Todd C. Miller
fa6c857112
Allow ldap_conf and ldap_secret to be specified as plugin arguments
in sudo.conf
2013-04-25 14:49:02 -04:00
Todd C. Miller
a40de4135e
Replace DPRINTF with DPRINTF1 and DPRINTF2 macros that use
SUDO_DEBUG_DIAG and SUDO_DEBUG_INFO respectively for logging to the
debug file with the ldap subsystem.
The sudoers_debug setting in ldap.conf is still honored for now but
will be removed in a future release.
2013-04-25 10:12:42 -04:00
Todd C. Miller
95b50f84af
Use time(&now) instead of now = time(NULL) when storing the current
time in a time_t (better compiler error checking).
Better parsing and printing of 64-bit time_t on 32-bit platforms.
2013-04-23 13:15:22 -04:00
Todd C. Miller
39acd2fcba
Rename error/errorx -> fatal/fatalx and remove the exit value as
it was always 1.
2013-04-18 14:07:59 -04:00
Todd C. Miller
cc3c76b85d
Add digest support for sudoers in ldap and sss.
2013-04-16 16:03:37 -04:00
Todd C. Miller
35375a2b7e
Initial implementation of checksum support in sudoers.
Currently supports SHA-224, SHA-256, SHA-384, SHA-512.
TODO: checksum format validation in parser and base64 support.
checksum support for ldap sudoers
2013-04-14 07:00:21 -04:00
Todd C. Miller
1da8739c38
Use userpw_matches() for username matching so #uid works for
sudoRunAsUser.
2013-02-21 07:03:52 -05:00
Todd C. Miller
7aae6bd6e3
Add line continuation support to sudo_parseln() and make it use
getline() instead of fgets() internally.
2013-02-07 10:56:01 -05:00
Todd C. Miller
1d7072fe09
Don't include <sys/param.h>. We only needed it for MAXPATHLEN,
MAXHOSTNAMELEN and the MIN/MAX macros. We now use PATH_MAX and
HOST_NAME_MAX throughout without falling back on MAXPATHLEN or
MAXHOSTNAMELEN and define our own MIN/MAX macros as needed.
2012-12-04 10:40:47 -05:00
Todd C. Miller
7b3d268687
Call gettext() on parameters for warning()/warningx() instead of
having warning() do it for us.
2012-11-25 09:34:04 -05:00
Todd C. Miller
595d3b2651
Display warning/error messages in the user's locale.
2012-11-08 15:37:44 -05:00
Todd C. Miller
bdf93e8d3e
Enable non-Unix group support for LDAP sudoers. We now check for
non-Unix groups and netgroups with the same query in the second
pass. Bug #571
2012-09-15 13:41:24 -04:00
Todd C. Miller
f205243bd7
Active Directory apparently requires that tenths of a second be
present in a date so append .0 to the "now" value in the time filter.
Also remove space for the global AND from TIMEFILTER_LENGTH since
it was not being used consistently. Buffers of TIMEFILTER_LENGTH
now need to account for the terminating NUL byte.
2012-07-30 11:09:11 -04:00
Todd C. Miller
3c57d6a06d
Add support for ldaps using Tivoli LDAP libraries.
Add ldap.conf option to specify Tivoli key db password.
Allow TLS ciphers to be configured for Tivoli.
2012-06-29 12:14:45 -04:00
Todd C. Miller
f56bada404
Tivoli Directory Server 6.3 libs always return a (bogus) error
when setting LDAP_OPT_CONNECT_TIMEOUT.
2012-06-28 15:42:38 -04:00
Todd C. Miller
cfe0034cdf
Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the
same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH).
Don't make failure to set an ldap option fatal.
2012-06-28 14:58:15 -04:00
Todd C. Miller
e9f5a38398
Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to
prevent potential truncation. Bug #562.
2012-06-27 13:41:58 -04:00
Todd C. Miller
649edc3192
Export group cache from sudoers.so for system_group.so to use.
2012-06-13 16:21:45 -04:00
Todd C. Miller
e82b67314c
Need to call ldapssl_clientauth_init() for start_tls on Mozilla
LDAP SDK.
2012-04-24 12:52:36 -04:00
Todd C. Miller
28268ed99c
Fix printing of invalid uri
2012-04-24 10:34:02 -04:00
Todd C. Miller
f6c7ae2519
sudo_ldap_set_options_global() should not take an LDAP handle as
an argument since the options affect the global settings.
2012-04-23 19:56:41 -04:00
Todd C. Miller
cde9f8aa12
Provide a more useful error message if using a Mozilla-style LDAP
SDK and you forgot to specify TLS_CERT in ldap.conf.
2012-04-23 15:30:34 -04:00
Todd C. Miller
9f461efd5f
Split global and per-connection LDAP options into separate arrays.
Set global LDAP options before calling ldap_initialize() or ldap_init().
After we have an LDAP handle, set the per-connection options.
Fixes a problem with OpenLDAP using the nss crypto backend; bug #342
2012-04-23 13:08:57 -04:00
Todd C. Miller
55d1a1a79d
Use ecalloc() when allocating structs.
2012-03-19 11:24:24 -04:00
Todd C. Miller
37770ecf1e
Initial cut at a hooks implementation. The plugin can register
hooks for getenv, putenv, setenv and unsetenv. This makes it
possible for the plugin to trap changes to the environment made by
authentication methods such as PAM or BSD auth so that such changes
are reflected in the environment passed back to sudo for execve().
2012-03-07 16:35:42 -05:00
Todd C. Miller
4f9da8fdaa
When adding gids to the LDAP filter, only add the primary gid once.
This is consistent with the space computation/allocation.
From Eric Lakin
2012-02-24 15:17:48 -05:00
Todd C. Miller
666d8d6359
Escape values in the search expression as per RFC 4515.
2011-12-07 15:12:22 -05:00
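Escaping assertion values is what keeps a user, host or group name from changing the structure of the search filter. The C example below is added here as an illustration and is not sudo's own code: ldap_filter_escape() and build_user_filter() are names chosen for this example, and the sample user names are constructed. It encodes the RFC 4515 metacharacters as \XX hex escapes and shows why a name such as "a)(sudoUser=*" must not be inserted verbatim.

```c
/* Added example, not sudo's code: RFC 4515 escaping of LDAP filter values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a filter assertion value per RFC 4515 section 3: '*', '(', ')'
 * and '\' are replaced by a backslash and two hex digits.  The value is a
 * C string, so an embedded NUL (escaped as \00 in the RFC) cannot occur.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *ldap_filter_escape(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = 0;
    const char *p;
    char *out, *q;

    for (p = value; *p != '\0'; p++) {
        switch (*p) {
        case '*': case '(': case ')': case '\\':
            len += 3;
            break;
        default:
            len++;
        }
    }
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    q = out;
    for (p = value; *p != '\0'; p++) {
        switch (*p) {
        case '*': case '(': case ')': case '\\':
            *q++ = '\\';
            *q++ = hex[(unsigned char)*p >> 4];
            *q++ = hex[(unsigned char)*p & 0x0f];
            break;
        default:
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Build "(sudoUser=<escaped user>)".  Without escaping, "*" would match
 * every entry and "a)(sudoUser=*" would inject a second assertion. */
char *build_user_filter(const char *user)
{
    char *esc = ldap_filter_escape(user);
    char *filter;
    size_t n;

    if (esc == NULL)
        return NULL;
    n = strlen("(sudoUser=)") + strlen(esc) + 1;
    filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, "(sudoUser=%s)", esc);
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed sample names: a normal user and three hostile ones. */
    const char *samples[] = { "alice", "*", "a)(sudoUser=*", "dom\\user" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *f = build_user_filter(samples[i]);
        printf("%-16s -> %s\n", samples[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

The same escaping applies to every value interpolated into a filter, including host names, netgroup names and the gid strings added for group matching; escaping only the user name leaves the other assertions open.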
Todd C. Miller
21a2f95821
Use stdbool.h instead of rolling our own TRUE/FALSE macros.
2011-12-02 11:27:33 -05:00
Todd C. Miller
b12b4fdc7b
Add support for permitting access by group ID in addition to group name.
2011-11-29 16:24:45 -05:00
Todd C. Miller
627e485c0e
Older Netscape LDAP SDKs don't prototype ldapssl_set_strength()
2011-11-29 15:37:48 -05:00
Todd C. Miller
839919566e
Add debug_decl/debug_return (almost) everywhere.
Remove old sudo_debug() and convert users to sudo_debug_printf().
2011-10-22 14:40:21 -04:00
Todd C. Miller
3bcc9048c3
Add support for DEREF in ldap.conf.
2011-09-16 16:50:04 -04:00
Todd C. Miller
4f9a93f658
Fix some potential problems found by the clang static analyzer,
none serious.
2011-07-28 10:59:37 -04:00
Todd C. Miller
b124635b04
Instead of keeping separate groups and gids arrays, create struct
group_info and use it to store both, along with a count for each.
Cache group info on a per-user basis using getgrouplist() to get
the groups. We no longer need to special case the user or
list user for user_in_group() and thus no longer need to reset the
groups list when listing another user.
2011-07-20 11:58:45 -04:00
Todd C. Miller
56321ec778
Resolve the list of gids passed in from the sudo frontend (the
result of getgroups()) to names and store both the group names and
ids in the sudo_user struct. When matching groups in the sudoers
file, match based on the names in the groups list first and
only do a gid-based match when we absolutely have to. By matching
on the group name (as it is listed in sudoers) instead of id
(which we would have to resolve) we save a lot of group lookups
for sudoers files with a lot of groups in them.
2011-07-01 14:13:47 -04:00
Todd C. Miller
ab3b3eb83b
Quiet gcc warnings.
2011-05-28 15:27:14 -04:00
Todd C. Miller
086cbfe376
Tivoli Directory Server requires that seconds be present in a
timestamp, even though RFC 4517 states that they are optional.
2011-05-25 15:04:34 -04:00
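This commit and the Active Directory tenths-of-a-second change above address the same edge case: RFC 4517 makes the seconds and the fractional part of a GeneralizedTime optional, but Tivoli Directory Server and Active Directory reject a time filter that omits them. The C example below is added here and is not sudo's code; format_ldap_time(), build_time_filter() and LDAP_TIME_LEN are names chosen for this example, the clause layout is the example's own, and the buffer sizing includes the terminating NUL and refuses to return a truncated filter.

```c
/* Added example, not sudo's code: GeneralizedTime for an LDAP time filter. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* "YYYYmmddHHMMSS" (14) + ".0" (2) + "Z" (1) + NUL (1) */
#define LDAP_TIME_LEN 18

/* Format t as UTC GeneralizedTime, always emitting seconds and ".0" so the
 * value is accepted by servers that require them.  Returns the number of
 * characters written (excluding NUL), or 0 if the buffer is too small. */
size_t format_ldap_time(time_t t, char *buf, size_t bufsize)
{
    struct tm *tm;

    if (bufsize < LDAP_TIME_LEN)
        return 0;
    tm = gmtime(&t);          /* example uses gmtime; not thread-safe */
    if (tm == NULL)
        return 0;
    return strftime(buf, bufsize, "%Y%m%d%H%M%S.0Z", tm);
}

/* Entries are current when sudoNotAfter is absent or >= now and
 * sudoNotBefore is absent or <= now.  Returns the filter length, or -1
 * when formatting fails or the buffer cannot hold the whole filter. */
int build_time_filter(time_t now, char *buf, size_t bufsize)
{
    char ts[LDAP_TIME_LEN];
    int n;

    if (format_ldap_time(now, ts, sizeof(ts)) == 0)
        return -1;
    n = snprintf(buf, bufsize,
        "(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
        "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))", ts, ts);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;            /* truncated: never send a partial filter */
    return n;
}

int main(void)
{
    char filter[256];
    time_t now = time(NULL);

    if (build_time_filter(now, filter, sizeof(filter)) < 0) {
        fprintf(stderr, "time filter buffer too small\n");
        return 1;
    }
    puts(filter);
    return 0;
}
```

A filter that silently loses its closing parentheses to truncation would be rejected by the server at best and, at worst, match something other than intended, which is why the length check treats a full buffer as an error rather than a success.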
Todd C. Miller
bd36d4f2ab
Add primitive format string support to the lbuf code to make translations
simpler.
2011-05-20 15:25:03 -04:00
Todd C. Miller
67cc4ff025
Translate help / usage strings.
2011-05-19 16:07:14 -04:00
Todd C. Miller
27cb585142
Do not mark untranslatable strings for translation
2011-05-18 13:16:32 -04:00
Todd C. Miller
fce0b906eb
cannot -> "unable to" in warning/error messages
2011-05-18 12:41:06 -04:00
Todd C. Miller
917c8d48ad
We don't want to translate debugging messages.
2011-05-17 18:37:18 -04:00
Todd C. Miller
b643b190a7
Prepare sudoers module messages for translation.
2011-05-16 16:32:05 -04:00
Todd C. Miller
b00cf92eff
Remove extraneous parens in LDAP filter when sudoers_search_filter
is enabled that cause a search error. From Matthew Thomas.
2011-04-12 11:48:04 -04:00
Todd C. Miller
e8776da730
Add support for sudoers_search_filter setting in ldap.conf. This
can be used to restrict the set of records returned by the LDAP
query.
2011-03-18 09:38:42 -04:00
Todd C. Miller
cf7ec7a3cc
Fix typo; tupple vs. tuple
2011-03-15 15:52:18 -04:00
Todd C. Miller
21d8f01fac
return foo not return(foo)
2011-02-07 06:47:29 -05:00
Todd C. Miller
ae2f7638f5
standardize on "return foo;" rather than "return(foo);" or "return (foo);"
2011-01-24 15:15:18 -05:00
Todd C. Miller
be034d5e7e
In sudo_ldap_lookup(), always do the initial sudoers check as the
invoking user. If we are listing another user's privs we will
do a separate lookup using list_pw later.
2011-01-21 08:10:26 -05:00
Todd C. Miller
f7f8b6867e
Update copyright year to 2011
2011-01-20 16:46:56 -05:00