isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,977 Commits 1 Branch 0 Tags
657897b8bf608b51e675545f6086567d23e9ee79
Commit Graph

10977 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
050e91f8d1 Forward the journaled entry after it has been stored locally. 2021-04-23 16:56:18 -06:00
Todd C. Miller
280fabac38 Stash the value of the store_first config setting in connection_closure. 
If the configuration changes it should not affect a connection that
is already in progress.
 2021-04-23 16:56:17 -06:00
Todd C. Miller
c2d3070fa1 Journal messages to disk when store_first is set in the relay section. 
Instead of forwarding messages immediately, they are journaled
locally in wire format.
This will be used to implement relay store-and-forward mode.
 2021-04-23 16:55:30 -06:00
Todd C. Miller
6f5b353e87 Add configuration for sudo_logsrvd store-and-forward mode. 
Adds "relay_dir" and "store_first" settings to sudo_logsrvd.conf
in the [relay] section.  Also adds a --with-relaydir configure
argument to change the default value (usually /var/log/logsrvd-relay.
 2021-04-23 16:54:15 -06:00
Todd C. Miller
727056e0c9 Make sure SIGCHLD is not ignored when sudo is executed. 
If SIGCHLD is ignored there is a race condition between when the
process is executed and when the SIGCHLD handler is installed.
This fixes the bug described by GitHub PR #98
 2021-04-23 07:41:27 -06:00
Todd C. Miller
b0a32fe738 Remove the HP-UX 11.0 pread64() hack, it causes problems on modern HP-UX. 2021-04-20 14:59:19 -06:00
Todd C. Miller
6717415e73 Add minimum value to consider when overriding resource limits. 
Currently only used for RLIMIT_DATA and RLIMIT_AS.

This works around a problem on HP-UX where setting RLIMIT_DATA
changes the resource limits for both 32-bit and 64-bit processes.
HP-UX processes start out with RLIMIT_DATA set based on the values
of the maxdsiz and maxdsiz_64bit kernel tunables, depending on
whether they are 32-bit or 64-bit.  By default this limit is 1GB
for 32-bit processes and 4GB for 64-bit.  However, once RLIMIT_DATA
is changed, it does not appear to be possible to restore the old
values.  This can result in a 64-bit process that is executed by a
32-bit shell getting the 32-bit RLIMIT_DATA instead of the 64-bit
one.  Bug #973
 2021-04-20 14:31:40 -06:00
Todd C. Miller
32f742389b Don't use msg_len as a length after converting it to network byte order. 2021-04-19 16:28:18 -06:00
Todd C. Miller
110d9667e5 Use the packed message buffer when relaying if possible. 
There's no need to rebuild the message buffer for anything but
RestartMessage and ClientHello.
 2021-04-19 09:44:37 -06:00
Todd C. Miller
935daf6b7e Allocate the data buffer in get_free_buf() too. 
We always know the size of the data buffer we need at allocation time.
 2021-04-18 17:10:53 -06:00
Todd C. Miller
3dce67ec10 Relay ChangeWindowSize and CommandSuspend events too. 2021-04-17 07:59:13 -06:00
Todd C. Miller
7c2224584d Regenerate test output with python 3.10a7 
Also adjust debug tests so they pass on older python versions
 2021-04-16 15:24:12 -06:00
Todd C. Miller
5ffa915c9c determine Python (3.10) version number correctly. 
from upstream automake
 2021-04-16 14:06:07 -06:00
Todd C. Miller
fbbf602664 Move python.m4 and runlog.m4 to the m4 directory. 
Previously they were inline in aclocal.m4.
 2021-04-16 13:41:43 -06:00
Todd C. Miller
d76cc96af6 Add hiuxmpp where we have hpux for special cases. 
Also move the HP-UX 11.00 pread(2) workaround into the section where
pread(2) is tested for, not before it.
 2021-04-15 13:07:13 -06:00
Todd C. Miller
620b0dec86 Only replace the last instance of "sudo" in example and doc dir. 
Otherwise we end up with weird paths for a prefix like /opt/sudo.
 2021-04-15 10:31:28 -06:00
Todd C. Miller
a1323ba43b Fix lint warning. 2021-04-13 14:29:59 -06:00
Todd C. Miller
556b8f62cb Mention relay mode and update TLS example. 2021-04-13 14:24:50 -06:00
Todd C. Miller
d028410bf7 If libssl_dep was not passed in, use ldd to determine its value. 
Normally, mkpkg will figure this out, but if the user does "make
package" outside of the mkpkg script, libssl_dep will not be set.
 2021-04-13 10:00:57 -06:00
Todd C. Miller
28d41cecad Enable the use of OpenSSL if log client/server not disabled. 
This adds a dependency on OpenSSL unless it is explicitly disabled
(--disable-openssl) or the sudo log client and server are disabled
(--disable-log-client and --disable-log-server).
 2021-04-12 14:10:49 -06:00
Todd C. Miller
b8fda5b0a9 configure aux scripts moved to the scripts directory 2021-04-09 16:30:39 -06:00
Todd C. Miller
4e9baba2b5 Set logsrvd_config to NULL in logsrvd_conf_cleanup() after freeing it. 
Fixes a double free in fuzz_logsrvd_conf (but not sudo_logsrvd itself).
Also fix linking fuzz_logsrvd_conf with OpenSSL.
 2021-04-09 14:02:50 -06:00
Todd C. Miller
e4e0e734b9 Update sudo_logsrvd.conf fuzzer to match configuration changes. 2021-04-09 13:34:36 -06:00
Todd C. Miller
ae77355eda Document relay configuration changes. 2021-04-09 12:58:57 -06:00
Todd C. Miller
163a5f08b5 Move relay configuration into its own section and add TLS options. 
TLS options in the relay section will be used if specified, otherwise
the TLS options from the server section are used.
 2021-04-08 19:14:05 -06:00
Todd C. Miller
25d4dd8e6d Add "server" and "relay" to getters/callbacks specific to server and relay. 2021-04-08 19:09:55 -06:00
Todd C. Miller
90770794db Remove struct logsrvd_tls_config. 
Now that the SSL context is initialized in logsrvd_conf.c there's
no need to export TLS configuration other than tls_check_peer.
 2021-04-08 18:07:59 -06:00
Todd C. Miller
9779996c3c No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. 2021-04-08 15:39:26 -06:00
Todd C. Miller
990fa4f5ad Move allocation of the TLS context to logsrvd_conf_apply(). 
This way we get certificate errors at configuration time, not after.
It also means that a change to the config file that renders the TLS
settings invalid will no longer cause the server to exit.  The new
config will just be ignored as if there was a syntax error.
 2021-04-08 15:31:33 -06:00
Todd C. Miller
8f0c16f06e Only initialize the SSL library once. 2021-04-08 15:14:13 -06:00
Todd C. Miller
c2909e20ee Sanity check struct timespec in timestamp file. 
Coverity CID 220564
 2021-04-07 11:10:17 -06:00
Todd C. Miller
394673cbf5 Check lseek(fd, 0, SEEK_CUR) for -1 return value. 
Not actually possible in practice.  Coverity CID 220568.
 2021-04-07 10:59:12 -06:00
Todd C. Miller
42865567d7 Check for NULL ifa->ifa_addr and ifa->ifa_netmask in both loops. 2021-04-07 08:15:10 -06:00
Todd C. Miller
52c29aa7a0 Plug memory leak on overflow; Coverity CID 220556 2021-04-06 21:38:43 -06:00
Todd C. Miller
37e8b58684 In schedule_commit_point() do not free the closure on error. 
It is the caller's responsibility to free resources on error.
Coverity CID 220557
 2021-04-06 19:13:33 -06:00
Todd C. Miller
a2e4f53642 Cast NULL terminator argument to char * when calling sudo_mkgrent(). 
Avoids a portability issue on systems where NULL is not a pointer.
 2021-04-06 18:57:33 -06:00
Todd C. Miller
d92610ee43 Rename LOGSRVD_DEFAULT_CIPHER_LST13 to DEFAULT_CIPHER_LST13 2021-04-06 17:03:30 -06:00
Todd C. Miller
5cb5a45bab Include string.h for strerror(3) prototype. 2021-04-06 16:54:30 -06:00
Todd C. Miller
3f1a76cb83 Move connect_relay_tls() so we don't need a prototype for it. 
Fixes a warning when sudo is not configured to use OpenSSL.
 2021-04-06 16:53:35 -06:00
Todd C. Miller
3aec794b75 Document relay and connect_timeout server settings. 2021-04-06 16:30:41 -06:00
Todd C. Miller
86c815fd61 Add logsrvd_conf_cleanup() to free the conf data structures on exit. 
There is no longer a need to do anything in shutdown_cb() other
than break out of the event loop.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
ec52810c0b Don't allow a wildcard address for the relay parameter. 2021-04-06 14:44:19 -06:00
Todd C. Miller
30f57bcdce Add sa_host to struct server_address as a ref counted string. 
Also convert sa_str to ref counted string.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
2db9e64214 Move reference-counted string code from sudoers to libsudo_util. 
It will be used by sudo_logsrvd too.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
b1c4de2088 Add support for relaying to another sudo_logsrvd via TLS. 2021-04-06 14:44:19 -06:00
Todd C. Miller
d60b8a791c Add a relay mode to sudo_logsrvd where it forwards instead of stores. 
Relay hosts are be specified in the server section of sudo_logsrvd.conf.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
343100307d Split most of server_commit_cb() out into schedule_commit_point(). 
This allows it to be used by the relay code too.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
533fcc3f02 Try to send an error message to client for some client_msg_cb() failures. 2021-04-06 14:44:19 -06:00
Todd C. Miller
8101b23e54 Rename listen_address -> server_address and add reference counting. 
This will be used by the upcoming relay mode.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
72c40ae0e1 Move common TLS client code to tls_client.c and use it in sendlog.c. 2021-04-06 14:44:19 -06:00