By default, sudoers will not require authentication of commands run
via an intercepted session. To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
It now takes an intercept fd as an optional argument instead of a
list of extra variables to add. This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.
This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global. This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
The log server now advertises a subcommands flag if it supports
logging subcommands (e.g. commands run from a sudo-spawned program
like a shell). The client should only log additional commands
during a session if this flag is set in the ServerHello message.
If the perm stack depth is non-zero when set_perms(PERM_INITIAL)
is called, rewind it first and re-initialize the stack depth to 0.
Fixes a user-after-free bug if set_perms(PERM_INITIAL) is called
multiple times.
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell. Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
The available size passed to strlcpy() was computed incorrectly.
Switch to updating the length after writing to the new prompt instead
of computing it each time. The actual buffer size is computed and
allocated correctly so there is no real consequence to this bug.
Found by Qualys.
Originally, there was a flag in the ServerHello message to indicate
that the client should verify the server cert, but this was removed
TLS was moved to a separate port. Client validation of the server
certificate is now configured in the sudoers file instead.
OpenSSL returns an error for SSL_accept() if TLS_client_method()
was used to generate the context (LibreSSL doesn't care).
Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method()
were used in the TLS client and server initialization code respectively.
This was refactored in sudo 1.9.7 to allow the code to be shared.
Bug #988
getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
For sudo-formatted logs, this is a record with "EXIT=number" and
potentially "SIGNAL=name" after the command. For JSON-format logs,
a new "exit" record is logged which contains an "exit_value" and
potentially "signal" and "core_dumped". JSON-format logs now incude
a UUID to associate the "exit" record with the "accept" record.
This is intended to provide a more useful error message if the
user defines a module which conflicts with a system python module.
For example, a module called test.py would conflicts with the system
python test module.
On systems where getgroups() returns results based on more than
just the per-process group vector in the kernel it is possible for
the number of groups to change in between invocations.
Based on GitHub PR #106 from Pierre-Olivier Martel.
