isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,574 Commits 1 Branch 0 Tags
c6987aa26ea12569e65bc7ab18e702b06ab8d715
Commit Graph

1652 Commits

Author SHA1 Message Date
Todd C. Miller
b75a8be34d Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it. 
This has a better chance of working on things like user-mode Linux.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
4010d06ed0 In ptrace(2) intercept mode, add execveat to the seccomp(2) filter. 
This allows us to avoid logging the initial command twice regardless
of whether the kernel supports execveat(2) or not.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
52cacfc302 For ptrace intercept mode, do not do a policy check for the initial command. 
We can skip the policy check for the execve(2) of the initial command
since it has already been check.  Otherwise, we would log the command
twice.  When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2).  However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
5d385b3c58 Enable intercept and log_subcmds for SELinux using ptrace and seccomp. 2022-04-29 13:09:03 -06:00
Todd C. Miller
423fbedb65 Suspend the child process and wait for SIGUSR when using ptrace. 
This fixes a race condition in ptrace-based intercept mode when
running the command in a pty.  It was possible for the monitor to
receive SIGCHLD when the command sent itself SIGSTOP before the
main sudo process did.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
fe80dc0bc2 Check architecture in the seccomp filter. 
Currently only supports the native architecture.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
8e7ead57f6 Add support for replacing argv in ptrace intecept mode. 
The new argv is written below the tracee's stack and the system
call argument is replaced with the new argv address.
 2022-04-29 13:09:03 -06:00
Todd C. Miller
8e375445fb Check the policy for ptrace-based intercept mode. 2022-04-29 13:08:59 -06:00
Todd C. Miller
3e73644cde Add support for getting the execve(2) arguments via ptrace(2). 
This will be used to perform a policy check in intercept mode.
 2022-04-29 12:35:34 -06:00
Todd C. Miller
01733a5214 Add scaffolding for ptrace-based intercept mode. 2022-04-29 12:35:31 -06:00
Todd C. Miller
22866f2423 Handle multiple child processes in the SIGCHLD handler. 
This is required by the uncoming ptrace intercept code.
 2022-04-29 08:02:57 -06:00
Todd C. Miller
46edc4e198 Stop using the WCONTINUED flag with waitpid(2). 
We don't use it for anything other than a debug message and it will
cause problems when intercept mode starts using ptrace(2).
 2022-04-29 08:02:57 -06:00
Todd C. Miller
d2da56dacc Add struct command details * to struct monitor_closure. 
This will be used in the future by the ptrace intercept code.
 2022-04-20 13:58:22 -06:00
Todd C. Miller
841375783a Don't require a pty for intercept or log_subcmmds. 
The code to take back control of the tty before a policy check
doesn't appear to be needed.  If the command is run in its own pty,
sudo has control over the user's tty.  If the command is run in
the user's tty, sudo should be in the foreground process group.
 2022-04-20 11:56:26 -06:00
Todd C. Miller
839c189373 Translate "unable to set limit privileges" strings. 2022-04-20 13:55:51 -06:00
Todd C. Miller
dcb2fb26a5 Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS 2022-04-01 11:14:59 -06:00
Todd C. Miller
e2692f1095 Write the \r\n pair to ttyfp if possible, falling back on fp. 
This is consistent with the vfprintf() call and fixes a problem
introduced by the last commit where the newline could be written
before the message instead of after.
 2022-03-15 17:33:58 -06:00
Todd C. Miller
210875796d sudo_conversation_printf: convert trailing nl to cr + nl combo. 
This fixes output when the terminal is in raw mode and is consistent
with how sudo_conversation() behaves.
 2022-03-14 20:11:38 -06:00
Todd C. Miller
de47380350 Block SIGCHLD when forking the mailer. 
Otherwise, it may be picked up by the signal handler instead of our
waitpid(2) call.
Don't warn if waitpid() returns 0 in a SIGCHLD handler.
 2022-03-14 13:54:12 -06:00
Todd C. Miller
1f64aca229 Unset LANGUAGE when running tests, otherwise it may override LC_ALL. 
Bug #1025.
 2022-03-14 13:51:03 -06:00
Todd C. Miller
c131b27474 For 'make check-verbose' run fuzzers with -verbose=1 
This is the default for libFuzzer but not for the stub fuzzer lib.
 2022-03-03 10:45:56 -07:00
Todd C. Miller
cdee5d48da Add check-verbose Makefile target that runs tests in verbose mode. 2022-03-02 13:32:08 -07:00
Todd C. Miller
2c329dbe42 verbose flag is boolean, not int 2022-03-01 15:47:47 -07:00
Todd C. Miller
e9155a067c Regenerate dependencies. 2022-03-01 11:32:23 -07:00
Todd C. Miller
a199abe0e5 Only display test totals unless run in verbose mode. 2022-02-28 20:18:54 -07:00
Todd C. Miller
f793042bec command_allowed: plug memory leak on strdup() failure. 
Coverity CID 249972
 2022-02-24 07:49:30 -07:00
Todd C. Miller
a299406291 Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid. 
If the /proc file indicates no terminal is present there is no fallback.
Bug #1020
 2022-02-02 08:32:44 -07:00
Todd C. Miller
5e30d01205 Quiet a PVS-Studio format string warning. 2022-01-19 09:20:42 -07:00
Todd C. Miller
757c3a1d37 When applying fallback limits, make sure we don't reduce rlim_max. 
Fixes a problem where sudo could reduce the max stack size on some
systems if the original limit was higher than the fallback limit,
but not unlimited/infinity.
 2022-01-11 13:30:20 -07:00
Todd C. Miller
1c95ab8852 Don't modify the stack limit if it is >= SUDO_STACK_MIN. 2022-01-11 13:21:32 -07:00
Todd C. Miller
2e08db3695 If sudo is not set-user-ID root, check for the no_new_privs flag on Linux. 
This flag disables set-user-ID at execve(2) time and may be set by
default for some containers.  GitHub issue #129.
 2022-01-09 17:31:06 -07:00
Todd C. Miller
48bc498a6f Add pam_askpass_service sudoers setting for "sudo -A". 
This makes it possible to use a different PAM configuration for
when "sudo -A" is used.  The main use case is to only use PAM modules
that can interact with the askpass program.  GitHub issue #112.
 2022-01-08 11:35:03 -07:00
Todd C. Miller
e22cc72530 Back out changes to enable SELinux by default. 
This may return in a future release in a different form.
 2021-12-22 11:13:22 -07:00
Todd C. Miller
f9f39cde20 dir_is_writable: don't treat EPERM from faccessat() as a fatal error. 
We can get EPERM on Linux with SELinux.  GitHub issue #122.
 2021-11-27 12:34:16 -07:00
Todd C. Miller
7085a64475 Avoid symbol name clash with is_writable() function variable. 
Rename "is_writable" variable to "writable".
 2021-11-09 13:39:30 -07:00
Todd C. Miller
7c8746bc70 Document resource limit support in command_info[] and Bump plugin API minor. 
This is supported beginning with sudo 1.9.9 and plugin API 1.17.
 2021-11-09 12:57:25 -07:00
Todd C. Miller
19065cb221 Use strtoul() on systems without strtoull(). 
We can assume that systems without strtoull() have 32-bit resource limits.
 2021-11-08 18:21:15 -07:00
Todd C. Miller
74ef983f60 Add front-end support for setting resouce limits. 
The special value "user" means preserve the invoking user's limit.
The value "default" means don't override the default limit for the
user as assigned by the system (PAM, loging.conf, userdb, etc).
 2021-11-08 18:21:11 -07:00
Todd C. Miller
9c465f84ad switch_user_nonfatal: only define if using faccessat() 2021-11-08 17:45:26 -07:00
Todd C. Miller
22d624c028 Rename selinux_setcon -> selinux_setexeccon 2021-11-05 12:34:03 -06:00
Todd C. Miller
e92c3d841e In the SELinux role is "unconfined_r", disable SELinux support. 
We only want to apply SELinux to confined users.  This is a bit of
a hack as unconfined_r is specific to the targeted policy.
 2021-11-05 12:33:31 -06:00
Todd C. Miller
e97fb5fd0b Separate out the code to compute the context from selinux_setup(). 
This makes it possible to determine whether we really need to execute
the command via the sesh helper.  What was left of selinux_setup()
is now selinux_relabel_tty() and selinux_audit_role_change().
 2021-11-05 12:33:20 -06:00
Todd C. Miller
a336a8422f Pass status of selinux sudoers setting to front-end as selinux-rbac. 
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.
 2021-11-05 12:32:02 -06:00
Todd C. Miller
6804632591 Make get_exec_context static, it is unused outside selinux.c. 2021-11-01 14:15:08 -06:00
Todd C. Miller
a527d6dfdd dir_is_writable: add fallback if changing UIDs fails 
The SELinux policy may not allow uid/gid changes which will break
the writability checks and cause sudoedit to fail.
 2021-11-05 12:24:51 -06:00
Todd C. Miller
73e9256f9d Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure. 
FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP.
This is only used to present the user with a more appropriate error
message.
 2021-09-26 08:05:08 -06:00
Todd C. Miller
5421c61828 Add intercept_cleanup() stub for when building w/o intercept support. 2021-09-20 09:01:05 -06:00
Todd C. Miller
a8c4d9800b Add intercept_cleanup() to free the closure used by intercept_accept_cb(). 2021-09-20 08:50:42 -06:00
Todd C. Miller
4289e9609d Teach mkdep.pl about --tag=disable-static in LTFLAGS. 
If static objs are disabled we need to add explicit dependencies for
.o files.  The OpenBSD libtool doesn't use a pic object file when
linking executables so we need to build the non-pic objects too.
 2021-09-13 09:33:17 -06:00
Todd C. Miller
51d5f05e67 sudo_interposer_init: verify message type from sudo 
We should only get a HelloResponse from sudo at this point.
 2021-09-15 11:20:45 -06:00