Variable length arrays are supported by C99, but having it denoted as "1" confused the compiler and is not defined.
Note that because we don't get the inferred NULL terminator, we have to increase the malloc size by one.
Configuration paths in sudo are now a colon-separated list of files
with the adminconfdir instance first (if enabled), followed by a
sysconfdir instance.
This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF,
and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first
file that exists is used.
If the compiler supports [[noreturn]] as a attribute as in C23,
then we define sudo_noreturn to be it. When that's the case, we must place
it at the beginning of the declaration, before any other *extension*
attributes (__attribute(...)).
A bug has been filed with GCC regarding rejecting/accepting mixed
attribute styles.
sudo_dso_public is always an extension attribute, while sudo_noreturn only
might be, so put it first.
This only shows up with GCC 13 so far (see the linked GCC bug for a bit more
exploration). Clang 16 does support the attribute but doesn't let you use it
for earlier language versions (need to pass explicit -std=c2x, unlike with GCC here).
This is essentially a followup to e707ffe58b.
Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211,
Clang 16.0.0_rc2, and Clang 15.0.7.
Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796
Closes: https://github.com/sudo-project/sudo/issues/239
Fixes: e707ffe58b
Fixes: 16ae61dcd7
The log message contains user-controlled strings that could include
things like terminal control characters. Space characters in the
command path are now also escaped.
Command line arguments that contain spaces are surrounded with
single quotes and any literal single quote or backslash characters
are escaped with a backslash. This makes it possible to distinguish
multiple command line arguments from a single argument that contains
spaces.
Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv
(https://synacktiv.com).
The numeric fields in struct sudo_lbuf are now unsigned so that
wraparound is defined, this make the overflow checks simpler.
Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer.
If output is being written to a terminal in "raw" mode, we need to
add a carriage return after the newline to avoid "stair-step" output.
However, we should not write the carriage return if the terminal
is in "cooked" mode, output to a pipe, or output redirected to a file.
Bug #1042.
Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike,
__printf0like -> sudo_printf0like.
Add sudo_noreturn instead of __attribute__((__noreturn__)).
We do not use stdnoreturn.h since it has been deprecated in C23
in favor of the [[noreturn]] attribute.
These allocate memory via mmap anonymous regions and store the mapped
size immediately before the returned pointer as an unsigned long.
They are intended to be used in cases where malloc(3) and free(3)
are unsuitable due to concerns about corrupting global state in
multi-threaded programs or signal handlers.
Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
