The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.

Now that sudoers frees old values of NewArgv and command_info the
fuzzer needs to reset those values. Otherwise we end up with
stashed values that have already been garbage collected.

Address sanitizer requires that it be preloaded before any other
DSO in LD_PRELOAD. This should not be required for clang, which
links in asan statically by default.

Fixes building on Solaris and probably others. It is possible to
expose msg_control on Solaris but this requires a specific set of
feature flag defines which can cause other complications.

By default, sudoers will not require authentication of commands run
via an intercepted session. To require authentication of subsequent
commands, enable intercept_authenticate in sudoers.

It now takes an intercept fd as an optional argument instead of a
list of extra variables to add. This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.

This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global. This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.

The log server now advertises a subcommands flag if it supports
logging subcommands (e.g. commands run from a sudo-spawned program
like a shell). The client should only log additional commands
during a session if this flag is set in the ServerHello message.

If the perm stack depth is non-zero when set_perms(PERM_INITIAL)
is called, rewind it first and re-initialize the stack depth to 0.
Fixes a use-after-free bug if set_perms(PERM_INITIAL) is called
multiple times.

This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell. Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.

The available size passed to strlcpy() was computed incorrectly.
Switch to updating the length after writing to the new prompt instead
of computing it each time. The actual buffer size is computed and
allocated correctly so there is no real consequence to this bug.
Found by Qualys.

Originally, there was a flag in the ServerHello message to indicate
that the client should verify the server cert, but this was removed
when TLS was moved to a separate port. Client validation of the server
certificate is now configured in the sudoers file instead.