isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,433 Commits 1 Branch 0 Tags
6286ce1d16e11619efb8d5855b14dd296f355f9c
Commit Graph

10433 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
2a29daee18 Clear the write bit from the I/O log timing file when it is complete. 
This matches the behavior of sudo_logsrvd.
 2020-05-18 13:16:29 -06:00
Todd C. Miller
84f0ae0cb8 Use PACKAGE_VERSION instead of 0.1 as the client and server version. 2020-05-18 11:33:13 -06:00
Todd C. Miller
8ef5c4cf9d Set DEFAULT_TEXT_DOMAIN in lib/util's Makefile not individual .c files. 
We no longer need to include sudo_gettext.h before sudo_compat.h
 2020-05-18 11:19:58 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
dd88460800 We no longer need to include headers we don't use for sudo*.h files. 
Previously we needed to include headers required by the various
sudo*h files.  Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
 2020-05-18 06:47:04 -06:00
Todd C. Miller
d85d370c63 Add dependent system includes to make sudo_*.h more standalone. 
In the past we've relied on the various .c files to include the
system headers that define types that the sudo_*.h headers require.
This is fragile and can cause issues when includes get re-ordered.
 2020-05-18 04:47:21 -06:00
Todd C. Miller
b66cf649f5 Fix typo in PERLIO_DEBUG (trailing whitespace). 
This has no effect unless env_reset is disabled.
From Allan Wirth
 2020-05-18 04:45:04 -06:00
Dan Robertson
f4e9e4337f Fix includes when building with musl 
Include sys/types.h for mode_t and id_t in sudo_debug.h
 2020-05-16 10:45:17 -06:00
Sebastian Rasmussen
3d73f05e3b Fix typo in warning message. 2020-05-16 10:44:27 -06:00
Todd C. Miller
aaea462277 Prefer SIGSYS if SIGUNUSED is defined to the same value. 
Fixes a regress failure on musl libc where SIGSYS and SIGUNUSED
share the same value.
 2020-05-15 19:25:30 -06:00
Todd C. Miller
26b599a5b1 Add missing sys/wait.h include; fixes a compilation problem on musl libc. 2020-05-15 19:08:16 -06:00
Todd C. Miller
36bbf629be Add missing sys/types.h include; fixes a compilation problem on musl libc. 2020-05-15 18:56:40 -06:00
Todd C. Miller
ea1226be7c Only define WCONTINUED and WIFCONTINUED if neither are already defined. 
Fixes a warning on musl libc where WIFCONTINUED is defined in
stdlib.h for some reason.
 2020-05-15 18:50:04 -06:00
Todd C. Miller
4ea7ecffdd Enable OpenSSL on RHEL 6 too. 
The version of OpenSSL in RHEL 6 is new enough for the log server to use.
 2020-05-15 09:50:46 -06:00
Todd C. Miller
1c3946e9b1 Don't print errno for the "TLS not supported" message. 2020-05-15 09:10:22 -06:00
Todd C. Miller
3ded5cbd67 Fix macOS bundle IDs for sudo-logsrvd and sudo-python packages 2020-05-14 15:16:35 -06:00
Todd C. Miller
f71b569419 Add iolog_path to the JSON-format event log 2020-05-13 11:13:29 -06:00
Todd C. Miller
d2686dde0c Rename FLUSHED state to FINISHED 
This makes more sense when receiving event-only logs.
 2020-05-13 09:30:05 -06:00
Todd C. Miller
0337f5b735 Fix handling of connections without associated I/O logs. 
This fixes reject events as well as accept events without the
expect_iobufs flag set.
 2020-05-13 07:40:47 -06:00
Todd C. Miller
27355e6aae Fix handling of accept and reject messages without an I/O log. 
Only set expect_iobufs in AcceptMessage if sending I/O logs.
Set state to FINISHED immediately after sending a RejectMessage.
 2020-05-12 19:19:16 -06:00
Todd C. Miller
d5888e2745 Add -A and -R options to test logging of accept and reject events. 
If -A is specified, no I/O will be sent, only the accept event.
For -R, a reject event with the specified reason is sent.
 2020-05-12 14:45:46 -06:00
Todd C. Miller
d3b710b0da cfmakeraw(3) is broken on AIX, don't use it there 
The cfmakeraw(3) function exists but does not set VMIN to 1 or VTIME
to 0 in c_cc[] in struct termios, which makes it useless.  The AIX
version also doesn't clear the CSIZE and PARENB flags from c_cflag.
 2020-05-12 09:52:27 -06:00
Todd C. Miller
af0d840322 fix pastos 2020-05-12 07:47:38 -06:00
Todd C. Miller
83d1bee918 Rename sudo_parse_host_port -> iolog_parse_host_port and mv to lib/iolog 
It is not used outside of the I/O log client and server and the
host:port syntax may change in the future.
 2020-05-11 08:47:54 -06:00
Todd C. Miller
fbf25112e6 Remove duplicate inclusion of time.h 2020-05-11 08:46:58 -06:00
Todd C. Miller
fc79cbc317 Only enable TLS listener by default if we have a cert for it. 
We want the log server to work with the default configuration.  If
the default certificate path exists, it will be used with the default
listener.  If the user explicitly enabled a TLS listener we always
attempt to use it.  If TLS was specified but no cert file was set,
the default location will be used (and an error will occur if the
cert cannot be loaded).
 2020-05-08 16:07:55 -06:00
Todd C. Miller
3de3de8b75 regen for 1.9.0 final 2020-05-07 12:23:13 -06:00
Todd C. Miller
e9be26c4b1 regen 2020-05-07 12:22:00 -06:00
Todd C. Miller
92199e25c4 The --preserve-env=list option may be specified more than once. 2020-05-07 11:11:43 -06:00
Todd C. Miller
deb9ce7d12 Quiet some warnings from igor. 2020-05-07 08:02:49 -06:00
Todd C. Miller
7f2585ed0a Plumb in codespell with a "make spell" target. 2020-05-07 07:50:11 -06:00
Todd C. Miller
04cb06160a Fix a few more typos. 2020-05-07 07:49:54 -06:00
Todd C. Miller
4266279c0c Don't allow duplicate values for command line options that take an argument. 
Previously, if multiple instances of the same command line option were
specified, the last one would be used.  This meant that, for example,
"sudo -u someuser -u otheruser id" would run the command as "otheruser".
This has the potential to cause problems for programs that run sudo with
a user-specified command that do not use the "--" option to indicate
that no more options should be processed.  While this is a bug in
the calling program, there is little downside to erroring out when
multiple options of the same type are specified on the command line.
Bug #924
 2020-05-06 19:33:24 -06:00
Todd C. Miller
24ad424a57 Debian bug #734752 2020-05-06 16:40:48 -06:00
Todd C. Miller
4dba87262a Look up runas user by name, not euid, where possible. 
Fixes a problem when there are multiple users with the same user-ID
where the PAM session modules could be called with the wrong user name.
Debian bug #734752
 2020-05-06 16:38:08 -06:00
Todd C. Miller
ea99394fcf Fix ironic typo in spelling fixes. Bug #925 2020-05-06 11:04:47 -06:00
Todd C. Miller
e42afc7732 Sync PolyPkg from upstream. 2020-05-06 09:52:48 -06:00
Todd C. Miller
0cf2e09e0c Apply spelling fixes. 
Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell)
 2020-05-06 09:27:43 -06:00
Todd C. Miller
5d3f635ae8 Use the proper python version in the libpython dependency on Debian. 
The configure script already detects the python version, we just need
to use it.
 2020-05-05 17:21:36 -06:00
Todd C. Miller
f261d58af8 Updated translations from translationproject.org 2020-05-05 13:36:30 -06:00
Todd C. Miller
a3e94aefa3 Bug #922 and Bug #923 2020-05-05 13:36:05 -06:00
Todd C. Miller
6901fc97ac Add a ClientHello message that client sends to the server. 
This makes it easier to detect a plaintext client sending to a
TLS port.  Without this, the TLS server will be silent as it
waits for the client to initiate the TLS connection.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1e765e1caf Better error messages when there is a problem with the TLS connection. 
If SSL_read, SSL_write or SSL_connect fails we can use the reason
string to let the user know what the problem is.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1f8da42f9a Warn about tls errors during startup so the user has a clue. 
We write messages to stderr until we become a daemon.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
e5f8214c0a Remove the tls parameter from the ServerHello message. 
The TLS connection is now initiated before ServerHello is received.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
8186b98208 Adapt sudoers iolog client to log server dual port changes. 
The TLS handshake now occurs before the ServerHello message is read.
This fixes potential man-in-the-middle attacks and works better with
TLS 1.3.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS. 
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client recieve an alert
from the server is there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
b5a317aeb9 Add support for a tls flag in sudo_parse_host_port(). 
If the string "(tls)" appears at the end, the tls flag is set to true
and the default tls port is used if necessary.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
82bc05d998 Fix Debian ldap dependency broken in last commit. 2020-05-04 13:03:51 -06:00
Todd C. Miller
3b078b7a9c Fix "make package" on Debian when linux_audit is not set. 2020-05-04 12:36:35 -06:00