isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,802 Commits 1 Branch 0 Tags
5bbfaa8e68b5ee6f27d4fbfa3c4e789341724f9c
Commit Graph

12802 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
c1708f0cf1 Support multiple input files. 2023-09-24 16:27:22 -06:00
Todd C. Miller
171abbe112 No need to loop reading from/writing to a blocking socketpair. 
This removes some infinite loops that can cause static analyzer
warnings.  The fds are not in non-blocking mode and we use restartable
system calls so there is no need to loop.
 2023-09-22 10:53:41 -06:00
Todd C. Miller
1c7d757b79 check_user: fix return value for intercept mode 
Also use early return on error to quiet a PVS-Studio warning.
 2023-09-22 10:38:46 -06:00
Todd C. Miller
988d7f60f0 Set ec->term_raw to false even if sudo_term_restore() fails. 
Either the fd is not a terminal or we don't have the controlling
terminal.  Either way, we can't know the current status of the
terminal and will need to set to raw mode again (if possible).  Also
make sure to set ec->term_raw to false if sudo_term_raw() fails.
 2023-09-21 14:13:17 -06:00
Todd C. Miller
f2d267bfb4 Only define _PATH_ENVIRONMENT on systems where we use /etc/environment. 2023-09-20 16:49:27 -06:00
Todd C. Miller
0c67456923 Sudo assumes that a uid_t can be cast to unsigned int without problems. 
Add a configure check and error out if sizeof(uid_t) > 4.
 2023-09-20 11:25:48 -06:00
Todd C. Miller
f4acc43663 Mention the time stamp and lecture file name changes in 1.9.15. 2023-09-20 09:00:29 -06:00
Todd C. Miller
37ee2946aa sudo 1.9.15 2023-08-24 09:28:45 -06:00
Todd C. Miller
d9da92951a Replace '/' with '_' in paths using the user, group or host name. 2023-09-20 09:00:27 -06:00
Todd C. Miller
7363ad7b32 Use the user-ID instead of user-name for the timestamp and lecture file. 
This avoids problems if the user name itself contains a path separator.
 2023-09-11 10:27:35 -06:00
Todd C. Miller
94b80e3ad4 Replace MAX_UID_T_LEN with calls to STRLEN_MAX_UNSIGNED. 2023-09-19 15:16:30 -06:00
Todd C. Miller
d53bbb54b2 Add macros to determine the length of an integer type in string form. 
Adapted from answer #6 in:
https://stackoverflow.com/questions/10536207/ansi-c-maximum-number-of-characters-printing-a-decimal-int
 2023-09-19 15:15:02 -06:00
Todd C. Miller
221a10340c visudo: use verbose and strict in parser_conf 
Where the sudoers_context is available we can use the values
of verbose and strict instead of passing around quiet and
strict flags.
 2023-09-18 13:47:25 -06:00
Todd C. Miller
6e75f2311d Add resolve_cmnd(), a wrapper around find_path(). 
This is a convenience function that sets PERM_RUNAS and calls
find_path().  If the command is not found it will retry with PERM_USER
instead.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
8fcb21b5cd Promote strict field in sudoers_parser_config from bool to int. 
This will be used by visudo to indicate when "visudo -s" is run.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
e28dc0f275 Add parser_warnx() and parser_vwarnx() that displays file:line:col 
Used by defaults.c and check_aliases.c.
 2023-09-18 12:42:51 -06:00
Todd C. Miller
3a77314373 Add a separate file for visudo callbacks. 2023-09-18 12:42:51 -06:00
Todd C. Miller
c277e55f42 Rename callbacks.c -> sudoers_cb.c. 2023-09-18 12:42:51 -06:00
Todd C. Miller
0cb3e33444 Wait on a socketpair for the parent to grant child the controlling tty. 
This upgrades the error pipe to a bi-directional socketpair that
the parent will write to after it has granted the child process the
controlling terminal.  That fixes an issue where the child could
end up in a tight CPU loop waiting on the parent which may not be
scheduled immediately.
 2023-09-18 12:26:19 -06:00
Todd C. Miller
a127ddf6db Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them. 
Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and
AUTH_FAILURE.  We avoided this problem in the past because the old
values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines.
 2023-09-15 10:53:28 -06:00
Todd C. Miller
49c7c1f4d3 Only cast TIOCSWINSZ to int on systems that might require it (AIX). 
Otherwise we end up with a -Wconversion warning on systems where
the ioctl() request argument is unsigned long.
 2023-09-15 10:26:29 -06:00
Todd C. Miller
51d6b0f425 Promote verbose flag to int for display_privs and display_cmnd. 
A negative verbosity will prevent non-error output from being
displayed.
 2023-09-15 10:01:35 -06:00
Todd C. Miller
a9ee97580a No need to include cvtsudoers.h here. 2023-09-13 19:44:02 -06:00
Todd C. Miller
0011333f8e Remove pivot_get_root() and pivot_get_cwd(). 
They are unnecessary since struct sudoers_pivot is not opaque.
The implementation details are private to match_command.c.
 2023-09-13 16:46:23 -06:00
Todd C. Miller
2aae36f345 Quiet some -Wconversion warnings in the tests. 2023-09-13 15:15:54 -06:00
Todd C. Miller
b8f2680cf0 Make flag in union sudo_defs_val bool to match how it is used. 
Adjust find_path()'s ignore_dot function argument to match.
 2023-09-13 14:59:29 -06:00
Todd C. Miller
a9801cc99d Parse euid and egid from sudo front-end. 
These are needed by bsm_audit.c.
 2023-09-13 12:43:39 -06:00
Todd C. Miller
38ddbb14f1 Parse pid and ppid from sudo front-end. 
We can now use the stored ppid in ts_init_key().
 2023-09-13 12:29:40 -06:00
Todd C. Miller
34990c0e08 Use struct sudoers_pivot instead of defining sudoers_pivot_t. 
We want to pass around a pointer, not the struct itself.
 2023-09-13 08:36:07 -06:00
Todd C. Miller
15b3d786d7 Don't expose the implementation of the pivot_root state. 2023-09-11 16:21:11 -06:00
Todd C. Miller
0b52ffd1a2 Don't expose the implementation of the pivot_root state. 2023-09-11 16:15:41 -06:00
Todd C. Miller
4117ad1462 Only call ptrace_verify_post_exec() for intercept, not log_subcmds. 
This fixes a logic goof introduced in sudo 1.9.14.
 2023-09-11 13:11:49 -06:00
Todd C. Miller
c0553cd383 tsgetusershell.c: don't rely on GNU sed extensions. 2023-09-10 17:59:18 -06:00
Todd C. Miller
0a85869286 testsudoers: add -S option to specify /etc/shells path. 2023-09-10 16:44:24 -06:00
Todd C. Miller
034b2f3bdd Add testsudoers_setshellfile() and use it in testsudoers. 2023-09-10 16:38:53 -06:00
Todd C. Miller
62b92c7fb8 regen 2023-09-10 16:37:26 -06:00
Todd C. Miller
166ef55aa7 Remove unnecessary sudo_gettext.h include and add missing const. 2023-09-10 10:23:04 -06:00
Todd C. Miller
c54bdd799b Return AUTH_* flags from check_user() instead of 1/0/-1. 2023-09-09 14:59:46 -06:00
Todd C. Miller
2fdb4db339 Wrap valid_shell and add to sudo_pwutil_set_backend(). 
This will make it possible to support a different getusershell()
implementation for testsudoers in the future.
 2023-09-09 14:48:25 -06:00
Todd C. Miller
d18ee8e0e7 Move check_user_shell() to pwutil.c as user_shell_valid() 
This will make it possible to support a different backend which may
be used by testsudoers in the future.
 2023-09-09 14:07:28 -06:00
Todd C. Miller
28a13501d8 Merge check_user() and check_user_interactive(), move getpass callbacks. 
The getpass callbacks are now defined in sudo_auth.c, which implements
auth_getpass().  As a result, struct getpass_closure is now public
and defined in timestamp.h.
 2023-09-09 14:07:11 -06:00
Todd C. Miller
0495afac57 Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. 2023-09-09 14:07:07 -06:00
Todd C. Miller
2ef90231a1 Make all match functions return ALLOW/DENY not true/false. 2023-09-09 14:07:06 -06:00
Todd C. Miller
7873f8334c Try to make sudo less vulnerable to ROWHAMMER attacks. 
We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE.  In addition, we
explicitly test for expected values instead of using a negated test
against an error value.  In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
 2023-09-09 14:07:04 -06:00
Todd C. Miller
525803db23 Honor ignore_perms plugin argument for @include and @includedir. 2023-09-09 14:06:11 -06:00
Todd C. Miller
499121229e Don't set on_suspend and on_resume twice. 2023-09-06 20:17:00 -06:00
Todd C. Miller
956de5cbbc sudoers_sethost: refactor code to set host names in sudoers_context. 
The sudoers_sethost() function can be shared by the sudoers plugin,
visudo, cvtsudoers and testsudoers.
 2023-09-02 15:25:58 -06:00
Todd C. Miller
0c9ca88f5b sudoers_trace_print: use debug_decl_vars instead of doing it by hand. 2023-09-01 16:55:19 -06:00
Todd C. Miller
080e08b0fb sudo_realpath() returns char *, not void *. 2023-09-01 13:28:04 -06:00
Todd C. Miller
d898d073bf Only print "no valid sudoers sources found, quitting" for multiple sources. 
If there is only a single source (usually the sudoers file), the
open function provide enough of an error message.  Printing two
error messages is just confusing.
 2023-08-31 14:05:08 -06:00