Now that logging of successful commands is performed by sudoers as an
audit plugin we need to load sudoers_audit if sudoers_policy is also
loaded. Otherwise, accpted commands will not be logged.
With this change, the sudo front-end will send an "accept" audit
event to the audit plugins after all the I/O logging plugins have
been initialized. This can be used by an audit plugin that does
not care about the result of the individual policy and approval
plugins and only wants to receive a single "accept" event if all
policy and approval plugins have succeeded. The plugin_type argument
for events sent by the front-end is SUDO_FRONT_END (0).
This fixes an issue on Solaris 11.4 (and probably others) with "sudo
reboot" when I/O logging is enabled. Previously, sudo would kill
the command if it was still running after the event loop terminated,
leaving the system in a half-dead state.
Fixes a problem on Solaris 11.4 (and possibly others) where sudo
continually tries to put itself in the background after the user's
terminal has been revoked.
Previously we needed to include headers required by the various
sudo*h files. Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
Previously, if multiple instances of the same command line option were
specified, the last one would be used. This meant that, for example,
"sudo -u someuser -u otheruser id" would run the command as "otheruser".
This has the potential to cause problems for programs that run sudo with
a user-specified command that do not use the "--" option to indicate
that no more options should be processed. While this is a bug in
the calling program, there is little downside to erroring out when
multiple options of the same type are specified on the command line.
Bug #924
Fixes a problem when there are multiple users with the same user-ID
where the PAM session modules could be called with the wrong user name.
Debian bug #734752
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.
Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit. Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
Instead of opening the original file for writing w/ tuncation, we
first extend the file with zeroes (by writing, not seeking), then
overwrite it. This should allow sudo to fail early if the disk is
out of space before it overwrites the original file.
We currently have no good way to distinguish between an error
executing the command and an error while the command is running.
In the future, we should have additional status codes so we
can tell what type of condition caused the loop to exit.
For now, only kill the command if cstat is left uninitialized.
Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
if we set the limit to zero, even for root. This is not a problem
outside the container.
We need a close function to be able to to free memory allocated for
errstr. Unlike the other plugins, the close function is called
immediately after the plugin's check or show_version function.
The plugin does not remain open until the command completes.
This can be used to implement logging-only plugins.
The plugin functions now take an errstr argument that can be used
to return an error string to be logged on failure or error.
In getln() if the user enters ^U (erase line) and the write(2) fails,
the remaining buffer size is reset but the current pointer is not.
While here, fix an incorrect break for erase when write(2) fails.
Also disable pwfeedback when input is not a tty as it cannot work.
CVE-2019-18634
Credit: Joe Vennix from Apple Information Security.
Fixes sudoedit on macOS 10.15 and above where the root file system
is mounted read-only. See https://support.apple.com/en-us/HT210650.
From Dan Villiom Podlaski Christiansen. Bug #913
The warning message said the later I/O plugin was ignored but it
actually overwrote the existing one instead.
The first registered plugin of the same name now is used, as was intended.
Specifying more than one policy plugin is no longer a fatal error;
this allows the admin to fix the situation.
EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft
limit is lower than the current resource usage. This can be a
problem when restoring the old stack limit if sudo has raised it.
