Commit Graph

11012 Commits

Author SHA1 Message Date
Todd C. Miller
620b0dec86 Only replace the last instance of "sudo" in example and doc dir.
Otherwise we end up with weird paths for a prefix like /opt/sudo.
2021-04-15 10:31:28 -06:00
Todd C. Miller
a1323ba43b Fix lint warning. 2021-04-13 14:29:59 -06:00
Todd C. Miller
556b8f62cb Mention relay mode and update TLS example. 2021-04-13 14:24:50 -06:00
Todd C. Miller
d028410bf7 If libssl_dep was not passed in, use ldd to determine its value.
Normally, mkpkg will figure this out, but if the user does "make
package" outside of the mkpkg script, libssl_dep will not be set.
2021-04-13 10:00:57 -06:00
Todd C. Miller
28d41cecad Enable the use of OpenSSL if log client/server not disabled.
This adds a dependency on OpenSSL unless it is explicitly disabled
(--disable-openssl) or the sudo log client and server are disabled
(--disable-log-client and --disable-log-server).
2021-04-12 14:10:49 -06:00
Todd C. Miller
b8fda5b0a9 configure aux scripts moved to the scripts directory 2021-04-09 16:30:39 -06:00
Todd C. Miller
4e9baba2b5 Set logsrvd_config to NULL in logsrvd_conf_cleanup() after freeing it.
Fixes a double free in fuzz_logsrvd_conf (but not sudo_logsrvd itself).
Also fix linking fuzz_logsrvd_conf with OpenSSL.
2021-04-09 14:02:50 -06:00
Todd C. Miller
e4e0e734b9 Update sudo_logsrvd.conf fuzzer to match configuration changes. 2021-04-09 13:34:36 -06:00
Todd C. Miller
ae77355eda Document relay configuration changes. 2021-04-09 12:58:57 -06:00
Todd C. Miller
163a5f08b5 Move relay configuration into its own section and add TLS options.
TLS options in the relay section will be used if specified, otherwise
the TLS options from the server section are used.
2021-04-08 19:14:05 -06:00
Todd C. Miller
25d4dd8e6d Add "server" and "relay" to getters/callbacks specific to server and relay. 2021-04-08 19:09:55 -06:00
Todd C. Miller
90770794db Remove struct logsrvd_tls_config.
Now that the SSL context is initialized in logsrvd_conf.c there's
no need to export TLS configuration other than tls_check_peer.
2021-04-08 18:07:59 -06:00
Todd C. Miller
9779996c3c No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. 2021-04-08 15:39:26 -06:00
Todd C. Miller
990fa4f5ad Move allocation of the TLS context to logsrvd_conf_apply().
This way we get certificate errors at configuration time, not after.
It also means that a change to the config file that renders the TLS
settings invalid will no longer cause the server to exit.  The new
config will just be ignored as if there was a syntax error.
2021-04-08 15:31:33 -06:00
Todd C. Miller
8f0c16f06e Only initialize the SSL library once. 2021-04-08 15:14:13 -06:00
Todd C. Miller
c2909e20ee Sanity check struct timespec in timestamp file.
Coverity CID 220564
2021-04-07 11:10:17 -06:00
Todd C. Miller
394673cbf5 Check lseek(fd, 0, SEEK_CUR) for -1 return value.
Not actually possible in practice.  Coverity CID 220568.
2021-04-07 10:59:12 -06:00
Todd C. Miller
42865567d7 Check for NULL ifa->ifa_addr and ifa->ifa_netmask in both loops. 2021-04-07 08:15:10 -06:00
Todd C. Miller
52c29aa7a0 Plug memory leak on overflow; Coverity CID 220556 2021-04-06 21:38:43 -06:00
Todd C. Miller
37e8b58684 In schedule_commit_point() do not free the closure on error.
It is the caller's responsibility to free resources on error.
Coverity CID 220557
2021-04-06 19:13:33 -06:00
Todd C. Miller
a2e4f53642 Cast NULL terminator argument to char * when calling sudo_mkgrent().
Avoids a portability issue on systems where NULL is not a pointer.
2021-04-06 18:57:33 -06:00
Todd C. Miller
d92610ee43 Rename LOGSRVD_DEFAULT_CIPHER_LST13 to DEFAULT_CIPHER_LST13 2021-04-06 17:03:30 -06:00
Todd C. Miller
5cb5a45bab Include string.h for strerror(3) prototype. 2021-04-06 16:54:30 -06:00
Todd C. Miller
3f1a76cb83 Move connect_relay_tls() so we don't need a prototype for it.
Fixes a warning when sudo is not configured to use OpenSSL.
2021-04-06 16:53:35 -06:00
Todd C. Miller
3aec794b75 Document relay and connect_timeout server settings. 2021-04-06 16:30:41 -06:00
Todd C. Miller
86c815fd61 Add logsrvd_conf_cleanup() to free the conf data structures on exit.
There is no longer a need to do anything in shutdown_cb() other
than break out of the event loop.
2021-04-06 14:44:19 -06:00
Todd C. Miller
ec52810c0b Don't allow a wildcard address for the relay parameter. 2021-04-06 14:44:19 -06:00
Todd C. Miller
30f57bcdce Add sa_host to struct server_address as a ref counted string.
Also convert sa_str to ref counted string.
2021-04-06 14:44:19 -06:00
Todd C. Miller
2db9e64214 Move reference-counted string code from sudoers to libsudo_util.
It will be used by sudo_logsrvd too.
2021-04-06 14:44:19 -06:00
Todd C. Miller
b1c4de2088 Add support for relaying to another sudo_logsrvd via TLS. 2021-04-06 14:44:19 -06:00
Todd C. Miller
d60b8a791c Add a relay mode to sudo_logsrvd where it forwards instead of stores.
Relay hosts are specified in the server section of sudo_logsrvd.conf.
2021-04-06 14:44:19 -06:00
Todd C. Miller
343100307d Split most of server_commit_cb() out into schedule_commit_point().
This allows it to be used by the relay code too.
2021-04-06 14:44:19 -06:00
Todd C. Miller
533fcc3f02 Try to send an error message to client for some client_msg_cb() failures. 2021-04-06 14:44:19 -06:00
Todd C. Miller
8101b23e54 Rename listen_address -> server_address and add reference counting.
This will be used by the upcoming relay mode.
2021-04-06 14:44:19 -06:00
Todd C. Miller
72c40ae0e1 Move common TLS client code to tls_client.c and use it in sendlog.c. 2021-04-06 14:44:19 -06:00
Todd C. Miller
71e5275a1c Move common TLS initialization code to tls_init.c. 2021-03-10 16:29:27 -07:00
Todd C. Miller
7bb5eef9d9 Use a tailq of write buffers instead of a single one per connection.
This allows us to queue up multiple messages for writing like the
sudoers client supports.  Currently, each connection has its own
free list.  In the future we may want a single free list with low
and high water marks.
2021-04-06 14:30:16 -06:00
Todd C. Miller
e3ff4e663c Set user group list when executing the askpass helper.
Under normal circumstances the existing group list will match the
list fetched by sudo.  However, if sudo is executed by a process
that has changed the group list via setgroups(2) and "group_source"
in sudo.conf is set to "dynamic" it is possible for them to be
different.

If group_source in sudo.conf is set to "dynamic" it is possible
for the group list
2021-04-06 14:30:16 -06:00
Todd C. Miller
f1f8515bd6 Increase autoconf minimum version to 2.70.
Some of the macros deprecated in 2.70 are required by older versions.
For example, AC_PROG_CC now does the work of AC_PROG_CC_STDC.
Bug #972
2021-04-06 14:28:06 -06:00
Todd C. Miller
d4517e0a1c Move autoconf auxiliary files to the scripts directory. 2021-04-06 14:23:38 -06:00
Radovan Sroka
c2a63690c8 Removed deprecated security_context_t
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2021-04-06 06:06:46 -06:00
Todd C. Miller
28d65159ed Document SUCCESS=return support in sudoers nsswitch.conf entries.
Based on a patch from Dennis Filder.  Bug #971.
2021-04-05 20:13:50 -06:00
Todd C. Miller
8fa897d3ae Move log_server_accept() out from under the #ifdef SUDOERS_LOG_CLIENT
Fixes a link error when sudo is configured with --disable-log-client.
2021-04-01 15:10:32 -06:00
Todd C. Miller
5a79841208 Return NULL if init_tls_client_context() fails.
Otherwise, we will call SSL_new with a freed SSL context.
Bug #970
2021-03-31 07:57:09 -06:00
Todd C. Miller
4f9d2374c8 Do not include parent directories in rpm and deb files.
Fixes a directory conflict with the AIX sudo rpm package.
Other deb/rpm packages were not affected because parent dirs are
omitted for a prefix of /usr.
2021-03-30 12:49:20 -06:00
Todd C. Miller
a40e4b3867 Use separate getopt config for sudoedit.
Avoids a problem where the user gets an exclusive usage error message
when using a sudo-specific option.
GitHub issue #95
2021-03-30 16:07:28 -06:00
Todd C. Miller
a4c710ccfd Add -h and -V to sudoedit usage and customize help output for sudoedit.
Also add missing -B option to usage strings.
2021-03-30 15:53:38 -06:00
Todd C. Miller
b9a0c72fd1 Don't report a usage error for "sudo -V".
GitHub issue #95
2021-03-30 15:17:31 -06:00
Todd C. Miller
ce1f0da845 SCO OpenServer uses SIOCGIFANUM, not SIOCGIFNUM.
On OpenServer, SIOCGIFNUM is the number of network interfaces,
not the number of ifreq structs.
2021-03-29 09:59:09 -06:00
Todd C. Miller
b269da75b8 Add support for HP-UX SIOCGLIFNUM and SIOCGLIFCONF ioctls.
We need to use both SIOCGIFCONF and SIOCGLIFCONF since SIOCGLIFCONF
only returns IPv6 addresses.
2021-03-27 13:55:07 -06:00