Commit Graph

61 Commits

Author SHA1 Message Date
Todd C. Miller
a2b0a8330c Fix a few whitespace issues. 2022-07-09 11:21:17 -06:00
Todd C. Miller
13672f28df Make sudo pass -Wwrite-strings 2022-06-28 16:33:15 -06:00
kernelmethod
c20859d55b Add an APPARMOR_PROFILE user spec option to sudoers
sudoers now supports an APPARMOR_PROFILE option, which can be specified
as e.g.

    alice       ALL=(ALL:ALL)   APPARMOR_PROFILE=foo    ALL

The line above says "user alice can run any command as any user/group,
under confinement by the AppArmor profile 'foo'." Profiles can be
specified in any way that complies with the rules of
aa_change_profile(2). For instance, the sudoers configuration

    alice       ALL=(ALL:ALL)   APPARMOR_PROFILE=unconfined     ALL

allows alice to run any command unconfined (i.e., without an AppArmor
profile), while

    alice       ALL=(ALL:ALL)   APPARMOR_PROFILE=foo//&bar      ALL

tells sudoers that alice can run any command under the stacked AppArmor
profiles 'foo' and 'bar'.

The intention of this option is to give sysadmins on Linux distros
supporting AppArmor better options for fine-grained access control.
Among other things, this option can enforce mandatory access control
(MAC) over the operations that a privileged user is able to perform to
ensure that they cannot privesc past the boundaries of a specified
profile. It can also be used to limit which users are able to get
unconfined system access, by enforcing a default AppArmor profile on all
users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged
subset of users.
2022-05-23 13:41:56 -06:00
Todd C. Miller
55171df5e5 Check strftime(3) return value in all cases.
Old versions of strftime(3) didn't guarantee to NUL-terminate the buffer
so we explicitly clear the last byte of the buffer and check it.
2021-09-17 14:01:28 -06:00
Todd C. Miller
18f1884ddc Use gmtime_r() and localtime_r() instead of gmtime() and localtime(). 2021-09-17 10:55:06 -06:00
Todd C. Miller
786e5865cb Add "intercept" Defaults setting to allow interception of sub-commands.
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell.  Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
2021-08-09 15:50:25 -06:00
Todd C. Miller
6286ce1d16 Store column number for aliases, defaults and userspecs too.
This is used to provided the column number along with the line
number in error messages.  For aliases we store the column of the
alias name, not the value since that is what visudo generally needs.
2020-11-02 05:39:06 -07:00
Todd C. Miller
9ff960457a Add support for runchroot and runcwd to "sudo -l" and cvtsudoers. 2020-09-01 06:26:05 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
03ad96e445 Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. 2020-08-01 13:10:50 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp()
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
2020-05-18 07:59:24 -06:00
Todd C. Miller
dd88460800 We no longer need to include headers we don't use for sudo*.h files.
Previously we needed to include headers required by the various
sudo*h files.  Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
2020-05-18 06:47:04 -06:00
Todd C. Miller
ea8445e364 Allow the ALL keyword to be specified with a digest list. 2020-03-11 11:19:37 -06:00
Todd C. Miller
4eca443246 Allow a list of digests to be specified for a command. 2020-03-11 11:17:52 -06:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
6c3d20cb41 Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00
Todd C. Miller
1b035b5426 Add padding option to cvtsudoers.
Bug #856
2018-10-25 08:40:25 -06:00
Todd C. Miller
64e5d34c57 Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Todd C. Miller
4782b22a47 Move ldif -> sudoers conversion code into parse_ldif.c 2018-08-26 20:02:49 -06:00
Todd C. Miller
52d54997ee Move string list functions to their own file. 2018-08-26 19:48:14 -06:00
Todd C. Miller
5d1dddc467 Eliminate most use of parsed_sudoers in cvtsudoers 2018-08-24 10:27:00 -06:00
Todd C. Miller
70d519c8ad o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree.
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
  a pointer to a struct sudoers_parse_tree which will be filled in
  by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
Todd C. Miller
1cd472c051 Check for invalid bas64 attributes. 2018-05-20 08:09:25 -06:00
Todd C. Miller
a04cb53e37 Fix pointer sign warnings. 2018-05-20 07:42:54 -06:00
Todd C. Miller
5c113e59ec Add missing variable declaration for SELinux and Solaris. 2018-05-20 07:36:46 -06:00
Todd C. Miller
03aa84ed03 Handle empty string and treat it as safe. 2018-05-20 07:36:00 -06:00
Todd C. Miller
1bc8e9abfd Add support for base64-encoding non-safe strings in LDIF output. 2018-05-20 07:01:26 -06:00
Todd C. Miller
1ab3606019 Add support for parsing base64-encoded attributes 2018-05-18 10:11:51 -06:00
Todd C. Miller
7d42a609d9 rfc2253 says we need to escape " and leading and trailing space. 2018-05-17 11:16:44 -06:00
Todd C. Miller
2102800824 Fix format string mismatch, sudo_order is unsigned. 2018-05-16 10:15:15 -06:00
Todd C. Miller
71e98d9493 Include parse.h in sudoers.h since it will soon be required. 2018-05-14 09:05:02 -06:00
Todd C. Miller
7a940ce30b No need to explicitly free role on EOF, it will be freed after the
loop is done.
2018-05-03 11:06:02 -06:00
Todd C. Miller
b0c13e995c Plug memory leaks on parse error or when an LDIF entry doesn't match
the dn filter.
2018-05-03 10:51:11 -06:00
Todd C. Miller
e1392cd28a Fix the -b option when converting from LDIF. 2018-04-19 09:23:45 -06:00
Todd C. Miller
8a237eb07d Add cvtsudoers command line option to suppress certain parts of the
security policy.  Can be used to suppress displaying of Defaults
entries, aliases or privileges.
2018-03-22 11:38:39 -06:00
Todd C. Miller
bbd3e558b1 Move cvtsudoers string functions into cvtsudoers.c 2018-03-21 13:29:47 -06:00
Todd C. Miller
ff79de8592 Initial support filtering by user, group and host in cvtsudoers.
Currently forces alias expansion when a filter is applied and the
entire matching user or host list is printed, even the non-matching
entries.  This effectively allows you to grep sudoers by user, group
and host.
2018-03-21 12:24:11 -06:00
Todd C. Miller
910f288948 fix compilation on Solaris 2018-03-10 20:16:20 -07:00
Todd C. Miller
5c36f9dec3 Initial support for adding comments that will be emitted when
sudoers is formatted.  Currently adds a comment for the source
sudoRole when converting from ldif -> sudoers.
2018-03-04 07:03:43 -07:00
Todd C. Miller
843213d3de Handle escaped commas when skipping over the cn. 2018-03-04 07:03:38 -07:00
Todd C. Miller
72dd971ee1 Add missing sudoOrder support to parse_ldif(). 2018-03-02 11:27:01 -07:00
Todd C. Miller
44fc165e7c Don't emit an empty sudoRole for global defaults if there are none. 2018-03-02 10:59:19 -07:00
Todd C. Miller
e750bae75d Handle parsing boolean options that have no explicit value. 2018-03-02 10:44:33 -07:00
Todd C. Miller
9af4447c3d Refactor the code that actually converts the role to sudoers format
into role_to_sudoers() now that it is more involved than just calling
sudo_ldap_role_to_priv().
2018-03-02 09:27:27 -07:00
Todd C. Miller
9b20bb1493 When merging two privileges, use the runas lists of the previous
privilege when possible.  Otherwise, the generated sudoers line
will include a runas list for commands that is not necessary.
2018-03-02 06:42:29 -07:00
Todd C. Miller
73b5f961ee Split conversion code out of parse_ldif() and into ldif_to_sudoers(). 2018-02-28 16:21:09 -07:00
Todd C. Miller
8da213c8be Quiet a clang analyzer warning. 2018-02-28 14:44:54 -07:00
Todd C. Miller
3a2ae844ec When converting from ldif to sudoers, sudoRole objects with the
same user if possible.  If both user and host are the same, merge
into a single privilege.  This makes it possible to convert a
sudoers entry like:

    aaron shanty = NOEXEC: /usr/bin/vi, /usr/bin/more, EXEC: /bin/sh

to ldif and then back to sudoers as a single line.  Currently, the
ldif entries to be merged must have the same or adjacent sudoOrder
attributes.
2018-02-28 14:02:50 -07:00
Todd C. Miller
56bdde1339 plug memory leaks 2018-02-28 14:02:11 -07:00