mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-30 13:58:05 +00:00
Code Issues Releases Wiki Activity
13,161 Commits 6 Branches 326 Tags
Commit Graph

13161 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Todd C. Miller
3a77314373 Add a separate file for visudo callbacks. 2023-09-18 12:42:51 -06:00
Todd C. Miller
c277e55f42 Rename callbacks.c -> sudoers_cb.c. 2023-09-18 12:42:51 -06:00
Todd C. Miller
0cb3e33444 Wait on a socketpair for the parent to grant child the controlling tty. 
This upgrades the error pipe to a bi-directional socketpair that
the parent will write to after it has granted the child process the
controlling terminal.  That fixes an issue where the child could
end up in a tight CPU loop waiting on the parent which may not be
scheduled immediately.
 2023-09-18 12:26:19 -06:00
Todd C. Miller
a127ddf6db Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them. 
Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and
AUTH_FAILURE.  We avoided this problem in the past because the old
values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines.
 2023-09-15 10:53:28 -06:00
Todd C. Miller
49c7c1f4d3 Only cast TIOCSWINSZ to int on systems that might require it (AIX). 
Otherwise we end up with a -Wconversion warning on systems where
the ioctl() request argument is unsigned long.
 2023-09-15 10:26:29 -06:00
Todd C. Miller
51d6b0f425 Promote verbose flag to int for display_privs and display_cmnd. 
A negative verbosity will prevent non-error output from being
displayed.
 2023-09-15 10:01:35 -06:00
Todd C. Miller
a9ee97580a No need to include cvtsudoers.h here. 2023-09-13 19:44:02 -06:00
Todd C. Miller
0011333f8e Remove pivot_get_root() and pivot_get_cwd(). 
They are unnecessary since struct sudoers_pivot is not opaque.
The implementation details are private to match_command.c.
 2023-09-13 16:46:23 -06:00
Todd C. Miller
2aae36f345 Quiet some -Wconversion warnings in the tests. 2023-09-13 15:15:54 -06:00
Todd C. Miller
b8f2680cf0 Make flag in union sudo_defs_val bool to match how it is used. 
Adjust find_path()'s ignore_dot function argument to match.
 2023-09-13 14:59:29 -06:00
Todd C. Miller
a9801cc99d Parse euid and egid from sudo front-end. 
These are needed by bsm_audit.c.
 2023-09-13 12:43:39 -06:00
Todd C. Miller
38ddbb14f1 Parse pid and ppid from sudo front-end. 
We can now use the stored ppid in ts_init_key().
 2023-09-13 12:29:40 -06:00
Todd C. Miller
34990c0e08 Use struct sudoers_pivot instead of defining sudoers_pivot_t. 
We want to pass around a pointer, not the struct itself.
 2023-09-13 08:36:07 -06:00
Todd C. Miller
15b3d786d7 Don't expose the implementation of the pivot_root state. 2023-09-11 16:21:11 -06:00
Todd C. Miller
0b52ffd1a2 Don't expose the implementation of the pivot_root state. 2023-09-11 16:15:41 -06:00
Todd C. Miller
4117ad1462 Only call ptrace_verify_post_exec() for intercept, not log_subcmds. 
This fixes a logic goof introduced in sudo 1.9.14.
 2023-09-11 13:11:49 -06:00
Todd C. Miller
c0553cd383 tsgetusershell.c: don't rely on GNU sed extensions. 2023-09-10 17:59:18 -06:00
Todd C. Miller
0a85869286 testsudoers: add -S option to specify /etc/shells path. 2023-09-10 16:44:24 -06:00
Todd C. Miller
034b2f3bdd Add testsudoers_setshellfile() and use it in testsudoers. 2023-09-10 16:38:53 -06:00
Todd C. Miller
62b92c7fb8 regen 2023-09-10 16:37:26 -06:00
Todd C. Miller
166ef55aa7 Remove unnecessary sudo_gettext.h include and add missing const. 2023-09-10 10:23:04 -06:00
Todd C. Miller
c54bdd799b Return AUTH_* flags from check_user() instead of 1/0/-1. 2023-09-09 14:59:46 -06:00
Todd C. Miller
2fdb4db339 Wrap valid_shell and add to sudo_pwutil_set_backend(). 
This will make it possible to support a different getusershell()
implementation for testsudoers in the future.
 2023-09-09 14:48:25 -06:00
Todd C. Miller
d18ee8e0e7 Move check_user_shell() to pwutil.c as user_shell_valid() 
This will make it possible to support a different backend which may
be used by testsudoers in the future.
 2023-09-09 14:07:28 -06:00
Todd C. Miller
28a13501d8 Merge check_user() and check_user_interactive(), move getpass callbacks. 
The getpass callbacks are now defined in sudo_auth.c, which implements
auth_getpass().  As a result, struct getpass_closure is now public
and defined in timestamp.h.
 2023-09-09 14:07:11 -06:00
Todd C. Miller
0495afac57 Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. 2023-09-09 14:07:07 -06:00
Todd C. Miller
2ef90231a1 Make all match functions return ALLOW/DENY not true/false. 2023-09-09 14:07:06 -06:00
Todd C. Miller
7873f8334c Try to make sudo less vulnerable to ROWHAMMER attacks. 
We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE.  In addition, we
explicitly test for expected values instead of using a negated test
against an error value.  In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
 2023-09-09 14:07:04 -06:00
Todd C. Miller
525803db23 Honor ignore_perms plugin argument for @include and @includedir. 2023-09-09 14:06:11 -06:00
Todd C. Miller
499121229e Don't set on_suspend and on_resume twice. 2023-09-06 20:17:00 -06:00
Todd C. Miller
956de5cbbc sudoers_sethost: refactor code to set host names in sudoers_context. 
The sudoers_sethost() function can be shared by the sudoers plugin,
visudo, cvtsudoers and testsudoers.
 2023-09-02 15:25:58 -06:00
Todd C. Miller
0c9ca88f5b sudoers_trace_print: use debug_decl_vars instead of doing it by hand. 2023-09-01 16:55:19 -06:00
Todd C. Miller
080e08b0fb sudo_realpath() returns char *, not void *. 2023-09-01 13:28:04 -06:00
Todd C. Miller
d898d073bf Only print "no valid sudoers sources found, quitting" for multiple sources. 
If there is only a single source (usually the sudoers file), the
open function provide enough of an error message.  Printing two
error messages is just confusing.
 2023-08-31 14:05:08 -06:00
Todd C. Miller
f5b3f99098 user_in_group: the user's group vector already includes the primary group. 
There's no need to look up the name of user's primary group (pw_gid),
we always include the primary group ID in the group vector.
 2023-08-30 13:36:41 -06:00
Todd C. Miller
05f823df22 Move sudoers_debug.c prototypes to sudoers_debug.h. 2023-08-29 13:54:45 -06:00
Todd C. Miller
35a7283dd9 sudo_conv, sudo_printf and plugin_event_alloc live in policy.c. 2023-08-29 13:46:43 -06:00
Todd C. Miller
68a9e91860 Move default value for "iolog_file" to sudo_iolog.h. 2023-08-29 11:46:58 -06:00
Todd C. Miller
75209e2718 Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. 2023-08-29 11:16:23 -06:00
Todd C. Miller
8cd0d74fbb Restore AUTH_INTR support, it is still needed. 
We still need AUTH_INTR to know when to break out of the password
prompt loop.
 2023-08-29 10:02:09 -06:00
Todd C. Miller
3c05e748a4 Add ignore_perms plugin argument to skip the sudoers file security checks. 
This is not intended to be used in a production environment.
 2023-08-29 09:55:09 -06:00
Todd C. Miller
1eb4392e14 Fix test for unsetenv() returning void with clang 16. 
Clang has dropped support for K&R function definitions so rewrite
the test to require a unsetenv() prototype in stdlib.h.
Fixes GitHub issue #302.
 2023-08-28 18:37:06 -06:00
Todd C. Miller
07003d9020 Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined. 
We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching
the file system for commands.
 2023-08-28 13:18:37 -06:00
Todd C. Miller
c858acc481 Rename AUTH_FATAL -> AUTH_ERROR. 2023-08-26 10:45:29 -06:00
Todd C. Miller
cf00568d88 Do not rely on the definition of ALLOW/DENY being true/false. 
We now explicitly check for ALLOW and DENY when checking return
values and negating values.
 2023-08-26 10:32:37 -06:00
Todd C. Miller
bae716642c Replace AUTH_INTR return with AUTH_FAILURE. 
The two were treated identically by the caller.
 2023-08-26 10:08:32 -06:00
Todd C. Miller
b42cab112f Call log_allowed() even when "log_allowed" is disabled. 
Otherwise, sudo will not send mail if "mail_always" or "mail_all_cmnds"
is set.
 2023-08-25 11:19:42 -06:00
Todd C. Miller
4cdee2e312 Don't set defaults values for features that are not present. 
This means that lecture_status_dir and timestampdir are only set
if _PATH_SUDO_LECTURE_DIR and _PATH_SUDO_TIMEDIR respectively are
set.  Also, the log server defaults are only set when SUDOERS_LOG_CLIENT
is defined.
 2023-08-25 11:19:42 -06:00
Todd C. Miller
993ee338d9 Only set I/O logging callbacks if SESSID_MAX is defined. 2023-08-25 11:19:42 -06:00
Todd C. Miller
30fc288291 Move tty_present() into policy.c as sudoers_tty_present(). 
This function is policy-dependent.  For the modern sudo front-end
it will simply check tcpgid and/or ttypath.
 2023-08-25 11:19:42 -06:00