We cannot perform passwd/group lookups _after_ changing the root
directory. This does mean that symbolic links in a path are not
currently handled properly when matching chroot()ed commands.
Fixes a local privilege escalation vulnerability where a user could
craft their own nsswitch.conf file to load a shared library of their
choosing and run arbitrary code. CVE-2025-32463
Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
This fixes a bug where a user with sudoers privileges on a different
host could execute a command on the local host, even if the sudoers
file would not otherwise allow this. CVE-2025-32462
Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
fwrite is not the same as write; you have to explicitly compare against the length to detect errors, and sometimes number of items is mistaken for length.
If the user is not allowed to run a command, we try to give them a
more useful message than "Sorry, user foo may not run sudo on bar."
However, this should only be done when running, not listing, a
command. Otherwise, it would be possible for a user with no sudo
privileges to use "sudo -l /path/to/some/command" to determine
whether an executable exists in a directory that they do not have
search access to.
The intent is to allow the user to run a command or edit a file as
themself without entering a password. It should not apply to listing
a command via "sudo -l command".
The return values are used in ways that assume they are positive.
In practice, it is not possible to have a negative return value
other than -1 due to the size of the buffers being read from or
written to. Also add overflow checks when updating the buffer len.
Quiets several coverity warnings.
Instead of modifying the len parameter and using it for bounds
checking, compute the end of the source string and bound check on
that instead. Also simplify the code slightly and enable debugging.
This fixes the display of the timeout values in the "sudo -V" output
on systems without a C99-compliant snprintf(). The snprintf()
replacement sudo ships with does not support floating point.
Command tags are inherited from previous Cmnds in a Cmnd_Spec_List.
There is a special case of the SETENV tag for the "ALL" command,
where SETENV is implied if no explicit SETENV or NOSETENV tag is
specified. The code to inherit the SETENV tag didn't take into
account that an implied value for SETENV should also be overridden
by an explicit SETENV or NOSETENV tag in the previous Cmnd in the
Cmnd_Spec_List.
The sudo plugin API defines sudo_hook_fn_t as a function with
unspecified arguments. This is no longer supported in C23 so use
a variadic function for sudo_hook_fn_t instead. Moving to a union
may be a better long-term fix. GitHub issue #420.
This avoids sending mail for users running "sudo -nv" or "sudo -nl"
even when mail_badpass or mail_always are enabled. We already avoid
logging in that case but mailing was not disabled when that change
was made. Bug #1072.
PAM modules can change the user during their execution, in such case,
sudo would still use the user that has been provided giving potentially
access to another user with the credentials of another one.
So prevent this to happen, by ensuring that the final PAM user is
matching the one which started the transaction
This adds support for --with-secure-path-value=no to allow packagers
to ship the sudoers configuration file with the secure path
line commented out if required.
The change to always get the current time when building a struct
evlog in sudoers broke the data and time written for exit records.
This only affected file-based logs, not syslog. GitHub issue #405.
Fixes building on systems that lack strtoull(). While dev_t is
unsigned on most systems, we can still use sudo_strtonum() here as
long as we allow the full range of values [LLONG_MIN,LLONG_MAX].
We don't use strtoul() here since some 32-bit systems have 64-bit
dev_t.
