isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,420 Commits 1 Branch 0 Tags
a08ea1b14d34d7e363bfa38528049c034b4c0620
Commit Graph

1767 Commits

Author SHA1 Message Date
Todd C. Miller
734b43c6b0 regen 2016-06-06 10:07:58 -06:00
Todd C. Miller
3169259821 Ignore empty ipa_hostname 2016-06-05 14:42:54 -06:00
Todd C. Miller
c6a21bd53d Better martching of ipa_hostname in sssd.conf 2016-06-05 05:40:32 -06:00
Todd C. Miller
9b027676c0 Use the value of ipa_hostname from /etc/sssd/sssd.conf if present 
instead of the system hostname.
 2016-06-04 19:52:10 -06:00
Todd C. Miller
ccf88d3bb2 When matching host, short-circuit the loop when we get a match. 
Only check username as part of the netgroup when netgroup_tuple is
enabled.
 2016-06-03 14:07:40 -06:00
Todd C. Miller
a71cac91f2 Avoid using !strcmp() 2016-06-03 13:58:12 -06:00
Todd C. Miller
b6beccf19e SSSD doesn't handle netgroups, we have to ensure they are correctly filtered 
in sudo. The rules may contain mixed sudoUser specification so we have to
check not only for netgroup membership but also for user and group matches.
Adapted from a patch from Daniel Kopecek.
 2016-06-02 10:47:39 -06:00
Todd C. Miller
a24f4b8248 Return PAM_CONV_ERR from the conversation function if getpass returns 
NULL or the user pressed ^C.
 2016-06-01 14:48:31 -06:00
Todd C. Miller
7a35bab8c8 Make base64 decoding table-driven. 2016-06-01 12:43:02 -06:00
Todd C. Miller
fc517ba9f8 Back out cfa26b99228f, it was already fixed differently. 
Caught by regress checks.
 2016-06-01 12:38:53 -06:00
Todd C. Miller
6c3c03ea26 Allow double-quoted groups and netgroups to be part of a Defaults spec. 
From Daniel Kopecek.
 2016-05-31 13:50:38 -06:00
Todd C. Miller
461a419d04 For sudo -ll (long list) print the SSSD role just like we do 
for the LDAP backend.  Adapted from sudo-1.8.6p3-sssdrulenames.patch
 2016-05-31 13:07:31 -06:00
Todd C. Miller
db2c732931 sudo_version should be unsigned 2016-05-25 08:44:53 -06:00
Todd C. Miller
4d36fbec2f sync with translationproject.org 2016-05-25 08:41:45 -06:00
Todd C. Miller
63dbb74250 Korean translation for sudo and sudoers from translationproject.org. 2016-05-25 08:41:27 -06:00
Todd C. Miller
5e1084c08a Ignore PAM_SESSION_ERR from pam_open_session() since this can 
apparently happen on systems using Solaris-derived PAM.  Other
errors from pam_open_session() are treated as fatal.  This avoids
the "policy plugin failed session initialization" error message
seen on some systems.
 2016-05-25 08:33:57 -06:00
Todd C. Miller
58ffab1dfa There's no need to escape forward slashes in JSON output. While 
it is legal to escape a forward slash, it is not required.
 2016-05-23 11:29:17 -06:00
Todd C. Miller
eb4510597b Don't try to fflush(export_fp) or ferror(export_fp) if export_fp 
is NULL, which can happen on the error path.
 2016-05-16 14:16:08 -06:00
Todd C. Miller
a2e541aef8 O_NOCTTY has no effect when opening /dev/tty as the open can only 
succeed if there is already a controlling tty.
 2016-05-16 11:17:20 -06:00
Todd C. Miller
b9dde14808 No need to set pass to NULL after freeing at the end of the loop 
it since it is already set to NULL each time through the loop.
 2016-05-16 10:18:31 -06:00
Todd C. Miller
787912fa91 Check fprintf() return value in writeln_wrap() and return the number 
of characters actually written, or -1 on error.
 2016-05-14 19:38:23 -06:00
Todd C. Miller
9d526c1af5 Do not write directly to stdout/stderr, use sudo_printf which calls 
the conversation function.
 2016-05-14 19:34:13 -06:00
Todd C. Miller
90fdb6a316 Do not write directly to stdout/stderr, use sudo_printf which calls 
the conversation function.
 2016-05-14 19:33:28 -06:00
Todd C. Miller
578af5af4d Use ferror() after fflush() to check the error status of the stdio 
stream we wrote to.
 2016-05-14 18:48:20 -06:00
Todd C. Miller
6d63ed8a92 printf() returns < 0 on error, not explicitly -1 2016-05-13 14:48:00 -06:00
Todd C. Miller
4f46e07209 Avoid adding an extraneous warning string to sudoers.pot. 2016-05-12 10:33:32 -06:00
Todd C. Miller
b0be9895d9 Now that pam_open_session() failure is fatal we should print and log 
an error from it.  Bug #744
 2016-05-11 15:01:45 -06:00
Todd C. Miller
05db5aa3b8 Remove sudo_mkpwcache() and sudo_mkgrcache(). We now create the 
caches as needed on demand.  Also remove calls to sudo_freepwcache()
and sudo_freegrcache() that are immediately followed by execve(),
they are not needed.
 2016-05-11 09:40:31 -06:00
Todd C. Miller
23d288563e Eliminate use of setpwent()/endpwent() and setgrent()/endgrent(). 
Sudo never iterates over the passwd or group file.
Rename sudo_set{pw,gr}ent() -> sudo_mk{pw,gr}cache() and
use sudo_free{pw,gr}cache() instead of sudo_end{pw,gr}ent().
 2016-05-11 07:06:45 -06:00
Todd C. Miller
8b4de84049 Remove unnecessary NULL checks in the RUNAS_CHANGED macro. The 
only place where the pointers could be NULL is in visudo_json.c but
we already check for "next" being NULL there.  Quiets a cppcheck
warning.
 2016-05-10 06:32:55 -06:00
Todd C. Miller
398ddd0467 In replay_session() free iov at the end of the function (if needed) 
instead of after processing each line from the timing file.
Coverity CID 104843.
 2016-05-09 14:54:26 -06:00
Todd C. Miller
e528cad795 Add io_log_read() and io_log_gets() to hide differences between 
gzread/fread and gzgets/fgets.  Check for premature EOF and error
from io_log_read().  Also sanity check the index in the timing file.
Coverity CID 104630.
 2016-05-09 14:27:33 -06:00
Todd C. Miller
194c7c8069 In sudo_krb5_copy_cc_file() move the close(ofd) to the done: label 
so we only have to cleanup in one place.  Coverity CID 104577.
 2016-05-07 08:18:27 -06:00
Todd C. Miller
0568fa90cf Fix memory leak in sudo_netgroup_lookup() in the non-error case. 
Coverity CID 104572, 104573, 104574, 104575.
 2016-05-07 07:57:15 -06:00
Todd C. Miller
334b8f36a8 Fix fd leak in sudo_krb5_copy_cc_file() if restore_perms() fails. 
Coverity CID 104571.
 2016-05-07 07:49:35 -06:00
Todd C. Miller
b84b2e6805 Free the events and event base before returning from replay_session(). 
Coverity CID 104116, 104117.
 2016-05-07 05:16:03 -06:00
Todd C. Miller
bbda2e7b5b Fix memory leak in get_editor() if resolve_editor() fails with 
an error.  Coverity CID 104107.
 2016-05-07 04:59:56 -06:00
Todd C. Miller
96f5fe4cd0 Ignore the return value of the initial sudoersparse(), before 
we have actually edited any files.  Coverity CID 104078.
 2016-05-07 04:52:21 -06:00
Todd C. Miller
edd1a1cac5 In fill_args() clean up properly if there is an internal overflow 
(which should not be possible).  Coverity CID 104569.
 2016-05-07 04:37:55 -06:00
Todd C. Miller
0ecc6025a2 Fix logic inversion in sudoers_gc_remove(), currently unused. 
Coverity CID 104568
 2016-05-07 04:33:45 -06:00
Todd C. Miller
c56a812ea2 In io_mkdirs(), change the order from stat then mkdir, to mkdir then stat. 
This more closely matches what "mkdir -p" does.
Coverity CID 104120.
 2016-05-06 16:42:42 -06:00
Todd C. Miller
602ed0c747 In ts_mkdirs(), change the order from stat then mkdir, to mkdir then stat. 
This more closely matches what "mkdir -p" does.
Coverity CID 104119.
 2016-05-06 16:37:20 -06:00
Todd C. Miller
5ee1e5bbcb Newer versions of Ubuntu have switched from using the "admin" group 
to the "sudo" group to align with Debian.  create_admin_success_flag()
now accepts either one.
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1387347
 2016-05-06 14:30:46 -06:00
Todd C. Miller
7a86430d41 Cast off_t printed via printf(3) instead of assuming it is long long. 2016-05-06 14:17:32 -06:00
Todd C. Miller
151e03fb5b Instead of using stat(2) to see if the admin flag file exists and 
creating it if not, just try to create the file and treat EEXIST
as a non-error.  Coverity CID 104121.
 2016-05-06 14:12:08 -06:00
Todd C. Miller
7b302e09ae Check return value of restore_perms() in vlog_warning(). 
Coverity CID 104079.
 2016-05-06 09:26:45 -06:00
Todd C. Miller
b4cb1c0a1f Fix memory leaks in resolve_editor() in the error path. 
Coverity CID 104109, 104110
 2016-05-06 09:23:22 -06:00
Todd C. Miller
61c53c8e66 Fix memory leak of gid_list in sudoers_policy_exec_setup() in the 
error path.  Coverity CID 104111.
 2016-05-06 09:17:14 -06:00
Todd C. Miller
0690793c25 Fix fd leak in do_logfile() if we fail to lock the log file. 
Coverity CID 104115.
 2016-05-06 09:12:39 -06:00
Todd C. Miller
7a5149d738 Fix memory leak of sss_result in sudo_sss_lookup() 
Coverity CID 104106
 2016-05-06 08:22:03 -06:00