isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,066 Commits 1 Branch 0 Tags
b40f74cb24c5ecd377bd35b69d503d615c67b0a5
Commit Graph

11066 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
b40f74cb24 Cross-build support for mksigname and mksiglist 
We must build these with the host C compiler but use the target
preprocessor to generate the output.
 2021-08-19 09:50:05 -06:00
a1346054
bf7d20b482 Minor cleanup (#110) 
* fix trivial shell script issues
* remove trailing whitespace
 2021-08-19 09:48:01 -06:00
Todd C. Miller
1c52c24a93 log_server_peer_cert and log_server_peer_key are not required by default. 
They are only required if sudo_logsrvd has tls_checkpeer enabled.
 2021-08-19 09:15:12 -06:00
Todd C. Miller
e17003b35c Sync warning messages with sudoers/logging.c 
Avoids 3 translation strings that were effectively duplicated.
 2021-08-19 09:09:19 -06:00
Todd C. Miller
ad5feeb40b regen 2021-08-18 15:48:05 -06:00
Todd C. Miller
f9d3f46fa7 Add intercept_allow_setid sudoers option, disabled by default. 
With this change, a shell in intercept mode cannot run a setuid or
setgid binary by default.  On most systems, the dynamic loader will
ignore LD_PRELOAD for setuid/setgid binaries such as sudo which
would effectively disable intercept mode.
 2021-08-18 15:43:26 -06:00
Todd C. Miller
53a95e3a50 Always allocate a struct sudo_command for the command, even for ALL. 
Previously we special-cased handling of ALL but this complicates
some upcoming changes.
 2021-08-18 09:12:19 -06:00
Todd C. Miller
dad40a50a1 Update TAGS_CHANGED macro based on parse.h 2021-08-16 13:28:19 -06:00
Todd C. Miller
fc9a01936c Better document the limitations of intercept mode. 
Also mention log_children under "Preventing shell escapes"
 2021-08-16 12:44:49 -06:00
Todd C. Miller
e4809d634d Update .pot files for 1.9.8. 2021-08-16 10:46:34 -06:00
Todd C. Miller
a85cf1f3fd Try to clarify log_server_peer_key and log_server_peer_cert. 
These are client-side not server-side.
 2021-08-16 10:45:51 -06:00
Todd C. Miller
bfcc31b19b Print the section when warning about an illegal key in the conf file. 
This should make it easier to tell when a setting is present in the
wrong section.
 2021-08-16 10:44:48 -06:00
Todd C. Miller
5902c0e21c new_logline: limit offset to two significant digits after the decimal 
Now instead of TSID=0001L3@5.168230749 we would log TSID=0001L3@5.16.
 2021-08-14 13:22:48 -06:00
Todd C. Miller
9248ea6bbe Set umask to be less restrictive before creating parent directories. 
Otherwise we could end up creating them with a more restrictive
mode than indended.  Coverity CID 221592
 2021-08-14 10:49:51 -06:00
Todd C. Miller
babb498c6e new_logline: handle case where evlog is NULL 2021-08-14 09:24:39 -06:00
Todd C. Miller
6d3cf0ffda store_alert_local: fix memory leak on error path 
Coverity CID 238642
 2021-08-14 09:18:55 -06:00
Todd C. Miller
e2abcd6cb6 log_server_accept: fix memory leak of evlog when logging a sub-command. 
Coverity CID 238643
 2021-08-14 09:11:02 -06:00
Todd C. Miller
340d753947 Fix memory leak when client requests secret. 
Move closure allocation closer to where it is used.
 2021-08-14 08:54:36 -06:00
Todd C. Miller
4add9c2c00 store_accept_local: fix return value on error 2021-08-14 08:47:44 -06:00
Todd C. Miller
0f6a74f180 Cast iolog_offset.tv_sec to long long for %lld printf format. 
Quiets a compiler warning on systems where tv_sec in struct timeval
is not long long.
 2021-08-13 16:19:58 -06:00
Todd C. Miller
4aefd43948 For intercepted commands, log an offset into the current I/O log. 
This can be used with sudoreplay to jump to when a specific command
was executed within a session log.
 2021-08-13 16:00:00 -06:00
Todd C. Miller
695f4bea05 Add support for an optional offset when parsing the ID to replay. 
The offset is a suffix in the form of @sec[.nanosec]
 2021-08-13 16:00:00 -06:00
Todd C. Miller
064981fb14 Don't overwrite closure->evlog for sub-commands. 2021-08-13 15:59:59 -06:00
Todd C. Miller
62aca803ce Older Solaris has getusershell() et al but does not declare it. 2021-08-13 09:52:02 -06:00
Todd C. Miller
a55b54329e Add missing stdint.h and sudo_rand.h includes. 
Needed for arc4random() and uin64_t.
 2021-08-13 09:25:01 -06:00
Todd C. Miller
eaf03a382b Pass a secret value to sudo_intercept.so and verify after policy check. 
The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
 2021-08-13 09:10:44 -06:00
Todd C. Miller
c9d9225469 Split off intercept code into exec_intercept.c. 2021-08-11 16:00:47 -06:00
Todd C. Miller
3f30704ab7 Add trivial support for FreeBSD packages. 
The actual FreeBSD port supports multiple options but this is sufficient
for testing purposes.
 2021-08-11 15:09:00 -06:00
Todd C. Miller
374d499818 FreeBSD: Set default directory and file mode if not specified in %files 
Otherwise, a mode of 0 will be used, potentially rendering the
system unusable.
 2021-08-11 14:59:27 -06:00
Todd C. Miller
f327a19f34 Use same check for intercepted commands as log_server_accept(). 
Previously, log_server_reject() and log_server_alert() just
checked whether client_closure has been set.
 2021-08-11 14:10:05 -06:00
Todd C. Miller
0e2094471b Call shutdown() on sockets before closing() if they are connected. 
This should ensure that the other side sees any queued data before
the connection is dropped.
 2021-08-11 14:08:48 -06:00
Todd C. Miller
79129613e5 If SSL_shutdown() returns 0 it needs to be called one more time. 2021-08-11 10:16:36 -06:00
Todd C. Miller
ffdd7920cd resolve_editor: sudoers_gc_remove(editor) before freeing it. 2021-08-11 07:45:26 -06:00
Todd C. Miller
ef91b90ad6 Sync siglist.in with the generated files. 
The change to prefer SIGSYS over SIGUNUSED wasn't made to siglist.in.
Also, mksigname.c doesn't need to explicitly set sudo_sys_signame[0].
 2021-08-10 19:55:28 -06:00
Todd C. Miller
9798fd86bf Add garbage collection to resolve_editor(). 
Fixes a leak when evaluating the policy multiple times if sudoedit
is set.
 2021-08-10 12:58:18 -06:00
Todd C. Miller
abac069566 Fix compilation when configure option --disable-shared is specified. 2021-08-09 16:39:32 -06:00
Todd C. Miller
aa20eccad4 Sudo 1.9.8 2021-08-09 15:50:26 -06:00
Todd C. Miller
462e8ab471 Avoid some double frees in the fuzzer 
Now that sudoers free old values of NewArgv and command_info the
fuzzer needs to reset those values.  Otherwise we end up with
stashed values that have already been garbage collected.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
dae370fb70 Use a separate uuid for intercepted commands. 
We use the uuid to match the command with its exit status.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
2e99450d40 Fix logging intercepted commands to a log server in sudoers. 
Only available when the server supports the subcommands capability.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
3a090dcdcd Plug some memory leaks when sudoers_policy_main is called multiple times. 
These would get cleaned up a policy close time but we don't want
to bloat sudo's memory footprint when running a shell with multiple
commands.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
dfe26f8c34 If building with address sanitizer make sure its DSO is first. 
Address sanitizer requires that it be preloaded before any other
DSO in LD_PRELOAD.  This should not be required for clang, which
links in asan statically by default.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
8f8a9c37b3 Require that our dso be first in the list to make sure it takes effect. 
Otherwise, another dso could take precedence and ours would not be run.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
0ea5efd8b7 If msg_control is not present in struct msghdr use msg_accrights instead. 
Fixes building on Solaris and probably others.  It is possible to
expose msg_control on Solaris but this requires a specific set of
feature flag defines which can cause other complications.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
788708c9ff Add intercept_authenticate sudoers option, defaults to false. 
By default, sudoers will not require authentication of commands run
via an intercepted session.  To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
13b89e9103 Make the log_children option only log and not check policy. 2021-08-09 15:50:25 -06:00
Todd C. Miller
258fa9d4f9 Add debug support to sudo_intercept.so 2021-08-09 15:50:25 -06:00
Todd C. Miller
9c3df47da9 Move preload_dso() to its own file and rename to sudo_preload_dso(). 
It now takes an intercept fd as an optional argument instead of a
list of extra variables to add.  This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
60e76e3e35 Take control of the tty and save its settings before doing a policy check. 
Otherwise the policy plugin won't be able to read the password.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
42598735d0 Call the approval plugin after the policy plugin accepts a command. 
Previously, for intercepted commands we only called the policy plugin.
 2021-08-09 15:50:25 -06:00