Tim Shearer
e4f08157b6
Fix incorrect SHA384/512 digest calculation.
...
Resolves an issue where certain message sizes result in an incorrect
checksum. Specifically, when:
(n*8) mod 1024 == 896
where n is the file size in bytes.
2022-08-02 10:53:15 -04:00
Todd C. Miller
cf250354fc
Defer chdir(2) until sesh when running with SELinux.
...
We need to be running with the correct security context or the
chdir(2) may fail. GitHub issue #160.
2022-08-01 13:40:47 -06:00
Todd C. Miller
555474d3aa
Merge pull request #166 from c4rlo/patch-1
...
visudo.c: add nvim (Neovim) to lineno_editor list
2022-07-31 13:06:39 -06:00
Carlo Teubner
2b5dcf255d
visudo.c: add nvim (Neovim) to lineno_editor list
...
Neovim supports it: https://neovim.io/doc/user/starting.html#-+
2022-07-31 17:20:50 +01:00
Todd C. Miller
4de5e12ddb
Document the TOCTOU issue with intercept mode.
...
Describe how intercept_verify attempts to reduce the risk.
2022-07-29 20:18:55 -06:00
Todd C. Miller
3eb6e78569
Update a codespell exclude pattern.
2022-07-29 19:51:57 -06:00
Todd C. Miller
3ce19efca9
Add intercept_verify sudoers option to control execve(2) argument checking.
2022-07-29 15:22:27 -06:00
Todd C. Miller
b80b012de0
Use PTRACE_EVENT_EXEC to stop execution before return from execve(2).
...
We can now verify that the arguments match what we accepted before
the command actually runs. If there is a mismatch, the process is
killed. Shell scripts must be handled specially since the path
executed will be the interpreter, not the script name.
Linux allows interpreters to be nested up to 4 deep.
2022-07-29 15:22:26 -06:00
Todd C. Miller
620a563b54
Only set MODE_POLICY_INTERCEPTED if we are running a command.
...
Fixes an error with "sudo -l" when intercept is enabled globally.
2022-07-29 15:17:45 -06:00
Todd C. Miller
25513b4f37
The length returned by ptrace_read_string() includes the NUL.
...
We were wasting an extra byte in the string table for each entry.
2022-07-27 14:11:13 -06:00
Todd C. Miller
882990b1b3
Use gcc's malloc attribute for malloc-like allocation functions.
2022-07-26 15:14:03 -06:00
Todd C. Miller
23ab31fce0
Avoid a Coverity positive.
2022-07-26 13:05:46 -06:00
Todd C. Miller
6c9b3c7613
fmtstr: add missing va_end() for the overflow case
...
Coverity CID 275335
2022-07-26 12:54:52 -06:00
Todd C. Miller
3421c8b6ce
Fix potential NULL pointer dereference found by clang-analyzer.
2022-07-26 11:44:12 -06:00
Todd C. Miller
f5dc739ea3
Quiet some harmless PVS-Studio warnings.
2022-07-26 11:28:38 -06:00
Todd C. Miller
de3d5fe934
Reject relative command paths if runcwd is not set.
...
This is now treated as a policy rejection.
2022-07-26 11:04:29 -06:00
Todd C. Miller
16ea0bb3fd
intercept_check_policy: close saved_dir before returning
2022-07-26 08:56:27 -06:00
Todd C. Miller
3c1f3ef102
Change to runcwd during the policy check where possible.
...
Otherwise, attempts to run "./command" from a shell with intercept
set will fail if the current working directory is different from
the main sudo process.
2022-07-26 08:43:44 -06:00
Todd C. Miller
5516cdcd5b
For preload DSO make copies of cmnd, argv, envp and map them read-only.
2022-07-25 19:56:54 -06:00
Todd C. Miller
226a6cd754
Use sudo_mmap_alloc functions in DSO-based intercept code.
2022-07-25 16:05:11 -06:00
Todd C. Miller
e43c964c43
Use sudo_mmap_alloc functions instead of private versions.
...
We no longer need to keep track of the allocation size.
2022-07-25 16:05:10 -06:00
Todd C. Miller
fccf3c9c56
Add sudo_mmap_{alloc,allocarrary,strdup,free} functions.
...
These allocate memory via mmap anonymous regions and store the mapped
size immediately before the returned pointer as an unsigned long.
They are intended to be used in cases where malloc(3) and free(3)
are unsuitable due to concerns about corrupting global state in
multi-threaded programs or signal handlers.
2022-07-25 15:08:11 -06:00
Todd C. Miller
15fd62f0d5
resolve_path: skip non-regular files
2022-07-25 08:51:49 -06:00
Todd C. Miller
308a6c31d9
Sync with schema.OpenLDAP for user/group utf8 support.
2022-07-25 11:02:47 -06:00
Todd C. Miller
36b603aa95
Merge pull request #163 from Firstyear/20220725-sudo-ldap-schema
...
Update sudoUser to be utf8 in ldap schemas
2022-07-25 10:37:28 -06:00
William Brown
7f9ea23e74
Update sudoUser to be utf8 in ldap schemas
...
In most unix-style LDAP servers, uid is a utf8 string defined by
OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
that sudoUser could only represent a subset of possible values.
In some cases when using sudoers.ldap, the uid from the machine
which was utf8 was fed back into sudo which would then issue a
search for sudoUsers. If this uid contained utf8 characters, the
ldap server would refuse to match into sudoUsers because these
were limited to IA5.
This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
that this change will not impact existing deployments and their
rules.
2022-07-25 15:21:39 +10:00
Todd C. Miller
75e97fd5b2
Make sure the plugin provides a command, argv and envp.
2022-07-14 09:49:00 -06:00
Todd C. Miller
e5652fc65a
Linux execve(2) allows argv or envp to be NULL.
...
Add checks to make sure we don't dereference a NULL pointer.
2022-07-14 09:29:40 -06:00
Todd C. Miller
a5ac29219a
intercept_check_policy: add oom label and fix approval failure case.
...
If the approval plugin fails we need to set the state to POLICY_REJECT
just like we do if the policy rejected the command.
2022-07-13 13:06:21 -06:00
Todd C. Miller
a2b0a8330c
Fix a few whitespace issues.
2022-07-09 11:21:17 -06:00
Todd C. Miller
e7b7fbaf6e
Increase the realloc increment from 128 to 1024.
...
The contents of the env_add array should not include the leading
"env=" prefix.
2022-07-09 09:02:25 -06:00
Todd C. Miller
224d78993a
sudo_putenv_nodebug: require that the environment string include a '='
2022-07-09 09:00:48 -06:00
Todd C. Miller
fba81260ad
If update_defaults() fails, treat it as a parse error.
2022-07-08 14:01:15 -06:00
Todd C. Miller
3dc8497b48
Add additional PVS-studio suppression comments for generated code.
2022-07-08 10:53:00 -06:00
Todd C. Miller
a7f9c8162e
Fix compilation error when SUDOERS_NAME_MATCH is defined.
2022-07-07 20:28:49 -06:00
Todd C. Miller
5a59ce159e
Fix a NOPASSWD issue with a non-existent command when fdexec=always
...
In command_matches_all(), if the command is fully-qualified and
open_cmnd() returns false, only treat it as an error if we are able
to stat(2) the command. For "sudo ALL" a non-existent command is
not an error.
2022-07-07 20:11:44 -06:00
Todd C. Miller
41e7532c90
Quote ^foo$ on command line to protect it from the shell.
2022-07-07 10:13:22 -06:00
Todd C. Miller
f6e4d2765a
Add explicit include of unistd.h for getopt(3) and related variables.
2022-07-05 11:35:25 -06:00
Todd C. Miller
42c6d9fb50
In timegm() initialize tm_isdst to 0 like tzcode does.
2022-07-01 14:23:28 -06:00
Todd C. Miller
fd0c5566ac
Merge pull request #161 from likunyur/lky
...
sudoers/cvtsudoers: Remove the repeated ';' from code
2022-07-04 09:00:58 -06:00
Li kunyu
a9a164e71c
src/send: Remove the repeated ';' from code
...
Signed-off-by: Li kunyu <kunyu@nfschina.com>
2022-07-04 12:36:11 +08:00
Li kunyu
a311180bbc
sudoers/cvtsudoers: Remove the repeated ';' from code
...
Signed-off-by: Li kunyu <kunyu@nfschina.com>
2022-07-04 12:31:50 +08:00
Todd C. Miller
3cd9c5f5e6
Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds.
...
There's no real reason for the command to wait for sudo to send back a
response that will always be a PolicyAcceptMessage.
2022-06-30 13:35:07 -06:00
Todd C. Miller
985a2261bc
sudoers_main: defer setting return value until the end when running a command
...
Otherwise, we could return success when there was an error from a
system call or memory allocation failure.
2022-06-30 13:35:04 -06:00
Todd C. Miller
885abf48d7
Save the initial command run via sudo and use it when logging exit status.
...
Otherwise, if we are in intercept mode or logging sub-commands the
exit status will be logged with the wrong command.
2022-06-30 11:10:43 -06:00
Todd C. Miller
3badff39ca
Define _LARGEFILE64_SOURCE if _FILE_OFFSET_BITS == 64.
...
Fixes a -Wwrite-strings warning on 32-bit systems.
2022-06-29 16:59:50 -06:00
Todd C. Miller
50813f8160
Quiet another -Wwrite-strings warning.
2022-06-29 16:41:11 -06:00
Todd C. Miller
bfc6249902
Fix a clang analyzer 14 warning about a possible NULL deref.
2022-06-29 11:18:16 -06:00
Todd C. Miller
424fa7f2b1
sudo_preload_dso: make the envp function argument const
...
This lets us fix an inappropriate cast in sudo_intercept_common.c.
2022-06-21 14:31:30 -06:00
Todd C. Miller
5f534979ef
Regenerate dependencies
2022-06-29 10:18:56 -06:00