Todd C. Miller
dd2c345be9
Avoid Heimdal'isms introduced in the rev 1.32 rewrite of verify_krb_v5_tgt()
2008-02-13 22:17:14 +00:00
Todd C. Miller
04bb8f00fc
Remove dependence on VALIDATE_NOT_OK in logging functions.
Split log_auth() into log_allowed() and log_denial()
Replace mail_auth() with should_mail() and a call to send_mail()
2008-02-13 12:28:37 +00:00
Todd C. Miller
4f5d9371a3
Add debugging so we can tell if the krb5 ccache is accessible
2008-02-10 23:06:19 +00:00
Todd C. Miller
ebae55854a
mention --with-selinux
2008-02-10 22:34:40 +00:00
Todd C. Miller
9635907f29
regen
2008-02-09 14:48:21 +00:00
Todd C. Miller
cc47d67b4f
add Sudo tag
2008-02-09 14:43:32 +00:00
Todd C. Miller
4c992e1901
Add support for SELinux RBAC. Sudoers entries may specify a role and type.
There are also role and type defaults that may be used. To make sure a
transition occurs, when using RBAC, commands are executed via the new sesh
binary. Based on initial changes from Dan Walsh.
2008-02-09 14:30:07 +00:00
Todd C. Miller
c7a2ef7a1e
Add support for SELinux RBAC. Sudoers entries may specify a role and type.
There are also role and type defaults that may be used. To make sure a
transition occurs, when using RBAC, commands are executed via the new sesh
binary. Based on initial changes from Dan Walsh.
2008-02-09 14:30:06 +00:00
Todd C. Miller
f2b70188b6
Add support for SELinux RBAC. Sudoers entries may specify a role and type.
There are also role and type defaults that may be used. To make sure a
transition occurs, when using RBAC, commands are executed via the new sesh
binary. Based on initial changes from Dan Walsh.
2008-02-09 14:30:06 +00:00
Todd C. Miller
5d20923c2f
Add long list (sudo -ll) support for printing verbose LDAP and sudoers
file entries. Still need to update manual.
2008-02-08 13:18:12 +00:00
Todd C. Miller
3c7b76bb54
Unify the -l output for file and ldap based sudoers and use lbufs for both.
The ldap output does not currently include options that cannot be represented
as tags. This will be remedied in a long list output mode to come.
2008-02-03 15:43:38 +00:00
Todd C. Miller
8e33f63484
Use a specific error message for errno == EAGAIN when setuid() et al fails.
On Linux systems setuid() will fail with errno set to EAGAIN if changing
to the new uid would result in a resource limit violation.
2008-01-27 21:37:54 +00:00
Todd C. Miller
72656eaf3b
Unlimit nproc on Linux systems where calling the setuid() family
of syscalls causes the nproc resource limit to be checked. The
limits will be reset by pam_limits.so when PAM is used. In the
non-PAM case the nproc limit will remain unlimited but there doesn't
seem to be a way around that other than having sudo parse
/etc/security/limits.conf directly.
2008-01-27 21:34:41 +00:00
Todd C. Miller
801860b298
Only read /etc/environment on Linux and AIX
2008-01-27 21:31:27 +00:00
Todd C. Miller
f0dc1caa45
Use SUDO_DEFINE_UNQUOTED instead of AC_DEFINE_UNQUOTED to prevent
ldap.conf and ldap.secret paths from going into config.h.
Avoid single quotes in variable expansion when using SUDO_DEFINE_UNQUOTED
since in some versions of bash they will end up literally in the resulting
define.
2008-01-23 11:33:27 +00:00
Todd C. Miller
cc346a5ecf
mention --with-nsswitch=no
2008-01-21 18:22:51 +00:00
Todd C. Miller
48df9c481b
ldap_ssl.h depends on ldap.h being included first
2008-01-21 16:43:10 +00:00
Todd C. Miller
a3e6610e01
Include ldap_ssl.h if we can find it. Needed for the ldapssl_set_strength
defines on HP-UX at least.
2008-01-21 16:07:42 +00:00
Todd C. Miller
870334373d
sync
2008-01-21 15:04:40 +00:00
Todd C. Miller
40fb31c0a5
sync
2008-01-21 15:02:46 +00:00
Todd C. Miller
bc5772f798
regen
2008-01-21 15:01:37 +00:00
Todd C. Miller
b54eff661f
Use 78n line length when formatting cat pages.
2008-01-21 15:00:54 +00:00
Todd C. Miller
57a6ebde5d
Remove redundant info that is now in sudoers.ldap.pod
2008-01-21 14:50:54 +00:00
Todd C. Miller
a48e85e1ab
Reorganize the first section a bit. Substitute the proper path for
/etc/sudoers.
2008-01-20 21:18:56 +00:00
Todd C. Miller
e1db0d126f
Substitute values for ldap.conf, ldap.secret and nsswitch.conf
Move schema into EXAMPLES
2008-01-20 15:17:35 +00:00
Todd C. Miller
c268627f90
Substitute values for ldap.conf, ldap.secret and nsswitch.conf into
sudoers.ldap.man.
2008-01-20 15:15:47 +00:00
Todd C. Miller
49f2264ad6
substitute for sudoers.ldap.man
2008-01-20 01:35:54 +00:00
Todd C. Miller
32d57a928d
Fix cut & pasto introduced when adding sudoers.ldap man page.
2008-01-20 01:34:44 +00:00
Todd C. Miller
961a79b743
Fill in some of the missing pieces. Still needs some reorganization and
editing.
2008-01-20 01:25:39 +00:00
Todd C. Miller
907be979cb
Beginnings of a sudoers.ldap man page. Currently, much of the information
is adapted from README.LDAP.
2008-01-19 20:06:09 +00:00
Todd C. Miller
2a5a01c22d
When copying gr_mem we must guarantee that the storage space for
gr_mem is properly aligned. The simplest way to do this is to
simply store gr_mem directly after struct group. This is not a
problem for gr_passwd or gr_name as they are simple strings.
2008-01-18 22:32:52 +00:00
Todd C. Miller
09c1189d1b
Fix a typo/thinko in one of the calls to sudo_ldap_check_user_netgroup().
From Marco van Wieringen.
2008-01-18 21:47:05 +00:00
Todd C. Miller
0f6101bb26
include <mps/ldap_ssl.h> in ldap.c if available
2008-01-17 20:44:28 +00:00
Todd C. Miller
5fc4d8fa10
Make sure we define SIZE_MAX for yacc's skeleton.c
2008-01-16 23:20:35 +00:00
Todd C. Miller
ebcf3cf399
Use TCSAFLUSH when restoring terminal settings (and echo) to guarantee that any pending output is discarded
2008-01-16 18:03:08 +00:00
Todd C. Miller
fb4b049788
no longer need to specify SETENV when user has sudo ALL
2008-01-15 22:18:11 +00:00
Todd C. Miller
18d42bf8b4
sync user_args size calculation with sudo.c
Add -g group option, renaming old -g to -G
Add set_runasgr() and set_runaspw() and use them
2008-01-15 14:40:48 +00:00
Todd C. Miller
7f05a4ff6f
Make set_runaspw static void
2008-01-15 14:23:58 +00:00
Todd C. Miller
6c1ef6839c
g/c set_runaspw stub
2008-01-15 14:17:31 +00:00
Todd C. Miller
63f224f045
Don't add -llber twice.
2008-01-15 12:28:33 +00:00
Todd C. Miller
6131e9f36e
fix typo
2008-01-14 11:40:08 +00:00
Todd C. Miller
2ff13a2403
regen
2008-01-13 20:39:54 +00:00
Todd C. Miller
dde5143f08
Fix check that determines whether -llber is required.
2008-01-13 19:57:34 +00:00
Todd C. Miller
9a07c1a7f1
For netscape-based LDAP, use ldapssl_set_strength() to implement
the checkpeer ldap.conf option.
2008-01-13 19:22:11 +00:00
Todd C. Miller
0851d77f10
Delay krb5_cc_initialize() until we actually need to use the cred cache,
which is what krb5_verify_user() does.
Better cleanup on failure.
2008-01-13 14:49:43 +00:00
Todd C. Miller
584ab252d7
Rewrite verify_krb_v5_tgt() based on what heimdal's krb5_verify_user() does.
2008-01-12 17:40:43 +00:00
Todd C. Miller
7a110f08ce
The U suffix on constants is an ANSI feature
2008-01-09 19:58:39 +00:00
Todd C. Miller
1df9ca2dc1
Add check for ber_set_option() in -llber
2008-01-09 17:08:30 +00:00
Todd C. Miller
8db7b8e590
default if no nsswitch.conf is files only
2008-01-07 00:02:58 +00:00
Todd C. Miller
1b6275a694
don't tell people to mail aaron about LDAP stuff
2008-01-06 22:28:03 +00:00