Commit Graph

1172 Commits

Author SHA1 Message Date
Todd C. Miller
db17cadaf6 Add an approval plugin type that runs after the policy plugin.
The basic idea is that the approval plugin adds an additional
layer of policy.  There can be multiple approval plugins.
2020-02-06 12:49:11 -07:00
Todd C. Miller
d219c64635 Only enable pwfeedback when reading password from /dev/tty.
This effectively disables pwfeedback when the -S or -A options are used.
2020-02-05 10:53:49 -07:00
Todd C. Miller
658702b6d4 For plugin events, set the sudo event base for setbase(NULL).
This makes it possible for a plugin to change the event base
to a local one and then reset it back to its original value.
2020-02-02 12:37:11 -07:00
Todd C. Miller
1b7dc82fee Change audit close arguments to a type and value.
That way we can distinguish between different error types.
2020-01-30 17:05:27 -07:00
Todd C. Miller
22105009d8 Define a new plugin type that receives accept and reject messages.
This can be used to implement logging-only plugins.
The plugin functions now take an errstr argument that can be used
to return an error string to be logged on failure or error.
2020-01-30 13:25:34 -07:00
Todd C. Miller
fa8ffeb175 Fix a buffer overflow when pwfeedback is enabled and input is not a tty.
In getln() if the user enters ^U (erase line) and the write(2) fails,
the remaining buffer size is reset but the current pointer is not.
While here, fix an incorrect break for erase when write(2) fails.
Also disable pwfeedback when input is not a tty as it cannot work.
CVE-2019-18634
Credit: Joe Vennix from Apple Information Security.
2020-01-29 20:15:21 -07:00
Robert Manner
74f559155a src/load_plugins.c: plugins can supply a clone function
if they want to support getting loaded multiple times.
2020-01-23 12:46:14 -07:00
Todd C. Miller
fb5fc9876a Refactor code to allocate and fill struct plugin_container.
This will help avoid duplicate code in the audit and approval plugins.
2020-01-22 12:35:44 -07:00
Todd C. Miller
c3bd025052 Store the server host name and IP in client_closure_fill().
Also check for getpeername() and inet_ntop() failure.
2020-01-20 14:03:41 -07:00
Todd C. Miller
0d2195c374 Iterate over io_plugins list in the iolog_* wrappers.
Moving the iteration into the wrapper functions simplifies the calling code.
2020-01-07 20:05:29 -07:00
Todd C. Miller
b0a84c4292 policy_plugin is global, no need to pass it to policy_* functions. 2020-01-07 18:40:36 -07:00
Todd C. Miller
5913c63642 Add abs_top_srcdir and abs_top_builddir and use them.
Configure provides absolute versions of srcdir, builddir, top_srcdir
and top_builddir.  We can use these instead of calling pwd.
2020-01-20 06:37:42 -07:00
Todd C. Miller
d2b7148b6c Using "libtool --clean" to remove regular files is slow.
We only need to use libtool's clean mode to remove files created by libtool.
2020-01-18 05:53:55 -07:00
Todd C. Miller
9e12b71776 Treat EROFS (like EACCES) as a non-fatal error in dir_is_writable().
Fixes sudoedit on macOS 10.15 and above where the root file system
is mounted read-only.  See https://support.apple.com/en-us/HT210650.
From Dan Villiom Podlaski Christiansen.  Bug #913
2020-01-16 13:55:32 -07:00
Todd C. Miller
405d26f5b8 Wrap calls to plugin event callbacks to use the plugin's debug instance.
Otherwise, the debug output in a plugin's event callback will go
to the sudo debug file, not sudoers.
2020-01-15 14:05:08 -07:00
Todd C. Miller
9c5c79194d Fix handling of duplicate policy and I/O plugins.
The warning message said the later I/O plugin was ignored but it
actually overwrote the existing one instead.
The first registered plugin of the same name now is used, as was intended.
Specifying more than one policy plugin is no longer a fatal error;
this allows the admin to fix the situation.
2020-01-14 13:53:52 -07:00
Todd C. Miller
c592470dbd For sudoedit_checkdir consider a user-owned directory to be writable.
The non-faccessat() code already did this so this just brings the
faccessat() path into alignment.  Bug #912
2020-01-11 15:32:48 -07:00
Todd C. Miller
1e25d03c98 Use 64-bit resource limits on AIX. 2019-12-25 16:39:11 -07:00
Todd C. Miller
dfabda3d49 When restoring old resource limits, try to recover if we receive
EINVAL.  On NetBSD, setrlimit(2) can return EINVAL if the new soft
limit is lower than the current resource usage.  This can be a
problem when restoring the old stack limit if sudo has raised it.
2019-12-25 13:48:04 -07:00
Todd C. Miller
dbc905fdf8 Sudo doesn't require such a large stack. 2019-12-25 13:13:20 -07:00
Todd C. Miller
c6f8f4b545 Move init.d and sudo.pp to the etc dir. 2019-12-23 14:29:27 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
4392b5726e Output the name of the limit when warning about setrlimit or getrlimit.
From Kimmo Suominen.
2019-12-18 09:42:14 -07:00
Robert Manner
c0d53d75eb src/load_plugins, plugins/sudoers: added developer_mode sudo.conf option
It can be used to disable the enforcement that a plugin (shared object or
an imported python module) must be owned by root and not modifiable by
others.
This can make plugin development easier.
2019-12-14 12:55:42 -07:00
Todd C. Miller
718e6997fc Save/restore the raw form of the file context in case mctrans is not available. 2019-12-11 13:06:05 -07:00
Todd C. Miller
d0b80b404c Replace timeleft with pending in sudo plugin event API. 2019-12-07 08:42:10 -07:00
Todd C. Miller
f976a5d866 For plugin API 1.15 and up, always call the plugin close function.
Previously, it was only called when a command was run (including
sudoedit).  Now, plugin operations list, validate, invalidate, and
show_version are also closed.
2019-11-20 10:57:47 -07:00
Todd C. Miller
e0a4b2d68a Fix potential fd leak when converting trailing newline to cr + nl.
Coverity CID 205872
2019-11-19 18:57:22 -07:00
Todd C. Miller
368e12b0f9 If there is no session or terminal group ID, pass the plugin a value of 0.
This behavior already matches what is documented in the sudo_plugin
manual for "sid" but the "tcpgid" entry needed to be updated.
2019-11-18 16:25:52 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
9309ca0074 Simplify resource limit fallback logic a bit. 2019-11-12 07:26:14 -07:00
Todd C. Miller
f3ebe5025a Don't set the RLIMIT_STACK soft/hard limits to unlimited.
Use 8Mb for soft and 64Mb for hard.
Works around issues on macOS and docker.  See also Bug #908
2019-11-11 17:57:10 -07:00
Todd C. Miller
4a893912ce Restore resource limits before executing the askpass program.
Linux with docker seems to have issues executing a program when the
stack size is unlimited.  Bug #908
2019-11-11 16:07:43 -07:00
Todd C. Miller
ad52ce6612 Check for replies pointer being NULL just in case. 2019-11-11 14:10:13 -07:00
Todd C. Miller
6863a848d6 Convert trailing newline to carriage return + newline for tty.
Does not currently handle embedded newlines.
2019-11-09 10:13:56 -07:00
Todd C. Miller
655fdde22b We haven't needed -I$(top_srcdir) for a long time. 2019-11-02 12:00:04 -06:00
Todd C. Miller
356287557f Use dup3() instead of dup2().
This is less error prone since dup3() returns an error if old == new.
Sudo guarantees that fds 0-2 are already open.
2019-11-02 10:55:50 -06:00
Todd C. Miller
352212c7bf Open all pipes using pipe2() with O_CLOEXEC.
We no longer depend on calling closefrom() before exec.
2019-11-02 10:52:34 -06:00
Todd C. Miller
7acbfc18a9 Call closefrom() before we change to a non-root UID.
This prevents another process from changing the NOFILE resource limit
of the child process and defeating the closefrom() call.
Reported by Joe Vennix from Apple Information Security.
2019-11-02 10:51:49 -06:00
Todd C. Miller
0d8062c100 macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE.
We need to use OPEN_MAX instead as per the macOS setrlimit manual.
Bug #904
2019-10-29 08:28:52 -06:00
Todd C. Miller
059b55ce72 Refactor code in sudoers that creates I/O log files to share with logsrvd. 2019-10-24 20:04:31 -06:00
Todd C. Miller
0d69de5b25 Move openat() emulation to lib/util and add unlinkat() emulation. 2019-10-24 20:04:30 -06:00
Todd C. Miller
271ead2fd3 Don't pass an invalid session or process group ID to the plugin.
Fixes a regression in 1.8.28 when there is no terminal session leader.
2019-10-23 12:47:44 -06:00
Todd C. Miller
5391ee2d5e Not all systems support RLIMIT_NPROC and RLIMIT_RSS 2019-10-21 16:03:10 -06:00
Todd C. Miller
b157b96893 Add depend target to all Makefile.in files. 2019-10-21 15:20:21 -06:00
Todd C. Miller
e80079eaa8 Set resource limits in the sudo process to unlimited.
We don't want sudo to be limited by the caller's resource limits.
The original resource limits are restored before session setup.
2019-10-21 11:41:48 -06:00
Todd C. Miller
f57e2d04a3 Older FreeBSD needs sys/param.h included before sys/user.h.
From Darren Tucker
2019-10-20 19:18:27 -06:00
Todd C. Miller
c3ce3a84fb Refer to user-ID and group-ID instead of "user ID" and "group ID" 2019-10-19 14:26:41 -06:00
Todd C. Miller
40bf4081be Rename sudo_strtoid() to sudo_strtoidx() and add simplified sudo_strtoid() 2019-10-20 10:21:29 -06:00