isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,843 Commits 1 Branch 0 Tags
c9f26ebbb4739d7db2a4fcdb3e69ac1ec2a0353c
Commit Graph

9843 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
333ea878e2 Add some missing files to "make clean" and "make distclean" 2019-11-25 13:28:58 -07:00
Todd C. Miller
42adbca7ad Update .hgignore and convert to .gitignore 2019-11-25 12:57:03 -07:00
Laszlo Orban
f67d0d13cf ServerHello message is now unencrypted, TLS communication has been refactored to full async 2019-11-22 11:11:55 +01:00
Laszlo Orban
33f6a16764 extend ServerHello message with two fields (tls, tls_checkpeer) 2019-11-22 11:11:55 +01:00
Todd C. Miller
f976a5d866 For plugin API 1.15 and up, always call the plugin close function. 
Previously, it was only called when a command was run (including
sudoedit).  Now, plugin operations list, validate, invalidate, and
show_version are also closed.
 2019-11-20 10:57:47 -07:00
Todd C. Miller
2143746370 Avoid NULL deref on an error path if calloc() fails. 
Coverity CID 205873
 2019-11-19 19:00:31 -07:00
Todd C. Miller
e0a4b2d68a Fix potential fd leak when converting trailing newline to cr + nl. 
Coverity CID 205872
 2019-11-19 18:57:22 -07:00
Todd C. Miller
b31b830518 Document the process of creating self-signed certificates for sudo_logsrvd. 
Based on a document from Laszlo Orban.
 2019-11-19 14:29:40 -07:00
Todd C. Miller
c7cac7c0e6 Sync with argument handling in group_plugin.c 2019-11-19 12:46:21 -07:00
Todd C. Miller
a3266edc27 If a group plugin has optional arguments, NULL terminate the vector. 
Otherwise, the plugin cannot determine the end of arguments.
The behavior now matches the plugin documentation.
 2019-11-19 10:30:22 -07:00
Todd C. Miller
368e12b0f9 If there is no session or terminal group ID, pass the plugin a value of 0. 
This behavior already matches what is documented in the sudo_plugin
manual for "sid" but the "tcpgid" entry needed to be updated.
 2019-11-18 16:25:52 -07:00
Todd C. Miller
d10220162d Don't touch the local iolog sequence file if we are logging remotely 2019-11-18 13:51:52 -07:00
Todd C. Miller
6c2821fe42 Plug a memory leak found by leak sanitizer 2019-11-18 11:50:25 -07:00
Todd C. Miller
3241b82a7e Make a shallow copy of user_env in I/O plugin in case it is reallocated. 
The policy plugin's session init function may reallocate the user
environment pointer.  Fixes a use after free when PAM is used.
 2019-11-18 10:29:11 -07:00
Todd C. Miller
f913249dd0 Rename "log_server" in sudoers to "log_servers" to match I/O plugin. 2019-11-18 09:39:03 -07:00
Todd C. Miller
810669c4f0 Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt(). 
It's a little more obvious this way and ssl is only non-NULL when the
tls option is enabled anyway.
 2019-11-17 08:06:37 -07:00
Todd C. Miller
5be951bd79 Init iolog_dir_fd and sock in connection_closure before adding to list. 
Otherwise we could close the wrong fds in the error path.
 2019-11-17 08:02:20 -07:00
Todd C. Miller
82fea739af Add Laszlo Orban 2019-11-17 06:44:09 -07:00
Todd C. Miller
4bb2b2f605 regen 2019-11-16 19:14:40 -07:00
Todd C. Miller
366a63ce58 Change TLS example file locations to be under /etc/ssl/sudo. 2019-11-16 19:13:53 -07:00
Todd C. Miller
49c09ee2d8 Document sudo_logsrvd TLS configuration. 2019-11-16 13:01:49 -07:00
Todd C. Miller
dae0da2fe3 Include time.h for struct timespec. 2019-11-15 16:32:45 -07:00
Todd C. Miller
20bc94635d Add sudo_ev_set_v1 to the exports file. 2019-11-15 16:30:46 -07:00
Todd C. Miller
d8ccf11c58 Document the log_server and log_server_timeout options 2019-11-15 13:41:52 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
58cede6fee Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv 2019-11-15 13:35:58 -07:00
Todd C. Miller
f6acc134f4 When freeing an event base, reset ev->base to NULL for associated events. 2019-11-15 13:35:19 -07:00
Todd C. Miller
3689839a0e Move cb_timeout() out from under the HAVE_OPENSSL ifdef. 2019-11-15 13:33:47 -07:00
Todd C. Miller
690f145d3f LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites(). 
Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
 2019-11-15 13:19:28 -07:00
Todd C. Miller
68480b0959 Minor style nits that I missed during review. 2019-11-15 12:48:42 -07:00
Todd C. Miller
c9da8d4084 Avoid calling SSL_CTX_free() on an uninitialized pointer in an error path. 2019-11-15 12:26:44 -07:00
Todd C. Miller
f08c98a6aa Merge pull request #9 from sudo-project/audit-server-tls-support 
Audit server tls support
 2019-11-15 11:30:39 -07:00
Laszlo Orban
8c8023d212 update sudo_sendlog to support openssl tls 2019-11-15 09:52:48 +01:00
Laszlo Orban
b9641816d6 set timeout value for the socket 2019-11-15 09:52:48 +01:00
Laszlo Orban
e201f104d4 make audit server openssl dependency optional; tls layer is compiled only if sudo is built with --enable-openssl feature switch 2019-11-15 09:52:48 +01:00
Laszlo Orban
9df5e6c11d fixed segfault when connection_closure_free() tries to remove a non-existent connection object from the list 2019-11-15 09:52:48 +01:00
Laszlo Orban
764fb3e6bd verify server/client certs with CA certificate chain file 2019-11-15 09:52:48 +01:00
Laszlo Orban
037fb9298e fix copy-paste mistake 2019-11-15 09:52:48 +01:00
Laszlo Orban
3615576481 process tls config params in the audit server and establish TLS connection accordingly 2019-11-15 09:52:48 +01:00
Todd C. Miller
9309ca0074 Simplify resource limit fallback logic a bit. 2019-11-12 07:26:14 -07:00
Laszlo Orban
2c5e421761 add configuration options for TLS 2019-11-12 10:26:48 +01:00
Todd C. Miller
da82b16fc4 Add sudo logo designers 2019-11-11 19:57:39 -07:00
Todd C. Miller
f3ebe5025a Don't set the RLIMIT_STACK soft/hard limits to unlimited. 
Use 8Mb for soft and 64Mb for hard.
Works around issues on macOS and docker.  See also Bug #908
 2019-11-11 17:57:10 -07:00
Todd C. Miller
4a893912ce Restore resource limits before executing the askpass program. 
Linux with docker seems to have issues executing a program when the
stack size is unlimited.  Bug #908
 2019-11-11 16:07:43 -07:00
Todd C. Miller
ad52ce6612 Check for replies pointer being NULL just in case. 2019-11-11 14:10:13 -07:00
Todd C. Miller
6863a848d6 Convert trailing newline to carriage return + newline for tty. 
Does not currently handle embedded newlines.
 2019-11-09 10:13:56 -07:00
Todd C. Miller
f6a3dc6d27 Only write a carriage return if output is to a tty. 2019-11-08 19:40:49 -07:00
Todd C. Miller
b4878c95e7 Include a carriage return when printing warning messages. 
Otherwise, if the command is running in a pty the output is stair-stepped.
 2019-11-08 16:21:00 -07:00
Todd C. Miller
9f3bbdbd6f Add sudo_parse_host_port_v1 and sudo_pow2_roundup_v1 to exports file. 2019-11-07 18:09:44 -07:00