isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,082 Commits 1 Branch 0 Tags
cd74b83c213b03028c7a5da79c1b315ab03aeec4
Commit Graph

107 Commits

Author SHA1 Message Date
Robert Manner
468a5d228e logsrvd/eventlog.c: add a newline after each log message for logfile output 2020-04-06 07:31:01 -06:00
Robert Manner
ace8e18953 logsrvd/iolog_writer.c: treat runuid, rungid 0 as valid (usually ==root) 2020-04-06 07:31:01 -06:00
Todd C. Miller
c122e9bf62 Write process ID as an unsigned int (with a cast). 
On Solaris, pid_t may be typedef'd as a long but the actual range
is 32 bits at most.
 2020-03-29 09:11:57 -06:00
Todd C. Miller
f908ddd1bf Create a pidfile for sudo_logsrvd when not run with the -n flag. 2020-03-29 05:05:08 -06:00
Todd C. Miller
1b90f65609 sudo_logsrvd now exits with an error if it cannot open any listen sockets. 2020-03-29 05:05:08 -06:00
Todd C. Miller
cffda82e20 Do not use JSON_ARRAY with sudo_json_add_value() 2020-03-29 05:05:08 -06:00
Todd C. Miller
9b144069fc Store runenv in the I/O log info file too. 2020-03-29 05:05:08 -06:00
Todd C. Miller
ea9b711a70 Write an extended I/O info log in JSON format. 
This will be used by sudoreplay if it exists to get more information
about the command being replayed.
 2020-03-29 05:05:08 -06:00
Todd C. Miller
a644c1d1d2 iolog_parse_loginfo() now opens the log file itself. 2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
84d9c7b241 Add configure check for SSL_CTX_get0_certificate(). 
Dummy out verify_server_cert() if it is not present to allow building
on older OpenSSL versions.  Rewriting this to work with old OpenSSL
is not worth the trouble.
 2020-03-17 20:07:48 -06:00
Todd C. Miller
b308b63b50 Fix potential use-after-free; Coverity CID 208814 2020-03-11 19:28:36 -06:00
Todd C. Miller
f561e2cafe Store the event base in the client closure. 
Explicitly passing the event base removes the need to set a default base.
 2020-03-01 13:36:59 -07:00
Todd C. Miller
f40b4c2887 Open event log at config time instead of open/close for each entry. 
If logging via syslog, do the openlog() at config time instead.
We still lock the log file prior to writing to it but unlock
immediately after.
 2020-02-22 16:13:56 -07:00
Todd C. Miller
4b4db9694a Regenerate dependencies to match the recent JSON changes. 2020-02-20 11:35:28 -07:00
Todd C. Miller
a0c2de4cef Re-register listeners on SIGHUP. 
Previously, a config reload would refresh the listener address list
but the changes had no effect on the actual addresses being listened on.
 2020-02-18 13:13:03 -07:00
Todd C. Miller
adb3bdf6dd Fix compilation error when not built with OpenSSL support. 
Adds a missing #ifdef HAVE_OPENSSL and reorders code to avoid the
need for a static init_tls_server_context() prototype.
 2020-02-18 10:35:30 -07:00
Todd C. Miller
982c003b8d Add support for JSON structured logging using syslog. 
Note that depending on the system, the default syslog buffer
may not be large enough to store all the logging data.
 2020-02-17 16:25:18 -07:00
Todd C. Miller
5781a6a4cf Add support for JSON logging in sudo_logsrvd. 2020-02-17 16:10:56 -07:00
Todd C. Miller
25542216fe Fix support for reloading the config in sudo_logsrvd. 
We need to re-initialize the TLS server context.
Also fix a memory leak of the TLS parameters on reload.
 2020-02-17 15:01:38 -07:00
Todd C. Miller
ac61b5655d Use EXIT_SUCCESS and EXIT_FAILURE more consistently. 2020-02-08 12:43:00 -07:00
Todd C. Miller
630fc9b17b Make restart and elapsed members of the closure structs not pointers. 
Fixes coverity CID 207992
 2020-02-07 13:12:38 -07:00
Todd C. Miller
589adfee2d Only keepalive if accept() succeeded; coverity CID 207990 2020-02-07 12:54:53 -07:00
Todd C. Miller
2fe127d108 Move some scripts from the top level src dir to a scripts dir. 2020-02-06 14:30:26 -07:00
Laszlo Orban
0ca2d1427b fixed compiler error when sudo is configured without --enable-openssl 2020-02-03 06:09:47 -07:00
Laszlo Orban
1e5562df93 Refactor sudo_sendlog in order to be able to send one I/O log multiple times in parallel (for testing purposes) 2020-01-31 13:45:13 -07:00
Laszlo Orban
24c9438486 logserver option to disable certificate verification on server side and server authentication on client side 2020-01-23 10:12:12 -07:00
Laszlo Orban
9935a7e2ff Rename tls_checkpeer to tls_reqcert in ServerHello message 2020-01-23 10:12:12 -07:00
Laszlo Orban
38160d0ccb logserver: enable/disable SO_KEEPALIVE socket option based on tcp_keepalive configuration option in sudo_logsrvd.conf 2020-01-22 10:52:18 -07:00
Todd C. Miller
dde86e585f Add support for building on OpenSSL 1.0.2. 
This adds compatibility defines for some OpenSSL 1.1.x functions.
 2020-01-21 13:27:40 -07:00
Todd C. Miller
c3bd025052 Store the server host name and IP in client_closure_fill(). 
Also check for getpeername() and inet_ntop() failure.
 2020-01-20 14:03:41 -07:00
Todd C. Miller
2d91555e85 Fix handling of SSL_ERROR_WANT_{READ,WRITE} during normal I/O. 
If we get SSL_ERROR_WANT_WRITE during SSL_read(), we need to resume
the SSL_read(), not call SSL_write() as we were doing.  Likewise
for SSL_ERROR_WANT_READ received from SSL_write().
This introduces a flag so we call the proper callback even when
the I/O direction doesn't match the read/write calls.
 2020-01-20 12:42:39 -07:00
Todd C. Miller
5913c63642 Add abs_top_srcdir and abs_top_builddir and use them. 
Configure provides absolution versions of srcdir, builddir, top_srcdir
and top_builddir.  We can use these instead of calling pwd.
 2020-01-20 06:37:42 -07:00
Todd C. Miller
47d9504716 Add debugging statements to certificate checks. 2020-01-18 12:57:24 -07:00
Todd C. Miller
d2b7148b6c Using "libtool --clean" to remove regular files is slow. 
We only need to use libtool's clean mode to remove files created by libtool.
 2020-01-18 05:53:55 -07:00
Laszlo Orban
829fb9db84 do client identity validation in logserver 2020-01-18 05:49:54 -07:00
Todd C. Miller
9b12b21eaa Fix TLS accept when SSL_accept() returns SSL_ERROR_WANT_WRITE. 
We need to switch from SUDO_EV_READ to SUDO_EV_WRITE for this case.
 2020-01-16 17:37:46 -07:00
Todd C. Miller
36b3362b99 Fix TLS connect when SSL_connect returns SSL_ERROR_WANT_READ. 
We need to switch from SUDO_EV_WRITE to SUDO_EV_READ for this case.
Also make the tls connect events private to tls_timed_connect()
with their own closure.  There is no need to store them in the
client closure.
 2020-01-16 17:37:45 -07:00
Todd C. Miller
fb9d7d8cc6 Store submit time in struct iolog_info. 
Fixes missing time stamp in remote I/O log info file.
 2020-01-16 17:37:36 -07:00
Todd C. Miller
920cdf421a Check for sudo_ev_add() failure; Coverity CID 206395 206397 2020-01-03 04:48:56 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Laszlo Orban
5e36cc655c cert files can contain the full chain of trust, so load all certs in every case for verification 2019-12-06 11:17:12 +01:00
Laszlo Orban
1dceb8bbb8 add default values for cert paths 2019-12-04 14:18:24 +01:00
Laszlo Orban
f5e0e2a4bb Merge pull request #11 from sudo-project/audit-server-tls-async 
Sudo audit Server - TLS protocol update
 2019-11-27 08:29:19 +01:00
Laszlo Orban
06a0f89704 disable timeout for the reader after ServerHello message 2019-11-26 14:07:56 +01:00
Laszlo Orban
21e7fdfd55 use event timeout instead of socket timeout 2019-11-26 08:36:02 +01:00
Laszlo Orban
f4bbce6708 adapt sudo sendlog (async communication, unencrypted ServerHello message) 2019-11-26 08:36:02 +01:00
Todd C. Miller
1747e50090 Exit if the first call to logsrvd_conf_read() fails. 
It is not fatal if subsequent calls fail (due to SIGHUP) since we
keep a copy of the old config before installing the new one.
 2019-11-25 13:38:22 -07:00
Laszlo Orban
f67d0d13cf ServerHello message is now unencrypted, TLS communication has been refactored to full async 2019-11-22 11:11:55 +01:00
Laszlo Orban
33f6a16764 extend ServerHello message with two fields (tls, tls_checkpeer) 2019-11-22 11:11:55 +01:00