The pty_cleanup() function, which may be called via fatal()/fatalx(),
expects that ec->details is set. If there is a fatal error after
the cleanup hook is registered but before the exec closure is filled
in, pty_cleanup() would dereference a NULL pointer.
Reported by Bjorn Baron.

The return values are used in ways that assume they are positive.
In practice, it is not possible to have a negative return value
other than -1 due to the size of the buffers being read from or
written to. Also add overflow checks when updating the buffer len.
Quiets several Coverity warnings.

Previously, we compared the terminal device number returned by
get_process_ttyname() with that of stdin, stdout and stderr. This
causes problems on Linux if the user is logged in on the console,
which is a virtual device that may correspond to one of several
different terminal devices. In this specific case, there is a
mismatch between the controlling terminal listed in /proc/self/stat
(which corresponds to the underlying terminal device) and the device
number of stdin, stdout and stderr (which is that of /dev/console).

Instead of modifying the len parameter and using it for bounds
checking, compute the end of the source string and bound check on
that instead. Also simplify the code slightly and enable debugging.

The ppid field in /proc/self/stat is the fourth and not the third.
The latter is the process state (S, R, etc.).
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
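
The two /proc/self/stat notes above (bounds checking against the end of the source string, and ppid being field 4 after the state in field 3) can be seen together in the following added example, which is not sudo's own code. The names parse_proc_stat and struct stat_fields are hypothetical, the sample line is constructed, and tty_nr is taken as field 7 per proc(5). Because the comm field may itself contain spaces and ')', parsing resumes after the last ')'.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* /proc/<pid>/stat fields of interest: 3 = state, 4 = ppid, 7 = tty_nr. */
struct stat_fields { char state; long ppid; long tty_nr; };

/* Parse len bytes at buf (need not be NUL-terminated).
 * Returns 0 on success, -1 on malformed or truncated input. */
int parse_proc_stat(const char *buf, size_t len, struct stat_fields *out)
{
    const char *end = buf + len;   /* single bound, computed once */
    const char *cp = NULL, *p;
    int field;

    /* Field 2 (comm) may hold spaces and ')': resume after the last ')'. */
    for (p = buf; p < end; p++)
        if (*p == ')') cp = p;
    if (cp == NULL) return -1;
    cp++;
    for (field = 3; field <= 7; field++) {
        char tok[24], *ep;
        size_t n = 0;
        long v;
        if (cp >= end || *cp != ' ') return -1;   /* field separator */
        cp++;
        while (cp < end && *cp != ' ' && *cp != '\n') {
            if (n == sizeof(tok) - 1) return -1;  /* token too long */
            tok[n++] = *cp++;
        }
        tok[n] = '\0';
        if (n == 0) return -1;
        if (field == 3) {          /* state is one letter: S, R, ... */
            if (n != 1) return -1;
            out->state = tok[0];
            continue;
        }
        errno = 0;
        v = strtol(tok, &ep, 10);
        if (errno != 0 || *ep != '\0') return -1;
        if (field == 4) out->ppid = v;
        if (field == 7) out->tty_nr = v;
    }
    return 0;
}
int main(void) {
    const char *s = "4242 (a b) S 1) R 1000 4242 4242 34817 4242\n"; /* constructed */
    struct stat_fields f;
    if (parse_proc_stat(s, strlen(s), &f) == 0)
        printf("state=%c ppid=%ld tty_nr=%ld\n", f.state, f.ppid, f.tty_nr);
    return 0;
}
```

A parser that simply splits the constructed line on spaces would read "S" as the state and "1)" as the ppid; starting after the last ')' yields state R and ppid 1000.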

This fixes the display of the timeout values in the "sudo -V" output
on systems without a C99-compliant snprintf(). The snprintf()
replacement sudo ships with does not support floating point.

The current warning message mentions using sudo's -S option but
this will cause the password to be echoed without a terminal.
In most cases, the user just needs to run ssh with the -t option.

Command tags are inherited from previous Cmnds in a Cmnd_Spec_List.
There is a special case of the SETENV tag for the "ALL" command,
where SETENV is implied if no explicit SETENV or NOSETENV tag is
specified. The code to inherit the SETENV tag didn't take into
account that an implied value for SETENV should also be overridden
by an explicit SETENV or NOSETENV tag in the previous Cmnd in the
Cmnd_Spec_List.

The sudo plugin API defines sudo_hook_fn_t as a function with
unspecified arguments. This is no longer supported in C23 so use
a variadic function for sudo_hook_fn_t instead. Moving to a union
may be a better long-term fix. GitHub issue #420.

If one of std{in,out,err} matches the specified device, try to
resolve it to a path by using /proc/self/fd/{0,1,2}. This avoids
searching all of /dev and works in a chroot where /proc is mounted
but /dev/pts is not. GitHub issue #421.

If sudo cannot map the device number to a device file, set name to
the empty string. The caller now checks for an empty name and only
passes the tty path to the plugin if it is non-empty. This allows
sudo to run without warnings in a chroot() jail where the terminal
device files are not present. GitHub issue #421.

This avoids sending mail for users running "sudo -nv" or "sudo -nl"
even when mail_badpass or mail_always are enabled. We already avoid
logging in that case but mailing was not disabled when that change
was made. Bug #1072.