Todd C. Miller
817f63b05d
Realloc the buffer used to store argv and envp as needed.
...
We now store the vector immediately after the string table.
It is possible for argv and its contents to be invalidated
by realloc() when reading envp so we store the pointers as
offsets until we are done allocating.
2022-08-29 12:47:42 -06:00
Todd C. Miller
0d2f1c4a2b
ptrace_verify_post_exec: use /proc/PID/cmdline and /proc/PID/environ
...
There is no reason to read these directly from the tracee
when we rely on /proc being mounted to access /proc/PID/exe.
2022-08-28 18:59:41 -06:00
Todd C. Miller
234c56b87f
Protect ptrace_readv_string() with #ifdef HAVE_PROCESS_VM_READV
2022-08-28 08:27:30 -06:00
Todd C. Miller
922772c6cb
Rework the intercept section in "Preventing shell escapes".
2022-08-25 19:01:59 -06:00
Todd C. Miller
351175eb26
Update CodeQL Action to v2 using current example config.
2022-08-25 14:42:26 -06:00
Todd C. Miller
0af393e75b
Suppress PVS-Studio false positive.
2022-08-25 14:22:21 -06:00
Todd C. Miller
2902ebe067
intercept_check_policy_req: an empty argv[] is now supported
2022-08-25 14:21:12 -06:00
Todd C. Miller
14356c1940
Use process_vm_readv(2) and process_vm_writev(2) if available.
...
This is faster than reading/writing from/to the remote process one
word at a time using PTRACE_PEEKDATA and PTRACE_POKEDATA.
2022-08-25 12:37:19 -06:00
Todd C. Miller
36747f89a8
Skip all of check_user() for intercept unless intercept_authenticate set.
...
Previously we were calling the PAM approval modules even in intercept
mode which can take a lot of time. We may wish to make PAM approval
configurable in intercept mode in the future.
2022-08-25 09:35:42 -06:00
Todd C. Miller
22dad3f59c
Only set MODE_POLICY_INTERCEPTED on subsequent policy checks.
...
This fixes a bug where MODE_POLICY_INTERCEPTED was set too early
if the intercept option was set globally in sudoers. It should
only be set after the original command has executed.
2022-08-25 09:33:42 -06:00
Todd C. Miller
966eae6bf3
intercept_verify also compares the environment.
...
Also mention the overhead involved in checking things.
2022-08-23 11:12:51 -06:00
Todd C. Miller
3d995f7e58
ptrace_getregs: make compat check more generic
...
No need to use different checks for mips and non-mips, the compiler
will optimize away the superfluous check.
2022-08-22 11:46:46 -06:00
Todd C. Miller
4d58fc904d
Correct type of sudoers_audit.
...
GitHub issue #61
2022-08-22 09:04:44 -06:00
Todd C. Miller
a3a181df07
Fix shadowed variable warning.
2022-08-20 14:36:29 -06:00
Todd C. Miller
c948717bd4
Fix shadowed variable warning on aarch64.
2022-08-19 13:37:49 -06:00
Todd C. Miller
8145ad12da
Quiet another -Wwrite-strings warning.
2022-08-19 11:37:38 -06:00
Todd C. Miller
8eb619ac2b
ptrace_getregs: try to determine compat mode if caller doesn't know.
...
In ptrace_verify_post_exec(), we don't know whether the executable
that is now running is a native or compat binary. In most cases
ptrace_getregs() will be able to figure it out for us.
2022-08-19 11:34:40 -06:00
Todd C. Miller
b2d8909c19
ptrace_intercept_execve: fail syscall rather than killing process on error.
...
If the execve(2) args are bogus pointers, we should just return an
error instead of killing the process. For consistency with the
kernel, convert EIO from ptrace(2) to EFAULT.
Also convert some ptrace(2) warnings to debug printfs so sudo is less chatty.
2022-08-19 11:05:10 -06:00
Todd C. Miller
9f552471bc
Treat argv and closure->run_argv of different sizes as a mismatch.
...
If argv and closure->run_argv match up to the point where we hit a
NULL but one of them has additional entries, we still need to rewrite
argv.
2022-08-18 15:15:06 -06:00
Todd C. Miller
aef4a61886
Handle the case where argc is 0 when allocating space for argv.
...
We need to pass the pathname to the policy plugin in argv[0] so we
must be sure to allocate space for it even if argc is 0.
2022-08-18 15:12:21 -06:00
Todd C. Miller
76bd1bcc95
copy_vector: treat a NULL pointer as an empty vector.
...
Linux execve(2) allows argv to be NULL so we must allocate an empty
vector in this case and not return an error.
2022-08-18 15:10:42 -06:00
Todd C. Miller
48a9126a1b
Update debug_decl name for sudo_preload_dso -> sudo_preload_dso_alloc change.
2022-08-18 15:08:38 -06:00
Todd C. Miller
bc5016296d
Handle the case where argc is 0 when rebuilding argv.
...
We need to pass the pathname to the policy plugin in argv[0] so we
must be sure to allocate space for it even if argc is 0.
2022-08-18 15:07:25 -06:00
Todd C. Miller
23fa22975c
Handle sysconf(_SC_ARG_MAX) failure, Coverity CID 276504.
2022-08-18 10:32:19 -06:00
Todd C. Miller
d65bcf2ab3
Avoid a Coverity false positive.
2022-08-18 10:27:01 -06:00
Todd C. Miller
81a3339df9
Remove cast from time_t to int to avoid a Coverity false positive.
...
The cast should not be required.
2022-08-18 10:21:14 -06:00
Todd C. Miller
158facf6d5
Use multilib rules to look for a 64-bit group plugin on failure.
...
If sudo_dso_load() fails on a 64-bit system, try to load a 64-bit
native version of the file using system-dependent multilib rules.
If we don't support multilib on the platform, check for a version
of the file that ends in "64" before the .so suffix.
2022-08-11 19:34:50 -06:00
Todd C. Miller
68b26056f9
regen
2022-08-11 19:34:48 -06:00
Todd C. Miller
2f3afd14ed
In putenv(3) replacement reject a string with no '=' or that starts with one.
2022-08-08 07:43:00 -06:00
Todd C. Miller
6e08fa9fb2
Update copyright year for embedded zlib.
2022-08-05 10:09:39 -06:00
Todd C. Miller
a366c623f1
Use our own arc4random() in preference to the glibc version.
...
The glibc arc4random() may fail in chroot on older kernels and exit.
2022-08-04 13:11:07 -06:00
Todd C. Miller
9ebaabfdde
sudo_dso_load: restore original error for AIX on failure.
...
For AIX, if dlopen() fails we try again with RTLD_MEMBER set
and a default member (shr.o or shr_64.o). However, if that
also fails, the user will receive a useless error message
that doesn't correspond to the actual problem. We now retry
the original dlopen() if the fallback to RTLD_MEMBER fails,
which has the effect of restoring the original error message.
2022-08-04 09:35:06 -06:00
Todd C. Miller
184f0a2493
Merge pull request #165 from bdrung/xdg-current-desktop
...
Add XDG_CURRENT_DESKTOP to initial_keepenv_table
2022-08-02 15:45:08 -06:00
Todd C. Miller
b422ddea75
Sudo 1.9.12.
2022-08-02 14:28:30 -06:00
Todd C. Miller
9c61d7e6e9
Bump the sudo plugin minor version.
...
The "update_ticket" entry was added to the settings list and the
"intercept_verify" entry was added to the command_info list.
2022-08-02 14:28:29 -06:00
Todd C. Miller
556dacf1ff
Add a way to run a command without updating the cached credentials.
...
This can also be used to test for whether or not the user's
credentials are currently cached.
2022-08-02 14:28:28 -06:00
Todd C. Miller
2d94d329cf
Merge pull request #168 from likunyur/lky
...
Remove unnecessary initialization and casts.
2022-08-02 13:40:16 -06:00
Li zeming
393d9997cb
iolog/hostcheck: These two parameters do not need to be initialized and assigned, the following code is directly assigned
...
Signed-off-by: Li zeming <zeming@nfschina.com>
2022-08-02 13:39:48 -06:00
Li zeming
c27acf55ec
util/arc4random: (void*) type pointer passing address could remove cast
...
Signed-off-by: Li zeming <zeming@nfschina.com>
2022-08-02 13:39:40 -06:00
Todd C. Miller
210eb17cb7
Merge pull request #169 from kempstonjoystick/main
...
Fix incorrect SHA384/512 digest calculation.
2022-08-02 10:33:02 -06:00
Tim Shearer
e4f08157b6
Fix incorrect SHA384/512 digest calculation.
...
Resolves an issue where certain message sizes result in an incorrect
checksum. Specifically, when:
(n*8) mod 1024 == 896
where n is the file size in bytes.
2022-08-02 10:53:15 -04:00
Todd C. Miller
cf250354fc
Defer chdir(2) until sesh when running with SELinux.
...
We need to be running with the correct security context or the
chdir(2) may fail. GitHub issue #160.
2022-08-01 13:40:47 -06:00
Todd C. Miller
555474d3aa
Merge pull request #166 from c4rlo/patch-1
...
visudo.c: add nvim (Neovim) to lineno_editor list
2022-07-31 13:06:39 -06:00
Carlo Teubner
2b5dcf255d
visudo.c: add nvim (Neovim) to lineno_editor list
...
Neovim supports it: https://neovim.io/doc/user/starting.html#-+
2022-07-31 17:20:50 +01:00
Todd C. Miller
4de5e12ddb
Document the TOCTOU issue with intercept mode.
...
Describe how intercept_verify attempts to reduce the risk.
2022-07-29 20:18:55 -06:00
Todd C. Miller
3eb6e78569
Update a codespell exclude pattern.
2022-07-29 19:51:57 -06:00
Todd C. Miller
3ce19efca9
Add intercept_verify sudoers option to control execve(2) argument checking.
2022-07-29 15:22:27 -06:00
Todd C. Miller
b80b012de0
Use PTRACE_EVENT_EXEC to stop execution before return from execve(2).
...
We can now verify that the arguments match what we accepted before
the command actually runs. If there is a mismatch, the process is
killed. Shell scripts must be handled specially since the path
executed will be the interpreter, not the script name.
Linux allows interpreters to be nested up to 4 deep.
2022-07-29 15:22:26 -06:00
Todd C. Miller
620a563b54
Only set MODE_POLICY_INTERCEPTED if we are running a command.
...
Fixes an error with "sudo -l" when intercept is enabled globally.
2022-07-29 15:17:45 -06:00
Benjamin Drung
225feb386e
Add XDG_CURRENT_DESKTOP to initial_keepenv_table
...
Qt needs `XDG_CURRENT_DESKTOP` to be set to determine the correct theme.
Since `DISPLAY` and `XAUTHORITY` are already in the default table of
variables to preserve in the environment, just add `XDG_CURRENT_DESKTOP`
to it.
Bug: https://launchpad.net/bugs/1958055
Signed-off-by: Benjamin Drung <bdrung@ubuntu.com>
2022-07-29 11:35:47 +02:00