Commit Graph

11443 Commits

Author SHA1 Message Date
Todd C. Miller
df1bb3814b Reword some of the NEWS items for 1.9.10. 2022-02-13 08:55:01 -07:00
Todd C. Miller
33f54c853b Limit regular expressions to 1024 characters each.
Avoids a problem with the fuzzer creating large regular expressions
that blow up the glibc regcomp().
2022-02-12 09:33:02 -07:00
Todd C. Miller
63b2a62f8a Substitute values in the example syslog.conf too.
Also update ignore files for example changes
2022-02-11 19:19:09 -07:00
Todd C. Miller
0bbe4b1813 Substitute paths set by configure in examples. Bug #1023 2022-02-11 19:07:08 -07:00
Todd C. Miller
0e2e4b6882 Update Project-Id-Version to 1.9.10. 2022-02-11 18:34:04 -07:00
Todd C. Miller
541c165e65 Update .pot files for 1.9.10 2022-02-11 14:15:31 -07:00
Todd C. Miller
85f9f2beb6 Sudo 1.9.10 2022-02-11 14:14:32 -07:00
Todd C. Miller
7c17f84a35 Add helper function to compile a regex that supports (?i). 2022-02-11 12:01:31 -07:00
Todd C. Miller
86d2173937 Add support for matching command and args using regular expressions.
Either the command, its arguments or both may be (separate)
regular expressions.
2022-02-10 18:26:24 -07:00
Todd C. Miller
c8bf591042 Clear sudoers_errstr after it is used.
This way we avoid printing the same error message more than once
if there are multiple ERROR tokens returned from the lexer.
2022-02-10 16:09:44 -07:00
Todd C. Miller
3c1ce4bf72 store_iobuf_local: fix potential double free on the error path. 2022-02-10 13:33:24 -07:00
Todd C. Miller
3b6f620e3e Update links to sudo web site and reference markdown docs. 2022-02-10 13:15:39 -07:00
Todd C. Miller
7b5f0dfaf7 Use a 4n indent for code blocks instead of the default 6n. 2022-02-10 13:05:34 -07:00
Todd C. Miller
4e3a48f2d1 testsudoers: disable argument permutation in GNU getopt
This makes it easier to test commands with arguments.
2022-02-10 10:36:03 -07:00
Todd C. Miller
b6a2fcf59f iolog_pwfilt_run: fix types in error return 2022-02-10 09:43:33 -07:00
Todd C. Miller
c5027c796c Free potential leaks of passprompt_regex_handle.
Coverity CID 249057
2022-02-10 09:08:31 -07:00
Todd C. Miller
8dc2dc8bbc Merge pull request #133 from Dzejrou/main
Do not unset user timeout when no default timeout is set.
2022-02-09 10:09:05 -07:00
Jaroslav Jindrak
1f3815c4fb Do not unset user timeout when no default timeout is set. 2022-02-09 17:37:26 +01:00
Todd C. Miller
10ad934b77 Don't escape double quotes (") in a command when printing it.
Previously, cvtsudoers and "sudo -l" would escape double quotes in
a command or command line argument, which is not valid sudoers syntax.
2022-02-08 15:44:18 -07:00
Todd C. Miller
8adad85b4b A few minor (mostly cosmetic) fixes.
Add missing ALL to Runas_Member and Host.
Replace some tabs with spaces.
Fix the syntax of a sudoedit example.
2022-02-08 11:26:55 -07:00
Todd C. Miller
53d3e20099 Merge pull request #132 from ninedotnine/patch-1
Sync example sudoers with default sudoers
2022-02-04 12:33:50 -07:00
dan soucy
8130dc9cb7 Sync example sudoers with default sudoers
`sudoers.in` was changed by 1d13533
2022-02-04 19:29:34 +00:00
Todd C. Miller
c5133d84eb Upgrade http links to https where possible and fix some broken links. 2022-02-04 08:31:03 -07:00
Todd C. Miller
6aa320c96a Remove "This incident will be reported." from user warnings.
This used to indicate that email had been sent to the administrator
telling them that someone tried to run sudo.  Whether or not sudo
sends email is now configurable, so the warning may not be accurate.
It is also confusing to the user since they will not know who the
incident is being reported to.  See also https://xkcd.com/838/
2022-02-03 19:47:44 -07:00
Todd C. Miller
4d0aeea688 Log fn_get_values() return code in the debug log on error.
Also move a nested switch() statement out of 'case 0' for
improved readability.
2022-02-03 12:31:56 -07:00
Todd C. Miller
de0f4398e2 Do not return an error if we cannot connect to the SSSD connector.
This may simply mean that nsswitch.conf lists sss as a sudoers
source but SSSD is not configured for sudo.  Otherwise, the user
will receive a useless "problem with defaults entries" when the
sssd backend tries to fetch the global defaults.  Bug #1022.
2022-02-03 11:31:05 -07:00
Todd C. Miller
c236d58b5a Set client_closure to NULL after freeing it. 2022-02-03 10:55:45 -07:00
Todd C. Miller
3f1bb7bc97 client_closure_alloc: init write_bufs/free_bufs before other allocations.
We must initialize the tail queues before any possible call to
client_closure_free(), such as due to malloc() failure.
2022-02-03 10:40:03 -07:00
Todd C. Miller
c4e67624e3 Add missing default return in last commit. 2022-02-03 10:24:10 -07:00
Todd C. Miller
d18ee79354 sudo_logsrvd: make sure journal exists before writing the alert message.
Fixes a potential NULL dereference when journaling an alert message.
2022-02-03 10:19:40 -07:00
Todd C. Miller
2e957cd43d Fix compilation on Debian kFreeBSD.
The configure script correctly detects that utimensat() and futimens()
are missing but the headers define stub versions of the functions.
Including sys/stat.h pulls in the system definitions so we can override
them safely.  Bug #1021.
2022-02-03 09:33:30 -07:00
Todd C. Miller
a299406291 Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid.
If the /proc file indicates no terminal is present there is no fallback.
Bug #1020
2022-02-02 08:32:44 -07:00
Todd C. Miller
85fef8b50f Add sudoers option to perform authentication even in non-interactive mode.
If noninteractive_auth is set, authentication methods that do not
require input from the user's terminal may proceed.  It is off by
default, which restores the pre-1.9.9 behavior of "sudo -n".
2022-02-01 20:08:26 -07:00
Todd C. Miller
6564f1ae4c Work around a glibc regcomp() bug with repeated '+' operators.
Glibc regcomp() has a bug where it uses excessive memory for repeated
'+' ops.  Collapse them to avoid running the fuzzer out of memory.
2022-02-01 13:12:19 -07:00
Todd C. Miller
ac555d454f Rebase seed corpus on updated sudo_logsrvd.conf example. 2022-02-01 13:10:05 -07:00
Todd C. Miller
ad719d06be Fix parsing of "retry_interval" in the relay section.
The setting was present but the callback was missing so it could
not be parsed in the conf file.
2022-02-01 13:08:40 -07:00
Todd C. Miller
2df2276d56 Use TIME_T_MAX as the upper limit when parsing timeouts. 2022-02-01 13:07:27 -07:00
Todd C. Miller
46ca288216 converse: don't set response pointer on error
Linux pam_conv(3) says not to set the pointer on PAM_CONV_ERR.
2022-02-01 10:57:40 -07:00
Todd C. Miller
3c84aef902 Add missing sudoers4 test file for new cvtsudoers test. 2022-01-31 19:28:06 -07:00
Todd C. Miller
960bf99656 defaults_check_conflict: it is only really a conflict if the binding matches
If the Defaults name matched but the binding does not, we can simply
leave it be.  Fixes a problem where given two sudoers sources that
have a host specified, if they contain conflicting Defaults entries
we would drop one of the Defaults instead of keeping both after
making them host-specific.
2022-01-31 19:18:04 -07:00
Todd C. Miller
8f4351a897 Make it possible to merge a host-based Defaults with a global one.
We convert the global Defaults to a host-based one with a single
"ALL" member.  Later, when we simplify the host list, we'll convert
this back to a global Defaults.
2022-01-31 19:18:03 -07:00
Todd C. Miller
be4d62e9a4 Check for garbage after [section] in sudo_logsrvd.conf. 2022-01-29 10:50:03 -07:00
Todd C. Miller
9303aec0de Sync fuzzing dictionary with current configuration keyword list. 2022-01-29 10:30:37 -07:00
Todd C. Miller
5ea0bf4ee2 Escape/unescape commas when serializing/deserializing a stringlist. 2022-01-28 08:52:42 -07:00
Todd C. Miller
9b93961b3e Add new log_passwords and passprompt_regex settings.
When logging terminal input, if log_passwords is false and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.
2022-01-28 08:52:42 -07:00
Todd C. Miller
c58a080dd5 Add a flag to avoid splitting list entries on white space. 2022-01-28 08:52:41 -07:00
Todd C. Miller
0efe280037 Add new sudoers settings log_passwords and passprompt_regex.
When logging terminal input, if log_passwords is disabled and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.
2022-01-28 08:52:41 -07:00
Todd C. Miller
946404434e lib/iolog: add support for filtering password out of tty input
If a password regex is found in the tty output, tty input will be
replaced with '*' chars until a newline or another tty output
character is received.
2022-01-28 08:52:41 -07:00
Todd C. Miller
86f123cd9d Pass the operator to the Defaults callback too.
That way we can tell what to do in callbacks for lists.
2022-01-28 08:52:41 -07:00
Todd C. Miller
be45d8fef4 "plain text" -> "plaintext" for consistency. 2022-01-27 12:43:19 -07:00