pam_open_session() since this can 
apparently happen on systems using Solaris-derived PAM.  Other
errors from pam_open_session() are treated as fatal.  This avoids
the "policy plugin failed session initialization" error message
seen on some systems.
 2016-05-25 08:33:57 -06:00
Todd C. Miller
356e74e1db Don't read from stdin when flushing final buffers in blocking mode. 
Reading from the pipe can block too if the other end is not closed.
 2016-05-24 11:16:44 -06:00
Todd C. Miller
e3514817df Mention visudo -x change. 2016-05-23 11:32:01 -06:00
Todd C. Miller
58ffab1dfa There's no need to escape forward slashes in JSON output. While 
it is legal to escape a forward slash, it is not required.
 2016-05-23 11:29:17 -06:00
Todd C. Miller
ab861b92d2 Document that in 1.8.12 sudo started being able to check the NIS 
domain on Solaris.
 2016-05-23 11:21:34 -06:00
Todd C. Miller
ccece8c01d Better description of the I/O logging pipe issue. 2016-05-20 11:00:18 -06:00
Todd C. Miller
8f694cc228 In del_io_events(), avoid reading from the pty master in blocking 
mode.  We now do two passes, one with SUDO_EVLOOP_NONBLOCK and
another that could block if stdin is a pipe.  This ensures we consume
the pipe until EOF.
 2016-05-20 10:17:23 -06:00
Todd C. Miller
223b251c19 Improve debug info in sudo_ev_add() and sudo_ev_del() 2016-05-20 10:14:38 -06:00
Todd C. Miller
994f86b40f In pty_close(), call del_io_events with the SUDO_EVLOOP_ONCE flag 
so the event loop will exit after a single run through.  Otherwise,
we may hang at exit on non-BSD systems.
 2016-05-20 08:12:46 -06:00
Todd C. Miller
d8cfe62113 regen 2016-05-18 14:31:04 -06:00
Todd C. Miller
38f4ba2249 Bump I/O buffer size to 64K. We don't use PIPE_BUF or _PC_PIPE_BUF 
for this because that corresponds to the value for atomic pipe
writes.  The actual pipe buffer is much larger on modern systems
and 64K is what BSD and Linux support for large pipe buffers.
 2016-05-17 08:31:23 -06:00
Todd C. Miller
fb247aa76a I/O logging bug fix 2016-05-17 08:19:21 -06:00
Todd C. Miller
3b6cb9d65b Don't use SUDO_EVLOOP_NONBLOCK when flushing buffers at pty close 
time, only when the user suspends sudo.  Fixes a problem where all
buffers might not get flushed at exit when logging I/O.  Reproducible
via "sudo tar cf - foo | (cd /tmp && sudo tar xf -)" on OpenBSD.
 2016-05-17 08:16:43 -06:00
Todd C. Miller
eb4510597b Don't try to fflush(export_fp) or ferror(export_fp) if export_fp 
is NULL, which can happen on the error path.
 2016-05-16 14:16:08 -06:00