isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,454 Commits 1 Branch 0 Tags
a38b7146676946949c37a66ff342eaba4bc6c9a9
Commit Graph

271 Commits

Author SHA1 Message Date
Todd C. Miller
a38b714667 sudoers plugin: silence most -Wconversion warnings. 2023-07-07 15:07:04 -06:00
Todd C. Miller
3786654dbd Add NETGROUP_QUERY option for servers that can't match nisNetgroupTriple. 
This can be used to support netgroup queries on systems that lack
the innetgr() function and where the LDAP server cannot query the
nisNetgroup by nisNetgroupTriple.
 2023-06-07 10:10:52 -06:00
Todd C. Miller
6fddb2875c sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches() 
This allows us to use the LDAP-specific version of innetgr() when
possible.  Also enable "use_netgroups" by default even on systems
without innetgr() since we can now query netgroups directly via
LDAP.
 2023-06-06 19:55:06 -06:00
Todd C. Miller
f722272b7c Eliminate dead store. Coverity CID 315032. 2023-05-08 14:15:48 -06:00
Todd C. Miller
80768ed3a8 Make path_ldap_conf and path_ldap_secret private to policy.c. 
Add getters for both so the ldap code can access them.
 2023-05-02 10:47:53 -06:00
Todd C. Miller
4b563ea44f Pass around const struct sudo_nss pointers where possible. 2023-03-17 13:41:38 -06:00
Todd C. Miller
fc253048f5 Add LDAP-specific innetgr() implementation. 
Wheh netgroup_base is set we now do out own netgroup lookups using
LDAP.  Previously, LDAP was queried directly to get a list of the
netgroups the user belongs to but other netgroups queries went
through innetgr(3).  This makes it possible to use netgroups
in LDAP sudoers on systems that don't have an innetgr() function.
GitHub issue #251.
 2023-03-10 10:05:33 -07:00
Todd C. Miller
554df8d934 Move some functions from ldap.c to ldap_util.c. 
These will be used by the LDAP innetgr() implementation.
 2023-03-10 10:02:36 -07:00
Todd C. Miller
0aad96bba1 Add per-source innetgr function pointer and use it in netgr_matches(). 
This will be used to implement LDAP-specific netgroup lookups when
netgroup_base is set in ldap.conf.
 2023-03-08 13:44:22 -07:00
Todd C. Miller
f066ff9e01 Eliminate a few harmless dead stores. 
Quiets warnings from Infer.
 2022-11-22 11:18:24 -07:00
Todd C. Miller
a37ecb2666 sudo_ldap_result_add_entry: check sudo_ldap_get_values_len() return value. 
Previously, we just compared the error code with LDAP_NO_MEMORY
when checking for sudoOrder since this is the only error we care about.
We now return NULL for LDAP_NO_MEMORY and ignore other errors.
Quiets a warning from Infer.
 2022-11-22 11:05:26 -07:00
Todd C. Miller
13672f28df Make sudo pass -Wwrite-strings 2022-06-28 16:33:15 -06:00
Todd C. Miller
6ec279532e Add a source to struct sudo_nss and use it if getdefs() fails. 
Also remove useless "Problem with defaults entries" warning in testsudoers.
 2022-03-09 12:38:25 -07:00
Todd C. Miller
22a01410bd sudo_ldap_parse_options: fix memory leak of sudoRole cn string. 
Coverity CID 249976
 2022-02-24 07:56:38 -07:00
Todd C. Miller
e88087721b Add support in the LDAP filter for negated users. 
Based on a diff from Simon Lees
 2022-01-18 11:20:22 -07:00
Todd C. Miller
dc90df8de5 Check snprintf() return values even if we preallocated the correct amount. 
There are no remaining unchecked snprintf() that can actually overflow.
 2021-09-21 19:13:35 -06:00
Todd C. Miller
55171df5e5 Check strftime(3) return value in all cases. 
Old versions of strftime(3) didn't guarantee to NUL-terminate the buffer
so we explicitly clear the last byte of the buffer and check it.
 2021-09-17 14:01:28 -06:00
Todd C. Miller
18f1884ddc Use gmtime_r() and localtime_r() instead of gmtime() and localtime(). 2021-09-17 10:55:06 -06:00
Todd C. Miller
132936f8f0 Make it possible to call the sudoers policy check function multiple times. 
We need to reset the Defaults values to their original state.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
2db9e64214 Move reference-counted string code from sudoers to libsudo_util. 
It will be used by sudo_logsrvd too.
 2021-04-06 14:44:19 -06:00
Todd C. Miller
568931035d Move new_member_all to ldap_util.c, it is only used by ldap/sssd. 2021-01-31 05:44:40 -07:00
Todd C. Miller
6439b4cc01 Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED 
This is consistent with the pre-1.8.24 behavior.  Bug #945
 2020-11-11 09:34:50 -07:00
Todd C. Miller
55c4f3bddd Introduce new_member_all() for code that doesn't include gram.h. 
The ldap and sssd back-ends no longer require gram.h which fixes a
compilation issue with IBM LDAP.
 2020-11-10 19:36:56 -07:00
Todd C. Miller
c8c7e1f607 Use ssl_err2string() in message on ldap_ssl_client_init() failure. 
Displaying SSL reason code directly is not user-friendly.
 2020-10-28 09:40:11 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
fb8ed8ba66 Use angle quotes when including gram.h and def_data.c. 
Otherwise, we can include the wrong file when doing an out-of-source
build when configured using --with-devel.
 2020-08-12 10:28:33 -06:00
Todd C. Miller
49e43f580c Avoid passing NULL to printf in match debug code for LDAP/SSSD. 
The file name in struct userspec was not set for the LDAP and SSSD
backends.  There is no actual file in this case so set the name to
LDAP/SSSD.  Also add a guard to make sure we don't try to print
NULL in sudoers_lookup_check() if name is left unset.
 2020-06-04 11:31:12 -06:00
Todd C. Miller
73c1b04306 When converting LDAP to sudoers, ignore entries with no sudoHost attribute. 
Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as
as the "ALL" wildcard.  This regression was introduced in sudo 1.8.23,
which was the first version to convert LDAP sudoRole objects to
sudoers internal data structures.
Thanks to Andreas Mueller for reporting and debugging this problem.
 2020-06-03 20:12:04 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
c3ce3a84fb Refer to user-ID and group-ID instead of "user ID" and "group ID" 2019-10-19 14:26:41 -06:00
Todd C. Miller
a7cd4f0d48 Add user ID to the search filter when matching sudoUser. 
We already support group IDs but the user ID was missing.
From sudo-1.8.23-ldapsearchuidfix.patch in RHEL 7.
 2019-08-20 10:33:51 -06:00
Todd C. Miller
e99082e05b Fix special handling of ipa_hostname that was lost in sudo 1.8.24. 
We now include the long and short hostname in sudo parser container.
 2019-08-15 14:20:12 -06:00
Todd C. Miller
9d8f374397 Add ssizeof macro that returns ssize_t. 
We can use this instead of casting the result of size_t to int.
Also change checks for snprintf() returning <=0 to <0.
 2019-06-25 09:45:10 -06:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
985600e7f0 Minor snprintf() usage tweaks: 
1) don't assume snprintf() returns -1 on error, check for <0
2) when comparing return value of sizeof(foo), cast the sizeof, not the len
3) cast return value to void in cases where snprintf cannot fail
 2019-01-20 07:49:48 -07:00
Todd C. Miller
6c3d20cb41 Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00
Todd C. Miller
64e5d34c57 Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Todd C. Miller
54784a234c If sudo_ldap_get_values_len() fails goto cleanup instead of oom. 
This is not strictly necessary as there's not anything to cleanup
in this case but it is more consistent with the code that follows.
 2018-10-18 14:19:09 -06:00
Todd C. Miller
a924b4610b Fix warnings on OpenIndiana (Illumos) 2018-08-30 14:06:18 -06:00
Todd C. Miller
765d99e1f9 Correct ldap_to_sudoers() return value. 2018-08-30 13:47:02 -06:00
Todd C. Miller
ea38e9d909 For conversion to a sudoers parse tree, ldap_entry_compare() now 
needs to sort in ascending order, not descending.  Bug #849
 2018-08-30 07:48:16 -06:00
Todd C. Miller
aaefdd7575 Include stddef.h for offsetof() definition. 2018-08-22 10:27:33 -06:00
Todd C. Miller
1e5af35564 Refactor code to convert defaults to tags and do conversion on 
output for "sudo -l".

Remove the short_list (was long_list) global in favor of a verbose
argument.
 2018-08-05 07:17:34 -06:00
Todd C. Miller
608574a219 For ldap/sssd, include defaults in the generate privilege unless 
we are listing in short mode (in which case we convert them to tags
if possible).  Fixes a problem where sudoOptions were not being
applied to the command.
 2018-08-02 14:45:00 -06:00
Todd C. Miller
70d519c8ad o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. 
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
  a pointer to a struct sudoers_parse_tree which will be filled in
  by the getdefs() and query() functions.
 2018-07-26 15:12:33 -06:00
Todd C. Miller
2270b1e89f Avoid duplicate free when netgroup_base is invalid. 2018-07-15 07:46:34 -06:00
Todd C. Miller
919b567229 The getdefs() function now get called multiple times so use the 
cached data if present.
 2018-05-29 10:53:47 -06:00
Todd C. Miller
c990d93a4e Remove a needless copy when parsing options. 2018-05-29 09:39:42 -06:00
Todd C. Miller
0b31f186cd Move cached userspecs and defaults into the handle object. 2018-05-29 09:39:40 -06:00