isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,049 Commits 1 Branch 0 Tags
ceea24b96554951c21b1241c6ec74eb61d5cc28d
Commit Graph

212 Commits

Author SHA1 Message Date
Todd C. Miller
cfe0034cdf Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the 
same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH).
Don't make failure to a set an ldap option fatal.
 2012-06-28 14:58:15 -04:00
Todd C. Miller
e9f5a38398 Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to 
prevent potential truncation.  Bug #562.
 2012-06-27 13:41:58 -04:00
Todd C. Miller
649edc3192 Export group cache from sudoers.so for system_group.so to use. 2012-06-13 16:21:45 -04:00
Todd C. Miller
e82b67314c Need to call ldapssl_clientauth_init() for start_tls on Mozilla 
LDAP SDK.
 2012-04-24 12:52:36 -04:00
Todd C. Miller
28268ed99c Fix printing of invalid uri 2012-04-24 10:34:02 -04:00
Todd C. Miller
f6c7ae2519 sudo_ldap_set_options_global() should not take an LDAP handle as 
an argument since the options affect the global settings.
 2012-04-23 19:56:41 -04:00
Todd C. Miller
cde9f8aa12 Provide a more useful error message if using a Mozilla-style LDAP 
SDK and you forgot to specify TLS_CERT in ldap.conf.
 2012-04-23 15:30:34 -04:00
Todd C. Miller
9f461efd5f Split global and per-connection LDAP options into separate arrays. 
Set global LDAP options before calling ldap_initialize() or ldap_init().
After we have an LDAP handle, set the per-connection options.
Fixes a problem with OpenLDAP using the nss crypto backend; bug #342
 2012-04-23 13:08:57 -04:00
Todd C. Miller
55d1a1a79d Use ecalloc() when allocating structs. 2012-03-19 11:24:24 -04:00
Todd C. Miller
37770ecf1e Initial cut at a hooks implementation. The plugin can register 
hooks for getenv, putenv, setenv and unsetenv.  This makes it
possible for the plugin to trap changes to the environment made by
authentication methods such as PAM or BSD auth so that such changes
are reflected in the environment passed back to sudo for execve().
 2012-03-07 16:35:42 -05:00
Todd C. Miller
4f9da8fdaa When adding gids to the LDAP filter, only add the primary gid once. 
This is consistent with the space computation/allocation.
From Eric Lakin
 2012-02-24 15:17:48 -05:00
Todd C. Miller
666d8d6359 Escape values in the search expression as per RFC 4515. 2011-12-07 15:12:22 -05:00
Todd C. Miller
21a2f95821 Use stdbool.h instead of rolling our own TRUE/FALSE macros. 2011-12-02 11:27:33 -05:00
Todd C. Miller
b12b4fdc7b Add support for permitting access by group ID in addition to group name. 2011-11-29 16:24:45 -05:00
Todd C. Miller
627e485c0e Older Netscape LDAP SDKs don't prototype ldapssl_set_strength() 2011-11-29 15:37:48 -05:00
Todd C. Miller
839919566e Add debug_decl/debug_return (almost) everywhere. 
Remove old sudo_debug() and convert users to sudo_debug_printf().
 2011-10-22 14:40:21 -04:00
Todd C. Miller
3bcc9048c3 Add support for DEREF in ldap.conf. 2011-09-16 16:50:04 -04:00
Todd C. Miller
4f9a93f658 Fix some potential problems found by the clang static analyzer, 
none serious.
 2011-07-28 10:59:37 -04:00
Todd C. Miller
b124635b04 Instead of keeping separate groups and gids arrays, create struct 
group_info and use it to store both, along with a count for each.
Cache group info on a per-user basis using getgrouplist() to get
the groups.  We no longer need special to special case the user or
list user for user_in_group() and thus no longer need to reset the
groups list when listing another user.
 2011-07-20 11:58:45 -04:00
Todd C. Miller
56321ec778 Resolve the list of gids passed in from the sudo frontend (the 
result of getgroups()) to names and store both the group names and
ids in the sudo_user struct.  When matching groups in the sudoers
file, match based on the names in the groups list first and
only do a gid-based match when we absolutely have to.  By matching
on the group name (as it is listed in sudoers) instead of id
(which we would have to resolve) we save a lot of group lookups
for sudoers files with a lot of groups in them.
 2011-07-01 14:13:47 -04:00
Todd C. Miller
ab3b3eb83b Quiet gcc warnings. 2011-05-28 15:27:14 -04:00
Todd C. Miller
086cbfe376 Tivoli Directory Server requires that seconds be present in a 
timestamp, even though RFC 4517 states that they are optional.
 2011-05-25 15:04:34 -04:00
Todd C. Miller
bd36d4f2ab Add primitive format string support to the lbuf code to make translations 
simpler.
 2011-05-20 15:25:03 -04:00
Todd C. Miller
67cc4ff025 Translate help / usage strings. 2011-05-19 16:07:14 -04:00
Todd C. Miller
27cb585142 Do not mark untranslatable strings for translation 2011-05-18 13:16:32 -04:00
Todd C. Miller
fce0b906eb cannot -> "unable to" in warning/error messages 2011-05-18 12:41:06 -04:00
Todd C. Miller
917c8d48ad We don't want to translate debugging messages. 2011-05-17 18:37:18 -04:00
Todd C. Miller
b643b190a7 Prepare sudoers module messages for translation. 2011-05-16 16:32:05 -04:00
Todd C. Miller
b00cf92eff Remove extraneous parens in LDAP filter when sudoers_search_filter 
is enabled that causes a search error.  From Matthew Thomas.
 2011-04-12 11:48:04 -04:00
Todd C. Miller
e8776da730 Add support for sudoers_search_filter setting in ldap.conf. This 
can be used to restrict the set of records returned by the LDAP
query.
 2011-03-18 09:38:42 -04:00
Todd C. Miller
cf7ec7a3cc Fix typo; tupple vs. tuple 2011-03-15 15:52:18 -04:00
Todd C. Miller
21d8f01fac return foo not return(foo) 2011-02-07 06:47:29 -05:00
Todd C. Miller
ae2f7638f5 standardize on "return foo;" rather than "return(foo);" or "return (foo);" 2011-01-24 15:15:18 -05:00
Todd C. Miller
be034d5e7e In sudo_ldap_lookup(), always do the initial sudoers check as the 
invoking user.  If we are listing another user's privs we will
do a separate lookup using list_pw later.
 2011-01-21 08:10:26 -05:00
Todd C. Miller
f7f8b6867e Update copyright year to 2011 2011-01-20 16:46:56 -05:00
Todd C. Miller
215500bb55 Stash pointer to user group vector in LDAP handle and only reuse 
the query if it has not changed.  We always allocate a new buffer
when we reset the group vector so a simple pointer check is sufficient.
 2011-01-20 16:16:08 -05:00
Todd C. Miller
49409b7c5d Add support for TIMEOUT in ldap.conf, mapping to the OpenLDAP 
LDAP_OPT_TIMEOUT.  There is no corresponding option for mozilla-derived
LDAP SDKs but we can pass the timeout parameter to ldap_search_ext_s()
or ldap_search_st() when possible.
 2011-01-10 10:33:22 -05:00
Todd C. Miller
823e812723 Add NETWORK_TIMEOUT as an alias for BIND_TIMELIMIT for compatibility 
with OpenLDAP ldap.conf files.
 2011-01-10 09:27:58 -05:00
Todd C. Miller
93e9635842 Pick last match in LDAP sudoers too 2010-12-20 16:37:44 -05:00
Todd C. Miller
7e59d4c5c8 Make sure we don't dereference a NULL handle. 2010-11-30 11:59:28 -05:00
Todd C. Miller
ef5f73a49f Enlarge the array of entry wrappers int blocks of 100 entries to 
save on allocation time.  From Andreas Mueller
 2010-11-17 18:56:52 -05:00
Todd C. Miller
f9353d95ca Add back call to sudo_ldap_timefilter() in sudo_ldap_build_pass2() 
that was mistakenly dropped.
 2010-11-17 07:31:07 -05:00
Todd C. Miller
8940f361ea Merge in ordered LDAP entry support from Andreas Mueller 
and add local changes from the 1.7 branch.
 2010-11-14 13:22:38 -05:00
Todd C. Miller
2b0fca31c0 Add timed entry support from Andreas Mueller. 2010-11-12 15:26:35 -05:00
Todd C. Miller
8597c39194 Use efree() not free() and remove malloc.h include since we never 
directly call malloc() or free().
 2010-11-11 16:10:57 -05:00
Todd C. Miller
a627c60deb When iterating over returned LDAP entries, keep looking at remaining 
matches even if we have a positive match.  This catches negative
matches that may exist in other entries and more closely match the
sudoers file behavior.
 2010-10-01 12:17:01 -04:00
Todd C. Miller
df8ec6fc25 Add support for multiple URI lines by joining the contents and passing 
the result to ldap_initialize.
 2010-09-04 20:43:51 -04:00
Todd C. Miller
27f6558df9 Do not return -1 on error from the display functions; the caller 
expects a return value >= 0.
 2010-09-04 08:42:08 -04:00
Todd C. Miller
0186018d3d Reference count cached passwd and group structs. The cache holds 
one reference itself and another is added by sudo_getgr{gid,nam}
and sudo_getpw{uid,nam}.  The final ref on the runas and user passwd
and group structs are persistent for now.
 2010-08-04 09:58:50 -04:00
Todd C. Miller
432d27573d TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses TLS_CACERT, 
not TLS_CACERTFILE in its ldap.conf.  Other LDAP client code, such as
nss_ldap, uses TLS_CACERTFILE.  Also document why you should avoid
disabling TLS_CHECKPEER is possible.
 2010-07-08 09:02:03 -04:00