The sudo plugin API defines sudo_hook_fn_t as a function with
unspecified arguments. This is no longer supported in C23 so use
a variadic function for sudo_hook_fn_t instead. Moving to a union
may be a better long-term fix. GitHub issue #420.
Fixes building on systems that lack strtoull(). While dev_t is
unsigned on most systems, we can still use sudo_strtonum() here as
long as we allow the full range of values [LLONG_MIN,LLONG_MAX].
We don't use strtoul() here since some 32-bit systems have 64-bit
dev_t.
We need to track the (monotonic) command start time to be able to
generate an accurate run time. Instead of setting submit time when
the policy initializes (and using that time for logging purposes),
set evlog->submit_time to the current wallclock time when we need
to perform logging. This is more consistent with how sudo logging
was performed in the past. Fixes GitHub issues #327.
This reverts 5118eb5797fb, which had the side-effect of the PAM
session code running with the run environment instead of the invoking
user's environment. Issue #318
We rely on the include path to find many of these headers. It
especially doesn't make sense to use #include "foo.h" for headers
in the top-level include directory.
We now pass a pointer to the context where necessary. There are a
few cases where we need to request the context from sudoers via
sudoers_get_context() for the plugin API functions. If the plugin
API was able to pass around a closure pointer this would not be
necessary.
Previously, check_user_runcwd() would return true if the runcwd
matched the user's cwd, even if sudoers specified a different one.
The user-specified runcwd was ignored but it is better to error out
in this case. It is now also possible to use "sudo -D" with the
directory specified in sudoers.
The lack of setting to NULL is a holdover from when command_info was a local variable and not a global one. However, we given how other global variables are set to NULL, it is best that we do the same here to avoid potential issues should sudoers_policy_store_result be called again after the first time failed, otherwise we could get a double-free.
We just need a way for the policy (and visudo) to override the
default sudoers path. This adds a getter to be used in file.c when
sudoers is first opened.
This splits the code to find the command, perform a sudoers lookup,
ask for a password as needed, and perform post-lokup checks out
into sudoers_check_common(). The old sudoers_policy_main() has
been replaced by sudoers_check_cmnd() (called by sudoers_policy_check()),
sudoers_validate_user() (called by sudoers_policy_validate()) and
sudoers_list() (called by sudoers_policy_list()). The list_user
lookup is now performed in sudoers_list().
