Commit Graph

96 Commits

Author SHA1 Message Date
Todd C. Miller
dceab7d756 Break up the long help string into multiple printf() statements.
AIX xlc compiler doesn't like cpp directives in between strings.
Also fixes a complaint from cppcheck and makes translation easier.
2021-01-28 08:53:25 -07:00
Todd C. Miller
f6452c7caf Avoid potential use after free with eventlog-only connections.
Coverity CID 215884.
2021-01-02 10:43:34 -07:00
Todd C. Miller
c5a7f0eb42 When shutting down the server, close non-I/O log connections immediately.
Avoids a timeout during server shutdown while the server waits for
active connections to close.
2020-12-03 14:40:30 -07:00
Todd C. Miller
293911eed6 Don't try to unlink a NULL pointer. 2020-11-24 09:53:54 -07:00
Todd C. Miller
0f6d581abd If pid_file is set to an empty value, disable the use of a pid file. 2020-11-24 09:43:00 -07:00
Todd C. Miller
d0042eda9e Don't overwrite sudo_logsrvd.pid if it is a symbolic link. 2020-11-24 09:00:25 -07:00
Todd C. Miller
deb217adf9 On SIGHUP, deregister the old debug instance before registering a new one.
Otherwise, if debugging is enabled we will get an extra log instance
each time sudo_logsrvd reeives SIGHUP which results in duplicate
lines in the debug log.
2020-11-10 19:36:55 -07:00
Todd C. Miller
9779009fae Add info_msgs to AlertMessage and populate it.
This lets us log eventlog info along with the alert if it is available.
2020-11-09 17:15:11 -07:00
Todd C. Miller
f1ded289e1 Avoid early return in handle_accept() if expect_iobufs not set. 2020-11-04 05:15:07 -07:00
Todd C. Miller
e0c2635fb3 Apply Google inclusive language guidelines.
Also replace backwards with backward.
2020-10-30 10:15:30 -06:00
Todd C. Miller
bd1ca79cca Add support for mailing eventlog entries and for logging raw messages.
These will be used by the sudoers plugin.
2020-10-26 16:10:37 -06:00
Todd C. Miller
4652698f8e struct eventlog contains submit_time, no need to pass it in directly. 2020-10-26 15:43:02 -06:00
Todd C. Miller
c0e91d7586 Add an errstr argument to eventlog_alert(). 2020-10-26 15:41:47 -06:00
Todd C. Miller
db72498257 Use struct eventlog in place of struct iolog_info. 2020-10-26 15:31:41 -06:00
Todd C. Miller
8c43340474 Use libeventlog in sudo_logsrvd. 2020-10-26 15:26:02 -06:00
Todd C. Miller
e92d10011e Rename sa_len -> sa_size to avoid a conflict on UnixWare and others.
On some systems, sa_len is a #define for 4.4BSD compatibility.
2020-09-04 16:06:37 -06:00
Todd C. Miller
eaa95acb31 Post-process protoc-c files to avoid depending on anonymous unions.
Based on a patch from Michael Osipov.
GitHub issue #60
2020-09-04 13:17:51 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
cbad17a994 Move inclusion of compat headers up with the system headers.
Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h
before including the compat headers.
2020-08-12 10:07:07 -06:00
Todd C. Miller
985af422d2 Rename __dso_public -> sudo_dso_public and move to config.h. 2020-08-12 09:57:42 -06:00
Todd C. Miller
076d0376db We no longer need to include sudo_gettext.h before sudo_compat.h 2020-08-12 09:50:35 -06:00
Todd C. Miller
84f0ae0cb8 Use PACKAGE_VERSION instead of 0.1 as the client and server version. 2020-05-18 11:33:13 -06:00
Todd C. Miller
d2686dde0c Rename FLUSHED state to FINISHED
This makes more sense when receiving event-only logs.
2020-05-13 09:30:05 -06:00
Todd C. Miller
0337f5b735 Fix handling of connections without associated I/O logs.
This fixes reject events as well as accept events without the
expect_iobufs flag set.
2020-05-13 07:40:47 -06:00
Todd C. Miller
fc79cbc317 Only enable TLS listener by default if we have a cert for it.
We want the log server to work with the default configuration.  If
the default certificate path exists, it will be used with the default
listener.  If the user explicitly enabled a TLS listener we always
attempt to use it.  If TLS was specified but no cert file was set,
the default location will be used (and an error will occur if the
cert cannot be loaded).
2020-05-08 16:07:55 -06:00
Todd C. Miller
0cf2e09e0c Apply spelling fixes.
Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell)
2020-05-06 09:27:43 -06:00
Todd C. Miller
6901fc97ac Add a ClientHello message that client sends to the server.
This makes it easier to detect a plaintext client sending to a
TLS port.  Without this, the TLS server will be silent as it
waits for the client to initiate the TLS connection.
2020-05-05 13:23:26 -06:00
Todd C. Miller
1f8da42f9a Warn about tls errors during startup so the user has a clue.
We write messages to stderr until we become a daemon.
2020-05-05 13:23:26 -06:00
Todd C. Miller
e5f8214c0a Remove the tls parameter from the ServerHello message.
The TLS connection is now initiated before ServerHello is received.
2020-05-05 13:23:26 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS.
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client recieve an alert
from the server is there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
2020-05-05 13:23:26 -06:00
Todd C. Miller
2ab8f2a732 Check for tls_config->dhparams_path being non-NULL before using it. 2020-04-28 10:52:08 -06:00
Laszlo Orban
481427f9f0 add missing shudown of TLS connection 2020-04-17 07:00:19 -06:00
Todd C. Miller
ce92674cc2 Reload sudo.conf upon SIGUP
This makes it possible to update the Debug settings in sudo.conf and
have them take effect on reload.
2020-04-08 10:19:55 -06:00
Todd C. Miller
69b6783be6 Store the result of ERR_get_error() so we can use it for both warn and debug.
Otherwise, only the debug framework gets the actual error and the
user won't see the problem.
2020-04-08 09:26:41 -06:00
Todd C. Miller
18ff60f6ff Disable IPv4-mapped IPv6 addresses in the listener.
Also store the host + port string and use it in error messages.
2020-04-08 08:54:28 -06:00
Todd C. Miller
e86106f2e1 Create the pid file parent directory if it doesn't already exist.
Also package the run directory in the sudo_logsrvd PolyPkg file.
2020-04-07 19:26:37 -06:00
Todd C. Miller
c122e9bf62 Write process ID as an unsigned int (with a cast).
On Solaris, pid_t may be typedef'd as a long but the actual range
is 32 bits at most.
2020-03-29 09:11:57 -06:00
Todd C. Miller
f908ddd1bf Create a pidfile for sudo_logsrvd when not run with the -n flag. 2020-03-29 05:05:08 -06:00
Todd C. Miller
1b90f65609 sudo_logsrvd now exits with an error if it cannot open any listen sockets. 2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
84d9c7b241 Add configure check for SSL_CTX_get0_certificate().
Dummy out verify_server_cert() if it is not present to allow building
on older OpenSSL versions.  Rewriting this to work with old OpenSSL
is not worth the trouble.
2020-03-17 20:07:48 -06:00
Todd C. Miller
b308b63b50 Fix potential use-after-free; Coverity CID 208814 2020-03-11 19:28:36 -06:00
Todd C. Miller
f561e2cafe Store the event base in the client closure.
Explicitly passing the event base removes the need to set a default base.
2020-03-01 13:36:59 -07:00
Todd C. Miller
a0c2de4cef Re-register listeners on SIGHUP.
Previously, a config reload would refresh the listener address list
but the changes had no effect on the actual addresses being listened on.
2020-02-18 13:13:03 -07:00
Todd C. Miller
adb3bdf6dd Fix compilation error when not built with OpenSSL support.
Adds a missing #ifdef HAVE_OPENSSL and reorders code to avoid the
need for a static init_tls_server_context() prototype.
2020-02-18 10:35:30 -07:00
Todd C. Miller
5781a6a4cf Add support for JSON logging in sudo_logsrvd. 2020-02-17 16:10:56 -07:00
Todd C. Miller
25542216fe Fix support for reloading the config in sudo_logsrvd.
We need to re-initialize the TLS server context.
Also fix a memory leak of the TLS parameters on reload.
2020-02-17 15:01:38 -07:00
Todd C. Miller
ac61b5655d Use EXIT_SUCCESS and EXIT_FAILURE more consistently. 2020-02-08 12:43:00 -07:00
Todd C. Miller
589adfee2d Only keepalive if accept() succeeded; coverity CID 207990 2020-02-07 12:54:53 -07:00
Laszlo Orban
24c9438486 logserver option to disable certificate verification on server side and server authentication on client side 2020-01-23 10:12:12 -07:00