mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 21:38:05 +00:00

928 Commits

Author SHA1 Message Date
Todd C. Miller
4b96e94f37 Need to be root when switching to a different user. 2016-01-18 13:12:50 -07:00
Todd C. Miller
9f481f128d Use O_SEARCH on systems without O_PATH if present. It can be used
for a similar purpose.
2016-01-18 12:38:41 -07:00
Todd C. Miller
c1b1481204 Use faccessat(2) for directory writability instead of doing the
checks manually where possible.  This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
2016-01-18 10:45:47 -07:00
Todd C. Miller
051fe2d4cf Add missing dfd argument to the version of sudo_edit_openat_nofollow()
for systems without O_NOFOLLOW.
2016-01-11 16:36:40 -07:00
Todd C. Miller
c7c80913ef No need to check whether the fd we opened is really a directory in
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
2016-01-11 11:15:42 -07:00
Todd C. Miller
68c1073fe5 Rewritten sudoedit_checkdir support that checks all the dirs in the
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings.  Bug #707
2016-01-10 18:31:29 -07:00
Todd C. Miller
b20977d445 Add support for using fexecve() if supported on commands that are
checksummed.
2016-01-04 10:35:18 -07:00
Todd C. Miller
97e86c74ff Call openat() with the basename not the full path. From Ben Hutchings. 2015-12-29 13:38:14 -07:00
Todd C. Miller
88a634b7fb Check for existing dso in LD_PRELOAD and only add it if it is not
already present.
2015-12-20 14:08:47 -07:00
Todd C. Miller
ad1068c1ee Actually use the plugin_dir Path setting in sudo.conf. 2015-12-18 14:05:02 -07:00
Todd C. Miller
55531958de Allow sudo.conf Path settings to disable path names (by setting the
value of NULL).
2015-12-18 12:31:28 -07:00
Todd C. Miller
7a57bae1e6 Change noexec flag in selinux_execve() from int to bool. 2015-12-16 15:16:48 -07:00
Todd C. Miller
4536480800 Refactor code to set LD_PRELOAD (or the equivalent) in the environment
into a preload_dso() function.  Also avoid allocating a new copy
of the environment array if the size of the array does not change.
2015-12-16 15:08:01 -07:00
Todd C. Miller
9ecf12daa7 Set errno to EISDIR instead of ENOTDIR if directory is writable
since ENOTDIR can be a legitimate errno.  This avoids a bogus
"directory is writable" error in that case.
2015-10-25 14:28:38 -06:00
Todd C. Miller
5d66b840d8 When creating a new file, sudoedit will now check that the file's
parent directory exists before running the editor.
2015-10-24 06:20:20 -06:00
Todd C. Miller
c50cead833 Add directory writability checks for sudoedit. 2015-10-23 14:04:35 -06:00
Todd C. Miller
e91a10ce45 Ignore the SUDO_CONV_PROMPT_ECHO_OK flag when echo is enabled.
This was preventing a match of SUDO_CONV_PROMPT_ECHO_ON which
resulted in a masked password instead of an echoed one.
2015-10-06 15:21:41 -06:00
Todd C. Miller
6dc5151d5d Remove S_ISREG check from sudo_edit_open(), it is already done in
the caller.
2015-10-02 20:35:55 -06:00
Todd C. Miller
37dff5fbcb Open sudoedit files with O_NONBLOCK and fail if they are not regular
files.
2015-10-02 14:45:09 -06:00
Todd C. Miller
5ad68edd65 It is possible for WIFSTOPPED to be true even if waitpid() is not
given WUNTRACED if the child is ptraced.  Don't exit the waitpid()
loop if WIFSTOPPED is true, just in case.
2015-10-02 11:24:01 -06:00
Todd C. Miller
37abc1b7e4 There's no point in trying to interpose protected versions of the
exec family of functions.  Many modern C libraries use hidden symbols
for the functions and syscalls defined in libc such that they cannot
be overridden inside libc itself.  We have to just wrap all the exec
variants plus system and popen.
2015-09-28 21:20:37 -06:00
Todd C. Miller
282b921333 Also wrap popen(3). 2015-09-28 15:34:16 -06:00
Todd C. Miller
8695ae1049 Also interpose system(3). On glibc systems you cannot interpose
the syscalls used internally by libc.
2015-09-28 15:10:00 -06:00
Todd C. Miller
04457ecee9 Set active debug instance to sudo_debug_instance() during the
conversation function.
2015-09-28 12:28:18 -06:00
Todd C. Miller
9486afb4e5 When the command sudo is running is killed by a signal, sudo will
now send itself the same signal with the default signal handler
instead of exiting.  The bash shell appears to ignore some signals,
e.g.  SIGINT, unless the command is killed by that signal.  This
makes the behavior of commands run under sudo the same as without
sudo when bash is the shell.  Bug #722
2015-09-26 10:53:16 -06:00
Todd C. Miller
3f6f1cd15c When a terminal device is closed, SIGHUP is sent to the controlling
process associated with that terminal.  It is not sent to the entire
process group so sudo needs to relay SIGHUP to the command when it
is not being run in a new pty.  Bug #719
2015-09-15 10:30:36 -06:00
Todd C. Miller
38b7aea6b7 Restore old signal handlers before tty settings. That way SIGTTOU
is at its original value if sudo_term_restore() should fail.
2015-09-09 15:27:09 -06:00
Todd C. Miller
edfeee6a7a No need to have version macros for hooks, callbacks and the sudoers
group plugin.  We can just use the main sudo API macros.  The sudoers
group plugin macros are preserved for source compatibility but are
not documented.
2015-09-09 14:56:52 -06:00
Todd C. Miller
2f1d675055 Ignore callbacks if major version doesn't match. 2015-09-09 13:29:57 -06:00
Todd C. Miller
67183d74f4 Remove include/compat/timespec.h. Systems old enough to lack struct
timespec are too old to build a modern sudo.
2015-09-09 11:13:22 -06:00
Todd C. Miller
d08faa73a7 Fill in cstat if exec_setup() fails. Previously it was only filled
in for an execve() failure.  Fixes an unkillable sudo process when
exec_setup() fails and I/O logging is enabled.
2015-09-09 10:50:21 -06:00
Todd C. Miller
27c2a3d158 Fix running commands as non-root when neither setresuid() nor
setreuid() are available.  At this point we are already root so
setuid() must succeed.  Bug #713
2015-09-09 10:45:56 -06:00
Todd C. Miller
0dbfbee035 Cast uid_t to unsigned int when printing as %u 2015-09-09 10:14:03 -06:00
Todd C. Miller
70914b3328 sudo_term_* already restart themselves for all but SIGTTOU so we
don't need to use our own restart loops.
2015-09-07 06:06:08 -06:00
Todd C. Miller
0c70df5de9 Implement suspend/resume callbacks for the conversation function.
If suspended, close the timestamp file (dropping all locks).  On
resume, lock the record before reading the password.

For this to work properly we need to be able to run the callback
when tsetattr() suspends us, not just when the user does.  To
accomplish this the term_* functions now return EINTR if SIGTTOU
would be generated.  The caller now has to restart the term_*
function (and send itself SIGTTOU) instead of it being done
automatically.
2015-09-07 06:06:08 -06:00
Todd C. Miller
98a15d9879 Add a struct sudo_conv_callback that contains on_suspend and on_resume
function pointer args plus a closure pointer and add it to the
conversation function.
2015-09-07 06:06:08 -06:00
Todd C. Miller
13869d349c Linux sets si_pid in struct siginfo to 0 when the process that sent
the signal is in a different container since the PID namespaces in
different containers are separate.  Avoid looking up the process
group by id when si_pid is 0 since getpgid(0) returns the process
group of the current process.  Since sudo ignores signals sent
by processes in its own process group, this had the effect of
ignoring signals sent from other containers.  From Maarten de Vries
2015-08-10 15:13:37 -06:00
Todd C. Miller
2fbce103f6 Change warning when user tries to sudoedit a symbolic link. 2015-08-07 07:09:01 -06:00
Todd C. Miller
3354d27a17 Do not follow symbolic links in sudoedit by default. This behavior
can be controlled by the sudoedit_follow Defaults flag as well as
the FOLLOW/NOFOLLOW tags.
2015-08-06 13:20:01 -06:00
Todd C. Miller
918190fce9 Include sys/types.h for id_t. Bug #711 2015-08-02 19:59:32 -06:00
Todd C. Miller
ddd35459c3 The init.d files are generated from a .in file so we need to install
from top_builddir not top_srcdir.  From Ross Burton.  Bug #708
2015-07-24 13:38:03 -06:00
Todd C. Miller
0765f5fe7f fix typo in previous commit 2015-07-22 06:21:21 -06:00
Todd C. Miller
83d8cbf811 Fix errno value from get_process_ttyname() when no tty is present. 2015-07-21 15:20:49 -06:00
Todd C. Miller
aeaa6a6111 On AIX, only convert the tty device number from dev64_t to dev32_t
if dev_t is 32-bits.
2015-07-21 15:02:56 -06:00
Todd C. Miller
d96f8bcabb Avoid needless memory allocation when resolving the tty name. 2015-07-19 20:19:22 -06:00
Todd C. Miller
d4211081c0 Add some debugging printfs when malloc fails and we don't have an
explicit call to sudo_warnx().
2015-07-14 15:28:01 -06:00
Todd C. Miller
374146f70f Avoid calling dlerror() multiple times since it clears the error
status after printing the error.
Problem caused by sudo_warn/sudo_fatal being macros...
2015-07-10 10:31:21 -06:00
Todd C. Miller
43a57126ea Solaris 2.6 has the prototypes for inet_pton() and inet_ntop() in
resolv.h.
2015-07-09 10:11:25 -06:00
Todd C. Miller
61182c87ea In io_callback() service writes before reads. That way, if both
SUDO_EV_READ and SUDO_EV_WRITE are set and read() returns 0 (EOF)
we don't close the fd before the write() is performed.

If the write() returns EPIPE, ENXIO, EIO or EBADF, clear SUDO_EV_READ
before we close the fd to avoid calling read() on a closed fd.
2015-07-08 10:12:15 -06:00
Todd C. Miller
445e6f2e9a Check sudo_conf_read() return value and exit on fatal error (a
warning was already printed by sudo_conf_read()).
2015-07-07 13:17:50 -06:00