isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,757 Commits 1 Branch 0 Tags
4b6de608c25a6ffbdb507be958e12f814b43077c
Commit Graph

2505 Commits

Author SHA1 Message Date
Todd C. Miller
4b6de608c2 Only update the time stamp entry after the approval function has succeeded. 
Bug #910
 2019-12-04 12:38:22 -07:00
Todd C. Miller
7c782edf53 Only deregister the sudoers debug instance on last close. 
Reference count calls to sudoers_debug_register and only deregister
sudoers_debug_instance when refcnt reaches 0.
Fixes a problem where the debug system was deregistered when the
sudoers policy is closed even though the iolog plugin is active.
 2019-12-03 20:03:07 -07:00
Laszlo Orban
24cda2592a implement tls layer in iolog plugin 2019-11-28 15:58:56 +01:00
Laszlo Orban
a409d8f1fc process tls config options 2019-11-28 15:58:56 +01:00
Laszlo Orban
3ce51d40ce add audit server tls related configuration options to sudoers 2019-11-28 11:16:54 +01:00
Laszlo Orban
a9c2cf9272 optionally link sudoers with openssl libs 2019-11-28 11:07:05 +01:00
Todd C. Miller
333ea878e2 Add some missing files to "make clean" and "make distclean" 2019-11-25 13:28:58 -07:00
Todd C. Miller
f976a5d866 For plugin API 1.15 and up, always call the plugin close function. 
Previously, it was only called when a command was run (including
sudoedit).  Now, plugin operations list, validate, invalidate, and
show_version are also closed.
 2019-11-20 10:57:47 -07:00
Todd C. Miller
2143746370 Avoid NULL deref on an error path if calloc() fails. 
Coverity CID 205873
 2019-11-19 19:00:31 -07:00
Todd C. Miller
c7cac7c0e6 Sync with argument handling in group_plugin.c 2019-11-19 12:46:21 -07:00
Todd C. Miller
a3266edc27 If a group plugin has optional arguments, NULL terminate the vector. 
Otherwise, the plugin cannot determine the end of arguments.
The behavior now matches the plugin documentation.
 2019-11-19 10:30:22 -07:00
Todd C. Miller
d10220162d Don't touch the local iolog sequence file if we are logging remotely 2019-11-18 13:51:52 -07:00
Todd C. Miller
6c2821fe42 Plug a memory leak found by leak sanitizer 2019-11-18 11:50:25 -07:00
Todd C. Miller
3241b82a7e Make a shallow copy of user_env in I/O plugin in case it is reallocated. 
The policy plugin's session init function may reallocate the user
environment pointer.  Fixes a use after free when PAM is used.
 2019-11-18 10:29:11 -07:00
Todd C. Miller
f913249dd0 Rename "log_server" in sudoers to "log_servers" to match I/O plugin. 2019-11-18 09:39:03 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
71aed42f9e Do not warn about a missing /etc/environment file on Linux without PAM. 
Bug #907
 2019-11-06 09:55:14 -07:00
Todd C. Miller
635445d471 Transparently handle the "sudo sudoedit" problem. 
Some admin are confused about how to give users sudoedit permission
and many users try to run sudoedit via sudo instead of directly.
If the user runs "sudo sudoedit" sudo will now treat it as plain
"sudoedit" after issuing a warning.  If the admin has specified a
fully-qualified path for sudoedit in sudoers, sudo will treat it
as just "sudoedit" and match accordingly.  In visudo (but not sudo),
a fully-qualified path for sudoedit is now treated as an error.
 2019-11-05 15:18:34 -07:00
Todd C. Miller
655fdde22b We haven't needed -I$(top_srcdir) for a long time. 2019-11-02 12:00:04 -06:00
Todd C. Miller
356287557f Use dup3() instead of dup2(). 
This is less error prone since dup3() returns an error if old == new.
Sudo guarantees that fds 0-2 are already open.
 2019-11-02 10:55:50 -06:00
Todd C. Miller
352212c7bf Open all pipes using pipe2() with O_CLOEXEC. 
We no longer depend on calling closefrom() before exec.
 2019-11-02 10:52:34 -06:00
Todd C. Miller
5a1e5e9fae regen 2019-10-24 20:04:33 -06:00
Todd C. Miller
ee91b7360b Simplify expand_iolog_path() 2019-10-24 20:04:33 -06:00
Todd C. Miller
13e3eaad5f Simplify iolog_set_user and iolog_set_group 2019-10-24 20:04:33 -06:00
Todd C. Miller
56c21243d7 Add iolog_ prefix to exported functions in iolog_util.c 2019-10-24 20:04:33 -06:00
Todd C. Miller
aaf5d0dc6e Read logsrvd.conf in two steps: first read, then apply if OK. 
This fixes a problem where when logsrvd.conf was reloaded while
running (due to SIGHUP) and there was an error we could end up with
a partial config.
 2019-10-24 20:04:33 -06:00
Todd C. Miller
b58ecb7e6d Move read_timing_record() into libsudo_iolog 2019-10-24 20:04:32 -06:00
Todd C. Miller
76eec78a33 Add basic support for event logging using a sudo-style log format. 2019-10-24 20:04:32 -06:00
Todd C. Miller
282263c113 Use openat(2) when opening files in the I/O log directory. 2019-10-24 20:04:31 -06:00
Todd C. Miller
7ba7c5835e Enable sudo_logsrvd.conf settings. 2019-10-24 20:04:31 -06:00
Todd C. Miller
059b55ce72 Refactor code in sudoers that creates I/O log files to share with logsrvd. 2019-10-24 20:04:31 -06:00
Todd C. Miller
e0c9a9dfa3 Move mkdir_parents to libsudo_util. 2019-10-24 20:04:31 -06:00
Todd C. Miller
4dacf81082 Refactor I/O log code so it can be shared between sudoers and logsrvd 2019-10-24 20:04:29 -06:00
Todd C. Miller
271ead2fd3 Don't pass an invalid session or process group ID to the plugin. 
Fixes a regression in 1.8.28 when there is no terminal session leader.
 2019-10-23 12:47:44 -06:00
Todd C. Miller
0375eaca58 regen 2019-10-21 19:55:08 -06:00
Todd C. Miller
b157b96893 Add depend target to all Makefile.in files. 2019-10-21 15:20:21 -06:00
Todd C. Miller
f57e2d04a3 Older FreeBSD needs sys/param.h included before sys/user.h. 
From Darren Tucker
 2019-10-20 19:18:27 -06:00
Todd C. Miller
c3ce3a84fb Refer to user-ID and group-ID instead of "user ID" and "group ID" 2019-10-19 14:26:41 -06:00
Todd C. Miller
40bf4081be Rename sudo_strtoid() to sudo_strtoidx() and add simplified sudo_strtoid() 2019-10-20 10:21:29 -06:00
Todd C. Miller
b02851dcf3 Change how the umask is handled with PAM and login.conf. 
If the umask is explicitly set in sudoers, use that value regardless
of what is in PAM or login.conf.  If using the default umask from
sudoers, allow PAM or login.conf to override it.  Bug #900
 2019-10-18 06:20:27 -06:00
Todd C. Miller
cf6c60c102 Add log_allowed and log_denied sudoers flags, defaulting to true. 2019-10-17 13:43:04 -06:00
Todd C. Miller
4229dfc566 Enable security auditing malloc options for "make check". 2019-10-17 13:41:53 -06:00
Todd C. Miller
cf2f37136f No need to check existing sudoers file when installing to DESTDIR 
This check can cause problems on systems where /etc/sudoers.d is not readable.
 2019-10-16 12:17:06 -06:00
Todd C. Miller
d494b81556 The fix for bug #869 broke "sudo -v" when verifypw=all (the default) 2019-10-15 07:23:51 -06:00
Todd C. Miller
2512f6efbf Use sudo_strtonum() explicitly instead of via a macro. 2019-10-14 10:09:30 -06:00
Todd C. Miller
9d5867eaed Use errno in warning when sudo_make_*_item() fails. 
Previously we always said "out of memory" if not ENOENT.
 2019-10-14 10:09:28 -06:00
Todd C. Miller
3edd6afedf Reject non-LDIF input when converting from LDIF to sudoers or JSON. 2019-10-14 10:09:27 -06:00
Todd C. Miller
8e58e6715a More case-insensitive compare for LDAP attributes and string lists. 
Only the ALL keyword should be compared case-sensitive.
 2019-09-05 08:09:53 -06:00
Todd C. Miller
208a52c613 regen 2019-10-10 10:12:08 -06:00