Commit Graph

11831 Commits

Author SHA1 Message Date
Todd C. Miller
368e5d49eb Quiet a cppcheck false positive. 2022-01-19 12:57:07 -07:00
Todd C. Miller
9a013b79b8 Mention https://www.sudo.ws/security/fuzzing/ in the fuzzing section. 2022-01-19 11:02:19 -07:00
Todd C. Miller
08abeb94a5 Fix logic inversion when setting negated flag. 2022-01-19 09:36:58 -07:00
Todd C. Miller
5e30d01205 Quiet a PVS-Studio format string warning. 2022-01-19 09:20:42 -07:00
Todd C. Miller
c8b9f4ad1d Regen .pot files. 2022-01-18 16:51:13 -07:00
Todd C. Miller
3f8b7f6eae Bug #1016, #1017 and negated sudoUser in LDAP. 2022-01-18 16:49:17 -07:00
Todd C. Miller
e1c2288fbc Don't set/run early Defaults if a custom defaults_list is specified.
Defaults settings passed in by the front end are already "early"
so there is no need to treat any of them as special.

Otherwise, we end up running the early defaults callbacks before
sudoers has been parsed.  This means that, for instance, it is not
possible to disable the fqdn flag before its callback is run if
sudo is build with the --with-fqdn option.  Bug #1016.
2022-01-18 15:38:57 -07:00
Todd C. Miller
28cfe868ec Mark is_early_default(), run_early_defaults(), set_early_default() static.
They are not used outside of defaults.c.
2022-01-18 13:40:59 -07:00
Todd C. Miller
9bb3df748e Add support in SSSD for negated users. 2022-01-18 11:31:36 -07:00
Todd C. Miller
e88087721b Add support in the LDAP filter for negated users.
Based on a diff from Simon Lees
2022-01-18 11:20:22 -07:00
Todd C. Miller
1afce22f7f Use PATH_MAX, not NAME_MAX+1 for the directory entry length.
On some systems, such as Solaris, the max length of a directory
entry is filesystem-dependent.  We could use fpathconf() and
dynamically allocate the name but it is simpler to just use
PATH_MAX here.
2022-01-12 15:30:39 -07:00
Todd C. Miller
853e710f4a Only emulate Py_FinalizeEx for Python 3.[0-5]. 2022-01-12 13:07:21 -07:00
Todd C. Miller
1f098a2029 Use POSIX NAME_MAX, not the obsolete MAXNAMLEN define.
Fixes compilation with musl libc.
2022-01-12 10:25:44 -07:00
Todd C. Miller
757c3a1d37 When applying fallback limits, make sure we don't reduce rlim_max.
Fixes a problem where sudo could reduce the max stack size on some
systems if the original limit was higher than the fallback limit,
but not unlimited/infinity.
2022-01-11 13:30:20 -07:00
Todd C. Miller
1c95ab8852 Don't modify the stack limit if it is >= SUDO_STACK_MIN. 2022-01-11 13:21:32 -07:00
Todd C. Miller
5fdaa48228 The pre-install target requires visudo, add an explicit dependency. 2022-01-11 11:01:09 -07:00
Todd C. Miller
2e08db3695 If sudo is not set-user-ID root, check for the no_new_privs flag on Linux.
This flag disables set-user-ID at execve(2) time and may be set by
default for some containers.  GitHub issue #129.
2022-01-09 17:31:06 -07:00
Todd C. Miller
48bc498a6f Add pam_askpass_service sudoers setting for "sudo -A".
This makes it possible to use a different PAM configuration for
when "sudo -A" is used.  The main use case is to only use PAM modules
that can interact with the askpass program.  GitHub issue #112.
2022-01-08 11:35:03 -07:00
Todd C. Miller
763256e464 Improve debugging info when fdopen() fails. 2022-01-07 12:49:30 -07:00
Todd C. Miller
3b7d32b251 sss_sudo_free_values() checks for NULL, no need to do it manually. 2022-01-06 11:18:45 -07:00
Todd C. Miller
8aec6c2a8d Quiet a clang analyzer false positive. 2022-01-06 10:53:01 -07:00
Todd C. Miller
de7171ab6c Quiet a clang analyzer false positive. 2022-01-05 17:34:18 -07:00
Todd C. Miller
a2d27bc9ec Fix return value for non-interactive mode for non-standalone auth methods.
AUTH_NONINTERACTIVE was being stored in the wrong variable.
2022-01-05 16:41:19 -07:00
Todd C. Miller
513574ce10 Updated translations from translationproject.org 2022-01-05 11:13:01 -07:00
Todd C. Miller
d6ff97d837 defaults_var_matches() should return bool, not enum match_result.
Remove enum match_result as it is no longer used.
2022-01-05 11:12:07 -07:00
Todd C. Miller
72989bf83f Quiet two PVS-Studio warnings. 2022-01-05 11:04:18 -07:00
Todd C. Miller
1b72f138e3 Remove PAM_TTY workaround for old, buggy PAM modules.
In the past, some PAM modules assumed that PAM_TTY was set and would
misbehave (or crash) if not.  This was primarily obsolete versions
of Linux-PAM, so it should now be safe to remove this.  Setting
PAM_TTY to an empty string can cause its own set of issues.
GitHub issue #74
2022-01-05 10:59:27 -07:00
Todd C. Miller
8c42a29a1e Mention fix for Bug #956 and GitHub issue #83. 2022-01-04 19:42:58 -07:00
Todd C. Miller
521ef37aea Push non-interactive mode checking down into the auth methods.
For "sudo -n" we only want to reject a command if user input is
actually required.  In the case of PAM at least, we may not need
to interact with the user.  Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
Todd C. Miller
296d876b76 userspec_overridden: fix checks when there is more than one userspec 2022-01-03 16:40:32 -07:00
Todd C. Miller
835079fa3f Fix merging of global/ALL entries when each input file has a host.
If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec
to the host name.  However, if all the input files have matching
hosts we can simplify the merged file by converting back to ALL
after resolving conflicts.
2022-01-03 13:23:22 -07:00
Todd C. Miller
d02ba52fa4 Welcome to 2022. 2022-01-03 10:27:07 -07:00
Todd C. Miller
59d55c5308 LICENSE.md moved to the top-level src dir. 2022-01-03 10:26:15 -07:00
Todd C. Miller
dabd8d80a2 Merge pull request #127 from Tyler887/main
Typo
2021-12-22 15:01:33 -07:00
Tyler887
d9594cb216 Typo 2021-12-22 21:56:34 +00:00
Todd C. Miller
e22cc72530 Back out changes to enable SELinux by default.
This may return in a future release in a different form.
2021-12-22 11:13:22 -07:00
Todd C. Miller
0ed92e6165 Move LICENSE.md out of docs and back to the top-level.
GitHub expects it to be in the top-level directory.
2021-12-22 11:05:00 -07:00
Todd C. Miller
149e8208b5 cvtsudoers: fix a regression when merging matching Defaults.
If a host is specified with a sudoers file, we have to treat Defaults
as Defaults@host when checking for duplicates.
2021-12-20 12:57:02 -07:00
Todd C. Miller
4ffc3142c5 add_defaults: add defs == NULL check to quiet coverity false positive 2021-12-18 07:54:26 -07:00
Todd C. Miller
dfc11d7483 When merging Defaults, allow a subsequent global Defaults (no
binding) to override a prior Defaults setting with a binding.
2021-12-17 18:59:29 -07:00
Todd C. Miller
6a2c5043a9 add_defaults: defs can never be NULL 2021-12-17 16:04:33 -07:00
Todd C. Miller
546d4f6246 Plug memory leak when making a default host-specific.
We don't need to allocate new space for the binding list,
just the members of the list.
2021-12-17 16:01:11 -07:00
Todd C. Miller
5d95345e60 Add an example cvtsudoers.conf file. 2021-12-16 15:42:21 -07:00
Todd C. Miller
991ef32508 Add group_file, match_local, and passwd_file to cvtsudoers.conf.
Previously, these were only settable via command line options.
2021-12-16 15:42:06 -07:00
Todd C. Miller
537f75dc74 Remove question about running Solaris 11 binaries on Solaris 10.
Current versions of sudo use many APIs that are not present on
Solaris 10.  If you want a sudo Solaris 10 binary, build it on
Solaris 10, not 11.
2021-12-12 18:57:17 -07:00
Todd C. Miller
7158b03b50 Add simple test for cvtsudoers merge functionality. 2021-12-12 10:28:09 -07:00
Todd C. Miller
955359af5d Updated translations from translationproject.org 2021-12-12 10:25:04 -07:00
Todd C. Miller
869994433f Add sudoers Spanish translation from translationproject.org 2021-12-12 10:24:53 -07:00
Todd C. Miller
7d7e24d167 Bugs #1013 and #1014 2021-12-11 16:27:58 -07:00
Todd C. Miller
c53192eb7e sudo_mkdir_parents: make sure the path we created is a directory
For extra paranoia, verify that the directory we created is still
a directory before we fchown() it.
2021-12-11 16:27:33 -07:00