isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,586 Commits 1 Branch 0 Tags
df969d30b44f80ff1112a50d5713b0865e604619
Commit Graph

277 Commits

Author SHA1 Message Date
Todd C. Miller
608574a219 For ldap/sssd, include defaults in the generate privilege unless 
we are listing in short mode (in which case we convert them to tags
if possible).  Fixes a problem where sudoOptions were not being
applied to the command.
 2018-08-02 14:45:00 -06:00
Todd C. Miller
70d519c8ad o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. 
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
  a pointer to a struct sudoers_parse_tree which will be filled in
  by the getdefs() and query() functions.
 2018-07-26 15:12:33 -06:00
Todd C. Miller
2270b1e89f Avoid duplicate free when netgroup_base is invalid. 2018-07-15 07:46:34 -06:00
Todd C. Miller
919b567229 The getdefs() function now get called multiple times so use the 
cached data if present.
 2018-05-29 10:53:47 -06:00
Todd C. Miller
c990d93a4e Remove a needless copy when parsing options. 2018-05-29 09:39:42 -06:00
Todd C. Miller
0b31f186cd Move cached userspecs and defaults into the handle object. 2018-05-29 09:39:40 -06:00
Todd C. Miller
e401f92830 Reorder things to avoid the need to declare static functions. 2018-05-28 07:35:51 -06:00
Todd C. Miller
8ad51fe089 Some ldap_get_values_len -> sudo_ldap_get_values_len that were 
missed before.
 2018-05-16 10:37:15 -06:00
Todd C. Miller
f38317269d Add free_userspecs() and free_default() and use them instead of 
looping over the lists and calling free_userspec() and free_default().
 2018-05-15 16:35:07 -06:00
Todd C. Miller
d052f8a68b Add checks for ldap/sss functions failing due to memory allocation 
errors.
 2018-05-14 09:05:05 -06:00
Todd C. Miller
904f37e03f Let the main sudoers lookup code check the host name. We still 
check the user name so it is possible to use a single userspec
but this may change in the future.
 2018-05-14 09:05:04 -06:00
Todd C. Miller
f9be3a48a2 Simplify the nss interface such that each sudoers provider fills 
in a per-nss list of userspecs and defaults instead of using separate
lookup and list functions.  This makes it possible to have a single
implementation of the code for sudoers lookup and listing.
 2018-05-14 09:05:03 -06:00
Todd C. Miller
71e98d9493 Include parse.h in sudoers.h since it will soon be required. 2018-05-14 09:05:02 -06:00
Todd C. Miller
e26ef96a65 Add case_insensitive_group and case_insensitive_user sudoers options, 
which are enabled by default.
 2018-03-05 10:42:02 -07:00
Todd C. Miller
5c36f9dec3 Initial support for adding comments that will be emitted when 
sudoers is formatted.  Currently adds a comment for the source
sudoRole when converting from ldif -> sudoers.
 2018-03-04 07:03:43 -07:00
Todd C. Miller
ceea24b965 Initial support for parsing sudoers LDIF files in cvtsudoers. 
This makes it possible to convert from LDAP sudoers to a traditional
sudoers file.  Semantic differences between file sudoers and LDAP
sudoers mean that LDIF -> sudoers is not completely equivalent.
 2018-02-22 09:53:12 -07:00
Todd C. Miller
43a3a23fed Move LDAP configuration bits into ldap_conf.c 2018-02-11 07:36:08 -07:00
Todd C. Miller
0c08de88cd No longer need to include stddef.h 2018-02-10 13:37:59 -07:00
Todd C. Miller
34820c6b15 simplify iterator 2018-02-10 04:29:43 -07:00
Todd C. Miller
4459ee42ed Use an iterator instead of fragile pointer arithmetic to iterate 
over value arrays in sudo_ldap_role_to_priv().
 2018-02-09 22:06:56 -07:00
Todd C. Miller
64e99328e3 Move sudoers formatting code into fmtsudoers. 2018-02-09 18:22:04 -07:00
Todd C. Miller
2522229e86 Rename sudo_file_append_default() -> sudo_lbuf_append_default() and 
use it for ldap and sssd too.
 2018-02-09 18:22:02 -07:00
Todd C. Miller
3226f7e28b Move common bits of ldap to sudoers conversion into ldap_common.c 
and use it in sssd.c.
 2018-02-09 18:21:40 -07:00
Todd C. Miller
4e2402a8e4 Convert ldap results into a sudoers userspec so we can use the "sudo 
-l" output functions in parse.c.
 2018-02-09 18:21:01 -07:00
Todd C. Miller
57e7b4b49e For "sudo -l", if a word includes spaces, print it in double quotes. 
Also escape spaces in the command path.  This matches the sudoers
quoting rules.
 2018-02-04 12:53:32 -07:00
Todd C. Miller
3189de5bb9 Display sudoNotBefore and sudoNotAfter in "sudo -l" 2018-02-03 14:56:00 -07:00
Todd C. Miller
a885b952fb Remove use of AC_HEADER_TIME, only obsolete platforms actually 
need this.  Also stop removing sys/time.h unless the source file
uses struct timeval.
 2018-01-17 09:52:15 -07:00
Todd C. Miller
6ca8447e00 An empty RunAsUser means run as the invoking user, similar to how 
the sudoers files works.
 2017-12-12 14:20:56 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
250209d7a8 When running a command as the invoking user we cannot use the gid 
list from the front-end since it may not correspond to the user's
aux group vector as defined by the group database.
 2017-11-28 09:48:43 -07:00
Todd C. Miller
ca2e1a455a Plug some memory leaks on error, some found by the clang static analyzer. 2017-11-16 09:43:24 -07:00
Todd C. Miller
88faa58735 In list (-l) or verify (-v) mode, if we have a match but authentication 
is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication.  From Radovan Sroka of RedHat
 2017-11-15 15:06:45 -07:00
Todd C. Miller
2cbdc26540 When checking the results for "sudo -l" and "sudo -v", keep checking 
even after we get a match since the value of doauth may depend on
evaluating all the results.  From Radovan Sroka of RedHat.
 2017-11-15 12:27:39 -07:00
Todd C. Miller
06d52c97c2 The fix for matching when no sudoRunAsUser is present in a sudoRole 
was incomplete.  If no -g option was specified on the command line
but sudoRunAsGroup is present in a sudoRole, we need to treat the
group match as failed instead of missing.
 2017-09-01 11:36:15 -06:00
Todd C. Miller
5cdee2c2c0 Fix the pass2 ldap query string when no search filter is defined. 
Due to the addition of "(sudoUser=*)" to the query we always need
the AND operator, even if no search filter is present.
 2017-08-31 11:05:48 -06:00
Todd C. Miller
98369bf985 Avoid unused variable warning when sasl is not used. 2017-07-28 14:05:54 -06:00
Todd C. Miller
7db97c7835 Avoid a clang analyzer false positive. 2017-05-12 10:02:18 -06:00
Todd C. Miller
b5e7b7bd2c Move the file digest code out of match.c and into filedigest.c. 
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.
 2017-02-20 16:44:12 -07:00
Todd C. Miller
e954facb9d List SELinux role/type for "sudo -l" with LDAP and SSSd backends. 
Also fix printing of the timeout.
 2017-02-14 15:56:34 -07:00
Todd C. Miller
3980f1531b Add support for command timeouts in sudoers. After the timeout, 
the command will be terminated.
 2017-02-14 15:56:34 -07:00
Todd C. Miller
df03020c4c Add support for SASL_MECH in ldap.conf; Bug #764 2017-01-17 11:09:23 -07:00
Todd C. Miller
b4f524fe7d Don't overwrite the return value of ldap_sasl_interactive_bind_s() 
by the subsequent call to sudo_set_krb5_ccache_name().  From Paul
Zirnik of SUSE.
 2017-01-16 11:20:26 -07:00
Todd C. Miller
d6c30ba273 Add sudo_ldap_is_negated() and sudo_ldap_is_negated() functions 
and use them to parse negated entries instead of doing it manually.
 2016-11-16 13:46:38 -07:00
Todd C. Miller
da73733724 Fix printing of sudoedit_follow in "sudo -l" 2016-11-16 11:03:50 -07:00
Todd C. Miller
8820ff3efb Use readline() in sudo_ldap_read_secret() 2016-11-16 09:22:18 -07:00
Todd C. Miller
79ca752802 Go back to parsing Defaults entries in update_defaults instead of 
as sudoers is read.  Otherwise, we cannot properly support early
defaults like sudoers_locale.
 2016-11-09 16:00:12 -07:00
Todd C. Miller
17868f89d7 Fix a bug in host matching where a negated sudoHost entry would 
prevent other sudoHosts following it from matching.
 2016-11-08 14:35:23 -07:00
Todd C. Miller
738c3cbf3e Use "ret", not "rc" for the function return value. 2016-11-07 13:39:42 -07:00
Todd C. Miller
df8404dbd4 Instead of parsing sudoers Defaults twice, parse once while reading 
sudoers and then just set the parsed value in update_defaults().
 2016-11-06 18:59:49 -07:00
Todd C. Miller
75e29f163e Add file:linenumber prefix to all Defaults warnings so we can see 
them when running sudo too.  For LDAP/SSSD we print the sudoRole
instead of the file name and omit the line number.
 2016-11-02 17:07:32 -06:00