isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,310 Commits 1 Branch 0 Tags
901b2666fc2958852acf3a4868ad3c27ffb69601
Commit Graph

120 Commits

Author SHA1 Message Date
Todd C. Miller
70d519c8ad o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. 
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
  a pointer to a struct sudoers_parse_tree which will be filled in
  by the getdefs() and query() functions.
 2018-07-26 15:12:33 -06:00
Todd C. Miller
154a5f59a9 Move digest code into libutil 2018-05-24 21:04:07 -06:00
Todd C. Miller
71e98d9493 Include parse.h in sudoers.h since it will soon be required. 2018-05-14 09:05:02 -06:00
Todd C. Miller
4a3aa5f6e6 Add debug warning if lseek() fails (should not be possible). 2018-05-11 07:51:43 -06:00
Todd C. Miller
7b1e78d6df Fix swapped args of lseek() when rewinding. This didn't cause a 
problem because the value of SEEK_SET is 0.
 2018-05-11 07:45:22 -06:00
Todd C. Miller
a18e811485 O_EXEC for fexecve() not O_SEARCH. 2018-04-25 14:55:55 -06:00
Todd C. Miller
cfdae3a4fd Move the check for /dev/fd/N until *after* the digest has been 
checked.  We still need to be able to check the digest even if there
is no /dev/fd/N or fexecve().
 2018-04-24 07:21:08 -06:00
Todd C. Miller
64c78a61cb Rewind the fd after calling sudo_filedigest(). Otherwise, when 
running a script via fexecve(), the interpreter may get EOF when
reading /dev/fd/N.  This only appears to affect BSD systems with
fdescfs.  Bug #831.
 2018-04-23 20:43:04 -06:00
Todd C. Miller
6e22da3412 In open_cmnd(), return true, not false, if we the /dev/fd/N pathname 
is not present.  We don't want to fail a match because of this.
 2018-04-23 14:42:35 -06:00
Todd C. Miller
def2e761e3 We can only use fexecve() on a script if /dev/fd/N exists. 
Some systems, such as FreeBSD, don't have /dev/fd mounted
by default.  Bug #831
 2018-04-23 10:54:51 -06:00
Todd C. Miller
1bfe03000d Prune alias contents when pruning and expanding aliases. 
This abuses the userlist_matches_filter() and hostlist_matches_filter()
functions.  A better approach would be to call the correct function
from user_matches() and host_matches().
 2018-04-15 08:14:46 -06:00
Todd C. Miller
7663ae7b27 Add option to prune non-matching entries from cvtsudoers output with -m 
option is used.
 2018-04-04 09:51:05 -06:00
Todd C. Miller
e26ef96a65 Add case_insensitive_group and case_insensitive_user sudoers options, 
which are enabled by default.
 2018-03-05 10:42:02 -07:00
Todd C. Miller
fff4acc1f7 Use a case-insensitive comparison when matching user and group names 
in sudoers with the passwd or group database.  This can be necessary
when users and groups are stored in AD or LDAP.
 2018-03-01 20:31:01 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
b5e7b7bd2c Move the file digest code out of match.c and into filedigest.c. 
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.
 2017-02-20 16:44:12 -07:00
Todd C. Miller
ba8f756695 Always set the close-on-exec bit on the fd used to generate the 
digest (i.e. the command to run) on systems that lack fexecve(2).
That way we don't need to explicitly close it using #ifdefs.
 2017-01-27 09:26:51 -07:00
Todd C. Miller
26b8dc11bf Fix fdexec=never when a digest is present. 2017-01-23 07:43:32 -08:00
Todd C. Miller
413e1100b8 Add new fdexec sudoers setting to allow choose whether execve() or 
fexecve() is used.
 2017-01-22 18:56:16 -08:00
Todd C. Miller
5514ea6851 Add support for digest matching when the command is a glob-style 
pattern or a directory.  For example:

millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/
millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/*

would only match /bin/ls (assuming the digest matches).

Previously, only explicit path matches checked the digest.
 2017-01-21 16:43:46 -07:00
Todd C. Miller
1bccd14180 runas_pw can no longer be NULL 2016-09-19 06:08:00 -06:00
Todd C. Miller
b165a5ff71 Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding 
whether to check runas user/group instead of checking runas_pw or
runas_gr.
 2016-09-15 13:47:38 -06:00
Todd C. Miller
d2af18c1fa runas_pw can no longer be NULL here 2016-09-15 09:40:41 -06:00
Todd C. Miller
ef82f792a1 Update check for whether or not the runas user was set in the ldap 
and sssd backends to match the sudoers file backend.  Introduces
the runas_user_set() macro to improve readability.  Previously,
runas_pw was set late, now it is set before checking sudoers.
 2016-09-15 09:37:53 -06:00
Todd C. Miller
ca2a1f3109 Don't check the username when matching a host netgroup unless 
def_netgroup_tuple is enabled.
 2016-09-13 09:12:42 -06:00
Todd C. Miller
c73dec723c Move valid domain name check into a new valid_domain() function. 
Fix memory leak if getdomainname(2) fails and avoid using heap
garbage for the domain name matching in this case.
 2016-09-13 09:06:25 -06:00
Todd C. Miller
3f022419ae Be consistent with the naming of the variable used to store the 
function return value.  Previously, some code used "rval", some
used "ret".  This standardizes on "ret" and uses "rc" for temporary
return codes.
 2016-09-08 16:38:08 -06:00
Todd C. Miller
a08ea1b14d Set runas_pw early and adjust runaslist_matches() to deal. Since 
we now set runas_default early there is no need to call update_defaults
with SETDEF_RUNAS after sudoers has been parsed.
 2016-08-10 10:56:05 -06:00
Todd C. Miller
e2de0027dc When matching paths with glob(3), check returned matches against 
user_cmnd first if it is fully-qualified.  This avoids a lot of
needless stat(2) calls and avoids a mismatch between safe_cmnd and
argv[0] if there are multiple matches with the same inode/dev due
to links.  Bug #746.
 2016-06-09 11:41:09 -06:00
Todd C. Miller
6473d55aa7 Cast the return value of fcntl() to void when setting FD_CLOEXEC. 
Coverity CID 104063, 104064, 104069, 104070, 104071, 104072, 104073, 104074
 2016-05-05 16:16:24 -06:00
Todd C. Miller
5a77989a33 Add support for matching the entire netgroup tuple (user, host, domain). 2016-01-12 14:59:44 -07:00
Todd C. Miller
089b468de7 Silence warning in digest_matches() on systems with no fexecve(2). 2016-01-11 16:55:52 -07:00
Todd C. Miller
b20977d445 Add support for using fexecve() if supported on commands that are 
checksummed.
 2016-01-04 10:35:18 -07:00
Todd C. Miller
7761af6d7e Add always_query_group_plugin 2015-10-24 05:43:07 -06:00
Todd C. Miller
bfb1cead60 When decoding base64, avoid using '=' in the decoded temporary array 
as a sentinel as it can legitimately be present.  Instead, just use
the count of bytes stored in the temp array to determine which bytes
to fold into the destination.
 2015-09-01 10:24:59 -06:00
Todd C. Miller
d4211081c0 Add some debugging printfs when malloc fails and we don't have an 
explicit call to sudo_warnx().
 2015-07-14 15:28:01 -06:00
Todd C. Miller
d77941c2be We require POSIX so no need to conditionally include dirent.h. 
Add a check for d_namlen and use the result in the NAMLEN macro.
 2015-07-02 09:24:48 -06:00
Todd C. Miller
0b241088b3 There's no need to conditionalize the #include <unistd.h>, we require 
a POSIX system.
 2015-07-02 09:08:28 -06:00
Todd C. Miller
4a07b472f0 Only include stddef.h where it is needed. 2015-06-20 05:34:35 -06:00
Todd C. Miller
c36415417f Add function name to "unable to allocate memory" warnings. 2015-06-19 14:51:17 -06:00
Todd C. Miller
dc883f2454 We require ANSI C so stop using the obsolete STDC_HEADERS. 2015-06-19 14:29:27 -06:00
Todd C. Miller
d004b02fc6 Use non-exiting allocatings in the sudoers plugin. 2015-06-17 06:49:59 -06:00
Todd C. Miller
c80b9c9457 In usergr_matches() matched should be bool but we have to take care 
to handle group_plugin_query() returning a value other than 0/1.
 2015-05-07 10:56:12 -06:00
Todd C. Miller
caf5d45e0f Previously, debug_return_bool was the same as debug_return_int 
except that it logged true/false for 1/0.  However, this appears
to trigger a bug in some compilers.  To avoid this, debug_return_bool
now uses bool, not int.  Callers that were passing it an int have
been converted to use debug_return_int instead.
 2015-05-07 10:33:23 -06:00
Todd C. Miller
be8dbeb22e Avoid using HOST_NAME_MAX directly and use sysconf(_SC_HOST_NAME_MAX) 
instead.
 2015-02-19 20:28:02 -07:00
Todd C. Miller
536c83cec3 Solaris uses sysinfo(SI_SRPC_DOMAIN) instead of getdomainname() to 
get the host's NIS domain.
 2015-02-03 07:33:24 -07:00
Todd C. Miller
15717c518e Actually use the check for prior initialization in sudo_getdomainname(). 2015-02-02 15:38:03 -07:00
Todd C. Miller
59ab26dbcc Go back to a 2 args debug_decl and just use the "default" instance, 
now renamed "active".
 2015-02-01 08:24:49 -07:00
Todd C. Miller
7ec9cfb493 When querying LDAP netgroups, use the NIS domain if it is sent but 
also match nisNetgroupTriple entries that have no domain.
 2015-01-30 14:45:22 -07:00
Todd C. Miller
e9914a91b1 The sudoers plugin now defines its own list of debugging subsystem names 
and defines.
 2014-10-22 13:30:52 -06:00