Todd C. Miller
9dbd45ff66
add missing guard around wordexp()
2016-10-10 08:33:57 -06:00
Todd C. Miller
8e49ce07f6
Fix configure check for seccomp filter on Linux
2016-10-09 11:24:29 -06:00
Todd C. Miller
237e2f964d
Use a seccomp filter on Linux to disable execve(2) and execveat(2).
This still relies on LD_PRELOAD to work so it has the same issues
as the existing method with respect to running 32-bit binaries on
a 64-bit kernel.
2016-10-08 19:09:17 -06:00
Todd C. Miller
d24b9246a9
regen
2016-10-08 19:02:15 -06:00
Todd C. Miller
d0ccd947d0
Wrap wordexp(3) in sudo_noexec.
2016-10-05 20:21:18 -06:00
Todd C. Miller
533c9ce108
Add back line mistakenly removed in 0cf2a9351740
2016-09-11 14:37:42 -06:00
Todd C. Miller
3f022419ae
Be consistent with the naming of the variable used to store the
function return value. Previously, some code used "rval", some
used "ret". This standardizes on "ret" and uses "rc" for temporary
return codes.
2016-09-08 16:38:08 -06:00
Todd C. Miller
40d0ecc7d6
Don't disable large file support for Linux, just SVR4-style /proc.
Otherwise, stat(2) may fail on Linux when running a 32-bit sudo
on a 64-bit machine. Bug #755
2016-09-02 08:05:07 -06:00
Todd C. Miller
04340eea60
If get_process_ttyname() fails for errno != ENOENT, just warn
instead of making it a fatal error. Bug #755
2016-09-01 08:23:19 -06:00
Todd C. Miller
e147ba1fec
Use W_EXITCODE to construct the wait status if sudo could not execute
the command. Fixes the sudo exit value for exec(3) failure.
2016-08-31 08:39:26 -06:00
Todd C. Miller
a9570e64ff
fix brace style
2016-08-31 08:34:07 -06:00
Todd C. Miller
ef4e808103
It is possible for get_user_info() to fail for reasons other than
ENOMEM so print the warning message there rather than in main().
2016-08-31 05:47:36 -06:00
Todd C. Miller
7625f06841
Now that we ignore SIGPIPE in sudo we need to restore it at exec
time. Problem reported by Radovan Sroka of RedHat.
2016-08-24 08:59:37 -06:00
Todd C. Miller
3e4c7eed31
Move the ignoring of I/O log plugin errors into the I/O log plugin
itself.
2016-08-17 14:38:00 -06:00
Todd C. Miller
ed18d0d5f8
Make the behavior when we cannot write to a log or audit file
configurable. File log failures are ignored by default for consistency
with syslog. Audit errors are ignored by default to allow the admin
to fix the issue. I/O log file errors are still fatal by default
since if I/O logging is activated it is usually to have an audit trail.
Bug #751
2016-08-17 07:22:51 -06:00
Todd C. Miller
25f39ff31d
suppress a cppcheck false positive
2016-08-12 11:11:49 -06:00
Todd C. Miller
4352bb9ca9
Add function name in "command resumed" debug message
2016-07-28 06:23:39 -06:00
Todd C. Miller
383debee9f
If waitpid() returns 0 or -1, display a warning, this should never happen.
Add a check for unhandled wait status (also should never happen).
2016-07-28 06:16:43 -06:00
Todd C. Miller
4f47a2ad7d
Explicitly check for a continued process with waitpid(2). Otherwise,
waitpid() will return 0 when the command is resumed after being
suspended, which we were treating the same as -1. Fixes suspend
and resume on Linux and probably others.
2016-07-27 16:17:41 -06:00
Todd C. Miller
cc31c2b241
Repair symlink check in sudo_edit_openat_nofollow() on systems
without O_NOFOLLOW, it must be done relative to dfd. Previously
the lstat() would always fail, possibly leading to a false positive.
Also add an early symlink check like in sudo_edit() while here.
2016-07-25 10:41:33 -06:00
Todd C. Miller
bf82b3f2ba
On systems that lack the O_NOFOLLOW open(2) flag, check in
sudo_edit_open() whether the path to be opened is a symlink before
opening it. This is racy but we detect losing the last post-open
and it is better to fail early if possible. When editing a link
to a non-existent file, a zero-length file will be left behind but
it is too dangerous to try and remove it after the fact.
Bug #753
2016-07-25 10:26:54 -06:00
Todd C. Miller
2663575118
Update debug_decl for sudo_edit_openat_nofollow()
Remove unused variables when O_NOFOLLOW is not present.
2016-07-25 10:22:29 -06:00
Todd C. Miller
6f5b8cf757
Only remove backup files as part of "make uninstall" when INSTALL_BACKUP
is set.
2016-07-08 12:56:47 -06:00
Todd C. Miller
144e3bb53f
Only keep backups of installed files on HP-UX where you cannot
unlink a shared library that is in use.
2016-07-08 12:37:41 -06:00
Todd C. Miller
66ab525f1e
Don't skip debug printfs in handle_sigchld() just because execve()
returned an error.
2016-06-23 11:27:59 -06:00
Todd C. Miller
ed9b457eb2
Set user groups in exec_setup() if they were not already set by
policy_init_session(). Bug #749
2016-06-22 10:21:29 -06:00
Todd C. Miller
72f18cff9a
Fold lines at 80 characters for the clean: target
2016-06-13 15:12:44 -06:00
Todd C. Miller
8a86233c16
In handle_sigchld() fix the return value when we've already received
an exec error. We don't want to overwrite the error status but we
do need to indicate that the command is no longer running.
Fixes a hang on execve(2) error when running in a pty.
2016-06-09 10:50:58 -06:00
Todd C. Miller
1ec4d9918d
Move sudo_debug_execve() call into sudo_execve().
2016-06-09 10:48:59 -06:00
Todd C. Miller
53ebf69af3
fputs() is now specified as returning non-negative on success, not
explicitly zero. Fixes a failure on glibc.
2016-05-25 14:50:05 -06:00
Todd C. Miller
e93b4aa681
Don't try to dereference replies[] if it is a NULL pointer.
2016-05-25 14:48:52 -06:00
Todd C. Miller
356e74e1db
Don't read from stdin when flushing final buffers in blocking mode.
Reading from the pipe can block too if the other end is not closed.
2016-05-24 11:16:44 -06:00
Todd C. Miller
8f694cc228
In del_io_events(), avoid reading from the pty master in blocking
mode. We now do two passes, one with SUDO_EVLOOP_NONBLOCK and
another that could block if stdin is a pipe. This ensures we consume
the pipe until EOF.
2016-05-20 10:17:23 -06:00
Todd C. Miller
994f86b40f
In pty_close(), call del_io_events with the SUDO_EVLOOP_ONCE flag
so the event loop will exit after a single run through. Otherwise,
we may hang at exit on non-BSD systems.
2016-05-20 08:12:46 -06:00
Todd C. Miller
38f4ba2249
Bump I/O buffer size to 64K. We don't use PIPE_BUF or _PC_PIPE_BUF
for this because that corresponds to the value for atomic pipe
writes. The actual pipe buffer is much larger on modern systems
and 64K is what BSD and Linux support for large pipe buffers.
2016-05-17 08:31:23 -06:00
Todd C. Miller
3b6cb9d65b
Don't use SUDO_EVLOOP_NONBLOCK when flushing buffers at pty close
time, only when the user suspends sudo. Fixes a problem where all
buffers might not get flushed at exit when logging I/O. Reproducible
via "sudo tar cf - foo | (cd /tmp && sudo tar xf -)" on OpenBSD.
2016-05-17 08:16:43 -06:00
Todd C. Miller
a2e541aef8
O_NOCTTY has no effect when opening /dev/tty as the open can only
succeed if there is already a controlling tty.
2016-05-16 11:17:20 -06:00
Todd C. Miller
3b39377246
Do not need to open /dev/tty with O_NONBLOCK, it doesn't block on
first open like a physical terminal. By definition, if you have a
controlling tty, the first open (which might block) has already
occurred.
2016-05-16 11:12:54 -06:00
Todd C. Miller
4e6b6fd0fa
Use O_NOCTTY when opening a tty.
2016-05-16 11:00:31 -06:00
Todd C. Miller
3161c05a04
regen
2016-05-16 10:29:30 -06:00
Todd C. Miller
009f3e6456
Check fputs() return value.
2016-05-14 19:34:42 -06:00
Todd C. Miller
a2085809fa
Fix last commit, now that argc is not reset we need to explicitly
start the copy from argv[1]. From Daniel Kopecek
2016-05-13 06:40:59 -06:00
Todd C. Miller
ea5bd18b92
cosmetic change to warning string
2016-05-12 10:35:06 -06:00
Todd C. Miller
d3622b0f2c
Repair SELinux support, broken by 397722cdd7ec.
From Daniel Kopecek.
2016-05-11 14:02:43 -06:00
Todd C. Miller
b04c49dbd3
Break up io_callback() into read_callback() and write_callback()
to make it clear that we can't get an event with both read and write
set.
2016-05-09 10:53:20 -06:00
Todd C. Miller
094854adfe
In io_callback() make sure we clear SUDO_EV_READ if we close the
fd. It should not be possible for SUDO_EV_READ to be set when
revent is non-NULL but this makes static analyzers happier.
Coverity CID 104124.
2016-05-07 14:51:37 -06:00
Todd C. Miller
e99e3c26c8
In sudo_edit_create_tfiles(), fix fd leak if sudo_edit_mktemp() fails.
Coverity CID 104114.
2016-05-07 05:10:11 -06:00
Todd C. Miller
355cce4570
Fix fd leak in sudo_edit_open_nonwritable() if dir_is_writable()
returns an error. Coverity CID 104113.
2016-05-07 05:07:38 -06:00
Todd C. Miller
d733dd7783
Fix memory leak of sesh_args in selinux_edit_copy_tfiles().
Coverity CID 104112.
2016-05-07 05:05:30 -06:00
Todd C. Miller
0f359e038c
Fix memory leak on error if sudo_new_key_val() fails.
Coverity CID 104103.
2016-05-07 04:57:11 -06:00