isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,039 Commits 1 Branch 0 Tags
d5d170252a1065a6b10c3e8d0a7df1aee13a33df
Commit Graph

1055 Commits

Author SHA1 Message Date
Todd C. Miller
00727a310c Ignore the result of send() on exec error, if it fails the other 
end of the pipe is gone and we are headed for exit.
Coverity CID 104066.
 2016-05-07 04:47:12 -06:00
Todd C. Miller
6473d55aa7 Cast the return value of fcntl() to void when setting FD_CLOEXEC. 
Coverity CID 104063, 104064, 104069, 104070, 104071, 104072, 104073, 104074
 2016-05-05 16:16:24 -06:00
Todd C. Miller
829917f008 pid_t is defined by POSIX as a signed integer type so we don't need 
a cast when comparing to -1.
 2016-05-04 14:14:38 -06:00
Todd C. Miller
c70da6dcdf In dispatch_signal() for stopped processes check for tcgetpgrp() 
returning -1.  Also change checks from "saved_pgrp != -1" to
"fd != -1".  Coverity CID 104098.
 2016-05-04 14:13:44 -06:00
Todd C. Miller
2cd22f2906 In relabel_tty() always jump to bad: on error, regardless of the 
value of se_state.enforcing.  On error, return -1 if enforcing,
else 0.  Coverity CID 104099.
 2016-05-04 13:48:44 -06:00
Todd C. Miller
4ce39df38f In io_callback() if we write the complete buffer and find that there 
is no associated reader just return as there is nothing else to be
done.  In practice is it not possible for SUDO_EV_READ to be set
if revent is NULL but an early return is harmless and possibly
easier to understand.  Coverity CID 104124.
 2016-05-04 12:53:20 -06:00
Todd C. Miller
6ea903623b Handle read() returning -1 when creating temporary files. 
Coverity CID 104100
 2016-05-04 12:48:17 -06:00
Todd C. Miller
f88da1c1a0 Do group setup in policy_init_session() before calling out to the 
plugin.  This makes it possible for the pam_group module to change
the group in pam_setcred().  It's a bit bogus since pam_setcred()
is documented as not changing the group or user ID, but pam_group
is shipped with stock Linux-PAM so we need to support it.
 2016-04-28 11:01:58 -06:00
Todd C. Miller
3e9702580e style fix; fork_cmnd should start on a new line 2016-04-25 09:58:32 -06:00
Todd C. Miller
b4309d4aea Ignore SIGPIPE for the duration of sudo and not just in a few select 
places.  We have no control over what nss, PAM modules or sudo
plugins might do so ignoring SIGPIPE is safest.
 2016-04-22 16:36:36 -06:00
Todd C. Miller
70cf5674b5 Use string_to_security_class() instead of pulling SECCLASS_CHR_FILE 
from flask.h.  Avoids a warning with new SELinux includes.
 2016-04-22 11:36:08 -06:00
Todd C. Miller
42548a1b01 src/load_plugins.c needs _PATH_SUDO_CONF so allow it to be overridden 
via the Makefile like other consumers of _PATH_SUDO_CONF.  Bug #735
 2016-02-18 16:13:51 -07:00
Todd C. Miller
6cbba7d665 Add an administrative domain to the passwd/group cache key for 
AIX which can have different name <-> ID mappings depending
on whether the database is local, LDAP, etc.
 2016-02-01 11:08:58 -07:00
Todd C. Miller
a7e5ae1e5b When freeing the iobs after pty tear-down, also free the associated 
event structures.  Quiets a memory leak warnings from address
sanitizer and valgrind.
 2016-01-29 10:31:54 -07:00
Todd C. Miller
7b2fbed45d Rename gc_cleanup to gc_run and remove I/O plugins from the plugin 
list when freeing them.
 2016-01-28 14:48:11 -07:00
Todd C. Miller
23aeb0b5ec Free up the garbage via an atexit() handler instead of requiring 
a call to gc_exit.
 2016-01-28 11:01:42 -07:00
Todd C. Miller
78ac87cd90 Plug a memory leak in sudo_edit. 2016-01-28 10:54:34 -07:00
Todd C. Miller
9b3ef072f9 Add support for garbage collecting info passed to the plugin before 
exit to appease address sanitizer's leak detector (and valgrind's
leak checker).  We can't free these sooner since the plugin may be
using the memory.  For plugin API 2.0 it should be make clear that
the plugin must make a copy of the data in the arrays passed in to
the plugin's open() function.  Only enabled if NO_LEAKS is defined.
 2016-01-27 15:37:15 -07:00
Todd C. Miller
91bce65e29 Remove sudo_fatalx() calls from format_plugin_settings(). 2016-01-27 13:59:04 -07:00
Todd C. Miller
5507b2328c Pass updated user_env_out, not envp, to the I/O open function. 2016-01-26 07:42:57 -07:00
Todd C. Miller
ca330adada Pass updated argv/envp to the I/O open function like the plugin API 
documents.
 2016-01-26 07:39:43 -07:00
Todd C. Miller
f4e5b135bb Update copyright year 2016-01-20 15:40:51 -07:00
Todd C. Miller
726b4dc968 If the user runs "sudoedit /" we will receive ENOENT from openat(2) 
and sudoedit will try to create a file with the null string.  If
path is empty, open the cwd instead so sudoedit can give a sensible
error message.
 2016-01-20 15:36:20 -07:00
Todd C. Miller
5bae35c05c Fix off by one error in new SET_FLAG macro. 2016-01-20 15:09:32 -07:00
Todd C. Miller
5e300f1e4c There are no systems that support O_SEARCH/O_PATH that do not also 
support O_DIRECTORY so simplify the definition of DIR_OPEN_FLAGS a
bit.
 2016-01-19 19:50:27 -07:00
Todd C. Miller
de0208a01b Make sudoedit_checkdir the default and update the documentation accordingly. 2016-01-19 14:16:25 -07:00
Todd C. Miller
e719d954e7 Add a SET_FLAG macro to simplify parsing command details boolean 
flags.  Previously, flags were only set and never cleared even if
the boolean value was false.  This was not a problem as there were
no default flags for the plugin to enable.  That will change in the
future.
 2016-01-19 10:32:33 -07:00
Todd C. Miller
4b96e94f37 Need to be root when switching to a different user. 2016-01-18 13:12:50 -07:00
Todd C. Miller
9f481f128d Use O_SEARCH on systems without O_PATH if present. It can be used 
for a similar purpose.
 2016-01-18 12:38:41 -07:00
Todd C. Miller
c1b1481204 Use faccessat(2) for directory writability instead of doing the 
checks manually where possible.  This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
 2016-01-18 10:45:47 -07:00
Todd C. Miller
051fe2d4cf Add missing dfd argument to the version of sudo_edit_openat_nofollow() 
for systems without O_NOFOLLOW.
 2016-01-11 16:36:40 -07:00
Todd C. Miller
c7c80913ef No need to check whether the fd we opened is really a directory in 
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
 2016-01-11 11:15:42 -07:00
Todd C. Miller
68c1073fe5 Rewritten sudoedit_checkdir support that checks all the dirs in the 
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings.  Bug #707
 2016-01-10 18:31:29 -07:00
Todd C. Miller
b20977d445 Add support for using fexecve() if supported on commands that are 
checksummed.
 2016-01-04 10:35:18 -07:00
Todd C. Miller
97e86c74ff Call openat() with the basename not the full path. From Ben Hutchings. 2015-12-29 13:38:14 -07:00
Todd C. Miller
88a634b7fb Check for existing dso in LD_PRELOAD and only add it if it is not 
already present.
 2015-12-20 14:08:47 -07:00
Todd C. Miller
ad1068c1ee Actually use the plugin_dir Path setting in sudo.conf. 2015-12-18 14:05:02 -07:00
Todd C. Miller
55531958de Allow sudo.conf Path settings to disable path names (by setting the 
value of NULL).
 2015-12-18 12:31:28 -07:00
Todd C. Miller
7a57bae1e6 Change noexec flag in selinux_execve() from int to bool. 2015-12-16 15:16:48 -07:00
Todd C. Miller
4536480800 Refactor code to set LD_PRELOAD (or the equivalent) in the environment 
into a preload_dso() function.  Also avoid allocating a new copy
of the environment array if the size of the array does not change.
 2015-12-16 15:08:01 -07:00
Todd C. Miller
9ecf12daa7 Set errno to EISDIR instead of ENOTDIR if directory is writable 
since ENOTDIR can be a legitimate errno.  This avoids a bogus
"directory is writable" error in that case.
 2015-10-25 14:28:38 -06:00
Todd C. Miller
5d66b840d8 When creating a new file, sudoedit will now check that the file's 
parent directory exists before running the editor.
 2015-10-24 06:20:20 -06:00
Todd C. Miller
c50cead833 Add directory writability checks for sudoedit. 2015-10-23 14:04:35 -06:00
Todd C. Miller
e91a10ce45 Ignore the SUDO_CONV_PROMPT_ECHO_OK flag when echo is enabled. 
This was preventing a match of SUDO_CONV_PROMPT_ECHO_ON which
resulted in a masked password instead of an echoed one.
 2015-10-06 15:21:41 -06:00
Todd C. Miller
6dc5151d5d Remove S_ISREG check from sudo_edit_open(), it is already done in 
the caller.
 2015-10-02 20:35:55 -06:00
Todd C. Miller
37dff5fbcb Open sudoedit files with O_NONBLOCK and fail if they are not regular 
files.
 2015-10-02 14:45:09 -06:00
Todd C. Miller
5ad68edd65 It is possible for WIFSTOPPED to be true even if waitpid() is not 
given WUNTRACED if the child is ptraced.  Don't exit the waitpid()
loop if WIFSTOPPED is true, just in case.
 2015-10-02 11:24:01 -06:00
Todd C. Miller
37abc1b7e4 There's no point in trying to interpose protected versions of the 
exec family of functions.  Many modern C libraries use hidden symbols
for the functions and syscalls defined in libc such that they cannot
be overridden inside libc itself.  We have to just wrap all the exec
variants plus system and popen.
 2015-09-28 21:20:37 -06:00
Todd C. Miller
282b921333 Also wrap popen(3). 2015-09-28 15:34:16 -06:00
Todd C. Miller
8695ae1049 Also interpose system(3). On glibc systems you cannot interpose 
the syscalls used internally by libc.
 2015-09-28 15:10:00 -06:00