mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-30 22:05:46 +00:00
Code Issues Releases Wiki Activity
10,333 Commits 6 Branches 326 Tags
24b35393e3c38c483efb10c8e45a3ba0d1522bf5
Commit Graph

2638 Commits

Author SHA1 Message Date
Todd C. Miller
9b8cb1a57a Do not try to delete creds we did not set. 
If pam_setcred() fails when opening the PAM session, we don't want
to call it with PAM_DELETE_CRED when closing the session.
 2020-04-02 09:32:41 -06:00
Todd C. Miller
ec3fdd3aa8 Add a force flag to sudo_auth_cleanup() to force immediate cleanup. 
This is used for PAM authentication to make sure pam_end() is called
via sudo_auth_cleanup() when the user authenticates successfully but
sudoers denies the command.  Debian bug #669687
 2020-04-01 14:41:38 -06:00
Todd C. Miller
5e95c24d81 Increase the maximum delay for slower systems. 
Otherwise we may get a spurious test failure.
 2020-04-01 10:23:50 -06:00
Todd C. Miller
93aa9f9e90 Add cwd_optional to command details and enable it in the sudoers plugin. 
If cwd_optional is set to true, a failure to set the cwd will be a
warning, not an error, and the command will still run.
Debian bug #598519
 2020-03-31 19:43:48 -06:00
Todd C. Miller
5b1de6cfc8 Updated translations from translationproject.org 2020-03-29 05:05:09 -06:00
Todd C. Miller
0f0d03a575 Update sudoers.pot with json parser warnings. 2020-03-29 05:05:08 -06:00
Todd C. Miller
f24dacdee2 Create files for check_iolog_plugin in the build dir, not src dir. 2020-03-29 05:05:08 -06:00
Todd C. Miller
056173e572 Parse I/O JSON info file in JSON if present. 
The JSON version includes more information than the original "log"
file in the I/O log dir.
 2020-03-29 05:05:08 -06:00
Todd C. Miller
ea9b711a70 Write an extended I/O info log in JSON format. 
This will be used by sudoreplay if it exists to get more information
about the command being replayed.
 2020-03-29 05:05:08 -06:00
Todd C. Miller
a644c1d1d2 iolog_parse_loginfo() now opens the log file itself. 2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
390ace9253 Only set errstr for plugin API version 1.15 and above. 2020-03-16 14:26:56 -06:00
Todd C. Miller
7ace49a333 regen 2020-03-12 17:39:56 -06:00
Todd C. Miller
1015b493b0 Work around two Coverity false positives; CID 208813 208815 2020-03-11 19:30:00 -06:00
Todd C. Miller
277b297ae0 Fix typo introduced on systems with O_PATH or O_EXEC 2020-03-11 15:42:46 -06:00
Todd C. Miller
ea8445e364 Allow the ALL keyword to be specified with a digest list. 2020-03-11 11:19:37 -06:00
Todd C. Miller
3edd30a27d A struct member of type ALL should have its name field set to NULL. 2020-03-11 11:17:52 -06:00
Todd C. Miller
4eca443246 Allow a list of digests to be specified for a command. 2020-03-11 11:17:52 -06:00
Todd C. Miller
8c08f5ef03 Allow Cmd_Alias in addition to Cmnd_Alias. 
Some people find using Cmd_Alias more natural.
 2020-03-11 11:17:38 -06:00
Todd C. Miller
e1df9d1dc3 Add pam_ruser and pam_rhost sudoers flags. 2020-03-01 13:37:00 -07:00
Todd C. Miller
bf2bc931ab Revert change to initialize io_operations earlier. 
Instead, check io_operations.open for NULL which is the case for
"sudo -V".  Also move the early return in sudoers_io_open() for
"sudo -V" until after we have initialized debugging.
 2020-03-01 13:36:54 -07:00
Todd C. Miller
f590f81b3c Initialize io_operations earlier. 2020-02-28 07:03:15 -07:00
Todd C. Miller
34972e834f Mark up some remaining TODOs 2020-02-27 14:11:54 -07:00
Todd C. Miller
5635c22f6b Add --disable-log-server and --disable-log-client configure options. 
These can be used to optionally disable building sudo_logsrvd and
support for remote I/O logging in the sudoers plugin respectively.
 2020-02-26 13:17:40 -07:00
Todd C. Miller
f6a264e719 Avoid calling sudoers_policy_exec_setup() on error. 
We only want to pass the execution environment back for commands
that are accepted or rejected.
Also avoid potentially freeing the wrong pointer when garbage
collection is enabled.
 2020-02-24 19:59:44 -07:00
Todd C. Miller
4b4db9694a Regenerate dependencies to match the recent JSON changes. 2020-02-20 11:35:28 -07:00
Todd C. Miller
8ef5b734c4 Rework the JSON API to write to a memory buffer, not a stdio stream. 2020-02-17 16:10:55 -07:00
Todd C. Miller
2e836cc571 The environment in the accept message is runenv not submitenv. 
The I/O logging plugin is passed the environment the command will
run with, not the user's original environment.
 2020-02-16 16:37:14 -07:00
Todd C. Miller
e7bd19bd1e Add test for #include directive without a trailing newline. 2020-02-14 14:13:55 -07:00
Todd C. Miller
d2314acae8 Don't require a newline at the end of include or includedir directives. 2020-02-14 14:06:45 -07:00
Todd C. Miller
0e4c3c47d1 Move duplicated code to parse plugin debug flags to libsudo_util. 
There's no need for four copies of sudo_debug_parse_flags().
 2020-02-11 15:15:36 -07:00
Todd C. Miller
9e2e79b6fa Add regress test for parsing Defaults lists. 
Currently only env_check, env_delete, env_keep and log_servers are lists.
 2020-02-10 17:58:59 -07:00
Todd C. Miller
ac61b5655d Use EXIT_SUCCESS and EXIT_FAILURE more consistently. 2020-02-08 12:43:00 -07:00
Todd C. Miller
c92f39ed3d Use json functions from libsudo_util in cvtsudoers. 2020-02-08 09:11:02 -07:00
Todd C. Miller
2fe127d108 Move some scripts from the top level src dir to a scripts dir. 2020-02-06 14:30:26 -07:00
Todd C. Miller
c2faa9e6ef Add runas_user and runas_group (if set) to command_info for audit plugin. 
Otherwise, the audit plugin has to look up the runas name and group
by user or group ID.
 2020-02-05 10:53:50 -07:00
Todd C. Miller
658702b6d4 For plugin events, set the sudo event base for setbase(NULL). 
This makes it possible for a plugin to change the event base
to a local one and then reset it back to its original value.
 2020-02-02 12:37:11 -07:00
Todd C. Miller
49e7e4ecd5 Don't display "error in event loop" on loop break reading ServerHello. 
We should already have displayed a more useful error message.
Otherwise, we can get two "error in event loop" warnings if
the TLS handshake fails (in addition to other error messages).
 2020-02-01 08:32:27 -07:00
Todd C. Miller
b9bea25592 Read ServerHello message synchronously before the command is executed. 
Otherwise, the command could be run before the TLS handshake completes.
 2020-01-31 19:48:27 -07:00
Todd C. Miller
45e589d443 Pass back a failure or error string to the front end. 
The audit_failure() function now stores the failure string.
This will allow an audit plugin to log the reason if the user's
request is a rejected.
 2020-01-30 13:25:36 -07:00
Todd C. Miller
604945f93e Fix warning about unresolved host name with "sudo -l -h hostname". 
The resolve_host() function returns 0 on success, not bool.
 2020-01-28 13:00:54 -07:00
Todd C. Miller
5472b17516 Fix crash in sudo 1.8.30 when suspending sudo at the password prompt. 
The closure pointer in sudo_conv_callback was being filled in with
a struct getpass_closure ** instead of a struct getpass_closure *.
The bug was introduced in the fix for Bug #910; previously the
closure variable was a struct getpass_closure, not a pointer.
Fix from Michael Norton; Bug #914.
 2020-01-24 11:13:55 -07:00
Laszlo Orban
24c9438486 logserver option to disable certificate verification on server side and server authentication on client side 2020-01-23 10:12:12 -07:00
Laszlo Orban
9935a7e2ff Rename tls_checkpeer to tls_reqcert in ServerHello message 2020-01-23 10:12:12 -07:00
Laszlo Orban
6f3f45aa24 sudoers: disable SO_KEEPALIVE socket option based on log_server_disable_keepalive flag in sudoers 2020-01-22 10:52:18 -07:00
Todd C. Miller
dde86e585f Add support for building on OpenSSL 1.0.2. 
This adds compatibility defines for some OpenSSL 1.1.x functions.
 2020-01-21 13:27:40 -07:00
Todd C. Miller
c3bd025052 Store the server host name and IP in client_closure_fill(). 
Also check for getpeername() and inet_ntop() failure.
 2020-01-20 14:03:41 -07:00
Todd C. Miller
2d91555e85 Fix handling of SSL_ERROR_WANT_{READ,WRITE} during normal I/O. 
If we get SSL_ERROR_WANT_WRITE during SSL_read(), we need to resume
the SSL_read(), not call SSL_write() as we were doing.  Likewise
for SSL_ERROR_WANT_READ received from SSL_write().
This introduces a flag so we call the proper callback even when
the I/O direction doesn't match the read/write calls.
 2020-01-20 12:42:39 -07:00
Todd C. Miller
5913c63642 Add abs_top_srcdir and abs_top_builddir and use them. 
Configure provides absolution versions of srcdir, builddir, top_srcdir
and top_builddir.  We can use these instead of calling pwd.
 2020-01-20 06:37:42 -07:00
Todd C. Miller
47d9504716 Add debugging statements to certificate checks. 2020-01-18 12:57:24 -07:00