isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,713 Commits 1 Branch 0 Tags
e5834bd405906ba8ebde4f9ba99db6eb8b40a44d
Commit Graph

87 Commits

Author SHA1 Message Date
Todd C. Miller
e5834bd405 Use #include <config.h> not #include "config.h" for consistency. 
Otherwise, some compilers may do the wrong thing in a build
dir if there is a config.h file in the source dir too.
 2022-06-29 08:47:16 -06:00
Todd C. Miller
13672f28df Make sudo pass -Wwrite-strings 2022-06-28 16:33:15 -06:00
Todd C. Miller
f5ac1317c4 Make sudo pass -Wmissing-prototypes 2022-06-27 12:48:03 -06:00
Todd C. Miller
161b01fccd Treat EINTR in a callback like we do EAGAIN. 
We shouldn't get EINTR in practice since we set SA_RESTART when
registering signal handlers but it doesn't hurt to be consistent.
 2022-06-07 09:25:07 -06:00
Todd C. Miller
db6fc237c4 If write(2) returns EAGAIN just re-enter the event loop. 
This is consistent with how we handle EAGAIN for read(2).
 2022-06-06 19:42:06 -06:00
Todd C. Miller
38c6e1bffb Standardize protobuf "unable to unpack" warning messages. 2022-05-26 09:35:18 -06:00
Todd C. Miller
d7df7abf87 If ERR_reason_error_string() returns NULL, fall back on strerror(errno). 
That way we get reasonable error messages for missing files, etc.
 2022-05-17 09:18:03 -06:00
Todd C. Miller
cc6157d7d4 Add support for WolfSSL's OpenSSL compatibility layer. 
Based on changes from Hayden Roche
 2021-10-25 13:17:57 -06:00
Todd C. Miller
87c1dd9d7d Move include of log_server.pb-c.h into logsrvd.h and sendlog.h 
This way there is no include file order issue with the
PROTOBUF_C_VERSION_NUMBER check.
 2021-10-25 12:25:24 -06:00
Todd C. Miller
e73e9d5e47 sudo_sendlog: send runenv, rungid and runuid from log.json too 
With this change, sudo_sendlog can now round-trip sudo-style I/O
logs that use the newer log.json format without losing any information.
 2021-10-23 09:04:26 -06:00
Todd C. Miller
14873832c6 sudo_sendlog: send multiple I/O log records together if possible 
Try to fill the write buffer and then send to the server instead
of sending records one at a time.
 2021-10-20 19:16:23 -06:00
Todd C. Miller
1a26d2c883 sudo_sendlog: support multiple write buffers like sudo_logsrvd 2021-10-20 19:03:19 -06:00
Todd C. Miller
5eebc30987 sendlog: use runargv from log.json if available 2021-10-19 09:42:48 -06:00
Todd C. Miller
a71d1f7ce6 sudo_sendlog: send exit data in eventlog if present 2021-10-19 09:42:46 -06:00
Todd C. Miller
70aef0eb2d sudo_debug_register: add minfd argument to specify lowest fd number 
Use this in sudo_intercept.so to avoid allocating a low-numbered
fd which the shell reserves for use by scripts.
 2021-08-26 09:57:24 -06:00
Todd C. Miller
0e2094471b Call shutdown() on sockets before closing() if they are connected. 
This should ensure that the other side sees any queued data before
the connection is dropped.
 2021-08-11 14:08:48 -06:00
Todd C. Miller
79129613e5 If SSL_shutdown() returns 0 it needs to be called one more time. 2021-08-11 10:16:36 -06:00
Todd C. Miller
5a3bbba12b Use sudo_warnx?() instead of sudo_debug_printf for errors. 
We now hook the warn functions so the messages are logged.
The messages still show up in the debug log too.
 2021-06-15 13:58:12 -06:00
Todd C. Miller
9d734d57e7 sudo_sendlog: rename -m (max-time) to -s (stop-after). 2021-05-04 12:14:02 -06:00
Todd C. Miller
7376fa632f Add "-m elapsed" option to specify the max elapsed time of records to send. 
Useful for testing the ability of the server to handle restarted log
transfers.
 2021-05-04 08:22:34 -06:00
Todd C. Miller
109a0331a5 Don't hard-code the TLS connect timeout, use normal connect timeout. 
For sudo_logsrvd, this is the relay connect_timeout setting.
For sudoers, this is the log_server_timeout setting.
 2021-05-03 09:01:00 -06:00
Todd C. Miller
b1c4de2088 Add support for relaying to another sudo_logsrvd via TLS. 2021-04-06 14:44:19 -06:00
Todd C. Miller
72c40ae0e1 Move common TLS client code to tls_client.c and use it in sendlog.c. 2021-04-06 14:44:19 -06:00
Todd C. Miller
71e5275a1c Move common TLS initialization code to tls_init.c. 2021-03-10 16:29:27 -07:00
Todd C. Miller
5a79841208 Return NULL if init_tls_client_context() fails. 
Otherwise, we will call SSL_new with a freed SSL context.
Bug #970
 2021-03-31 07:57:09 -06:00
Todd C. Miller
dceab7d756 Break up the long help string into multiple printf() statements. 
AIX xlc compiler doesn't like cpp directives in between strings.
Also fixes a complaint from cppcheck and makes translation easier.
 2021-01-28 08:53:25 -07:00
Todd C. Miller
de58c11dba Set server_name before initiating TLS connection so verify function works. 
Fixes a crash in the SSL_VERIFY_PEER callback.  Also call inet_ntop(3)
with addr pointer, not sockaddr pointer so we get the correct IP address.
 2020-11-02 09:30:45 -07:00
Todd C. Miller
e0c2635fb3 Apply Google inclusive language guidelines. 
Also replace backwards with backward.
 2020-10-30 10:15:30 -06:00
Todd C. Miller
db72498257 Use struct eventlog in place of struct iolog_info. 2020-10-26 15:31:41 -06:00
Todd C. Miller
eaa95acb31 Post-process protoc-c files to avoid depending on anonymous unions. 
Based on a patch from Michael Osipov.
GitHub issue #60
 2020-09-04 13:17:51 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
cbad17a994 Move inclusion of compat headers up with the system headers. 
Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h
before including the compat headers.
 2020-08-12 10:07:07 -06:00
Todd C. Miller
985af422d2 Rename __dso_public -> sudo_dso_public and move to config.h. 2020-08-12 09:57:42 -06:00
Todd C. Miller
076d0376db We no longer need to include sudo_gettext.h before sudo_compat.h 2020-08-12 09:50:35 -06:00
Todd C. Miller
63dadad9df Refactor freeing of InfoMessage list into free_info_messages(). 
Also fixes a false positive from the clang analyzer.
 2020-08-07 14:22:28 -06:00
Todd C. Miller
03ad96e445 Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. 2020-08-01 13:10:50 -06:00
Todd C. Miller
8da1f31954 Fix memory leak on error in fmt_info_messages(). 2020-06-06 14:08:34 -06:00
Todd C. Miller
84f0ae0cb8 Use PACKAGE_VERSION instead of 0.1 as the client and server version. 2020-05-18 11:33:13 -06:00
Todd C. Miller
27355e6aae Fix handling of accept and reject messages without an I/O log. 
Only set expect_iobufs in AcceptMessage if sending I/O logs.
Set state to FINISHED immediately after sending a RejectMessage.
 2020-05-12 19:19:16 -06:00
Todd C. Miller
d5888e2745 Add -A and -R options to test logging of accept and reject events. 
If -A is specified, no I/O will be sent, only the accept event.
For -R, a reject event with the specified reason is sent.
 2020-05-12 14:45:46 -06:00
Todd C. Miller
6901fc97ac Add a ClientHello message that client sends to the server. 
This makes it easier to detect a plaintext client sending to a
TLS port.  Without this, the TLS server will be silent as it
waits for the client to initiate the TLS connection.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1e765e1caf Better error messages when there is a problem with the TLS connection. 
If SSL_read, SSL_write or SSL_connect fails we can use the reason
string to let the user know what the problem is.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
e5f8214c0a Remove the tls parameter from the ServerHello message. 
The TLS connection is now initiated before ServerHello is received.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS. 
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client recieve an alert
from the server is there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
7d621fc6f1 Plug memory leaks in sudo_sendlog 2020-05-04 11:25:47 -06:00
Todd C. Miller
aba4915b83 On error, remove the connection with an error without freeing the closure. 
Fixes the final message at the end when there is a network error.
 2020-04-30 15:54:35 -06:00
Todd C. Miller
5dec0f763f Allow -t option even without OpenSSL 
Also add -t to the usage message
 2020-04-23 14:16:02 -06:00
Todd C. Miller
0fafcf6aea Use sudo_strtonum() instead of relying on strtoll(). 
Older, pre-C99, systems may not include strtoll() in their C library.
 2020-04-23 11:15:03 -06:00
Todd C. Miller
69b6783be6 Store the result of ERR_get_error() so we can use it for both warn and debug. 
Otherwise, only the debug framework gets the actual error and the
user won't see the problem.
 2020-04-08 09:26:41 -06:00
Todd C. Miller
ea9b711a70 Write an extended I/O info log in JSON format. 
This will be used by sudoreplay if it exists to get more information
about the command being replayed.
 2020-03-29 05:05:08 -06:00