isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,501 Commits 1 Branch 0 Tags
b3173fdedc605837113b9689c42d075398dd05c0
Commit Graph

2882 Commits

Author SHA1 Message Date
Todd C. Miller
b3173fdedc The runas user must be set before applying runas-based Defaults. 
This effectively backs out changeset f738f5ac5350, which made
it possible to log the command when an invalid user was specified.
The policy plugin API doesn't supply the command until the check
function, at which point we've already denied the command due to
the invalid user.  Bug #951.
 2020-12-20 08:43:34 -07:00
Todd C. Miller
4551b19f6c The lower bounds for the "closefrom" option is 3, not 4. 
This is a regression introduced in sudo 1.8.9 with the strtonum()
conversion.  Bug #950.
 2020-12-16 18:22:40 -07:00
Todd C. Miller
5c66e9532e Set sudoers_audit.close to NULL if not using a log server. 2020-12-11 08:46:39 -07:00
Todd C. Miller
63739dd326 Store the user-provided runas user and group name in struct sudo_user. 
This makes it available for event logging in case the name doesn't resolve.
 2020-12-05 09:05:42 -07:00
Todd C. Miller
bac76512fb Log submit group to event log. 2020-12-05 08:51:06 -07:00
Todd C. Miller
008a0e8dc1 Store iolog_path in struct sudo_user for use in the event log. 2020-12-05 08:31:46 -07:00
Todd C. Miller
fd39e2d7d6 Defer lookup of runas user until sudoers_main() for better logging. 
The log message now includes user info and the command attempted.
 2020-12-04 13:49:37 -07:00
Todd C. Miller
a7d670ee34 Fix a crash introduced in 1.9.4 when running command as an unknown user. 
Bug #948
 2020-12-04 06:45:48 -07:00
Todd C. Miller
67e6e2085a Reduce the number of error messages when we can't connect to the audit server. 
Add the error string to "unable to connect to log server" instead of
using an extra error message for the connect(2) failure.
 2020-12-03 13:20:18 -07:00
Todd C. Miller
a19f242796 Use correct error message when the TLS connection is dropped. 
Was: "recv: Unknown error 0", now: "lost connection to log server".
 2020-12-03 11:42:20 -07:00
Todd C. Miller
d98374753c Change alias_add() to return bool and set errno on failure. 
This fixes a localization problem where the error message could
have been reported in the wrong locale.
 2020-12-02 13:12:09 -07:00
Todd C. Miller
833e273ad9 Updated translations from translationproject.org 2020-11-29 15:11:34 -07:00
Todd C. Miller
94c5052ebf Fix typo detected by codespell 2.0.0 
Also avoid some new false positives
 2020-11-24 07:40:38 -07:00
Todd C. Miller
bdf5530014 Set pp_ignore_define_body=false in uncrustify config. 
Need to work around a bug that produces closed brace errors,
see https://github.com/uncrustify/uncrustify/issues/2569
 2020-11-23 10:47:47 -07:00
Todd C. Miller
7bbd7c8e05 Updated translations from translationproject.org 2020-11-23 09:09:32 -07:00
Todd C. Miller
7d0b19d2a0 Don't free the private copy of the environment until the close function. 
We may need to use it when logging from the audit reject function.
 2020-11-17 13:44:32 -07:00
Todd C. Miller
cb87253d1e It is possible for evlog->argv or evlog->envp to be NULL. 2020-11-17 13:43:31 -07:00
Todd C. Miller
27615b5582 For the audit plugin, command_info may be NULL. 
Fixes a NULL dereference in sudoers_audit when an I/O logging
plugin rejects input/output or returns an error.
 2020-11-17 13:04:57 -07:00
Todd C. Miller
e4a2765cce Add missing initialization of def_log_format to sudo. 2020-11-17 11:11:52 -07:00
Todd C. Miller
061b53e338 Regenerate sudoers.pot for 1.9.4 2020-11-14 11:42:31 -07:00
Todd C. Miller
2b71b61044 Update struct eventlog based on command_info[] from front-end. 
The I/O log path is not known until the I/O log plugins have
run and other plugins may alter the execution environment.
 2020-11-14 11:42:27 -07:00
Todd C. Miller
95fb8eb727 Add sudoerserrorf(), a printf-style yyerror() function. 
Use this to display a better error message when using a reserved
work in an alias definition.
 2020-11-14 06:17:41 -07:00
Todd C. Miller
aeef6db85e Support EDITOR environment variable that includes quotes. 
Quote support is limited to the beginning of a word.
Also handles characters escaped with a backslash.
 2020-11-12 16:04:05 -07:00
Todd C. Miller
d688f4d34e Back out regex use in python tests, filter the output instead. 
This makes it possible to regenerate the test output again.
Also adds an update_test_data target to the Makefile.
 2020-11-11 19:04:01 -07:00
Todd C. Miller
6439b4cc01 Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED 
This is consistent with the pre-1.8.24 behavior.  Bug #945
 2020-11-11 09:34:50 -07:00
Todd C. Miller
55c4f3bddd Introduce new_member_all() for code that doesn't include gram.h. 
The ldap and sssd back-ends no longer require gram.h which fixes a
compilation issue with IBM LDAP.
 2020-11-10 19:36:56 -07:00
Todd C. Miller
72df19088b Refactor code to format the client message after the hello. 2020-11-09 18:32:37 -07:00
Todd C. Miller
56fb16d3e8 Use sudoers_to_eventlog() and init_log_details() in sudoers_audit_accept(). 
log_deserialize_info() can be private to iolog.c again.
 2020-11-09 17:15:11 -07:00
Todd C. Miller
9779009fae Add info_msgs to AlertMessage and populate it. 
This lets us log eventlog info along with the alert if it is available.
 2020-11-09 17:15:11 -07:00
Todd C. Miller
62525dcc94 Log reject and alert messages to the log server if one is defined. 2020-11-09 17:15:02 -07:00
Todd C. Miller
e56c3b342b Rename iolog_plugin.h to log_client.h. 
It is no longer I/O log specific and is used by sudoers_audit too.
 2020-11-09 17:13:04 -07:00
Todd C. Miller
62547746d3 Rename iolog_client -> log_client. 
The logsrvd client code is now used for more than just I/O logging.
 2020-11-09 17:13:04 -07:00
Todd C. Miller
2112d9beb1 Log accept messages in sudoers_audit if not I/O logging. 2020-11-04 05:39:16 -07:00
Todd C. Miller
8f5290b19a Refactor code to format InfoMesage array into fmt_info_messages(). 
Add free_info_messages() to free the array.
 2020-11-04 05:46:07 -07:00
Todd C. Miller
e264767eaa Refactor sudoers_io_open_remote() into log_server_open(). 
Also rename client_close() to log_server_close().
This keeps more of the client code details out of iolog.c and
will be used when logging accept messages from the audit plugin.
 2020-11-04 05:29:03 -07:00
Todd C. Miller
2d888380a4 Move argv and envp setting into iolog_deserialize_info(). 2020-11-04 05:20:08 -07:00
Todd C. Miller
fe9e65754c Add event_alloc to the audit plugin API. 
The sudoers audit plugin will use this to communicate with sudo_logsrvd.
 2020-11-02 15:28:21 -07:00
Todd C. Miller
ad40241703 Treat an authentication failure as a reject, not an alert. 
This matters when logging via sudo_logsrvd.
It also lets us remove a special case in vlog_warning().
 2020-11-09 17:13:04 -07:00
Todd C. Miller
f8a708dae3 Regenerate with bison 3.7.3 2020-11-09 16:52:26 -07:00
Todd C. Miller
282a7e80f2 Fix cut & pasto in debug subsystem. 2020-11-06 08:51:38 -07:00
Todd C. Miller
de58c11dba Set server_name before initiating TLS connection so verify function works. 
Fixes a crash in the SSL_VERIFY_PEER callback.  Also call inet_ntop(3)
with addr pointer, not sockaddr pointer so we get the correct IP address.
 2020-11-02 09:30:45 -07:00
Todd C. Miller
6286ce1d16 Store column number for aliases, defaults and userspecs too. 
This is used to provided the column number along with the line
number in error messages.  For aliases we store the column of the
alias name, not the value since that is what visudo generally needs.
 2020-11-02 05:39:06 -07:00
Todd C. Miller
982012dbb1 Display column number in parse error messages too. 
Bug #841
 2020-11-01 15:34:11 -07:00
Todd C. Miller
6f7e5b104b Move tls initialized flag into client_closure. 
We may call tls_init() from multiple places in the future so a
static initialized flag will cause problems.
 2020-11-01 15:03:02 -07:00
Todd C. Miller
10b09e4d89 Fix -Wshadow warnings caused by json enum member. 2020-11-01 15:01:16 -07:00
Todd C. Miller
e0c2635fb3 Apply Google inclusive language guidelines. 
Also replace backwards with backward.
 2020-10-30 10:15:30 -06:00
Todd C. Miller
c8c7e1f607 Use ssl_err2string() in message on ldap_ssl_client_init() failure. 
Displaying SSL reason code directly is not user-friendly.
 2020-10-28 09:40:11 -06:00
Todd C. Miller
28d6771d24 Add log_format sudoers setting to select sudo or json format logs. 
Defaults to sudo-format logs.
 2020-10-27 15:26:02 -06:00
Todd C. Miller
4fc39cfb0a Don't warn about log failure more than once. 2020-10-27 06:36:58 -06:00
Todd C. Miller
fdae4bdbbb Add support for file log line wrapping in libeventlog. 2020-10-26 16:16:46 -06:00