Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as
as the "ALL" wildcard. This regression was introduced in sudo 1.8.23,
which was the first version to convert LDAP sudoRole objects to
sudoers internal data structures.
Thanks to Andreas Mueller for reporting and debugging this problem.
This adds audit plugin support to the sudoers module, currently
only used for accept events. As a result, the sudoers file is now
initially parsed as an audit plugin.
With this change, the sudo front-end will send an "accept" audit
event to the audit plugins after all the I/O logging plugins have
been initialized. This can be used by an audit plugin that does
not care about the result of the individual policy and approval
plugins and only wants to receive a single "accept" event if all
policy and approval plugins have succeeded. The plugin_type argument
for events sent by the front-end is SUDO_FRONT_END (0).
These are less confusing than #include and #includedir when the
hash character is also the comment character.
This commit also adds real parsing of include directives as opposed
to the pure lexer approach used previously. As a result, it is now
possible to include files with spaces by either using a double-quoted
string or escaping the space characters with a backslash.
By default, sudoreplay will exit when it reaches the end of the
timing file. With the -F option, it will keep going until the
timing file is finished and its write bit is cleared.
Previously we needed to include headers required by the various
sudo*h files. Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
In the past we've relied on the various .c files to include the
system headers that define types that the sudo_*.h headers require.
This is fragile and can cause issues when includes get re-ordered.
We want the log server to work with the default configuration. If
the default certificate path exists, it will be used with the default
listener. If the user explicitly enabled a TLS listener we always
attempt to use it. If TLS was specified but no cert file was set,
the default location will be used (and an error will occur if the
cert cannot be loaded).
This makes it easier to detect a plaintext client sending to a
TLS port. Without this, the TLS server will be silent as it
waits for the client to initiate the TLS connection.
The Signals enum was added in Python 3.5. If it is not present we
need to iterate over the dictionary items, looking for signal name
to number mappings. Fixes the signal tests with Python 3.4.
When converting sudo options from a dictionary to a tuple we need
to track the current index into the tuple separately from the
position of the dictionary entry.
Dictionary order is not stable in Python < 3.6 so we need to sort
by key to have consistent results.
The LogHandler output is also different on older Python versions.
Also, don't stop running python tests after the first error.
It is possible for the cwd and/or tty to be missing. If we send a
NULL pointer to the server where it expects a string the AcceptMessage
will fail to parse.
We have to limit the length of SUDO_COMMAND to avoid getting E2BIG
from execve(2) for very long argument vectors.
The command's environment also counts against the ARG_MAX limit.
Debian bug #596631
This is used for PAM authentication to make sure pam_end() is called
via sudo_auth_cleanup() when the user authenticates successfully but
sudoers denies the command. Debian bug #669687
