isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,819 Commits 1 Branch 0 Tags
ecdf0c80f36e971f3090c495377b03a11931816c
Commit Graph

12819 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
747c340591 Sudo now logs the submitenv in the JSON logs. 2023-11-06 10:14:03 -07:00
Todd C. Miller
3686c9fdd1 Document special cases for AIX-style shared libraries. 
The shared object is a member of an archive file that is specified
in parentheses.
 2023-11-06 09:39:36 -07:00
Todd C. Miller
e772479272 Add sudoers plugin Debug example and x-ref sudoers man page for details. 2023-11-04 19:36:35 -06:00
Todd C. Miller
ec6906f63b The HP-UX getgrouplist() code has been disabled due to bugs. 2023-11-04 18:51:36 -06:00
Todd C. Miller
097bec06bd sudo_conf_debug_files: special handling of DSO members for AIX 
When matching debug files for AIX-style DSOs like sudoers.a(sudoers.so)
we want to match on the full name, the name without the member and
on the member itself.  This makes it possible to use the existing
examples in the sudo.conf fiile on AIX.
 2023-11-03 11:29:20 -06:00
Todd C. Miller
24351bdadc sudo_set_grlist and sudo_set_gidlist: set auth registry based on username 
Previously we used the global registry but since we have the user's
passwd info we should use that when storing the group and gid lists.
 2023-11-03 10:30:56 -06:00
Todd C. Miller
2ffcda8e15 role_to_sudoers: only try to reuse a privilege if one is present 2023-11-02 14:42:42 -06:00
Todd C. Miller
1a11be4d9f store_plugin: avoid potential NULL deref in boolean context 
Coverity CID 330466
 2023-11-02 14:26:44 -06:00
Todd C. Miller
4833ac0f01 Avoid passing sudo_term_is_raw() -1 for the fd. 
Coverity CID 330472
Coverity CID 330468
 2023-11-02 14:17:51 -06:00
Todd C. Miller
3b891c136e fmt_info_messages: bump info_msgs_size for submitenv 2023-11-02 13:57:18 -06:00
Todd C. Miller
77c2582907 Better log message when rejecting a setid command in intercept mode. 2023-11-02 13:44:19 -06:00
Todd C. Miller
886f1414eb Move the check for running setid commands in intercept mode to later. 
Checking for setid commands in intercept mode after command matching
allows us to log a proper error message.  Previously, we simply
ignored setid commands when matching and the only indication of why
was in the debug logs.
 2023-11-02 13:44:17 -06:00
Todd C. Miller
45e3c0dd17 timestamp_open: add some debugging 2023-11-02 09:10:49 -06:00
Todd C. Miller
3297ffa267 sudo_sia_begin_session: add missing struct sudoers_context * arg. 2023-10-31 10:26:57 -06:00
Todd C. Miller
747114f331 verify_krb_v5_tgt: auth name must be const to match struct sudo_auth. 2023-10-31 10:13:19 -06:00
Todd C. Miller
9ef52151ef Disable PAM before enabling Kerberos V. 2023-10-31 10:00:24 -06:00
Todd C. Miller
7ed7b4536f Add Kerberos V build and test to CI. 2023-10-31 09:54:57 -06:00
Todd C. Miller
145faa3fe9 Updated translations from translationproject.org 2023-10-30 16:25:36 -06:00
Renato Botelho
75e829b740 Add missing sudoers_context to verify_krb_v5_tgt() 
Commit 2440174954 added ctx variable to log_warningx() call but that
variable was not declared in that context, breaking the build.
 2023-10-31 07:50:45 -06:00
Todd C. Miller
5f3a6b4f6a Mention new Indonesian translation and sudo_logsrvd fd limit change. 2023-10-23 10:19:28 -06:00
Todd C. Miller
31bcdec232 Set the open file descriptor limit to the maximum allowed value. 
Each connection can require up to 9 descriptors.
 2023-10-27 11:17:32 -06:00
Todd C. Miller
bf722e18b7 Updated translations from translationproject.org 2023-10-23 07:52:36 -06:00
Todd C. Miller
86f1d52a0b Add Andika Triwidada 2023-10-23 07:52:23 -06:00
Todd C. Miller
9a2a882d12 New Indonesian translation from translationproject.org 2023-10-23 07:51:29 -06:00
Todd C. Miller
0fbb17de5e Mention GitHub issue #318 2023-10-22 10:58:22 -06:00
Todd C. Miller
392ae0f030 Avoid a double-free in fuzz_policy caused by the early env_init(NULL). 
This adds an env_free() function to explicitly free both the old
and new copies of the environment.  It is really only needed by
fuzz_policy, which calls the policy module multiple times.
 2023-10-22 09:56:16 -06:00
Todd C. Miller
3bbc7c8f85 Store submitenv in eventlog and pass it to sudo_logsrvd. 2023-10-22 08:36:44 -06:00
Todd C. Miller
726b646b48 struct eventlog: rename argv/env to runargv/runenv. 
This matches the JSON logs.
 2023-10-21 19:15:46 -06:00
Todd C. Miller
c7a61a9438 struct sudoers_user_context: rename env_vars to env_add 2023-10-21 19:15:45 -06:00
Todd C. Miller
2b87749f8f Only log the run environment for commands that are allowed. 
It may not be available otherwise and unless the command is being
run it has no real meaning.
 2023-10-21 19:15:44 -06:00
Todd C. Miller
077826292c Free the private copy of the environment in sudoers_check_cmnd(). 
This reverts 5118eb5797fb, which had the side-effect of the PAM
session code running with the run environment instead of the invoking
user's environment.  Issue #318
 2023-10-21 19:15:42 -06:00
Todd C. Miller
8486976b9e iolog_swapids: short circuit if effective ids match iolog ids. 2023-10-19 16:22:42 -06:00
Todd C. Miller
09a4264372 logsrvd: display error string in message if iolog_mkpath() fails 2023-10-19 14:39:13 -06:00
Todd C. Miller
29f7967420 Update .pot files for 1.9.15 2023-10-19 10:03:50 -06:00
Todd C. Miller
e3edd7a09a Add example for disabling intercept/log_subcmds for certain commands. 2023-10-18 17:35:40 -06:00
Todd C. Miller
78edde5ea1 Use NSIG instead of nitems(array) for the loop bound. 
This matches the sudo_sys_siglist[] and sudo_sys_signame[] declarations.
 2023-10-18 13:32:08 -06:00
Todd C. Miller
385d506d35 tsdump: fix compiler warnings 2023-10-18 10:02:16 -06:00
Todd C. Miller
14d514e5ac Avoid using %zu or %zd with printf() and fprintf(). 
This prevents problems on systems where the system printf(3) is not
C99-compliant.  We use our own snprintf() on such systems so that
is safe.
 2023-10-17 20:14:53 -06:00
Todd C. Miller
58d6554a78 Use vsnprintf() instead of vfprintf() for sudo_printf() to avoid 
problems on systems where the system printf(3) is not C99-compliant.
We use our own snprintf() on such systems.
 2023-10-17 20:09:16 -06:00
Todd C. Miller
cf9fc5317e strlcpy_expand_host, sudo_getdelim, sudo_realpath: add restrict qualifier 2023-10-17 10:47:43 -06:00
Todd C. Miller
29ddd26793 Fixed GitHub issue #312. 2023-10-17 10:28:55 -06:00
Rose
97f8052427 Add restrict to strlcpy and expand_prompt 2023-10-17 10:33:15 -06:00
Todd C. Miller
fabb6264fc Better handling of multiple sudo processes modifying terminal settings. 
1. Lock the terminal before tcgetattr/tcsetattr
2. Don't restore terminal settings if changed by another process
3. Don't set terminal to raw mode if it is already raw
GitHub issue #312
 2023-10-16 19:27:27 -06:00
Todd C. Miller
2f80865e73 Add a little extra debugging info. 2023-10-16 12:07:35 -06:00
Rose
b2a44430b5 Redundant cast removal in sudoers_hooks 
def_sudoers_locale is already a char*
 2023-10-15 11:25:28 -06:00
Rose
e095069d2a Prefer fputs over fprintf where possible 
fprintf does extra work and meant for formatting strings.
 2023-10-15 10:28:57 -06:00
Rose
a4cbd7fe7b Swap calloc arguments to use them properly. 2023-10-15 10:19:58 -06:00
Rose
dd8426f9cf Specify 1U over 1 for bitmaps 2023-10-14 16:23:59 -06:00
Todd C. Miller
873e0de078 ptrace_intercept_execve: make flags unsigned to match command_details 2023-10-14 16:12:06 -06:00
Todd C. Miller
2d437c793d Fix spelling: resistent -> resistant 2023-10-12 10:20:34 -06:00