isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,255 Commits 1 Branch 0 Tags
8049e4e32f81424b01ac9c83eacefc3de3640ef5
Commit Graph

438 Commits

Author SHA1 Message Date
Todd C. Miller
7f3c670a13 Fix sudoers garbage collection and run it in policy fuzzer. 2021-02-14 14:01:31 -07:00
Todd C. Miller
776c57a81e Move create_admin_success_flag() to timestamp.c. 2021-02-13 15:48:21 -07:00
Todd C. Miller
197d6600fa Cleanup sudoers sources on denial and error too. 2021-02-12 19:52:11 -07:00
Todd C. Miller
df2931588a Fuzz sudoers policy module API. 
Includes a test case to reproduce CVE-2021-3156.
 2021-02-12 15:36:18 -07:00
Todd C. Miller
0663ffbc3f Use sudo_basename() instead of doing the equivalent manually. 2021-02-10 15:14:08 -07:00
Todd C. Miller
6c8242c357 Update comment about return values for resolve_host(). 2021-01-29 06:24:31 -07:00
Todd C. Miller
8ca47cc99d Fix compilation on systems without a native strlcpy() function. 2021-01-28 09:15:36 -07:00
Todd C. Miller
29acc64192 Refactor code to flatten an argument vector into a string. 
This is used when building up the user_args string.
 2021-01-27 21:27:14 -07:00
Todd C. Miller
2804c2c78e Add strlcpy_unescape() function to undo escaping from front-end. 
Includes unit test.
 2021-01-27 15:41:54 -07:00
Todd C. Miller
1f8638577d Fix potential buffer overflow when unescaping backslashes in user_args. 
Also, do not try to unescaping backslashes unless in run mode *and*
we are running the command via a shell.
Found by Qualys, this fixes CVE-2021-3156.
 2021-01-23 08:43:59 -07:00
Todd C. Miller
741cf082a3 Use debug_return_int() not debug_return_bool() to return -1. 
Found by PVS Studio.
 2021-01-04 14:48:43 -07:00
Todd C. Miller
b3173fdedc The runas user must be set before applying runas-based Defaults. 
This effectively backs out changeset f738f5ac5350, which made
it possible to log the command when an invalid user was specified.
The policy plugin API doesn't supply the command until the check
function, at which point we've already denied the command due to
the invalid user.  Bug #951.
 2020-12-20 08:43:34 -07:00
Todd C. Miller
63739dd326 Store the user-provided runas user and group name in struct sudo_user. 
This makes it available for event logging in case the name doesn't resolve.
 2020-12-05 09:05:42 -07:00
Todd C. Miller
008a0e8dc1 Store iolog_path in struct sudo_user for use in the event log. 2020-12-05 08:31:46 -07:00
Todd C. Miller
fd39e2d7d6 Defer lookup of runas user until sudoers_main() for better logging. 
The log message now includes user info and the command attempted.
 2020-12-04 13:49:37 -07:00
Todd C. Miller
7d0b19d2a0 Don't free the private copy of the environment until the close function. 
We may need to use it when logging from the audit reject function.
 2020-11-17 13:44:32 -07:00
Todd C. Miller
62547746d3 Rename iolog_client -> log_client. 
The logsrvd client code is now used for more than just I/O logging.
 2020-11-09 17:13:04 -07:00
Todd C. Miller
e0c2635fb3 Apply Google inclusive language guidelines. 
Also replace backwards with backward.
 2020-10-30 10:15:30 -06:00
Todd C. Miller
28d6771d24 Add log_format sudoers setting to select sudo or json format logs. 
Defaults to sudo-format logs.
 2020-10-27 15:26:02 -06:00
Todd C. Miller
fdae4bdbbb Add support for file log line wrapping in libeventlog. 2020-10-26 16:16:46 -06:00
Todd C. Miller
d899fe5936 Use real setters for the eventlog config. 
This makes it possible to have a base config that the callers can
modify instead of replacing the config wholesale.
 2020-10-26 16:10:42 -06:00
Todd C. Miller
a5a5cc7f85 sudoers_policy_store() -> sudoers_policy_store_result() 2020-10-16 05:56:03 -06:00
Todd C. Miller
bf9d208662 Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). 
It is called even when there is no command to execute.
Also pass in status of whether or not the command was accepted.
 2020-10-14 06:33:35 -06:00
Todd C. Miller
88dcdcd11d Fix -Wshadow warnings. 2020-09-25 15:09:45 -06:00
Todd C. Miller
f1d19f1d6e Add SLOG_AUDIT flag for log_warningx() to also audit the message. 
This lets us combine audit_failure() and log_warningx() calls with
the same message.
 2020-09-23 08:18:55 -06:00
Todd C. Miller
6ee731caff Log when user-specified command line options are rejected by sudoers. 
We already audit those but in some cases they were not logged as well.
 2020-09-23 08:02:43 -06:00
Todd C. Miller
6f8e1b9741 Fix potential NULL deref in debug code. 2020-09-23 08:59:18 -06:00
Todd C. Miller
c200e71637 Add callback for runchroot Defaults and require password -D/-R checks. 
Using a command-based Default for runchroot will still only work for
paths that exist both in and outside the chroot.
 2020-09-09 19:18:24 -06:00
Todd C. Miller
10d3d69aa1 Pass a struct to the match functions to track the resolved command. 
This makes it possible to update user_cmnd and cmnd_status modified
by per-rule CHROOT settings.
 2020-09-09 15:26:45 -06:00
Todd C. Miller
b6dbfe5094 Take the chroot into account when search for the command. 
This could a a user-specific chroot via the -R option, a runchroot
Defaults value, or a per-command CHROOT spec in the sudoers rule.
 2020-09-09 15:26:44 -06:00
Todd C. Miller
226307591c Log the runcwd not submitcwd in the sudo-style log file. 
The log entry should reflect the working directory the command
actually ran in.
 2020-09-02 11:23:26 -06:00
Todd C. Miller
1676f0ceeb Support "*" for CWD/CHROOT to allow user to specify cwd or chroot. 
Adds two new command line options, -D (--chdir) and -R (--chroot)
that can only be used when sudoers sets runcwd or runchroot to "*".
 2020-09-01 14:10:02 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
cbad17a994 Move inclusion of compat headers up with the system headers. 
Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h
before including the compat headers.
 2020-08-12 10:07:07 -06:00
Todd C. Miller
852d8c7953 Fix a typo in the audit string when "sudo -E" is not allowed. 2020-06-07 08:37:32 -06:00
Todd C. Miller
b519481912 Defer logging of the successful command until approval plugins have run. 
This adds audit plugin support to the sudoers module, currently
only used for accept events.  As a result, the sudoers file is now
initially parsed as an audit plugin.
 2020-06-02 09:07:46 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
dd88460800 We no longer need to include headers we don't use for sudo*.h files. 
Previously we needed to include headers required by the various
sudo*h files.  Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
 2020-05-18 06:47:04 -06:00
Todd C. Miller
5635c22f6b Add --disable-log-server and --disable-log-client configure options. 
These can be used to optionally disable building sudo_logsrvd and
support for remote I/O logging in the sudoers plugin respectively.
 2020-02-26 13:17:40 -07:00
Todd C. Miller
f6a264e719 Avoid calling sudoers_policy_exec_setup() on error. 
We only want to pass the execution environment back for commands
that are accepted or rejected.
Also avoid potentially freeing the wrong pointer when garbage
collection is enabled.
 2020-02-24 19:59:44 -07:00
Todd C. Miller
45e589d443 Pass back a failure or error string to the front end. 
The audit_failure() function now stores the failure string.
This will allow an audit plugin to log the reason if the user's
request is a rejected.
 2020-01-30 13:25:36 -07:00
Todd C. Miller
604945f93e Fix warning about unresolved host name with "sudo -l -h hostname". 
The resolve_host() function returns 0 on success, not bool.
 2020-01-28 13:00:54 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
4392b5726e Output the name of the limit when warning about setrlimit or getrlimit. 
From Kimmo Suominen.
 2019-12-18 09:42:14 -07:00
Todd C. Miller
b14d633ec6 Add runas_check_shell flag to require a runas user to have a valid shell. 
Not enabled by default.
 2019-12-09 19:29:45 -07:00
Todd C. Miller
df8f06609c Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs. 
Previous, sudo would always allow unknown user or group IDs if the
sudoers entry permitted it.  This included the "ALL" alias.
With this change, the admin must explicitly enable support for unknown IDs.
 2019-12-09 17:14:06 -07:00
Todd C. Miller
d10220162d Don't touch the local iolog sequence file if we are logging remotely 2019-11-18 13:51:52 -07:00
Todd C. Miller
635445d471 Transparently handle the "sudo sudoedit" problem. 
Some admin are confused about how to give users sudoedit permission
and many users try to run sudoedit via sudo instead of directly.
If the user runs "sudo sudoedit" sudo will now treat it as plain
"sudoedit" after issuing a warning.  If the admin has specified a
fully-qualified path for sudoedit in sudoers, sudo will treat it
as just "sudoedit" and match accordingly.  In visudo (but not sudo),
a fully-qualified path for sudoedit is now treated as an error.
 2019-11-05 15:18:34 -07:00
Todd C. Miller
ee91b7360b Simplify expand_iolog_path() 2019-10-24 20:04:33 -06:00
Todd C. Miller
7ba7c5835e Enable sudo_logsrvd.conf settings. 2019-10-24 20:04:31 -06:00