Todd C. Miller
930271847a
clean_output: prune lines that consisting of '^' characters and whitespace.
...
Starting with Python 3.11, backtraces may contain a line with '^'
characters to bring attention to the important part of the line.
Also replace "REJECT" with "0" in backtrace output for Python 3.11.
2022-04-11 19:05:06 -06:00
Todd C. Miller
dcb2fb26a5
Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS
2022-04-01 11:14:59 -06:00
Todd C. Miller
6af2b4188a
Minor style nit.
2022-03-16 15:53:17 -06:00
Dianne Skoll
11c6cdc02b
If we're using Kerberos, don't overwrite a custom prompt if one was given with -p
...
Thanks to @thend20 for testing this patch.
2022-03-16 16:46:18 -04:00
Todd C. Miller
7537713904
Adjust starttime test when run under Debian faketime.
...
Bug #1026
2022-03-15 08:38:27 -06:00
Todd C. Miller
ff17317988
Do not warn, log or send mail for errors when reinitializing defaults.
...
If there is a problem, we would have already warned, logged or mailed it.
The one exception is the initial defaults, which should never fail.
2022-03-14 13:54:12 -06:00
Todd C. Miller
e5a50ae429
If there are multiple parse errors, send them in a single mail message.
2022-03-14 13:54:11 -06:00
Todd C. Miller
1f64aca229
Unset LANGUAGE when running tests, otherwise it may override LC_ALL.
...
Bug #1025 .
2022-03-14 13:51:03 -06:00
Todd C. Miller
ef4ce5c08a
Looser owner/permission checks for an uninstalled sudoers file.
...
We don't check the owner or permissions on a sudoers file that is
specified as an argument to visudo by default. However, the owner
and mode of files included via @includedir were still checked. This
commit makes the owner and permissions checks for filed included
via @includedir follow the same as for the original sudoers file.
2022-03-11 10:44:17 -07:00
Todd C. Miller
8e7c004c7f
Add missing va_start/va_end around call to sudoers_error_hook().
...
Coverity CID 250885
2022-03-11 08:37:06 -07:00
Todd C. Miller
8dae0ba06c
Fix off-by-one when storing line number in userspec.
...
We store the line number *after* parsing the newline so we need to
subtract one.
2022-03-10 20:05:40 -07:00
Todd C. Miller
65e5b89f1d
Pass file, line and column to sudoers defaults callbacks.
2022-03-10 13:35:58 -07:00
Todd C. Miller
d7ddff2a31
Add a hook for sudoers parse errors (including defaults and aliases).
...
The hook can be used to log parser errors (sudoers module) or keep
track of which files have an error (visudo).
Previously, we only kept track of a single parse error.
2022-03-10 13:30:56 -07:00
Todd C. Miller
6ec279532e
Add a source to struct sudo_nss and use it if getdefs() fails.
...
Also remove useless "Problem with defaults entries" warning in testsudoers.
2022-03-09 12:38:25 -07:00
Todd C. Miller
346dce4358
Remove extra newline in sudo_warnx() calls.
2022-03-06 18:56:28 -07:00
Todd C. Miller
7d3f9293c6
Preserve the column and error message when there is a syntax error.
...
This information is now included in the error mail sent to root.
2022-03-06 18:54:30 -07:00
Todd C. Miller
dfda098ae7
Deinit python subinterpreters in reverse order (last to first).
...
This appears to work around a crash on OpenBSD with Python 3.9.10.
2022-03-06 18:39:12 -07:00
Todd C. Miller
c131b27474
For 'make check-verbose' run fuzzers with -verbose=1
...
This is the default for libFuzzer but not for the stub fuzzer lib.
2022-03-03 10:45:56 -07:00
Todd C. Miller
cdee5d48da
Add check-verbose Makefile target that runs tests in verbose mode.
2022-03-02 13:32:08 -07:00
Todd C. Miller
dda14cb57a
Less verbose output unless the -v option is used.
...
Also display a test summary at the end.
2022-03-01 16:09:32 -07:00
Todd C. Miller
e9155a067c
Regenerate dependencies.
2022-03-01 11:32:23 -07:00
Todd C. Miller
c2bd52edf8
Allow test harness to be run from any directory.
...
Also add missing copyright notice.
2022-02-28 19:39:33 -07:00
Todd C. Miller
a57e979962
Adapt test harness for lib/util and move to regress directory.
2022-02-28 14:15:43 -07:00
Todd C. Miller
f35bbd5a3f
Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script.
...
It is easier to maintain these tests in script form. The output
now more closely matches that of the other tests. The harness
script can be invoked directly and supports running specific tests.
2022-02-28 11:29:38 -07:00
Todd C. Miller
e7b7c902db
Updated translations from translationproject.org
2022-02-27 09:03:54 -07:00
Todd C. Miller
e5bbd33834
testsudoers/test18: don't rely on /usr/bin/w being present
...
Fixes a test failure on Alpine Linux.
2022-02-25 09:46:26 -07:00
Todd C. Miller
22a01410bd
sudo_ldap_parse_options: fix memory leak of sudoRole cn string.
...
Coverity CID 249976
2022-02-24 07:56:38 -07:00
Todd C. Miller
b1fd1ec0fc
display_lecture: just return if callback is NULL
2022-02-23 21:09:33 -07:00
Todd C. Miller
b0fa769504
Better warning message when the digest in sudoers is the wrong length.
2022-02-22 12:15:34 -07:00
Todd C. Miller
41bc52302b
Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set.
2022-02-22 12:04:10 -07:00
Todd C. Miller
2911c31dd7
Display the lecture immediately before prompting for a password.
...
This means we no longer display the lecture unless the user is going
to enter a password. Authentication methods that don't interact
with the user via the terminal don't trigger the lecture.
2022-02-21 19:34:06 -07:00
Todd C. Miller
9757d29a24
Add back warning when a user is not allowed to run a command.
...
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host.
The new behavior is to display the warning if a command is denied
and mail is sent to the administrator. Whether or not mail is sent
is controlled by the "mail_*" flags in sudoers. The warning text
is now "This incident has been reported to the administrator." which
is hopefully less confusing. The message will not be printed if
either the "mailto" or "mailerpath" sudoers settings are disabled.
2022-02-21 14:03:05 -07:00
Todd C. Miller
98ac09de38
Don't try to send mail if mailto not set or the mailer is not present.
2022-02-20 19:11:33 -07:00
Todd C. Miller
bde48fb4c5
Updated translations from translationproject.org
2022-02-18 09:45:52 -07:00
Todd C. Miller
de52b8e443
fmt_authfail_message: compute the exact amount of space needed.
...
Instead of truncating on overflow, warn and return NULL.
2022-02-15 19:48:06 -07:00
Todd C. Miller
f01b044010
log_server_alert: plug potential memory leak
...
Coverity CID 249328
2022-02-15 19:50:55 -07:00
Todd C. Miller
72961fe433
Fix potential NULL deref if getpwuid(0) fails.
...
Coverity CID 249326
2022-02-15 19:41:31 -07:00
Todd C. Miller
9f695f0fcc
Restrict "sudo -U other -l" to users with sudo ALL for root or "other".
...
Having "sudo ALL" permissions in no longer sufficient to be able to
list another user's privileges. The invoking user must now have
"sudo ALL" for root or the target user.
GitHub issue #134
2022-02-14 13:09:55 -07:00
Todd C. Miller
0e2e4b6882
Update Project-Id-Version to 1.9.10.
2022-02-11 18:34:04 -07:00
Todd C. Miller
541c165e65
Update .pot files for 1.9.10
2022-02-11 14:15:31 -07:00
Todd C. Miller
7c17f84a35
Add helper function to compile a regex that supports (?i).
2022-02-11 12:01:31 -07:00
Todd C. Miller
86d2173937
Add support for matching command and args using regular expressions.
...
Either the command, its arguments or both may be (separate)
regular expressions.
2022-02-10 18:26:24 -07:00
Todd C. Miller
c8bf591042
Clear sudoers_errstr after it is used.
...
This way we avoid printing the same error message more than once
if there are multiple ERROR tokens returned from the lexer.
2022-02-10 16:09:44 -07:00
Todd C. Miller
4e3a48f2d1
testsudoers: disable argument permutation in GNU getopt
...
This makes it easier to test commands with arguments.
2022-02-10 10:36:03 -07:00
Todd C. Miller
c5027c796c
Free potential leaks of passprompt_regex_handle.
...
Coverity CID 249057
2022-02-10 09:08:31 -07:00
Jaroslav Jindrak
1f3815c4fb
Do not unset user timeout when no default timeout is set.
2022-02-09 17:37:26 +01:00
Todd C. Miller
10ad934b77
Don't escape double quotes (") in a command when printing it.
...
Previously, cvtsudoers and "sudo -l" would escape double quotes in
a command or command line argument, which is not valid sudoers syntax.
2022-02-08 15:44:18 -07:00
Todd C. Miller
c5133d84eb
Upgrade http links to https where possible and fix some broken links.
2022-02-04 08:31:03 -07:00
Todd C. Miller
6aa320c96a
Remove "This incident will be reported." from user warnings.
...
This used to indicate that email had been sent to the administrator
telling them that someone tried to run sudo. Whether or not sudo
sends email is now configurable, so the warning may not be accurate.
It is also confusing to the user since they will not know who the
incident is being reported to. See also https://xkcd.com/838/
2022-02-03 19:47:44 -07:00
Todd C. Miller
4d0aeea688
Log fn_get_values() return code in the debug log on error.
...
Also move a nested switch() statement out of 'case 0' for
improved readability.
2022-02-03 12:31:56 -07:00