Commit Graph

10433 Commits

Author SHA1 Message Date
Todd C. Miller
368e12b0f9 If there is no session or terminal group ID, pass the plugin a value of 0.
This behavior already matches what is documented in the sudo_plugin
manual for "sid" but the "tcpgid" entry needed to be updated.
2019-11-18 16:25:52 -07:00
Todd C. Miller
d10220162d Don't touch the local iolog sequence file if we are logging remotely 2019-11-18 13:51:52 -07:00
Todd C. Miller
6c2821fe42 Plug a memory leak found by leak sanitizer 2019-11-18 11:50:25 -07:00
Todd C. Miller
3241b82a7e Make a shallow copy of user_env in I/O plugin in case it is reallocated.
The policy plugin's session init function may reallocate the user
environment pointer.  Fixes a use after free when PAM is used.
2019-11-18 10:29:11 -07:00
Todd C. Miller
f913249dd0 Rename "log_server" in sudoers to "log_servers" to match I/O plugin. 2019-11-18 09:39:03 -07:00
Todd C. Miller
810669c4f0 Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt().
It's a little more obvious this way and ssl is only non-NULL when the
tls option is enabled anyway.
2019-11-17 08:06:37 -07:00
Todd C. Miller
5be951bd79 Init iolog_dir_fd and sock in connection_closure before adding to list.
Otherwise we could close the wrong fds in the error path.
2019-11-17 08:02:20 -07:00
Todd C. Miller
82fea739af Add Laszlo Orban 2019-11-17 06:44:09 -07:00
Todd C. Miller
4bb2b2f605 regen 2019-11-16 19:14:40 -07:00
Todd C. Miller
366a63ce58 Change TLS example file locations to be under /etc/ssl/sudo. 2019-11-16 19:13:53 -07:00
Todd C. Miller
49c09ee2d8 Document sudo_logsrvd TLS configuration. 2019-11-16 13:01:49 -07:00
Todd C. Miller
dae0da2fe3 Include time.h for struct timespec. 2019-11-15 16:32:45 -07:00
Todd C. Miller
20bc94635d Add sudo_ev_set_v1 to the exports file. 2019-11-15 16:30:46 -07:00
Todd C. Miller
d8ccf11c58 Document the log_server and log_server_timeout options 2019-11-15 13:41:52 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
58cede6fee Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv 2019-11-15 13:35:58 -07:00
Todd C. Miller
f6acc134f4 When freeing an event base, reset ev->base to NULL for associated events. 2019-11-15 13:35:19 -07:00
Todd C. Miller
3689839a0e Move cb_timeout() out from under the HAVE_OPENSSL ifdef. 2019-11-15 13:33:47 -07:00
Todd C. Miller
690f145d3f LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().
Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
2019-11-15 13:19:28 -07:00
Todd C. Miller
68480b0959 Minor style nits that I missed during review. 2019-11-15 12:48:42 -07:00
Todd C. Miller
c9da8d4084 Avoid calling SSL_CTX_free() on an uninitialized pointer in an error path. 2019-11-15 12:26:44 -07:00
Todd C. Miller
f08c98a6aa Merge pull request #9 from sudo-project/audit-server-tls-support
Audit server tls support
2019-11-15 11:30:39 -07:00
Laszlo Orban
8c8023d212 update sudo_sendlog to support openssl tls 2019-11-15 09:52:48 +01:00
Laszlo Orban
b9641816d6 set timeout value for the socket 2019-11-15 09:52:48 +01:00
Laszlo Orban
e201f104d4 make audit server openssl dependency optional; tls layer is compiled only if sudo is built with --enable-openssl feature switch 2019-11-15 09:52:48 +01:00
Laszlo Orban
9df5e6c11d fixed segfault when connection_closure_free() tries to remove a non-existent connection object from the list 2019-11-15 09:52:48 +01:00
Laszlo Orban
764fb3e6bd verify server/client certs with CA certificate chain file 2019-11-15 09:52:48 +01:00
Laszlo Orban
037fb9298e fix copy-paste mistake 2019-11-15 09:52:48 +01:00
Laszlo Orban
3615576481 process tls config params in the audit server and establish TLS connection accordingly 2019-11-15 09:52:48 +01:00
Todd C. Miller
9309ca0074 Simplify resource limit fallback logic a bit. 2019-11-12 07:26:14 -07:00
Laszlo Orban
2c5e421761 add configuration options for TLS 2019-11-12 10:26:48 +01:00
Todd C. Miller
da82b16fc4 Add sudo logo designers 2019-11-11 19:57:39 -07:00
Todd C. Miller
f3ebe5025a Don't set the RLIMIT_STACK soft/hard limits to unlimited.
Use 8Mb for soft and 64Mb for hard.
Works around issues on macOS and docker.  See also Bug #908
2019-11-11 17:57:10 -07:00
Todd C. Miller
4a893912ce Restore resource limits before executing the askpass program.
Linux with docker seems to have issues executing a program when the
stack size is unlimited.  Bug #908
2019-11-11 16:07:43 -07:00
Todd C. Miller
ad52ce6612 Check for replies pointer being NULL just in case. 2019-11-11 14:10:13 -07:00
Todd C. Miller
6863a848d6 Convert trailing newline to carriage return + newline for tty.
Does not currently handle embedded newlines.
2019-11-09 10:13:56 -07:00
Todd C. Miller
f6a3dc6d27 Only write a carriage return if output is to a tty. 2019-11-08 19:40:49 -07:00
Todd C. Miller
b4878c95e7 Include a carriage return when printing warning messages.
Otherwise, if the command is running in a pty the output is stair-stepped.
2019-11-08 16:21:00 -07:00
Todd C. Miller
9f3bbdbd6f Add sudo_parse_host_port_v1 and sudo_pow2_roundup_v1 to exports file. 2019-11-07 18:09:44 -07:00
Todd C. Miller
09f1c26490 Fix typo in closefrom emulation. 2019-11-06 13:41:52 -07:00
Todd C. Miller
71aed42f9e Do not warn about a missing /etc/environment file on Linux without PAM.
Bug #907
2019-11-06 09:55:14 -07:00
Todd C. Miller
635445d471 Transparently handle the "sudo sudoedit" problem.
Some admins are confused about how to give users sudoedit permission
and many users try to run sudoedit via sudo instead of directly.
If the user runs "sudo sudoedit" sudo will now treat it as plain
"sudoedit" after issuing a warning.  If the admin has specified a
fully-qualified path for sudoedit in sudoers, sudo will treat it
as just "sudoedit" and match accordingly.  In visudo (but not sudo),
a fully-qualified path for sudoedit is now treated as an error.
2019-11-05 15:18:34 -07:00
Todd C. Miller
73031bbb55 Rename cwd -> submitcwd to match man page. 2019-11-05 15:18:07 -07:00
Todd C. Miller
98ce89ee80 Add unit test for parse_host_port and make an empty port an error. 2019-11-05 06:04:13 -07:00
Todd C. Miller
2949d2c47b Fill in host and port pointers on success. 2019-11-04 13:28:09 -07:00
Todd C. Miller
4c54e61ea9 Fix ChangeLog generation on a branch. 2019-10-28 07:52:56 -06:00
Todd C. Miller
b270b0c887 Split out code to parse host:port into a utility function. 2019-11-02 12:04:26 -06:00
Todd C. Miller
f1d0c99e03 Move bufsize_roundup() -> sudo_pow2_roundup() in libsudo_util. 2019-11-02 12:03:44 -06:00
Todd C. Miller
676d3fc67b Add missing depend target 2019-11-02 12:00:07 -06:00