Commit Graph

1172 Commits

Author SHA1 Message Date
Todd C. Miller
994f86b40f In pty_close(), call del_io_events with the SUDO_EVLOOP_ONCE flag
so the event loop will exit after a single run through.  Otherwise,
we may hang at exit on non-BSD systems.
2016-05-20 08:12:46 -06:00
Todd C. Miller
38f4ba2249 Bump I/O buffer size to 64K. We don't use PIPE_BUF or _PC_PIPE_BUF
for this because that corresponds to the value for atomic pipe
writes.  The actual pipe buffer is much larger on modern systems
and 64K is what BSD and Linux support for large pipe buffers.
2016-05-17 08:31:23 -06:00
Todd C. Miller
3b6cb9d65b Don't use SUDO_EVLOOP_NONBLOCK when flushing buffers at pty close
time, only when the user suspends sudo.  Fixes a problem where all
buffers might not get flushed at exit when logging I/O.  Reproducible
via "sudo tar cf - foo | (cd /tmp && sudo tar xf -)" on OpenBSD.
2016-05-17 08:16:43 -06:00
Todd C. Miller
a2e541aef8 O_NOCTTY has no effect when opening /dev/tty as the open can only
succeed if there is already a controlling tty.
2016-05-16 11:17:20 -06:00
Todd C. Miller
3b39377246 Do not need to open /dev/tty with O_NONBLOCK, it doesn't block on
first open like a physical terminal.  By definition, if you have a
controlling tty, the first open (which might block) has already
occurred.
2016-05-16 11:12:54 -06:00
Todd C. Miller
4e6b6fd0fa Use O_NOCTTY when opening a tty. 2016-05-16 11:00:31 -06:00
Todd C. Miller
3161c05a04 regen 2016-05-16 10:29:30 -06:00
Todd C. Miller
009f3e6456 Check fputs() return value. 2016-05-14 19:34:42 -06:00
Todd C. Miller
a2085809fa Fix last commit, now that argc is not reset we need to explicitly
start the copy from argv[1].  From Daniel Kopecek
2016-05-13 06:40:59 -06:00
Todd C. Miller
ea5bd18b92 cosmetic change to warning string 2016-05-12 10:35:06 -06:00
Todd C. Miller
d3622b0f2c Repair SELinux support, broken by 397722cdd7ec.
From Daniel Kopecek.
2016-05-11 14:02:43 -06:00
Todd C. Miller
b04c49dbd3 Break up io_callback() into read_callback() and write_callback()
to make it clear that we can't get an event with both read and write
set.
2016-05-09 10:53:20 -06:00
Todd C. Miller
094854adfe In io_callback() make sure we clear SUDO_EV_READ if we close the
fd.  It should not be possible for SUDO_EV_READ to be set when
revent is non-NULL but this makes static analyzers happier.
Coverity CID 104124.
2016-05-07 14:51:37 -06:00
Todd C. Miller
e99e3c26c8 In sudo_edit_create_tfiles(), fix fd leak if sudo_edit_mktemp() fails.
Coverity CID 104114.
2016-05-07 05:10:11 -06:00
Todd C. Miller
355cce4570 Fix fd leak in sudo_edit_open_nonwritable() if dir_is_writable()
returns an error.  Coverity CID 104113.
2016-05-07 05:07:38 -06:00
Todd C. Miller
d733dd7783 Fix memory leak of sesh_args in selinux_edit_copy_tfiles().
Coverity CID 104112.
2016-05-07 05:05:30 -06:00
Todd C. Miller
0f359e038c Fix memory leak on error if sudo_new_key_val() fails.
Coverity CID 104103.
2016-05-07 04:57:11 -06:00
Todd C. Miller
00727a310c Ignore the result of send() on exec error, if it fails the other
end of the pipe is gone and we are headed for exit.
Coverity CID 104066.
2016-05-07 04:47:12 -06:00
Todd C. Miller
6473d55aa7 Cast the return value of fcntl() to void when setting FD_CLOEXEC.
Coverity CID 104063, 104064, 104069, 104070, 104071, 104072, 104073, 104074
2016-05-05 16:16:24 -06:00
Todd C. Miller
829917f008 pid_t is defined by POSIX as a signed integer type so we don't need
a cast when comparing to -1.
2016-05-04 14:14:38 -06:00
Todd C. Miller
c70da6dcdf In dispatch_signal() for stopped processes check for tcgetpgrp()
returning -1.  Also change checks from "saved_pgrp != -1" to
"fd != -1".  Coverity CID 104098.
2016-05-04 14:13:44 -06:00
Todd C. Miller
2cd22f2906 In relabel_tty() always jump to bad: on error, regardless of the
value of se_state.enforcing.  On error, return -1 if enforcing,
else 0.  Coverity CID 104099.
2016-05-04 13:48:44 -06:00
Todd C. Miller
4ce39df38f In io_callback() if we write the complete buffer and find that there
is no associated reader just return as there is nothing else to be
done.  In practice it is not possible for SUDO_EV_READ to be set
if revent is NULL but an early return is harmless and possibly
easier to understand.  Coverity CID 104124.
2016-05-04 12:53:20 -06:00
Todd C. Miller
6ea903623b Handle read() returning -1 when creating temporary files.
Coverity CID 104100
2016-05-04 12:48:17 -06:00
Todd C. Miller
f88da1c1a0 Do group setup in policy_init_session() before calling out to the
plugin.  This makes it possible for the pam_group module to change
the group in pam_setcred().  It's a bit bogus since pam_setcred()
is documented as not changing the group or user ID, but pam_group
is shipped with stock Linux-PAM so we need to support it.
2016-04-28 11:01:58 -06:00
Todd C. Miller
3e9702580e style fix; fork_cmnd should start on a new line 2016-04-25 09:58:32 -06:00
Todd C. Miller
b4309d4aea Ignore SIGPIPE for the duration of sudo and not just in a few select
places.  We have no control over what nss, PAM modules or sudo
plugins might do so ignoring SIGPIPE is safest.
2016-04-22 16:36:36 -06:00
Todd C. Miller
70cf5674b5 Use string_to_security_class() instead of pulling SECCLASS_CHR_FILE
from flask.h.  Avoids a warning with new SELinux includes.
2016-04-22 11:36:08 -06:00
Todd C. Miller
42548a1b01 src/load_plugins.c needs _PATH_SUDO_CONF so allow it to be overridden
via the Makefile like other consumers of _PATH_SUDO_CONF.  Bug #735
2016-02-18 16:13:51 -07:00
Todd C. Miller
6cbba7d665 Add an administrative domain to the passwd/group cache key for
AIX which can have different name <-> ID mappings depending
on whether the database is local, LDAP, etc.
2016-02-01 11:08:58 -07:00
Todd C. Miller
a7e5ae1e5b When freeing the iobs after pty tear-down, also free the associated
event structures.  Quiets memory leak warnings from address
sanitizer and valgrind.
2016-01-29 10:31:54 -07:00
Todd C. Miller
7b2fbed45d Rename gc_cleanup to gc_run and remove I/O plugins from the plugin
list when freeing them.
2016-01-28 14:48:11 -07:00
Todd C. Miller
23aeb0b5ec Free up the garbage via an atexit() handler instead of requiring
a call to gc_exit.
2016-01-28 11:01:42 -07:00
Todd C. Miller
78ac87cd90 Plug a memory leak in sudo_edit. 2016-01-28 10:54:34 -07:00
Todd C. Miller
9b3ef072f9 Add support for garbage collecting info passed to the plugin before
exit to appease address sanitizer's leak detector (and valgrind's
leak checker).  We can't free these sooner since the plugin may be
using the memory.  For plugin API 2.0 it should be made clear that
the plugin must make a copy of the data in the arrays passed in to
the plugin's open() function.  Only enabled if NO_LEAKS is defined.
2016-01-27 15:37:15 -07:00
Todd C. Miller
91bce65e29 Remove sudo_fatalx() calls from format_plugin_settings(). 2016-01-27 13:59:04 -07:00
Todd C. Miller
5507b2328c Pass updated user_env_out, not envp, to the I/O open function. 2016-01-26 07:42:57 -07:00
Todd C. Miller
ca330adada Pass updated argv/envp to the I/O open function like the plugin API
documents.
2016-01-26 07:39:43 -07:00
Todd C. Miller
f4e5b135bb Update copyright year 2016-01-20 15:40:51 -07:00
Todd C. Miller
726b4dc968 If the user runs "sudoedit /" we will receive ENOENT from openat(2)
and sudoedit will try to create a file with the null string.  If
path is empty, open the cwd instead so sudoedit can give a sensible
error message.
2016-01-20 15:36:20 -07:00
Todd C. Miller
5bae35c05c Fix off by one error in new SET_FLAG macro. 2016-01-20 15:09:32 -07:00
Todd C. Miller
5e300f1e4c There are no systems that support O_SEARCH/O_PATH that do not also
support O_DIRECTORY so simplify the definition of DIR_OPEN_FLAGS a
bit.
2016-01-19 19:50:27 -07:00
Todd C. Miller
de0208a01b Make sudoedit_checkdir the default and update the documentation accordingly. 2016-01-19 14:16:25 -07:00
Todd C. Miller
e719d954e7 Add a SET_FLAG macro to simplify parsing command details boolean
flags.  Previously, flags were only set and never cleared even if
the boolean value was false.  This was not a problem as there were
no default flags for the plugin to enable.  That will change in the
future.
2016-01-19 10:32:33 -07:00
Todd C. Miller
4b96e94f37 Need to be root when switching to a different user. 2016-01-18 13:12:50 -07:00
Todd C. Miller
9f481f128d Use O_SEARCH on systems without O_PATH if present. It can be used
for a similar purpose.
2016-01-18 12:38:41 -07:00
Todd C. Miller
c1b1481204 Use faccessat(2) for directory writability instead of doing the
checks manually where possible.  This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
2016-01-18 10:45:47 -07:00
Todd C. Miller
051fe2d4cf Add missing dfd argument to the version of sudo_edit_openat_nofollow()
for systems without O_NOFOLLOW.
2016-01-11 16:36:40 -07:00
Todd C. Miller
c7c80913ef No need to check whether the fd we opened is really a directory in
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
2016-01-11 11:15:42 -07:00
Todd C. Miller
68c1073fe5 Rewritten sudoedit_checkdir support that checks all the dirs in the
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings.  Bug #707
2016-01-10 18:31:29 -07:00