Commit Graph

9757 Commits

Author SHA1 Message Date
Todd C. Miller
4b6de608c2 Only update the time stamp entry after the approval function has succeeded.
Bug #910
2019-12-04 12:38:22 -07:00
Todd C. Miller
049bbbfae1 Merge pull request #14 from sudo-project/tls-config-default-values
Audit Server - add default values for cert paths
2019-12-04 10:01:08 -07:00
Laszlo Orban
1dceb8bbb8 add default values for cert paths 2019-12-04 14:18:24 +01:00
Todd C. Miller
3ab29e29bb Add reference counting to debug register/deregister.
Fixes a potential problem when an instance is re-registered.
2019-12-03 20:03:19 -07:00
Todd C. Miller
7c782edf53 Only deregister the sudoers debug instance on last close.
Reference count calls to sudoers_debug_register and only deregister
sudoers_debug_instance when refcnt reaches 0.
Fixes a problem where the debug system was deregistered when the
sudoers policy is closed even though the iolog plugin is active.
2019-12-03 20:03:07 -07:00
Laszlo Orban
24cda2592a implement tls layer in iolog plugin 2019-11-28 15:58:56 +01:00
Laszlo Orban
a409d8f1fc process tls config options 2019-11-28 15:58:56 +01:00
Laszlo Orban
3ce51d40ce add audit server tls related configuration options to sudoers 2019-11-28 11:16:54 +01:00
Laszlo Orban
a9c2cf9272 optionally link sudoers with openssl libs 2019-11-28 11:07:05 +01:00
Laszlo Orban
f5e0e2a4bb Merge pull request #11 from sudo-project/audit-server-tls-async
Sudo audit Server - TLS protocol update
2019-11-27 08:29:19 +01:00
Laszlo Orban
06a0f89704 disable timeout for the reader after ServerHello message 2019-11-26 14:07:56 +01:00
Laszlo Orban
21e7fdfd55 use event timeout instead of socket timeout 2019-11-26 08:36:02 +01:00
Laszlo Orban
f4bbce6708 adapt sudo sendlog (async communication, unencrypted ServerHello message) 2019-11-26 08:36:02 +01:00
Todd C. Miller
1747e50090 Exit if the first call to logsrvd_conf_read() fails.
It is not fatal if subsequent calls fail (due to SIGHUP) since we
keep a copy of the old config before installing the new one.
2019-11-25 13:38:22 -07:00
Todd C. Miller
333ea878e2 Add some missing files to "make clean" and "make distclean" 2019-11-25 13:28:58 -07:00
Todd C. Miller
42adbca7ad Update .hgignore and convert to .gitignore 2019-11-25 12:57:03 -07:00
Laszlo Orban
f67d0d13cf ServerHello message is now unencrypted, TLS communication has been refactored to full async 2019-11-22 11:11:55 +01:00
Laszlo Orban
33f6a16764 extend ServerHello message with two fields (tls, tls_checkpeer) 2019-11-22 11:11:55 +01:00
Todd C. Miller
f976a5d866 For plugin API 1.15 and up, always call the plugin close function.
Previously, it was only called when a command was run (including
sudoedit).  Now, plugin operations list, validate, invalidate, and
show_version are also closed.
2019-11-20 10:57:47 -07:00
Todd C. Miller
2143746370 Avoid NULL deref on an error path if calloc() fails.
Coverity CID 205873
2019-11-19 19:00:31 -07:00
Todd C. Miller
e0a4b2d68a Fix potential fd leak when converting trailing newline to cr + nl.
Coverity CID 205872
2019-11-19 18:57:22 -07:00
Todd C. Miller
b31b830518 Document the process of creating self-signed certificates for sudo_logsrvd.
Based on a document from Laszlo Orban.
2019-11-19 14:29:40 -07:00
Todd C. Miller
c7cac7c0e6 Sync with argument handling in group_plugin.c 2019-11-19 12:46:21 -07:00
Todd C. Miller
a3266edc27 If a group plugin has optional arguments, NULL terminate the vector.
Otherwise, the plugin cannot determine the end of arguments.
The behavior now matches the plugin documentation.
2019-11-19 10:30:22 -07:00
Todd C. Miller
368e12b0f9 If there is no session or terminal group ID, pass the plugin a value of 0.
This behavior already matches what is documented in the sudo_plugin
manual for "sid" but the "tcpgid" entry needed to be updated.
2019-11-18 16:25:52 -07:00
Todd C. Miller
d10220162d Don't touch the local iolog sequence file if we are logging remotely 2019-11-18 13:51:52 -07:00
Todd C. Miller
6c2821fe42 Plug a memory leak found by leak sanitizer 2019-11-18 11:50:25 -07:00
Todd C. Miller
3241b82a7e Make a shallow copy of user_env in I/O plugin in case it is reallocated.
The policy plugin's session init function may reallocate the user
environment pointer.  Fixes a use after free when PAM is used.
2019-11-18 10:29:11 -07:00
Todd C. Miller
f913249dd0 Rename "log_server" in sudoers to "log_servers" to match I/O plugin. 2019-11-18 09:39:03 -07:00
Todd C. Miller
810669c4f0 Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt().
It's a little more obvious this way and ssl is only non-NULL when the
tls option is enabled anyway.
2019-11-17 08:06:37 -07:00
Todd C. Miller
5be951bd79 Init iolog_dir_fd and sock in connection_closure before adding to list.
Otherwise we could close the wrong fds in the error path.
2019-11-17 08:02:20 -07:00
Todd C. Miller
82fea739af Add Laszlo Orban 2019-11-17 06:44:09 -07:00
Todd C. Miller
4bb2b2f605 regen 2019-11-16 19:14:40 -07:00
Todd C. Miller
366a63ce58 Change TLS example file locations to be under /etc/ssl/sudo. 2019-11-16 19:13:53 -07:00
Todd C. Miller
49c09ee2d8 Document sudo_logsrvd TLS configuration. 2019-11-16 13:01:49 -07:00
Todd C. Miller
dae0da2fe3 Include time.h for struct timespec. 2019-11-15 16:32:45 -07:00
Todd C. Miller
20bc94635d Add sudo_ev_set_v1 to the exports file. 2019-11-15 16:30:46 -07:00
Todd C. Miller
d8ccf11c58 Document the log_server and log_server_timeout options 2019-11-15 13:41:52 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
58cede6fee Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv 2019-11-15 13:35:58 -07:00
Todd C. Miller
f6acc134f4 When freeing an event base, reset ev->base to NULL for associated events. 2019-11-15 13:35:19 -07:00
Todd C. Miller
3689839a0e Move cb_timeout() out from under the HAVE_OPENSSL ifdef. 2019-11-15 13:33:47 -07:00
Todd C. Miller
690f145d3f LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().
Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
2019-11-15 13:19:28 -07:00
Todd C. Miller
68480b0959 Minor style nits that I missed during review. 2019-11-15 12:48:42 -07:00
Todd C. Miller
c9da8d4084 Avoid calling SSL_CTX_free() on an uninitialized pointer in an error path. 2019-11-15 12:26:44 -07:00
Todd C. Miller
f08c98a6aa Merge pull request #9 from sudo-project/audit-server-tls-support
Audit server tls support
2019-11-15 11:30:39 -07:00
Laszlo Orban
8c8023d212 update sudo_sendlog to support openssl tls 2019-11-15 09:52:48 +01:00
Laszlo Orban
b9641816d6 set timeout value for the socket 2019-11-15 09:52:48 +01:00
Laszlo Orban
e201f104d4 make audit server openssl dependency optional; tls layer is compiled only if sudo is built with the --enable-openssl feature switch 2019-11-15 09:52:48 +01:00