mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00

239 Commits

Author SHA1 Message Date
Todd C. Miller
3ee8bcefb0 Kill the command if intercept_setup() or ptrace_seize() fail. 2022-05-03 09:25:58 -06:00
Todd C. Miller
8e375445fb Check the policy for ptrace-based intercept mode. 2022-04-29 13:08:59 -06:00
Todd C. Miller
01733a5214 Add scaffolding for ptrace-based intercept mode. 2022-04-29 12:35:31 -06:00
Todd C. Miller
22866f2423 Handle multiple child processes in the SIGCHLD handler.
This is required by the upcoming ptrace intercept code.
2022-04-29 08:02:57 -06:00
Todd C. Miller
46edc4e198 Stop using the WCONTINUED flag with waitpid(2).
We don't use it for anything other than a debug message and it will
cause problems when intercept mode starts using ptrace(2).
2022-04-29 08:02:57 -06:00
Todd C. Miller
de47380350 Block SIGCHLD when forking the mailer.
Otherwise, it may be picked up by the signal handler instead of our
waitpid(2) call.
Don't warn if waitpid() returns 0 in a SIGCHLD handler.
2022-03-14 13:54:12 -06:00
Todd C. Miller
a8c4d9800b Add intercept_cleanup() to free the closure used by intercept_accept_cb(). 2021-09-20 08:50:42 -06:00
Todd C. Miller
ba171724f7 Rename log_children -> log_subcmds 2021-08-26 16:36:41 -06:00
Todd C. Miller
c465d8971d Change intercept IPC to use a localhost socket instead of inherited fd.
This allows intercept mode to work with shells that close all open
fds upon startup.  The ctor in sudo_intercept.so requests the port
number and secret over the socket inherited from the parent then
closes it.  For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check.  Child processes
re-use the TCP socket to request the port number and secret just like
the initial process started by sudo does.
2021-08-25 14:24:36 -06:00
Todd C. Miller
a55b54329e Add missing stdint.h and sudo_rand.h includes.
Needed for arc4random() and uint64_t.
2021-08-13 09:25:01 -06:00
Todd C. Miller
eaf03a382b Pass a secret value to sudo_intercept.so and verify after policy check.
The goal is to make it harder for someone to have a fake policy checker.
This will not stop a determined adversary since the secret is present
in the address space of the running process.
2021-08-13 09:10:44 -06:00
Todd C. Miller
13b89e9103 Make the log_children option only log and not check policy. 2021-08-09 15:50:25 -06:00
Todd C. Miller
a556b373c9 Allocate a socketpair to communicate with sudo_intercept.so over.
This is used for the intercept and log_children options.
2021-08-09 15:50:25 -06:00
Todd C. Miller
3147bbeb24 Don't set the command status in the closure when the command is suspended.
This should only be set for signals that terminate the process.
Fixes a bug where the sudo front-end could call the plugin close
function with a non-terminal signal argument.
2021-05-10 13:42:06 -06:00
Todd C. Miller
ece5adc662 Add struct sudo_cred to hold the invoking or runas user credentials.
We can use this when we need to pass around credential info instead
of the user_details and command_details structs.
2021-01-06 13:01:09 -07:00
Todd C. Miller
24d812d037 Pass command_info[] to audit plugin on I/O log plugin reject or error.
The audit plugin should cope with a NULL command_info but there's no
reason not to pass the info when we have it.
2020-11-17 13:15:15 -07:00
Todd C. Miller
961a4afe67 Fix some warnings from pvs-studio 2020-08-12 13:45:09 -06:00
Todd C. Miller
03ad96e445 Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. 2020-08-01 13:10:50 -06:00
Todd C. Miller
8bb5aedacf Replace master/slave in code with leader/follower. 2020-06-15 16:21:32 -06:00
Todd C. Miller
a380709215 If event loop fails due to ENXIO, remove /dev/tty events and recover.
This fixes an issue on Solaris 11.4 (and probably others) with "sudo
reboot" when I/O logging is enabled.  Previously, sudo would kill
the command if it was still running after the event loop terminated,
leaving the system in a half-dead state.
2020-06-02 08:59:38 -06:00
Todd C. Miller
592eb7ab49 Don't try to suspend sudo if the user's tty has gone away.
Fixes a problem on Solaris 11.4 (and possibly others) where sudo
continually tries to put itself in the background after the user's
terminal has been revoked.
2020-06-01 14:19:50 -06:00
Todd C. Miller
de31e6d53b Back out WIP code that was mistakenly committed. 2020-06-01 14:04:15 -06:00
Todd C. Miller
ad70fb4f1e On Solaris 11.4 the openpty(3) prototype lives in termios.h. 2020-06-01 12:59:29 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp()
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
2020-05-18 07:59:24 -06:00
Todd C. Miller
0cf2e09e0c Apply spelling fixes.
Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell)
2020-05-06 09:27:43 -06:00
Todd C. Miller
3221c8b4d8 Don't kill the command just because the loop exited unexpectedly.
We currently have no good way to distinguish between an error
executing the command and an error while the command is running.

In the future, we should have additional status codes so we
can tell what type of condition caused the loop to exit.

For now, only kill the command if cstat is left uninitialized.
2020-03-31 08:49:30 -06:00
Todd C. Miller
ac61b5655d Use EXIT_SUCCESS and EXIT_FAILURE more consistently. 2020-02-08 12:43:00 -07:00
Todd C. Miller
22105009d8 Define a new plugin type that receives accept and reject messages.
This can be used to implement logging-only plugins.
The plugin functions now take an errstr argument that can be used
to return an error string to be logged on failure or error.
2020-01-30 13:25:34 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
82237194dd Add support for logging to the log server 2019-11-15 13:41:51 -07:00
Todd C. Miller
5793023ffd Add a plugin interface to sudo main event loop. 2019-11-15 13:36:01 -07:00
Todd C. Miller
352212c7bf Open all pipes using pipe2() with O_CLOEXEC.
We no longer depend on calling closefrom() before exec.
2019-11-02 10:52:34 -06:00
Todd C. Miller
112dff276a Fix restoring the file context of the user's tty with SELinux.
Also fix broken tty labeling when running a command in a pty.
Includes a fix for a typo introduced in the last change set.
2019-09-27 15:32:49 -06:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
985600e7f0 Minor snprintf() usage tweaks:
1) don't assume snprintf() returns -1 on error, check for <0
2) when comparing return value of sizeof(foo), cast the sizeof, not the len
3) cast return value to void in cases where snprintf cannot fail
2019-01-20 07:49:48 -07:00
Todd C. Miller
64d08d8bf2 Update copyright year 2019-01-03 11:09:00 -07:00
Todd C. Miller
b2f7983c84 Fix setting of utmp entry when running command in a pty.
Regression introduced in sudo 1.8.22.
2019-01-02 07:39:33 -07:00
Todd C. Miller
6c3d20cb41 Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00
Todd C. Miller
64e5d34c57 Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Todd C. Miller
b89cf34b53 Replace sudo_fatal(NULL) with an "unable to allocate memory" message
that includes the function name.
2018-10-12 08:39:12 -06:00
Todd C. Miller
cf07dc0757 Add a suspend event type to the I/O log to log suspend/resume of
the command so we can skip that delay during replay.
2018-10-05 14:16:08 -06:00
Todd C. Miller
e2570307e6 Initialize the pty rows/cols based on the values we stored in user_details.
This fixes a minor issue where we would send an extra window size
change event the first time the command was suspended.
2018-10-05 14:04:29 -06:00
Todd C. Miller
59e5e379be Move the loop to free the monitor_messages list into free_exec_closure_pty() 2018-08-23 11:10:57 -06:00
Todd C. Miller
5cca421867 Close the pty slave in the parent so that when the command and
monitor exit, the pty gets recycled without our having to close
it directly.
2018-08-20 10:04:15 -06:00
Todd C. Miller
6953e7fc79 Move updating of the window size to the monitor process.
This will allow us to close the slave in the main sudo process in
the future so only the command and monitor have it open.
2018-08-20 10:04:14 -06:00
Todd C. Miller
dc1e0e7168 Work around a bug on AIX where closing the pty slave causes the
main sudo process to lose its controlling tty (which was *not* the
pty slave).
2018-07-23 11:37:26 -06:00
Todd C. Miller
a42cf67acb In pty_close() we still need to check whether the pty master and
slave fds are open before closing them.  When no tty is present but
we are I/O logging pty_close() will be called when there is no
actual pty in use.
2018-03-27 16:00:08 -06:00
Todd C. Miller
2336496347 In pty_close() there is no need to remove events associated with
the pty slave as there are none.  We also don't need to check for
the pty fds being -1 since they are not closed elsewhere and
pty_close() is only called if pty_setup() succeeds.
2018-03-26 06:28:23 -06:00
Todd C. Miller
4df454310d In pty_close() close the slave and remove any events associated
with it.  Fixes a potential hang when performing the final flush
on non-BSD systems.
2018-03-25 06:03:19 -06:00
Todd C. Miller
d5d170252a In pty_cleanup() we need to call sudo_term_restore() even if no I/O
plugins are present as long as /dev/tty exists.  Fixes the use_pty
case with no I/O plugins.
2018-02-19 11:00:12 -07:00