isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,322 Commits 1 Branch 0 Tags
978aa90021c439235a504b2405d0d6ca2cb15c1c
Commit Graph

3550 Commits

Author SHA1 Message Date
Todd C. Miller
d1f2452c08 getaddrinfo stub: set sin_port 2023-04-26 16:27:34 -06:00
Todd C. Miller
2898c85119 Avoid NULL deref in stub getaddrinfo() when nodename is NULL. 
Also add support for parsing servname.  We only need to support a
subset of getaddrinfo() functionality in the fuzzer.
 2023-04-26 13:23:31 -06:00
Todd C. Miller
cc22cca34f Add an fd argument to sudo_get_ttysize() instead of always using stderr. 
For sudoreplay we open /dev/tty, so use that instead of stderr when
determining the terminal size.
 2023-04-16 15:45:19 -06:00
Todd C. Miller
894daa88f6 Enable the use_pty option by default for sudo 1.9.14. 
GitHub issue #258
 2023-04-06 11:30:51 -06:00
Todd C. Miller
d7b8f3ffbf Split up the monolithic sudoers_policy_main() function. 
This splits the code to find the command, perform a sudoers lookup,
ask for a password as needed, and perform post-lokup checks out
into sudoers_check_common().  The old sudoers_policy_main() has
been replaced by sudoers_check_cmnd() (called by sudoers_policy_check()),
sudoers_validate_user() (called by sudoers_policy_validate()) and
sudoers_list() (called by sudoers_policy_list()).  The list_user
lookup is now performed in sudoers_list().
 2023-04-05 13:35:09 -06:00
Todd C. Miller
859a81ad24 Move the root_sudo check until after we apply per-command Defaults. 
It is possible, though unlikely, for "root_sudo" to be used in
a per-command Defaults statement.
 2023-04-05 13:25:32 -06:00
Todd C. Miller
ab4b947169 sudoers_policy_main: restore locale if sudoers_lookup() fails. 
Previously, if sudoers_lookup() set VALIDATE_ERROR, the sudoers
locale would still be in effect instead of the original locale.
 2023-04-01 10:22:07 -06:00
Todd C. Miller
fb0a36c1a5 sudoers_lookup_pseudo: remove validated function argument 
This was always set to FLAG_NO_USER|FLAG_NO_HOST which are cleared
at the top of the fuction.  Make validated a local variables,
initialized to 0, instead.  No change in behavior.
 2023-04-01 10:17:31 -06:00
Todd C. Miller
0a4c8872a8 The I/O log file name is not just the basename of the full iolog_path. 
The audit plugin already has the correct value for iolog_file, don't
overwrite it with basename(iolog_path).  In the future we may wish
to pass in iolog_file and iolog_dir in addition to iolog_path.
Fixes Bug #1046.
 2023-03-31 15:51:14 -06:00
Todd C. Miller
ac12f82d86 Warn with "unknown user" not "unknown uid" if user cannot be resolved. 
Prior to sudo 1.8 this was after a getpwuid() but now we use
getpwnam().
 2023-03-29 14:49:41 -06:00
Todd C. Miller
ad890acf6c Set timestamp_uid and timestamp_gid via a callback. 
This also makes it possible to include the location of the line in
the sudoers file in the warning message (and mail).
 2023-03-29 14:37:09 -06:00
Todd C. Miller
a17491972b Quiet compiler warnings on systems where pid_t is not an int. 
Historically, pid_t was a long on some 32-bit systems like Solaris.
 2023-03-22 14:48:49 -06:00
Todd C. Miller
775059156f Silence "used uninitialized" false positives with older gcc versions. 2023-03-22 13:52:43 -06:00
Todd C. Miller
c64993a0b3 visudo: restore controlling terminal after running the editor. 
Otherwise, visudo will get SIGTTOU if it tries to write to the
terminal after the editor finishes.  Also avoid races by setting
the process group ID in both the parent and child, and grant the
controlling terminal in the parent, not the child.
 2023-03-21 09:22:53 -06:00
Todd C. Miller
28ecbe4d51 Warn about ignored files in sudoers.d in visudo. 2023-03-20 18:29:33 -06:00
Todd C. Miller
8049e4e32f Replace sudoers_warnings with sudoers_verbose. 
This is now an int, with values > 1 reserved for visudo.
 2023-03-20 18:27:27 -06:00
Todd C. Miller
738387aa4d Split push_include() into push_include() and push_includedir(). 
This moves the "isdir" function argument to the internal version.
 2023-03-20 13:01:02 -06:00
Todd C. Miller
4b563ea44f Pass around const struct sudo_nss pointers where possible. 2023-03-17 13:41:38 -06:00
Todd C. Miller
1f19a6b72b Pass around const struct sudoers_parse_tree pointers where possible. 2023-03-17 13:31:36 -06:00
Todd C. Miller
70c533ec79 Move non-config-related macros to from sudo_ldap_conf.h to sudo_ldap.h. 2023-03-17 10:59:30 -06:00
Todd C. Miller
b965d222d8 sudo_ldap_netgroup_match_str: "-" in a netgroup can never match. 
We already check for a NULL value above so "str == NULL" is always
false.  Found by PVS-Studio.
 2023-03-15 10:06:04 -06:00
Todd C. Miller
d8e6396c55 Declare domain even if the system lacks innetgr(). 
Fixes a build error on musl-based systems like Alpine.
 2023-03-13 15:21:38 -06:00
Todd C. Miller
34933ef9d0 Remove unused sudoers_gc_init() function. 2023-03-11 08:06:54 -07:00
Todd C. Miller
c76ac1cab3 sudoers_cleanup: free cached environment before running g/c. 
Avoids a double free in fuzz_policy.
 2023-03-10 15:23:48 -07:00
Todd C. Miller
cd5cd45336 sudoers_cleanup: run the garbage collector at the end 2023-03-10 15:03:44 -07:00
Todd C. Miller
c09aabecdc Plugin a memory leak in intercept mode. 2023-03-10 15:00:20 -07:00
Todd C. Miller
33c385a78e Plug memory leak if ldap_get_option() fails with LDAP_NO_MEMORY. 2023-03-10 13:45:53 -07:00
Todd C. Miller
fc253048f5 Add LDAP-specific innetgr() implementation. 
Wheh netgroup_base is set we now do out own netgroup lookups using
LDAP.  Previously, LDAP was queried directly to get a list of the
netgroups the user belongs to but other netgroups queries went
through innetgr(3).  This makes it possible to use netgroups
in LDAP sudoers on systems that don't have an innetgr() function.
GitHub issue #251.
 2023-03-10 10:05:33 -07:00
Todd C. Miller
554df8d934 Move some functions from ldap.c to ldap_util.c. 
These will be used by the LDAP innetgr() implementation.
 2023-03-10 10:02:36 -07:00
Todd C. Miller
0aad96bba1 Add per-source innetgr function pointer and use it in netgr_matches(). 
This will be used to implement LDAP-specific netgroup lookups when
netgroup_base is set in ldap.conf.
 2023-03-08 13:44:22 -07:00
Todd C. Miller
689022978c A user with "list" privs for root may not list all users. 
A user with "sudo ALL" for root _is_ allowed to list any user.
 2023-03-03 13:57:27 -07:00
Todd C. Miller
452d63d6c1 sudoers_policy_list: do not set runas_pw to list_pw when listing 
This change introduced in sudo 1.9.13 is not actually needed.  The
"list" pseudo-command checks are performed via runas_matches_pw()
which does not use runas_pw.  GitHub issue #248
 2023-03-03 11:16:44 -07:00
Todd C. Miller
d9e9307d98 Fix "sudo -l command args", broken in sudo 1.9.13. 
The value of user_args should not contain the command to be run in
"sudo -l command args", only the arguments of the command being checked.
This restores the pre-1.9.13 behavior.  GitHub issue #249
 2023-03-03 11:12:18 -07:00
Todd C. Miller
b013711e48 Check for sudo_pow2_roundup() overflow. 
Calling sudo_pow2_roundup(INT_MAX+2) will return since there is no
power of 2 larger than INT_MAX+1 that fits in an unsigned int.
This is not an issue in practice since we restrict messages to 2Mib.
 2023-03-01 13:58:32 -07:00
Todd C. Miller
43378de75e Test non-fully qualified path name. 2023-02-28 09:11:26 -07:00
Todd C. Miller
7356a77969 Fix removal of y.tab.[ch] when generating gram.[ch]. 2023-02-28 09:06:48 -07:00
Todd C. Miller
172515c94d Add test for using "list" as user, runas and host. 2023-02-28 08:56:44 -07:00
Todd C. Miller
0197491e9c Move handling of the "list" pseudo-command from lexer to parser. 
The special handling of "list" in the lexer meant it could not
be used as a user, group or host, which was unintentional.
GitHub issue #246.
 2023-02-28 08:47:45 -07:00
Todd C. Miller
a4f31cff2b Plug memory leak with multiple matching CHROOT= entries. 
Found by oss-fuzz.
 2023-02-27 08:57:17 -07:00
Todd C. Miller
87ce692468 Fix potential double free for rules that include a CHROOT= option. 
If a rule with a CHROOT= option matches the user, host and runas,
the user_cmnd variable could be freed twice.
 2023-02-21 20:01:13 -07:00
Todd C. Miller
6c52056d36 Include error string when formatting a SLOG_PARSE_ERROR message if present. 2023-02-23 11:37:04 -07:00
Todd C. Miller
fb6740fa2e Add sudoers open errors to the list of parse errors sent via mail. 
Previously there would be one email for the open failure and a
separate one describing the parse error.  Now a single email message
contains everything.
 2023-02-22 18:49:09 -07:00
Todd C. Miller
1641c30ed6 visudo: quiet a compiler warning on Solaris 10. 
Also explicitly close /dev/tty fd instead of relying on closefrom()
in case the fd ends up being a value 0-2.
 2023-02-22 10:55:27 -07:00
Todd C. Miller
ba7b126451 Check tcsetpgrp() return value. 2023-02-21 16:34:12 -07:00
Todd C. Miller
0339337103 Run the editor in its own process group. 
This fixes suspending the editor on GNU Hurd which doesn't seem to
have proper process group signal handling.
 2023-02-21 16:14:14 -07:00
Todd C. Miller
1bcddb9602 Stub out pivot_root() and unpivot_root() for all but the sudoers module. 2023-02-21 14:46:27 -07:00
Todd C. Miller
8b9c1b962f Fix build when SUDOERS_NAME_MATCH is defined. 2023-02-21 13:47:27 -07:00
Todd C. Miller
b52631e877 Match using canonicalized directories where possible. 2023-02-21 13:24:33 -07:00
Todd C. Miller
0ef5373678 Add canon_path(), a realpath() wrapper that performs caching. 
This also adds a new user_cmnd_dir variable that stores the
canonicalized parent directory of the command to be run.
 2023-02-21 13:24:33 -07:00
Todd C. Miller
78ff514358 match_command: apply runchroot if set when matching the command 
Previously we would prepend runchroot to the path we were checking
but that does not properly handle symbolic links.
 2023-02-21 13:24:33 -07:00