isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,308 Commits 1 Branch 0 Tags
a2e541aef8f39eb746e3e5ed605f42a8481ca87f
Commit Graph

228 Commits

Author SHA1 Message Date
Todd C. Miller
a2e541aef8 O_NOCTTY has no effect when opening /dev/tty as the open can only 
succeed if there is already a controlling tty.
 2016-05-16 11:17:20 -06:00
Todd C. Miller
3b39377246 Do not need to open /dev/tty with O_NONBLOCK, it doesn't block on 
first open like a physical terminal.  By definition, if you have a
controlling tty, the first open (which might block) has already
occurred.
 2016-05-16 11:12:54 -06:00
Todd C. Miller
0f359e038c Fix memory leak on error if sudo_new_key_val() fails. 
Coverity CID 104103.
 2016-05-07 04:57:11 -06:00
Todd C. Miller
6473d55aa7 Cast the return value of fcntl() to void when setting FD_CLOEXEC. 
Coverity CID 104063, 104064, 104069, 104070, 104071, 104072, 104073, 104074
 2016-05-05 16:16:24 -06:00
Todd C. Miller
829917f008 pid_t is defined by POSIX as a signed integer type so we don't need 
a cast when comparing to -1.
 2016-05-04 14:14:38 -06:00
Todd C. Miller
f88da1c1a0 Do group setup in policy_init_session() before calling out to the 
plugin.  This makes it possible for the pam_group module to change
the group in pam_setcred().  It's a bit bogus since pam_setcred()
is documented as not changing the group or user ID, but pam_group
is shipped with stock Linux-PAM so we need to support it.
 2016-04-28 11:01:58 -06:00
Todd C. Miller
b4309d4aea Ignore SIGPIPE for the duration of sudo and not just in a few select 
places.  We have no control over what nss, PAM modules or sudo
plugins might do so ignoring SIGPIPE is safest.
 2016-04-22 16:36:36 -06:00
Todd C. Miller
6cbba7d665 Add an administrative domain to the passwd/group cache key for 
AIX which can have different name <-> ID mappings depending
on whether the database is local, LDAP, etc.
 2016-02-01 11:08:58 -07:00
Todd C. Miller
7b2fbed45d Rename gc_cleanup to gc_run and remove I/O plugins from the plugin 
list when freeing them.
 2016-01-28 14:48:11 -07:00
Todd C. Miller
23aeb0b5ec Free up the garbage via an atexit() handler instead of requiring 
a call to gc_exit.
 2016-01-28 11:01:42 -07:00
Todd C. Miller
9b3ef072f9 Add support for garbage collecting info passed to the plugin before 
exit to appease address sanitizer's leak detector (and valgrind's
leak checker).  We can't free these sooner since the plugin may be
using the memory.  For plugin API 2.0 it should be make clear that
the plugin must make a copy of the data in the arrays passed in to
the plugin's open() function.  Only enabled if NO_LEAKS is defined.
 2016-01-27 15:37:15 -07:00
Todd C. Miller
91bce65e29 Remove sudo_fatalx() calls from format_plugin_settings(). 2016-01-27 13:59:04 -07:00
Todd C. Miller
5507b2328c Pass updated user_env_out, not envp, to the I/O open function. 2016-01-26 07:42:57 -07:00
Todd C. Miller
ca330adada Pass updated argv/envp to the I/O open function like the plugin API 
documents.
 2016-01-26 07:39:43 -07:00
Todd C. Miller
5bae35c05c Fix off by one error in new SET_FLAG macro. 2016-01-20 15:09:32 -07:00
Todd C. Miller
de0208a01b Make sudoedit_checkdir the default and update the documentation accordingly. 2016-01-19 14:16:25 -07:00
Todd C. Miller
e719d954e7 Add a SET_FLAG macro to simplify parsing command details boolean 
flags.  Previously, flags were only set and never cleared even if
the boolean value was false.  This was not a problem as there were
no default flags for the plugin to enable.  That will change in the
future.
 2016-01-19 10:32:33 -07:00
Todd C. Miller
b20977d445 Add support for using fexecve() if supported on commands that are 
checksummed.
 2016-01-04 10:35:18 -07:00
Todd C. Miller
c50cead833 Add directory writability checks for sudoedit. 2015-10-23 14:04:35 -06:00
Todd C. Miller
9486afb4e5 When the command sudo is running is killed by a signal, sudo will 
now send itself the same signal with the default signal handler
instead of exiting.  The bash shell appears to ignore some signals,
e.g.  SIGINT, unless the command is killed by that signal.  This
makes the behavior of commands run under sudo the same as without
sudo when bash is the shell.  Bug #722
 2015-09-26 10:53:16 -06:00
Todd C. Miller
27c2a3d158 Fix running commands as non-root when neither setresuid() not 
setreuid() are available.  At this point we are already root so
setuid() must succeed.  Bug #713
 2015-09-09 10:45:56 -06:00
Todd C. Miller
0dbfbee035 Cast uid_t to unsigned int when printing as %u 2015-09-09 10:14:03 -06:00
Todd C. Miller
98a15d9879 Add a struct sudo_conv_callback that contains on_suspend and on_resume 
function pointer args plus a closure pointer and at it to the
conversation function.
 2015-09-07 06:06:08 -06:00
Todd C. Miller
3354d27a17 Do not follow symbolic links in sudoedit by default. This behavior 
can be controlled by the sudoedit_follow Defaults flag as well as
the FOLLOW/NOFOLLOW tags.
 2015-08-06 13:20:01 -06:00
Todd C. Miller
d96f8bcabb Avoid needless memory allocation when resolving the tty name. 2015-07-19 20:19:22 -06:00
Todd C. Miller
d4211081c0 Add some debugging printfs when malloc fails and we don't have an 
explicit call to sudo_warnx().
 2015-07-14 15:28:01 -06:00
Todd C. Miller
445e6f2e9a Check sudo_conf_read() return value and exit on fatal error (a 
warning was already printed by sudo_conf_read()).
 2015-07-07 13:17:50 -06:00
Todd C. Miller
854c084956 Fix utmp setup broken by commit be0ca60facf8 2015-07-06 13:56:39 -06:00
Todd C. Miller
0b241088b3 There's no need to conditionalize the #include <unistd.h>, we require 
a POSIX system.
 2015-07-02 09:08:28 -06:00
Todd C. Miller
4a07b472f0 Only include stddef.h where it is needed. 2015-06-20 05:34:35 -06:00
Todd C. Miller
c36415417f Add function name to "unable to allocate memory" warnings. 2015-06-19 14:51:17 -06:00
Todd C. Miller
dc883f2454 We require ANSI C so stop using the obsolete STDC_HEADERS. 2015-06-19 14:29:27 -06:00
Todd C. Miller
4f9cabd005 Remove obsolete memory.h include. 2015-06-18 21:02:57 -06:00
Todd C. Miller
cb63ca701c Avoid using exiting allocators in the front end. 2015-06-17 17:00:54 -06:00
Todd C. Miller
25917e435c We need to unlimit RLIMIT_NPROC in sudoers as well as the sudo front 
end since set_perms() and restore_perms change the read uid and may
fail with EAGAIN on Linux kernels prior to 3.1.
 2015-06-12 15:30:06 -06:00
Todd C. Miller
4131449ffb Add a few missing sudo_new_key_val() return value checks. 
Also use non-exiting allocators for consistency.
 2015-05-27 09:42:51 -06:00
Todd C. Miller
a40cf3e288 There should be no need to check for tzset() as it is POSIX. 2015-05-18 13:42:06 -06:00
Todd C. Miller
caf5d45e0f Previously, debug_return_bool was the same as debug_return_int 
except that it logged true/false for 1/0.  However, this appears
to trigger a bug in some compilers.  To avoid this, debug_return_bool
now uses bool, not int.  Callers that were passing it an int have
been converted to use debug_return_int instead.
 2015-05-07 10:33:23 -06:00
Todd C. Miller
41f3666a12 Defer conversation initialization until right before plugins 
are initialized.
 2015-04-22 13:30:58 -06:00
Todd C. Miller
6f8af4d26d Split variable declaration out of debug_decl into debug_decl_vars() 
so we can use it in main() when we know sudo_debug_enter() cannot
succeed.
 2015-04-22 13:30:58 -06:00
Todd C. Miller
be8dbeb22e Avoid using HOST_NAME_MAX directly and use sysconf(_SC_HOST_NAME_MAX) 
instead.
 2015-02-19 20:28:02 -07:00
Todd C. Miller
96eddddc12 Almost no systems actually define OPEN_MAX since it is dynamic on 
modern OSes.  If sysconf(_SC_OPEN_MAX) ever fails, fall back on
_POSIX_OPEN_MAX instead.  We can assume modern systems have sysconf().
Also remove checks for strrchr() and strtoll() for which the HAVE_*
defines are no longer used.
 2015-02-19 09:59:25 -07:00
Todd C. Miller
67eba7e534 Don't assume argv[0] is set without first checking argc. 2015-02-05 11:17:25 -07:00
Todd C. Miller
59ab26dbcc Go back to a 2 args debug_decl and just use the "default" instance, 
now renamed "active".
 2015-02-01 08:24:49 -07:00
Todd C. Miller
6b1b734ffa Add a flag argument to sudo_conf_read() so we can decide which 
bits get parsed.  This lets us parse Debug statements first and
init the debug subsystem early.
 2014-10-26 08:33:08 -06:00
Todd C. Miller
4bf641df69 In the plugin registers with the debug framework at open time, the 
sudo front-end will now set the default debug instance appropriately
before calling into the plugin.  This means the plugin no longer needs
to do the sudo_debug_set_default_instance() dance.
 2014-10-24 11:17:48 -06:00
Todd C. Miller
866cfc4fc3 Add support for multiple Debug lines per program. Callers may 
register arbitrary debug facilities or use built-in defaults.  We
now use separate Debug statements for plugins and programs.
 2014-10-22 13:23:05 -06:00
Todd C. Miller
a7e724b75d Change how sudo.conf is parsed. We now do a quick parse and then 
set the values after the entire file has been parsed.  This lets
us init the debug system earlier.  Plugin-specific debug flags are
now stored in struct plugin_info and struct plugin_container and
passed to the plugin via one or more debug_flags settings.
 2014-10-22 13:20:32 -06:00
Todd C. Miller
346ff6766e Pass plugin path in the settings array. 2014-10-22 13:13:00 -06:00
Todd C. Miller
1e0b8903f2 Return settings from parse_args as struct sudo_settings and format 
for the plugin at plugin open time.  This will allow for additional,
plugin-specific settings to be added to the array.
 2014-10-22 13:13:00 -06:00