Todd C. Miller
42df431ce2
Make the default certificate and key paths match the example file.
2020-05-04 11:33:04 -06:00
Todd C. Miller
7d621fc6f1
Plug memory leaks in sudo_sendlog
2020-05-04 11:25:47 -06:00
Todd C. Miller
0460008c5b
Handle EAGAIN like we do ENOMEM from poll() and select().
...
On some systems, poll() and select() can return EAGAIN instead
of ENOMEM if there is a kernel resource shortage. In this case
we just re-enter the event loop and retry.
2020-05-04 11:23:35 -06:00
Todd C. Miller
a212ee64e3
Use the --embed when running "python3-config --ldflags" if supported.
...
Newer versions of python3-config only include libpython in the
output when the --embed is used. Otherwise, "python3-config --libs"
and "python3-config --ldflags" only list the libraries python is
dependent on and not the python library itself.
2020-05-03 12:56:26 -06:00
Todd C. Miller
aba4915b83
On error, remove the connection with an error without freeing the closure.
...
Fixes the final message at the end when there is a network error.
2020-04-30 15:54:35 -06:00
Todd C. Miller
2b1e986572
Do not call poll(2) or ppoll(2) with nfds > RLIMIT_NOFILE.
...
Both poll(2) and ppoll(2) will return EINVAL if the nfds function
argument is larger than the max files per process resource limit.
Prevent this by limiting the max number of entries in the pfds[] array
to the RLIMIT_NOFILE soft limit.
2020-04-30 15:54:34 -06:00
Todd C. Miller
85fe30e49b
The timeout parameter of sudo_ev_add() should be const.
2020-04-29 11:27:30 -06:00
Todd C. Miller
3b7768be76
Don't free TLS on error in tls_init(), it is freed in client_closure_free().
...
Fixes a double free on error introduced with the TLS state cleanup in
client_closure_free().
2020-04-28 10:52:09 -06:00
Todd C. Miller
2ab8f2a732
Check for tls_config->dhparams_path being non-NULL before using it.
2020-04-28 10:52:08 -06:00
Todd C. Miller
79b064139f
Document the TLS and test options.
2020-04-23 14:26:16 -06:00
Todd C. Miller
5dec0f763f
Allow -t option even without OpenSSL
...
Also add -t to the usage message
2020-04-23 14:16:02 -06:00
Todd C. Miller
0fafcf6aea
Use sudo_strtonum() instead of relying on strtoll().
...
Older, pre-C99, systems may not include strtoll() in their C library.
2020-04-23 11:15:03 -06:00
Todd C. Miller
b26e32f398
Allow this to build on systems without stdint.h by using config.h.
...
Old, pre-C99, systems may have inttypes.h but not stdint.h.
2020-04-23 11:13:33 -06:00
Todd C. Miller
40f47f0136
Fix support for pp_systemd_disabled and check for systemd existence.
...
On our build schroots we don't have systemctl installed but do have
the /etc/systemd and /lib/systemd (or /usr/lib/systemd) directories.
2020-04-22 15:23:05 -06:00
Todd C. Miller
8c5befaae8
Set pp_macos_service_id instead of pp_macos_default_service_id_prefix.
...
It is only effective to set pp_macos_default_service_id_prefix in
the individual %service sections (and not %set) so we may as well
use pp_macos_service_id which includes the service name.
2020-04-22 12:40:52 -06:00
Todd C. Miller
c70606c3c9
Set launchd service id prefix to "ws.sudo."
...
The default value in PolyPkg is "com.quest.rc."
2020-04-22 10:45:03 -06:00
Todd C. Miller
d5b06ff7fa
Fix macOS package creation.
2020-04-22 08:58:07 -06:00
Todd C. Miller
557be2b0b1
Shut down the TLS connection cleanly in client_closure_free().
...
Also free the SSL data which is part of the client closure.
2020-04-21 15:01:44 -06:00
Todd C. Miller
76bf9a73bc
Fix sudoedit when running with SELinux RBAC mode.
...
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.
Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit. Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (running
with the target user's security context).
2020-04-21 14:29:23 -06:00
Todd C. Miller
009876bf36
Refactor the sudoedit code to copy files so it can be shared.
...
The SELinux sudoedit code now extends the destination file the
same way the non-SELinux version does.
2020-04-21 11:05:32 -06:00
Todd C. Miller
0bd39701b4
Do not remove sudoedit temporary files if we cannot overwrite the real file.
...
The warning message says the files were preserved but they actually
got removed.
2020-04-21 11:05:30 -06:00
Todd C. Miller
d22800edd5
Only remove the systemd unit service file if we copied it manually.
...
If the service file was installed as part of the package it will
be removed automatically when the package is uninstalled.
2020-04-21 11:05:29 -06:00
Todd C. Miller
99129ba41f
Make gl_pathc, gl_matchc and gl_offs size_t in glob_t to match POSIX.
2020-04-21 11:05:29 -06:00
Todd C. Miller
c161f68b43
Document TLS settings in ServerHello
2020-04-20 11:12:03 -06:00
Todd C. Miller
adb4360c40
Extend the original file to the new size before updating it.
...
Instead of opening the original file for writing w/ truncation, we
first extend the file with zeroes (by writing, not seeking), then
overwrite it. This should allow sudo to fail early if the disk is
out of space before it overwrites the original file.
2020-04-17 19:08:56 -06:00
Todd C. Miller
2a60816f75
I/O log plugins should be closed *before* the policy plugin, not after.
2020-04-17 15:57:06 -06:00
Todd C. Miller
af4eb80dfb
Fix typo
2020-04-17 15:37:41 -06:00
Todd C. Miller
132b943a2d
Only display error string once on I/O error.
...
We already include the error string in the format so no need to use
errno too.
2020-04-17 15:36:45 -06:00
Todd C. Miller
ae7bb12335
Free passwd and group caches in I/O plugin after log_warning(), not before.
...
The logging functions may try to use the cache via set_perms(PERM_ROOT).
2020-04-17 15:07:25 -06:00
Laszlo Orban
481427f9f0
add missing shutdown of TLS connection
2020-04-17 07:00:19 -06:00
Todd C. Miller
a89ddb63fd
Disable systemd support on Linux systems that don't use it.
2020-04-16 15:32:07 -06:00
Todd C. Miller
024b146d06
1.9.0 final
2020-04-14 19:26:41 -06:00
Todd C. Miller
1034d3f5b6
Update PolyPkg from my branch with systemd support.
2020-04-14 19:25:49 -06:00
Todd C. Miller
75b9a26a37
If the signal.Signals enum is not present, search the dictionary.
...
The Signals enum was added in Python 3.5. If it is not present we
need to iterate over the dictionary items, looking for signal name
to number mappings. Fixes the signal tests with Python 3.4.
2020-04-09 10:49:59 -06:00
Todd C. Miller
57cef10ce9
Python dictionaries are sparse so we cannot use pos as an index.
...
When converting sudo options from a dictionary to a tuple we need
to track the current index into the tuple separately from the
position of the dictionary entry.
2020-04-09 08:34:29 -06:00
Todd C. Miller
324b237245
Fix handling of /etc/sudo_logsrvd.conf in the sudo-logsrvd package.
...
For rpm and deb we include the file directly and mark it volatile.
For all others we copy it in the postinstall script from the example
dir if the file doesn't already exist.
2020-04-08 15:46:30 -06:00
Todd C. Miller
eebe68233c
Check for the Sun Studio C compiler on Solaris under /opt.
...
Also initialize with_python to false.
2020-04-08 14:10:03 -06:00
Todd C. Miller
6d32858b4f
regen
2020-04-08 12:50:39 -06:00
Todd C. Miller
3bf4172272
Explicitly include stdio.h for getdelim(3)
2020-04-08 12:42:58 -06:00
Todd C. Miller
ce92674cc2
Reload sudo.conf upon SIGHUP
...
This makes it possible to update the Debug settings in sudo.conf and
have them take effect on reload.
2020-04-08 10:19:55 -06:00
Todd C. Miller
69b6783be6
Store the result of ERR_get_error() so we can use it for both warn and debug.
...
Otherwise, only the debug framework gets the actual error and the
user won't see the problem.
2020-04-08 09:26:41 -06:00
Todd C. Miller
18ff60f6ff
Disable IPv4-mapped IPv6 addresses in the listener.
...
Also store the host + port string and use it in error messages.
2020-04-08 08:54:28 -06:00
Todd C. Miller
55eb0a633c
Install the example sudo_logsrvd.conf unless one already exists
2020-04-08 08:54:27 -06:00
Todd C. Miller
700becabc0
Make the path to logsrvd_cert.pem match the documentation.
2020-04-07 19:40:08 -06:00
Todd C. Miller
e86106f2e1
Create the pid file parent directory if it doesn't already exist.
...
Also package the run directory in the sudo_logsrvd PolyPkg file.
2020-04-07 19:26:37 -06:00
Todd C. Miller
dfd5a88772
Sudo 1.9.0rc1
2020-04-07 15:08:26 -06:00
Todd C. Miller
d6684b851a
Build python packages where possible.
2020-04-07 14:03:58 -06:00
Todd C. Miller
0a10c702be
Split sudo_logsrvd and the python plugin into their own packages.
2020-04-07 14:03:58 -06:00
Todd C. Miller
ab18c22ab4
Remove bits for Tru64 kit-style packages
2020-04-07 14:03:58 -06:00
Todd C. Miller
6a2b5fd82f
Handle dependencies for .h files in the same directory as the source.
...
Fixes missing header dependencies for the sudoers and python plugins.
2020-04-07 14:03:58 -06:00