isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,198 Commits 1 Branch 0 Tags
edf30c727398f8de75f5b366c47cc4ebe7ee25d0
Commit Graph

173 Commits

Author SHA1 Message Date
Todd C. Miller
0ea561ca6a Limit paths for command, cwd and chroot to PATH_MAX bytes. 
This helps prevent the fuzzer from going off the rails.
 2021-09-19 18:13:43 -06:00
Todd C. Miller
d7cdf1e47c append_defaults() should not be passed a value for boolean flags. 
The operation should simply be set to true/false.
Also treat a NULL file as coming from the front-end.
Bug #993.
 2021-09-14 08:02:37 -06:00
Todd C. Miller
ba171724f7 Rename log_children -> log_subcmds 2021-08-26 16:36:41 -06:00
Todd C. Miller
bb5843055e Replace messages like "unknown foo: %s" with "unknown foo %s". 
The colon really doesn't belong there; we generally use a colon to
separate a message from the warning detail.
 2021-08-19 09:44:11 -06:00
Todd C. Miller
462e8ab471 Avoid some double frees in the fuzzer 
Now that sudoers free old values of NewArgv and command_info the
fuzzer needs to reset those values.  Otherwise we end up with
stashed values that have already been garbage collected.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
3a090dcdcd Plug some memory leaks when sudoers_policy_main is called multiple times. 
These would get cleaned up a policy close time but we don't want
to bloat sudo's memory footprint when running a shell with multiple
commands.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
788708c9ff Add intercept_authenticate sudoers option, defaults to false. 
By default, sudoers will not require authentication of commands run
via an intercepted session.  To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
 2021-08-09 15:50:26 -06:00
Todd C. Miller
132936f8f0 Make it possible to call the sudoers policy check function multiple times. 
We need to reset the Defaults values to their original state.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
786e5865cb Add "intercept" Defaults setting to allow interception of sub-commands. 
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell.  Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
 2021-08-09 15:50:25 -06:00
Todd C. Miller
fa7250ead7 Create a UUID and log it in the JSON version of the event log. 2021-07-15 11:07:25 -06:00
Todd C. Miller
17a415ae77 Add log_exit_status sudoers option to log when a command exits. 
This option defaults to off.
 2021-07-09 11:08:44 -06:00
Todd C. Miller
cc647c32e1 Fix group list ref leak in sudoers_policy_store_result() on error path. 2021-05-26 07:31:19 -06:00
Todd C. Miller
958066eddb Update comment to match reality. 2021-05-24 13:10:53 -06:00
Alexandru Ardelean
058fde9251 plugins: sudoers: policy: add MODE_IMPLIED_SHELL to RUN_VALID_FLAGS 
Since this flag isn't set, the sudo_mode variable gets invalidated and
running the 'sudo' command seems to error out with message
'sudoers_policy_check: invalid mode flags from sudo front end: 0x80001"'
 2021-03-15 09:18:11 -06:00
Todd C. Miller
f86c11c4a1 Add MODE_CHECK to LIST_VALID_FLAGS, fixes "sudo -l command". 2021-02-28 08:55:18 -07:00
Todd C. Miller
65b598602b Only add command_info to garbage collector on successful return. 
Otherwise it will be freed on failure.
 2021-02-25 19:48:46 -07:00
Todd C. Miller
b3b80fe6df Implement sudoers_policy_deregister_hooks() 
Register/deregister hooks in fuzz_policy and also call show_version().
 2021-02-25 15:02:09 -07:00
Todd C. Miller
a18b2a9ddf Limit max_groups in sudo.conf to 1024. 
The max_groups setting should no longer be needed anyway.
 2021-02-16 12:37:23 -07:00
Todd C. Miller
df91e15b82 In sudoers_policy_close() call sudoers_cleanup() instead of sudo_user_free(). 
If we didn't call sudoers_policy_main() due to an early error there
may be more things to clean up.
 2021-02-16 10:37:04 -07:00
Todd C. Miller
ecdf732adc Check for invalid flag combinations from front-end for all cases. 
The checks are now performed in the check_policy, list, validate
and invalidate functions instead of as part of the open function.
We can't perform the checks in open because we don't yet know what
operation is going to be performed.
 2021-02-16 09:33:39 -07:00
Todd C. Miller
ae3a098d2f Always dynamically allocate user_cmnd, it is freed in sudo_user_free(). 
Instead of setting user_cmnd in the policy functions, always set argv.
Calling sudoers_policy_main() with argc of 0 is no longer allowed.
 2021-02-16 09:32:34 -07:00
Todd C. Miller
c09169e812 No need for sudoers_cleanup() in sudoers_policy_invalidate(). 
The sudoers close() function is now called even for "sudo -k".
Also no need to set user_cmnd, it is not used in this code path.
 2021-02-16 08:26:49 -07:00
Todd C. Miller
52e3fcc795 Free struct sudo_user in sudoers_policy_close() and sudoers_cleanup(). 
Also, do not NULL out the close function if NO_LEAKS is defined.
 2021-02-15 08:29:47 -07:00
Todd C. Miller
7f3c670a13 Fix sudoers garbage collection and run it in policy fuzzer. 2021-02-14 14:01:31 -07:00
Todd C. Miller
7f0b269238 Do not include errno string for invalid params from front-end. 2021-02-14 07:48:58 -07:00
Todd C. Miller
561740cd54 Always dynamically allocate user_role, user_type, user_privs, user_limitprivs 2021-02-14 07:47:48 -07:00
Todd C. Miller
5c0454495c Remove dead code, front-end does not set runas_privs or runas_limitprivs 2021-02-14 07:39:41 -07:00
Todd C. Miller
e89a8133ac Reset sudoers path, owner and mode before parsing plugin arguments. 
This is only needed when calling sudoers_policy_deserialize_info()
more than once, which is true for the policy fuzzer.
 2021-02-12 21:15:36 -07:00
Todd C. Miller
ed79627699 Plug memory leak if there are duplicate user_info entries. 2021-02-12 19:04:37 -07:00
Todd C. Miller
e5ad88488d Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4. 
init_eventlog_config() is called immediately after initializing the
Defaults settings, which is before struct sudo_user is setup.  This
adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined
after the invoking user is determined.  Reported by Roman Fiedler.
 2021-01-29 05:42:34 -07:00
Todd C. Miller
c4d384082f Add sudoedit flag checks in plugin that are consistent with front-end. 
Don't assume the sudo front-end is sending reasonable mode flags.
These checks need to be kept consistent between the sudo front-end
and the sudoers plugin.
 2021-01-23 08:43:59 -07:00
Todd C. Miller
1b72d6a5cc Allow SELinux support to be disabled via the sudoers file. 
Defaults to true if sudo is built with SELinux support and SELinux
is not disabled on the system.
 2021-01-08 19:29:17 -07:00
Todd C. Miller
4551b19f6c The lower bounds for the "closefrom" option is 3, not 4. 
This is a regression introduced in sudo 1.8.9 with the strtonum()
conversion.  Bug #950.
 2020-12-16 18:22:40 -07:00
Todd C. Miller
63739dd326 Store the user-provided runas user and group name in struct sudo_user. 
This makes it available for event logging in case the name doesn't resolve.
 2020-12-05 09:05:42 -07:00
Todd C. Miller
7d0b19d2a0 Don't free the private copy of the environment until the close function. 
We may need to use it when logging from the audit reject function.
 2020-11-17 13:44:32 -07:00
Todd C. Miller
4416bd5977 Use libeventlog in sudoers instead of doing our own logging. 2020-10-26 16:10:40 -06:00
Todd C. Miller
a5a5cc7f85 sudoers_policy_store() -> sudoers_policy_store_result() 2020-10-16 05:56:03 -06:00
Todd C. Miller
bf9d208662 Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). 
It is called even when there is no command to execute.
Also pass in status of whether or not the command was accepted.
 2020-10-14 06:33:35 -06:00
Todd C. Miller
88dcdcd11d Fix -Wshadow warnings. 2020-09-25 15:09:45 -06:00
Todd C. Miller
226307591c Log the runcwd not submitcwd in the sudo-style log file. 
The log entry should reflect the working directory the command
actually ran in.
 2020-09-02 11:23:26 -06:00
Todd C. Miller
1676f0ceeb Support "*" for CWD/CHROOT to allow user to specify cwd or chroot. 
Adds two new command line options, -D (--chdir) and -R (--chroot)
that can only be used when sudoers sets runcwd or runchroot to "*".
 2020-09-01 14:10:02 -06:00
Todd C. Miller
6bdfd010d2 Add CHROOT and CWD sudoers options. 
Also matching runchroot and runcwd Defaults settings.
 2020-09-01 06:26:00 -06:00
Todd C. Miller
609910cc21 sudoers error recovery can be configured via an "error_recovery" setting. 
This setting is an argument to the sudoers plugin, similar to how
sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented.
The default value is true.
 2020-08-17 13:14:30 -06:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
985af422d2 Rename __dso_public -> sudo_dso_public and move to config.h. 2020-08-12 09:57:42 -06:00
Todd C. Miller
a5a7215936 Track whether the session was opened in sudoers. 
In sudoers_policy_close() only warn about being unable to run the
command if we actually opened the session (and thus passed all
approval plugins).
 2020-06-04 13:34:20 -06:00
Todd C. Miller
b519481912 Defer logging of the successful command until approval plugins have run. 
This adds audit plugin support to the sudoers module, currently
only used for accept events.  As a result, the sudoers file is now
initially parsed as an audit plugin.
 2020-06-02 09:07:46 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
8186b98208 Adapt sudoers iolog client to log server dual port changes. 
The TLS handshake now occurs before the ServerHello message is read.
This fixes potential man-in-the-middle attacks and works better with
TLS 1.3.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
ae7bb12335 Free passwd and group caches in I/O plugin after log_warning(), not before. 
The logging functions may try to use the cache via set_perms(PERM_ROOT).
 2020-04-17 15:07:25 -06:00