isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,831 Commits 1 Branch 0 Tags
c341608072a33c74fa3e534e987d6d3513f19b51
Commit Graph

469 Commits

Author SHA1 Message Date
Todd C. Miller
fccf3c9c56 Add sudo_mmap_{alloc,allocarrary,strdup,free} functions. 
These allocate memory via mmap anonymous regions and store the mapped
size immediately before the returned pointer as an unsigned long.
They are intended to be used in cases where malloc(3) and free(3)
are unsuitable due to concerns about corrupting global state in
multi-threaded programs or signal handlers.
 2022-07-25 15:08:11 -06:00
Todd C. Miller
2d6b9d22e1 For logsrvd_conf_test include both tls and non-tls configs. 2022-06-02 11:38:43 -06:00
Todd C. Miller
d7b2ff3214 Add a simple regression test for logsrvd.conf parser. 
Unlike the parser fuzzer, this includes sample certs and keys.
This test would have detected the BIO_new_file() bug in set_dhparams().
 2022-06-02 11:13:18 -06:00
kernelmethod
bd25b85a66 Add an apparmor_profile sudo setting 
Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
 2022-05-23 13:41:42 -06:00
Todd C. Miller
0ea431e392 Move code to suspend sudo when no pty is in use to separate file. 
Use this in test_ptrace.c to be able to suspend just like sudo does.
 2022-05-18 07:29:55 -06:00
Todd C. Miller
040e75a07b Add test_ptrace program to test ptrace-based intercept support. 2022-05-11 20:07:55 -06:00
Todd C. Miller
35ea534b3e Move register definitions to exec_ptrace.h 2022-05-05 13:37:26 -06:00
Todd C. Miller
77979932b1 New Georgian translation from translationproject.org 2022-04-29 13:32:29 -06:00
Todd C. Miller
8e375445fb Check the policy for ptrace-based intercept mode. 2022-04-29 13:08:59 -06:00
Todd C. Miller
01733a5214 Add scaffolding for ptrace-based intercept mode. 2022-04-29 12:35:31 -06:00
Todd C. Miller
c414a89eb3 Remove ABOUT-NLS file, it is no longer maintained as part of GNU gettext. 
Expand the Translations section in CONTRIBUTING.md.
 2022-04-20 12:58:11 -06:00
Todd C. Miller
75a0e51590 Add sudo_closefrom() regression test. 2022-03-01 11:31:19 -07:00
Todd C. Miller
a57e979962 Adapt test harness for lib/util and move to regress directory. 2022-02-28 14:15:43 -07:00
Todd C. Miller
f35bbd5a3f Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script. 
It is easier to maintain these tests in script form.  The output
now more closely matches that of the other tests.  The harness
script can be invoked directly and supports running specific tests.
 2022-02-28 11:29:38 -07:00
Todd C. Miller
cadfbfedb9 Add tests for iolog filtering. 
This is the functionality used by the log_passwords and passprompt_regex
options.
 2022-02-18 09:40:40 -07:00
Todd C. Miller
63b2a62f8a Substitute values in the example syslog.conf too. 
Also update ignore files for example changes
 2022-02-11 19:19:09 -07:00
Todd C. Miller
0bbe4b1813 Substitute paths set by configure in examples. Bug #1023 2022-02-11 19:07:08 -07:00
Todd C. Miller
7c17f84a35 Add helper function to compile a regex that supports (?i). 2022-02-11 12:01:31 -07:00
Todd C. Miller
86d2173937 Add support for matching command and args using regular expressions. 
Either the command, its arguments or both may be (separate)
regular expressions.
 2022-02-10 18:26:24 -07:00
Todd C. Miller
6564f1ae4c Work around a glibc regcomp() bug with repeated '+' operators. 
Glibc regcomp() has a bug where it uses excessive memory for repeated
'+' ops.  Collapse them to avoid running the fuzzer out of memory.
 2022-02-01 13:12:19 -07:00
Todd C. Miller
3c84aef902 Add missing sudoers4 test file for new cvtsudoers test. 2022-01-31 19:28:06 -07:00
Todd C. Miller
960bf99656 defaults_check_conflict: it is only really a conflict if the binding match 
If the Defaults name matched but the binding does not, we can simply
leave it be.  Fixes a problem where given two sudoers sources that
have a host specified, if they contain conflicting Defaults entries
we would drop one of the Defaults instead of keeping both after
making them host-specific.
 2022-01-31 19:18:04 -07:00
Todd C. Miller
8f4351a897 Make it possible to merge a host-based Defaults with a global one. 
We convert the global Defaults to a host-based one with a single
"ALL" member.  Later, when we simplify the host list, we'll convert
this back to a global Defaults.
 2022-01-31 19:18:03 -07:00
Todd C. Miller
5ea0bf4ee2 Escape/unescape commas when serializing/deserializing a stringlist. 2022-01-28 08:52:42 -07:00
Todd C. Miller
946404434e lib/iolog: add support for filtering password out of tty input 
If a password regex is found in the tty output, tty input will be
replaced with '*' chars until a newline or another tty output
character is received.
 2022-01-28 08:52:41 -07:00
Todd C. Miller
835079fa3f Fix merging of global/ALL entries when each input file has a host. 
If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec
to the host name.  However, if all the input files have matching
hosts we can simplify the merged file by converting back to ALL
after resolving conflicts.
 2022-01-03 13:23:22 -07:00
Todd C. Miller
0ed92e6165 Move LICENSE.md out of docs and back to the top-level. 
GitHub expects it to be in the top-level directory.
 2021-12-22 11:05:00 -07:00
Todd C. Miller
149e8208b5 cvtsudoers: fix a regression when merging matching Defaults. 
If a host is specified with a sudoers file, we have to treat Defaults
as Defaults@host checking for duplicates.
 2021-12-20 12:57:02 -07:00
Todd C. Miller
5d95345e60 Add an example cvtsudoers.conf file. 2021-12-16 15:42:21 -07:00
Todd C. Miller
7158b03b50 Add simple test for cvtsudoers merge functionality. 2021-12-12 10:28:09 -07:00
Todd C. Miller
869994433f Add sudoers Spanish translation from translationproject.org 2021-12-12 10:24:53 -07:00
Todd C. Miller
c13b21c199 Avoid TOCTOU in sudo_mkdir_parents() using openat(2) and mkdirat(2). 
This also allows us to make path const as it should be.
 2021-12-11 08:35:18 -07:00
Todd C. Miller
3bd572ba80 Convert README and docs files to markdown. 
This makes things look better on GitHub and we can use the
markdown version directly in the new sudo web site.
 2021-12-05 21:02:04 -07:00
Todd C. Miller
0608a4ea6f cvtsudoers: better merging of lists that are not exact duplicates 
When merging rules, if one list would be overridden by another,
remove the overridden rule and continue merging.
 2021-11-29 11:50:40 -07:00
Todd C. Miller
409410b029 New Persian (Farsi) translation from translationproject.org 2021-11-21 09:53:50 -07:00
Todd C. Miller
ab9e44a6ca cvtsudoers: merge aliases when multiple sudoers files are specified 
Duplicate aliases are remove.  If there are conflicting alias names,
the conflicts are renamed by appending a numerical suffix.
For example, if there are two SERVERS Host_Aliases, the second one
will be renamed to SERVERS_1.
 2021-11-19 12:29:21 -07:00
Todd C. Miller
7baee707b0 Add a background image for the macOS installer. 2021-11-19 12:26:31 -07:00
Todd C. Miller
781a4fb691 Add contributing guide. 2021-11-11 13:56:36 -07:00
Todd C. Miller
85325a7d2f Add security doc, inspired by the Microsoft template. 2021-11-10 17:26:26 -07:00
Todd C. Miller
289a045a4f Rename "doc" directory to "docs" for better GitHub compatibility. 2021-11-10 16:45:16 -07:00
Todd C. Miller
4eebd53bce parse_gentime: use timegm() to generate time since the epoch 
The timegm() function is non-standard but widely available.
Provide an implementation for those systems that lack it.
Bug #1006
 2021-10-31 09:27:34 -06:00
Todd C. Miller
a554629d84 Flush I/O logs before we send a commit point. 
The commit point message means we have written the data to disk so
we should not be buffering it any longer.
We do not currently fsync(2) the data after flushing, perhaps we should.
 2021-10-15 19:10:34 -06:00
Todd C. Miller
430048d167 cvtsudoers: initial support for CSV output 
For CSV output we double quotes strings that contain commas.  For
each literal double quote character present inside the string, two
double quotes are output.
 2021-10-10 14:24:31 -06:00
Todd C. Miller
8d98a447c5 Use circleci for continuous integegration. 
Build container descriptions are in the new docker directory.
 2021-10-04 18:49:06 -06:00
Todd C. Miller
292916f43c Test that digest matching works with LDAP sudoCommand: ALL 2021-09-17 20:41:34 -06:00
Todd C. Miller
fa71679b5a Add gmtime_r and localtime_r tests and compat if missing. 2021-09-17 10:55:06 -06:00
Todd C. Miller
cf225d2f10 Add a test to exercise Bug #994 2021-09-17 09:10:27 -06:00
Todd C. Miller
3a4aec7a62 sudo_intercept.so: only replace execvpe() if it is present. 
execvpe() is a GNU extension also found on *BSD (but not macOS).
 2021-09-08 11:09:59 -06:00
Todd C. Miller
4bff82cab4 Fix random uuid generation, no need to convert between byte order. 
Also add regression test.
 2021-08-31 19:53:28 -06:00
Todd C. Miller
4ccd966e22 Add exports file for sudo_intercept.so that only exports execve() 2021-08-20 11:49:22 -06:00