2022-06-27 Todd C. Miller
* src/preload.c:
Fix missing prototype warning.
[66e460d3c1d2] [tip]
* lib/zlib/zconf.h.in:
Define _LFS64_LARGEFILE, _LARGEFILE64_SOURCE if 64-bit or
_LARGE_FILES set. autoconf does not define _LARGEFILE64_SOURCE by
default but zlib expects it (its own configure script will define
it). Fixes a missing prototype for crc32_combine_gen64() on AIX and
HP-UX.
[c5b314bebbcb]
* configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h,
lib/iolog/host_port.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c,
lib/iolog/regress/fuzz/fuzz_iolog_legacy.c,
lib/iolog/regress/fuzz/fuzz_iolog_timing.c,
lib/iolog/regress/iolog_json/check_iolog_json.c,
lib/iolog/regress/iolog_timing/check_iolog_timing.c,
lib/util/regress/fuzz/fuzz_sudo_conf.c,
lib/util/regress/glob/globtest.c,
lib/util/regress/mktemp/mktemp_test.c, lib/util/strtoid.c,
logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c,
logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c,
plugins/python/pyhelpers.c, plugins/python/python_plugin_approval.c,
plugins/python/python_plugin_approval_multi.inc,
plugins/python/python_plugin_audit.c,
plugins/python/python_plugin_audit_multi.inc,
plugins/python/python_plugin_common.c,
plugins/python/python_plugin_group.c,
plugins/python/python_plugin_io.c,
plugins/python/python_plugin_io_multi.inc,
plugins/python/python_plugin_policy.c,
plugins/python/regress/check_python_examples.c,
plugins/python/sudo_python_module.c, plugins/sudoers/audit.c,
plugins/sudoers/getdate.c, plugins/sudoers/getdate.y,
plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/iolog.c, plugins/sudoers/log_client.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/fuzz/fuzz_stubs.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c,
plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c,
plugins/sudoers/stubs.c, plugins/sudoers/timestamp.c,
plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.h,
plugins/sudoers/unesc_str.c, src/copy_file.c, src/exec_ptrace.c,
src/load_plugins.c, src/net_ifs.c, src/sudo.h, src/sudo_intercept.c,
src/sudo_intercept_common.c, src/sudo_noexec.c:
Make sudo pass -Wmissing-prototypes
[195b024b9f54]
* src/exec_ptrace.c:
Include inttypes.h if stdint.h is not present. Bug #1035
[da6185c4c418]
2022-06-21 Todd C. Miller
* src/exec_ptrace.c:
readlink(2) does NUL-terminate the buffer, do it manually. Fixes a
bug where the current working directory could include garbage in
intercept mode using ptrace(2).
[dc7c547f518f]
* src/exec_intercept.c:
intercept_write: remove unused CD_USE_PTRACE code. It is not
possible to end up in intercept_write when CD_USE_PTRACE is set.
[f8bdc5e37294]
2022-06-20 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.11p3
[c96ded63ae46]
* src/exec_intercept.c, src/sudo_intercept_common.c:
Set TCP_NODELAY on the socket used for intercept IPC to reduce
latency. On some systems, Nagle's algorithm was delaying receipt of
the data, causing commands with intercept or log_subcmds to run
slowly. Related to Bug #1034.
[11b129850ac1]
* src/sudo_intercept_common.c:
Use blocking I/O when talking to the sudo process. Also check for
EAGAIN/EINTR when reading the message size. Fixes a problem seen on
AIX where recv_intercept_response() could fail unexpectedly. Bug
#1034.
[8554618665a2]
* src/exec_intercept.c:
Add debug printfs when send/recv return EAGAIN or EINTR. These are
not actually errors but can help gain insight into what is going on
and, in the case of EAGAIN, whether or not there may be a kernel
resource starvation problem.
[fd2dee906d2f]
2022-06-14 Todd C. Miller
* plugins/sudoers/logging.c:
log_exit_status: make local variables match struct evlog members.
[f93d5141e818]
2022-06-13 Todd C. Miller
* lib/util/getgrouplist.c:
Quiet a compiler warning on macOS. The getgrouplist() groups array
on macOS is int * instead of gid_t *.
[c64bf72a1416]
2022-06-12 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.11p2
[9505276e5c97]
2022-06-11 Todd C. Miller
* src/exec_ptrace.h:
Fix compilation on Linux/x32; GitHub issue #158
[8cebfdd49205]
2022-06-10 Todd C. Miller
* plugins/sudoers/policy.c:
Fix pasto in comment after HAVE_PRIV_SET #endif
[2275ab3b016d]
* include/sudo_compat.h:
Fix typo, we should define SSIZE_MAX if it is not defined.
[51c68f801479]
2022-06-09 Todd C. Miller
* plugins/sudoers/env.c:
Change black list -> blocklist. This was missed in the previous
conversion.
[da610ebb5cb1]
* plugins/sudoers/audit.c, plugins/sudoers/iolog.c,
plugins/sudoers/log_client.c, plugins/sudoers/log_client.h,
plugins/sudoers/logging.c, plugins/sudoers/logging.h,
plugins/sudoers/policy.c,
plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c,
plugins/sudoers/sudoers.h:
Save a pointer to the event_alloc parameter in the plugin open
function. That way we don't need to pass event_alloc around to the
log client functions.
[a8a47f3770b3]
* lib/protobuf-c/protobuf-c.c:
Fix regression with zero-length messages introduced in protobuf-c PR
500.
[42062b9f75d5]
2022-06-08 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.11p1
[7fcfdaacb15e]
2022-06-07 Todd C. Miller
* src/exec_pty.c:
Make read and write events persistent and disable as needed. For the
read callback, disable reader when the buffer is full. For the write
callback, disable writer when the buffer is consumed.
[2b6953dc4224]
* config.h.in, configure, configure.ac, src/sudo_exec.h,
src/sudo_noexec.c:
Check for SECCOMP_MODE_FILTER not SECCOMP_SET_MODE_FILTER. This
matches the actual prctl() call we use.
[4222768293d1]
* Merge pull request #157 from 0x2b3bfa0/improve-tag-spec-ebnf-docs
Improve Tag_Spec EBNF documentation
[f528335aded5]
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
Treat EINTR in a callback like we do EAGAIN. We shouldn't get EINTR
in practice since we set SA_RESTART when registering signal handlers
but it doesn't hurt to be consistent.
[acf3394e2df2]
* Merge pull request #156 from delroth/aarch64-build
exec_ptrace: fix missing sudo_pt_regs on aarch64
[a7062c609a96]
2022-06-07 Pierre Bourdon
* src/exec_ptrace.h:
exec_ptrace: fix missing sudo_pt_regs on aarch64
AArch64 already had an existing "user_pt_regs" struct and didn't
need a struct alias before the renaming to "sudo_pt_regs". Make the
code build again by adding the now missing alias.
Fixes: 2eb8ff17
[3b55f40e9b83]
2022-06-07 Helio Machado <0x2b3bfa0+git@googlemail.com>
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
Improve Tag_Spec EBNF documentation
[7e23ec31d124]
2022-06-07 Todd C. Miller
* Merge pull request #154 from 0x2b3bfa0/fix-tag-spec-docs
Add missing colon in Tag_Spec documentation
[ec8f4610b677]
* Merge pull request #152 from particleflux/fix-sudoers-typo
Fix typo in sudoers comment
[bbbcff4c14ba]
2022-06-07 Helio Machado <0x2b3bfa0+git@googlemail.com>
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add missing colon in Tag_Spec documentation
[e6f4c612e22a]
2022-06-07 Stefan Linke
* plugins/sudoers/sudoers.in:
Fix typo in sudoers comment
Fix a typo in the sudoers comment about `maxseq` param.
Introduced by 906eb19ece47023c659b4b3db2e7a6bb57dff0d9 in 1.9.11.
[b38fae41b3eb]
2022-06-06 Todd C. Miller
* lib/protobuf-c/protobuf-c.c:
Only shift unsigned values to avoid implementation-specific
behavior. This converts the arithmetic shifts to logical shifts.
[e25aa8e9891a]
* lib/protobuf-c/protobuf-c.c:
Fix issue protobuf-c#499: unsigned integer overflow Signed-off-by:
10054172
[f3637be4df4f]
* include/sudo_event.h, lib/util/event_select.c:
Fix building with select (not poll) when fd_set is not defined in
sys/types.h. We can use a void * for the fd_set arrays and just add
a cast when using the FD_SET macros.
[5c636cbc11f0]
* src/exec_pty.c:
Reinstall the event handler if we get EAGAIN from read/write
callback. The read and write events do not set SUDO_EV_PERSIST so we
need to explicitly re-enable the event if there is still data to be
read. Bug #963.
[0006cb6531f4]
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
If write(2) returns EAGAIN just re-enter the event loop. This is
consistent with how we handle EAGAIN for read(2).
[e6478d917a0f]
* docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
Document how setting ModulePath affects the Python search path. Also
advise the user to use a unique prefix to avoid name space
collisions with installed Python modules. Bug #1031.
[68a9d50d7806]
* configure, configure.ac, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in:
Add EXAMPLES variables for use in the man pages for the examples
directory.
[148272d9a6d3]
2022-06-04 Todd C. Miller
* plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po:
Updated translations from translationproject.org
[985902730e5b]
* plugins/sudoers/po/hr.mo, po/hr.mo:
Rebuild Croatian message catalog.
[438136f65c13]
2022-06-03 Todd C. Miller
* .gitignore, .hgignore:
Add new test binaries to the ignore files.
[ea9de2ded48d]
* po/cs.mo, po/cs.po:
Updated translations from translationproject.org
[eac0aba546ed]
* lib/protobuf-c/protobuf-c.c:
Define WORDS_BIGENDIAN on big endian systems. Instead of a configure
check, we use endian.h (or a fallback).
[4d5603a9528c]
* include/intercept.pb-c.h, include/log_server.pb-c.h,
include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c,
scripts/unanon:
Update to protobuf-c 1.4.0
[47ff9b8bab21]
* logsrvd/logsrvd.c, plugins/sudoers/cvtsudoers_csv.c:
Quiet two clang analyzer false positives.
[2c878f7853cc]
* src/exec_intercept.c:
Move a comment to the correct location.
[caacb3fae078]
* logsrvd/logsrvd.c:
union sockaddr_union: pass in sockaddr_union * instead of sockaddr
*. This eliminates the need for a few casts and is consistent with
how create_listener() is written.
[4def05f8d895]
* src/exec_ptrace.c:
Eliminate some dead stores that clang-analyzer complains about.
[3aac29fe0101]
* src/exec_ptrace.c:
ptrace_read_vec: don't try to free memory on the error path. This is
leftover from when ptrace_read_string() allocated its own memory.
[7f5b5d21bce9]
* config.h.in, configure, configure.ac, src/sudo_intercept.c:
Avoid using vfork(2) in the DSO system(3) wrapper. Traditional
vfork(2) semantics make it unsafe for use for more than just
vfork(2) + execve(2).
[9a8ce7aef55d]
2022-06-02 Todd C. Miller
* po/vi.mo, po/vi.po:
Updated translations from translationproject.org
[e3197ef8a98d]
* NEWS:
Mention sudo_logsrvd.conf "log_server" parsing fix.
[575a31b83bfd]
* MANIFEST, logsrvd/Makefile.in,
logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in,
logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in,
logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in,
logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in:
For logsrvd_conf_test include both tls and non-tls configs.
[ec1815793aab]
* MANIFEST, logsrvd/Makefile.in,
logsrvd/regress/logsrvd_conf/cacert.pem,
logsrvd/regress/logsrvd_conf/logsrvd_cert.pem,
logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c,
logsrvd/regress/logsrvd_conf/logsrvd_dhparams.pem,
logsrvd/regress/logsrvd_conf/logsrvd_key.pem,
logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in,
logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in:
Add a simple regression test for logsrvd.conf parser. Unlike the
parser fuzzer, this includes sample certs and keys. This test would
have detected the BIO_new_file() bug in set_dhparams().
[7ddabb9d022f]
* logsrvd/logsrvd_conf.c:
Fix inverted logic when setting server_log. A value that starts with
a '/' should be treated as a path.
[8941fd924fbf]
* plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in:
Use abs_top_builddir instead of `pwd`/$(top_builddir).
[0f4e20a7aeed]
2022-06-01 Todd C. Miller
* lib/util/regress/parse_gids/parse_gids_test.c:
Plug a memory leak.
[8a9eb498ed55]
* plugins/sudoers/parse_ldif.c:
Fix bug in last commit, need to reinitialize role to NULL.
[1e454b967993]
* plugins/sudoers/parse_ldif.c:
Simplify the check for when we can reuse the previous user and host
specs. This makes the code easier to read and quiets a cppcheck
false positive.
[037c4943f1ac]
* docs/Makefile.in:
Install the plugin man pages in section 5 (or 4 for System V). The
manual had the correct section in the text but was installed in the
wrong directory.
[5df7d3f9a010]
* plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/de.mo,
po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo,
po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo,
po/ro.po, po/uk.mo, po/uk.po:
Updated translations from translationproject.org
[9ac84e5c9250]
* NEWS:
Sudo now supports intercepting system(3).
[a46db96a3b03]
2022-05-31 Todd C. Miller
* plugins/sudoers/log_client.c:
Only display "unable to connect to log server" warning once.
Previously, in intercept mode, if the log server is unreachable the
message would be printed for each sub-command.
[df4c53518bb7]
* src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/sudo_exec.h:
When using ptrace(2), push the point where we suspend into
exec_cmnd(). This should reduce the amount of time the child has to
wait for the parent to use PTRACE_SEIZE to seize control and then
PTRACE_CONT to continue the child.
[f9caab4bf18b]
* config.h.in, configure, configure.ac, src/sudo_intercept.c:
Add configure check for vfork(2) and fall back to fork(2) if
missing.
[ddfaba8d2a09]
* docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, src/intercept.exp.in, src/sudo_intercept.c:
Add support for intercepting the system(3) function. This also means
we can log system(3) with log_subcmds.
[aca241d96c0b]
* include/compat/endian.h:
Newer compilers define __BYTE_ORDER__ and
__ORDER_{BIG,LITTLE}_ENDIAN__. Also add riscv to the little endian list.
[55731e5517fc]
2022-05-29 Todd C. Miller
* configure, configure.ac:
On AIX, fmemopen(3) has a bug where feof() returns false at EOF. See
https://www.ibm.com/support/pages/apar/IJ11845
[a703278bceed]
2022-05-27 Todd C. Miller
* plugins/sudoers/defaults.c:
Fix potential signed integer overflow on 32-bit CPUs. Converting
fractional minutes to nanoseconds could overflow a 32-bit integer,
use long long instead.
[b1d2afc0cc4d]
* plugins/sudoers/Makefile.in:
Fix path to example sudoers file, it is now in the build dir.
[899850a04adf]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
init_options: initialize apparmor_profile to NULL
[ad0de9e0474f]
* NEWS:
Update with latest 1.9.11 changes.
[12650d2b6184]
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
Fix typo
[ce83f628330c]
* docs/CONTRIBUTORS.md:
Update contributors.
[5b69f27ea398]
* logsrvd/tls_init.c:
Fix uninitialized use of ca_store when building with wolfSSL.
[e7cc6d8d9f7e]
* docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile,
docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Newer Debian/Ubuntu uses libsepol-dev not libsepol1-dev.
[b2c1326bfb0d]
* configure, configure.ac, plugins/sudoers/def_data.h,
plugins/sudoers/gram.c, plugins/sudoers/gram.h,
plugins/sudoers/toke.c, src/Makefile.in:
Regenerate files after merging AppArmor integration.
[d24fcec2cb87]
* Merge pull request #148 from kernelmethod/apparmor_support
Add AppArmor support to sudo
[fcbfb2410afd]
* docs/sudoers.man.in, docs/sudoers.mdoc.in,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/policy.c,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
src/parse_args.c, src/sudo.c, src/sudo.h:
Merge branch 'main' into apparmor_support
[7832ecc5eb7f]
2022-05-26 Todd C. Miller
* src/sudo_intercept.c:
Pass envp, not environ, to real execve() from exec_wrapper() if
possible. The replacement execve() function was passing the global
environ to exec_wrapper() instead of the envp parameter. This caused
the command to be run with the wrong environment on AIX systems, and
possibly others, when intercept or log_subcmds was enabled. Bug
#1030.
[dc0187c68c1b]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.11
[b4c8ec57842f]
* src/exec_ptrace.c:
Consolidate some translatable strings.
[05dae7c3c8da]
* logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c,
logsrvd/logsrvd_relay.c, logsrvd/sendlog.c,
plugins/sudoers/log_client.c, src/exec_intercept.c:
Standardize protobuf "unable to unpack" warning messages.
[6f4e026c7a02]
* docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in,
include/sudo_plugin.h,
plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout,
src/exec.c:
Bump plugin minor version and document new intercept-related
settings. There should have been a minor version bump for sudo 1.9.8
when intercept was originally implemented.
[2b7591704df4]
2022-05-25 Todd C. Miller
* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h:
Reset intercept_allow_setid if intercept_type changes from trace to
dso. But only reset intercept_allow_setid if the user didn't
explicitly set it.
[e398111d824e]
2022-05-24 Todd C. Miller
* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
CentOS Stream only uses a major version number, no minor version.
This prevents the packages from being created as foo.el.arch.rpm
since we were assuming that the version number was two digits.
[a3caed91ea8c]
* src/exec_ptrace.c, src/exec_ptrace.h:
Add support for running o32 and n32 binaries on mips64.
[887ab363f2a4]
* src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
Enable ptrace support for MIPS but only for log_subcmds. It is not
possible to change the syscall return value on MIPS so we cannot
support full intercept mode. Another complication on MIPS is that if
a system call is invoked via syscall(__NR_###), v0 holds
__NR_O32_Linux and the real syscall is in the first arg (a0) and
other args are shifted by one.
[0345a4137047]
* docs/sudoers.man.in, docs/sudoers.mdoc.in,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/defaults.c,
plugins/sudoers/policy.c, plugins/sudoers/sudoers.h,
src/exec_ptrace.c, src/parse_args.c, src/sudo.c, src/sudo.h,
src/sudo_exec.h:
Add intercept_type sudoers option to set intercept/log_subcmds
mechanism.
[b97e461f7da1]
2022-05-23 kernelmethod
* MANIFEST, include/sudo_debug.h, src/Makefile.in, src/apparmor.c,
src/parse_args.c, src/sudo.c, src/sudo.h:
Add an apparmor_profile sudo setting
Define a new sudo setting, `apparmor_profile`, that can be used to
pass in an AppArmor profile that should be used to confine commands.
If apparmor_profile is specified, sudo will execute the command
using the new `apparmor_execve` function, which confines the command
under the provided profile before exec'ing it.
[a54897efe031]
* plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c,
plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_ldif.c,
plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.y,
plugins/sudoers/parse.c, plugins/sudoers/parse.h,
plugins/sudoers/policy.c,
plugins/sudoers/regress/fuzz/fuzz_policy.dict,
plugins/sudoers/regress/fuzz/fuzz_sudoers.dict,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/toke.l:
Add an APPARMOR_PROFILE user spec option to sudoers
sudoers now supports an APPARMOR_PROFILE option, which can be
specified as e.g.
    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL
The line above says "user alice can run any command as any
user/group, under confinement by the AppArmor profile 'foo'."
Profiles can be specified in any way that complies with the rules of
aa_change_profile(2). For instance, the sudoers configuration
    alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL
allows alice to run any command unconfined (i.e., without an
AppArmor profile), while
    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL
tells sudoers that alice can run any command under the stacked
AppArmor profiles 'foo' and 'bar'.
The intention of this option is to give sysadmins on Linux distros
supporting AppArmor better options for fine-grained access control.
Among other things, this option can enforce mandatory access control
(MAC) over the operations that a privileged user is able to perform
to ensure that they cannot privesc past the boundaries of a
specified profile. It can also be used to limit which users are able
to get unconfined system access, by enforcing a default AppArmor
profile on all users and then specifying
'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
[2afe8c910959]
* config.h.in, configure.ac, scripts/mkdep.pl, scripts/mkpkg:
Add a --with-apparmor build flag
Add a new build flag, --with-apparmor, that builds sudo with
AppArmor support. Modify the build script for Debian and Ubuntu to
enable this flag by default.
[596b4e6dce4d]
* INSTALL.md, docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add documentation for AppArmor support
- Document the AppArmor userspec option in the sudoers man pages.
- Add information about the --with-apparmor build configuration option
to INSTALL.md.
[524dde965b94]
2022-05-22 kernelmethod
* docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile,
docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile,
docker/ubuntu/rolling/Dockerfile:
Add libapparmor-dev to the Debian and Ubuntu Dockerfiles
Install libapparmor-dev on Debian- and Ubuntu-based Docker images so
that they can build sudo with AppArmor support.
[8491c8b6d240]
2022-05-19 Todd C. Miller
* src/exec_nopty.c, src/exec_pty.c:
Pass the WUNTRACED flag to waitpid() even if __WALL is present.
Otherwise, we won't get the wait status of a suspended command that
is not being traced.
[7c2b46ec73be]
* configure, configure.ac, lib/iolog/Makefile.in,
lib/logsrv/Makefile.in, logsrvd/Makefile.in,
plugins/sudoers/Makefile.in:
Use explicit library dependencies instead of implicit. We now
include all the dependent libraries when linking. Fixes a linking
problem on CentOS Stream 9.
[6f06cdbb1552]
* plugins/sudoers/logging.c:
mail_parse_errors: allocate the correct amount of space for mail
body. Use strlen(), not sizeof(), on "problem parsing sudoers" since
it is a translated string and not a constant. This was caught by the
existing overflow checks.
[5aa53136cd9d]
2022-05-18 Todd C. Miller
* MANIFEST, src/Makefile.in, src/exec_nopty.c, src/exec_pty.c,
src/regress/intercept/test_ptrace.c, src/sudo_exec.h,
src/suspend_nopty.c:
Move code to suspend sudo when no pty is in use to separate file.
Use this in test_ptrace.c to be able to suspend just like sudo does.
[ddef421918b7]
2022-05-17 Todd C. Miller
* src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c,
src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
Fix suspending a sudo-run shell in ptrace intercept mode with no
pty. When ptracing a process, we receive the signal-delivery-stop
signal before the group-stop signal. If sudo is running the command
in the same terminal, we need to wait until the stop signal is
actually delivered to the command before we can suspend sudo itself.
If we suspend sudo before receiving the group-stop, the command will
be restarted with PTRACE_LISTEN too late and will miss the SIGCONT
from sudo.
[bf9a482ecddd]
* docs/TROUBLESHOOTING.md, docs/sudo_logsrvd.man.in,
docs/sudo_logsrvd.mdoc.in:
OpenSSL 3.x requires the key usage extension be present in CA and
certs. Certificates generated with a CA that doesn't set the key
usage extension will fail to validate if "tls_verify" is enabled.
[3ae4ef1ecf57]
* logsrvd/tls_init.c:
Include the cert or ca file in error messages where applicable.
[3e0558886a3d]
* logsrvd/tls_init.c:
Add missing include of string.h for strerror(3).
[253a5634d441]
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c,
logsrvd/tls_client.c, logsrvd/tls_init.c,
plugins/sudoers/log_client.c:
If ERR_reason_error_string() returns NULL, fall back on
strerror(errno). That way we get reasonable error messages for
missing files, etc.
[d2423ef0e284]
* logsrvd/tls_init.c:
set_dhparams: pass BIO_new_file() "r" for the file mode, not
O_RDONLY. Unlike BIO_new_fp(), BIO_new_file() takes an fopen-style
mode string.
[7a67aec88cb4]
* src/exec_ptrace.c:
The set_sc_arg3, get_sc_arg3 and set_sc_arg4 functions are not used.
Use ifdef notyet to disable for now since they may be used in the
future.
[99d2f2a42da5]
2022-05-16 Todd C. Miller
* src/exec_ptrace.h, src/sudo_exec.h:
Use __x86_64__ preprocessor symbol, not __amd64__. Also clarify a
comment about MIPS ptrace.
[b02ad513eb64]
* src/exec_ptrace.h, src/sudo_exec.h:
ptrace support has been tested on Debian/s390x. It should also work
on s390 but this has not been tested. I have not added a compat mode
to trace 31-bit binaries on s390x due to the lack of a test system.
[3176433e7456]
* src/exec_ptrace.h:
Define sudo_pt_regs instead of user_pt_regs and include the struct
keyword. On s390, the struct is typedef'd without a name.
[b2b74f378eef]
* src/exec_ptrace.h, src/sudo_exec.h:
ptrace support has been tested on Debian/riscv64.
[e1011074d984]
2022-05-15 Todd C. Miller
* plugins/sudoers/sudoers.in:
Add maxseq setting to log_output example. This should make it more
obvious that you need to adjust maxseq unless you have (virtually)
unlimited disk space.
[5203240a248b]
* scripts/mkpkg:
Fix dependency check for libssl on Debian/Ubuntu with OpenSSL 3.
Also add check for python 3.10 and 3.11 and remove versions < 3.4.
Fixes building on Ubuntu 22.04.
[c9114582911c]
2022-05-14 Todd C. Miller
* src/exec_ptrace.h:
Tracing 32-bit arm binaries from a 64-bit sudo works.
[c1e1602874ed]
* src/exec_ptrace.c:
ptrace_write_string: the terminating NUL fix was reverted by
mistake.
[587dd11b2783]
* src/exec_ptrace.h, src/sudo_exec.h:
ptrace-based intercept has now been tested on 32-bit arm
[493b17a89e63]
2022-05-13 Todd C. Miller
* src/exec_ptrace.h:
Don't use PTRACE_SET_SYSCALL for 32-bit arm binaries running on
aarch64. Use PTRACE_SETREGSET with NT_ARM_SYSTEM_CALL instead just
like we would for a 64-bit binary. Newer Linux headers don't define
PTRACE_SET_SYSCALL for aarch64.
[5930846e9c9e]
* src/regress/intercept/test_ptrace.c:
Replace verbose flag with debug flag. This is more accurate since it
actually uses the debug subsystem.
[dda8b8af8bd2]
* src/exec_ptrace.h:
Initial cut at MIPS support, untested. Mips is a bit different in
that most Linux distros appear to use the n32 ABI on 64-bit CPUs. We
don't currently support tracing a 64-bit binary from a 32-bit sudo.
We could support tracing o32 ABI binaries in compat mode, though.
[05e5e246463a]
2022-05-12 Todd C. Miller
* src/regress/intercept/test_ptrace.c:
Add have_seccomp_action("trap") call to check for
SECCOMP_MODE_FILTER.
[250c6b72c4f4]
* src/exec_ptrace.c, src/exec_ptrace.h:
Add arm-specific code to set the system call number. Fixes rejection
of commands due to policy on arm when in intercept mode.
[74c5bd26713b]
* scripts/mkpkg:
Fix OS major version detection on CentOS Stream
[cd4d5aaf59a7]
* src/exec_ptrace.c:
Repair ptrace_write_vec() for compat binaries.
[77ee302b0631]
* src/regress/intercept/test_ptrace.c:
Fix a crash when not run in verbose mode.
[adf481623228]
* src/exec_ptrace.c:
ptrace_intercept_execve: read back the updated syscall args in test
mode. This makes it easier to detect problems with the syscall
rewrite code when testing with test_ptrace.
[4eb9e09d90d9]
2022-05-11 Todd C. Miller
* src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
Enable ptrace intercept on powerpc. Tested on ppc64 and ppc64le.
[fbd12baa1a02]
* src/exec_ptrace.c:
Fix tracing compat binaries on big endian systems. We need to swap
the order of the two 32-bit addresses for big-endian.
[375004a3ef09]
* src/exec_ptrace.c:
Move code to write a string vector to ptrace_write_vec().
[8401e0397f11]
* src/exec_ptrace.c:
Fix compilation error on systems with no compat arch. Currently only
affects i386.
[b95c707298c5]
* MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c,
src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
Add test_ptrace program to test ptrace-based intercept support.
[5f7162bcdbfd]
* src/exec_ptrace.c:
Use unsigned long for addresses so we don't have to worry about sign
extension.
[7a0d4ea2fa70]
2022-05-10 Todd C. Miller
* src/exec_ptrace.c:
ptrace_write_string: make sure we always write the terminating NUL.
We can't check *str for NUL since it may not have been written yet.
[9d95217981ac]
* src/exec_ptrace.c:
Fix compilation error when SECCOMP_AUDIT_ARCH_COMPAT is not defined.
[3162054bac24]
2022-05-09 Todd C. Miller
* src/exec_ptrace.c, src/exec_ptrace.h:
It is now safe to make WORDALIGN use compat (not native) alignment.
We allocate space for an extra pointer between argv and the string
table for compat binaries so there is no need to align address to
sizeof(long).
[898626f1cdf6]
* src/exec_ptrace.c, src/exec_ptrace.h:
Use the entire word in ptrace_get_vec_len() and ptrace_read_vec().
For compat binaries, use the upper 32-bits as the next word instead
of calling ptrace(2) to get it. This reduces the number of ptrace(2)
calls when reading argv and envp for compat binaries.
[cf5d1ae47dbe]
2022-05-07 Todd C. Miller
* src/exec_ptrace.c:
We don't need to align strings in the string table. We align the
start of the string table to a word boundary to help prevent overlap
when writing the pointers. However, the actual strings themselves
don't need to be aligned.
[219a1a07fc2e]
2022-05-06 Todd C. Miller
* src/exec_ptrace.c:
Avoid potentially overwriting string table when writing argv. In
compat mode, if argc is odd, writing the last pointer of argv will
overlap with the address of argv[0], so leave an extra word in
between. Also remove incorrect comments about PTRACE_PEEKDATA
unaligned access.
[13f7e63a31bd]
* src/exec_ptrace.c, src/exec_ptrace.h:
Use native word size for padding and when reading/writing strings.
If we try to use the compat word size we can end up in a situation
where a subsequent PTRACE_POKEDATA overwrites part of what we've
already written since it always writes in sizeof(long) units.
[e0d7fdc3f8e2]
2022-05-05 Todd C. Miller
* src/exec_ptrace.c:
ptrace_intercept_execve: rewrite path to exec if changed by the
policy
[089f0e32cf2a]
* src/exec_ptrace.c:
ptrace_intercept_execve: plug memory leak of get_execve_info()
buffer
[5ce2cf252c80]
* MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c,
src/exec_ptrace.h:
Move register definitions to exec_ptrace.h
[59cc9bec6925]
* src/exec_ptrace.c:
Add support for intercepting 32-bit binaries on 64-bit systems. We
need to define the ptrace register struct ourselves for the 32-bit
system since there is no good way to get it from the system headers.
Currently only implemented for x86_64 and aarch64.
[a0407bb1fee0]
* src/exec_ptrace.c:
Add setters and getters for ptrace(2) register access. This will be
used when running 32-bit binaries from a 64-bit sudo.
[f7da9453d9fa]
* src/exec_ptrace.c:
exec_ptrace_handled: don't return early if ptrace_intercept_execve()
fails. We need to continue the traced process even if there is a
fatal error. Otherwise, sudo will appear to hang as the running
process is left in PTRACE_EVENT stop.
[5b3bd75c4486]
* src/exec_ptrace.c:
Don't use PTRACE_GETREGS, it is too complicated when running compat
binaries. Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we
manually map registers from 64-bit to 32-bit layouts when running,
e.g. a 32-bit binary from a 64-bit sudo process.
[bb3476230373]
2022-05-04 Todd C. Miller
* docs/sudoers.man.in, docs/sudoers.mdoc.in,
plugins/sudoers/defaults.c, plugins/sudoers/policy.c,
plugins/sudoers/sudoers.h, src/exec_nopty.c, src/exec_pty.c,
src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
Initialize intercept_allow_setid to true if we use ptrace(2) and
seccomp(2).
[57e58c0ada44]
2022-05-03 Todd C. Miller
* src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c,
src/sudo_exec.h:
If the process is already being traced, just resume it and clear
flags. This makes it possible to run sudo in ptrace intercept mode
from within a shell (or other process) that is already being traced
by sudo.
[db4d7cd5f673]
* src/exec_ptrace.c:
exec_ptrace_handled: fix delivery of non-stop signals. We need to
deliver signals to the tracee as long as it is not a group stop.
Fixes a hang while tracing another sudo process.
[4ede8b4cfbd9]
* src/exec_nopty.c:
Make SIGCHLD handler more consistent with the pty version. No real
change other than a few debug statements.
[bd52284b1e2a]
* plugins/sudoers/parse.c:
sudoers_lookup_check: preserve intercepted flag when reinitializing
cmnd_info. Otherwise we may not reject an attempt to run a set-user-
ID command.
[43d72d1537b2]
* src/exec_nopty.c, src/exec_pty.c:
Kill the command if intercept_setup() or ptrace_seize() fail.
[1037f81b327b]
2022-05-02 Todd C. Miller
* plugins/sudoers/match_command.c:
Move intercept setid check out of do_stat() and into its own
function. For command_matches_all() we should only perform the setid
check if the file exists and intercept is enabled. Otherwise, we can
end up returning an error if the fully-qualified command does not
exist. Fixes a regression introduced in sudo 1.9.0 with the support
for digests in conjunction with "sudo ALL".
[1b5f9ed2160a]
* src/exec_ptrace.c:
Add support for intercepting x32 binaries on Linux x86_64.
[c5fc89f38c43]
2022-04-29 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.11
[d3e832f94348]
* plugins/sudoers/auth/kerb5.c, src/exec_ptrace.c:
Fix typos
[8ef3e84fc62e]
* MANIFEST, docs/CONTRIBUTORS.md, po/ka.mo, po/ka.po:
New Georgian translation from translationproject.org
[f6b9c7d2192c]
* src/exec_ptrace.c:
Short-circuit the policy check if the command doesn't exist.
Otherwise, both sudo and the shell will report the error.
[f16f1b6705d9]
* src/exec_ptrace.c:
Add support for replacing argv in ptrace intercept mode. The new argv
is written below the tracee's stack and the system call argument is
replaced with the new argv address.
[3974c784be8b]
* src/exec_ptrace.c:
Check architecture in the seccomp filter. Currently only supports
the native architecture.
[13f88e436ae0]
* src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c,
src/exec_ptrace.c:
Suspend the child process and wait for SIGUSR when using ptrace.
This fixes a race condition in ptrace-based intercept mode when
running the command in a pty. It was possible for the monitor to
receive SIGCHLD when the command sent itself SIGSTOP before the main
sudo process did.
[cf1f0bea9931]
* plugins/sudoers/parse.c, src/exec.c, src/selinux.c, src/sudo.h:
Enable intercept and log_subcmds for SELinux using ptrace and
seccomp.
[5d7a3df4457e]
* src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c,
src/sudo.c, src/sudo.h:
For ptrace intercept mode, do not do a policy check for the initial
command. We can skip the policy check for the execve(2) of the
initial command since it has already been checked. Otherwise, we would
log the command twice. When using fexecve(2) due to a digest check,
there should be no need to skip the initial command since it will be
executed via execveat(2) not execve(2). However, on older kernels
without execveat(2), glibc will emulate fexecve(2) using /proc which
will result in the extra log entry.
[e411d6bc3855]
* docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in:
Update intercept documentation.
[f44f1cb2a5d2]
* src/exec_intercept.c, src/exec_ptrace.c:
In ptrace(2) intercept mode, add execveat to the seccomp(2) filter.
This allows us to avoid logging the initial command twice regardless
of whether the kernel supports execveat(2) or not.
[d39bd5adac13]
* src/exec_ptrace.c:
Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it. This
has a better chance of working on things like user-mode Linux.
[c53475bd4020]
* MANIFEST, src/Makefile.in, src/exec_intercept.c,
src/exec_intercept.h, src/exec_nopty.c, src/exec_ptrace.c,
src/exec_pty.c, src/sudo_exec.h:
Check the policy for ptrace-based intercept mode.
[6eadd667ca6d]
* src/exec_ptrace.c:
Add support for getting the execve(2) arguments via ptrace(2). This
will be used to perform a policy check in intercept mode.
[84b23ae53e2f]
* MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c,
src/exec_intercept.c, src/exec_nopty.c, src/exec_ptrace.c,
src/exec_pty.c, src/sudo.h, src/sudo_exec.h:
Add scaffolding for ptrace-based intercept mode.
[34a6269ac4eb]
* include/sudo_compat.h, src/exec_monitor.c, src/exec_nopty.c,
src/exec_pty.c:
Stop using the WCONTINUED flag with waitpid(2). We don't use it for
anything other than a debug message and it will cause problems when
intercept mode starts using ptrace(2).
[1f55993d68eb]
* src/exec_nopty.c, src/exec_pty.c:
Handle multiple child processes in the SIGCHLD handler. This is
required by the upcoming ptrace intercept code.
[6dd72fb8f53f]
2022-04-24 Todd C. Miller
* logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c,
plugins/sudoers/log_client.c:
sudo_logsrvd: update elapsed time for winsize and suspend in journal
mode. Fixes a bug in store-first relay mode where the commit point
messages sent by the server were incorrect.
[5607e8c7b559]
2022-04-23 Todd C. Miller
* docs/visudo.man.in, docs/visudo.mdoc.in:
Fix typo; GitHub issue #144
[fb1a539569b4]
2022-04-20 Todd C. Miller
* docs/TROUBLESHOOTING.md:
Expand section about expired accounts to include /etc/shadow info.
GitHub issue #143
[78368dadddfb]
* src/exec_monitor.c:
Add struct command details * to struct monitor_closure. This will be
used in the future by the ptrace intercept code.
[0603acf1ff96]
* src/exec.c:
Translate "unable to set limit privileges" strings.
[a8426e224497]
* ABOUT-NLS, MANIFEST, docs/CONTRIBUTING.md:
Remove ABOUT-NLS file, it is no longer maintained as part of GNU
gettext. Expand the Translations section in CONTRIBUTING.md.
[b4f0269a8f13]
* src/exec.c, src/exec_intercept.c:
Don't require a pty for intercept or log_subcmds. The code to take
back control of the tty before a policy check doesn't appear to be
needed. If the command is run in its own pty, sudo has control over
the user's tty. If the command is run in the user's tty, sudo should
be in the foreground process group.
[bddcc0d9fee6]
2022-04-19 Todd C. Miller
* config.h.in, configure, configure.ac:
Define _TIME_BITS=64 on systems that define __TIMESIZE, like GNU
libc. This should be replaced by a specialized autoconf macro when
one becomes available.
[f63b7f9ea5c2]
2022-04-11 Todd C. Miller
* plugins/python/regress/testdata/check_example_group_plugin_is_able_to_debug.log,
plugins/python/regress/testhelpers.c:
clean_output: prune lines consisting of '^' characters and
whitespace. Starting with Python 3.11, backtraces may contain a line
with '^' characters to bring attention to the important part of the
line. Also replace "REJECT" with "0" in backtrace output for Python
3.11.
[f6a5d1c05b2b]
2022-04-04 Todd C. Miller
* configure, configure.ac:
Fix check for EVP_MD_CTX_new() when -pthread is in Libs.private.
[4f3fd0d1fd34]
2022-04-01 Todd C. Miller
* configure, configure.ac, lib/eventlog/Makefile.in,
lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in,
lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in,
lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in,
plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in,
plugins/python/Makefile.in, plugins/sample/Makefile.in,
plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in:
Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS
[92aa57606481]
* INSTALL.md:
Mention other hardening compilation and linker options.
[7da9cf428e39]
2022-03-31 Todd C. Miller
* configure, configure.ac:
Fix check for EVP_MD_CTX_new using static libcrypto with
dependencies.
[c02d6b6e474c]
* configure, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4,
m4/ltversion.m4, m4/lt~obsolete.m4, scripts/ltmain.sh:
Update to libtool 2.4.7.
[b8824f6b792c]
2022-03-30 Todd C. Miller
* configure, configure.ac:
--enable-openssl: don't add non-existent directories to
PKG_CONFIG_LIBDIR
[daa9cab172da]
2022-03-29 Todd C. Miller
* scripts/mkpkg:
Fix a typo in the AIX section.
[4d122a222632]
2022-03-28 Todd C. Miller
* lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c,
lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c,
lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c,
lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inflate.h,
lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/zlib.exp,
lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
Update embedded copy of zlib to version 1.2.12. Fixes CVE-2018-25032
[3e2517079d86]
2022-03-16 Todd C. Miller
* plugins/sudoers/auth/kerb5.c:
Minor style nit.
[9bdde2c81a3d]
* Merge pull request #138 from dfskoll/main
If we're using Kerberos, don't overwrite a custom prompt
[266b04c9ee0a]
2022-03-16 Dianne Skoll
* plugins/sudoers/auth/kerb5.c:
If we're using Kerberos, don't overwrite a custom prompt if one was
given with -p
Thanks to @thend20 for testing this patch.
[e62136f88c3e]
2022-03-15 Todd C. Miller
* src/conversation.c:
Write the \r\n pair to ttyfp if possible, falling back on fp. This
is consistent with the vfprintf() call and fixes a problem
introduced by the last commit where the newline could be written
before the message instead of after.
[3aaebbec4ee5]
* include/sudo_util.h,
plugins/sudoers/regress/starttime/check_starttime.c:
Adjust starttime test when run under Debian faketime. Bug #1026
[b8ac7dec6e11]
2022-03-14 Todd C. Miller
* src/conversation.c:
sudo_conversation_printf: convert trailing nl to cr + nl combo. This
fixes output when the terminal is in raw mode and is consistent with
how sudo_conversation() behaves.
[e377f2a71021]
* lib/eventlog/eventlog.c, src/exec_monitor.c, src/exec_nopty.c,
src/exec_pty.c, src/tgetpass.c:
Block SIGCHLD when forking the mailer. Otherwise, it may be picked
up by the signal handler instead of our waitpid(2) call. Don't warn
if waitpid() returns 0 in a SIGCHLD handler.
[e34a3f90de5b]
* plugins/sudoers/sudoers.c:
Do not warn, log or send mail for errors when reinitializing
defaults. If there is a problem, we would have already warned,
logged or mailed it. The one exception is the initial defaults,
which should never fail.
[0d273f4d307d]
* plugins/sudoers/logging.c, plugins/sudoers/logging.h,
plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/sudoers.c:
If there are multiple parse errors, send them in a single mail
message.
[5de37ad1101f]
* lib/eventlog/Makefile.in, lib/iolog/Makefile.in,
lib/util/Makefile.in, logsrvd/Makefile.in,
plugins/python/Makefile.in, plugins/sudoers/Makefile.in,
src/Makefile.in:
Unset LANGUAGE when running tests, otherwise it may override LC_ALL.
Bug #1025.
[87573102f25b]
2022-03-11 Todd C. Miller
* plugins/sudoers/visudo.c:
Looser owner/permission checks for an uninstalled sudoers file. We
don't check the owner or permissions on a sudoers file that is
specified as an argument to visudo by default. However, the owner
and mode of files included via @includedir were still checked. This
commit makes the owner and permissions checks for files included via
@includedir follow the same as for the original sudoers file.
[db78857306d4]
* lib/util/regress/getdelim/getdelim_test.c:
getdelim_test: increase longstr to check end pointer after realloc.
This would have caught the recent bug in our getdelim replacement
when run under address-sanitizer or valgrind.
[6559a42a3205]
* plugins/sudoers/check_aliases.c:
Add missing va_start/va_end around call to sudoers_error_hook().
Coverity CID 250885
[49d026ba67b2]
* lib/util/getdelim.c:
Correctly update the end pointer when we expand the buffer. From
Robert Manner.
[99617ae8332d]
2022-03-10 Todd C. Miller
* lib/util/secure_path.c:
sudo_secure_path: pass the struct stat * argument directly to
stat(2). Set the pointer to a struct stat on the stack if st is NULL.
Avoids a needless memcpy() at the end.
[11636745ce29]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Fix off-by-one when storing line number in userspec. We store the
line number *after* parsing the newline so we need to subtract one.
[40d6521a966e]
* lib/eventlog/eventlog.c:
For alert messages, the command or runuser may not be set. This
fixes the logging of parse errors when JSON logging is enabled.
[cfde228ef422]
* plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c,
plugins/sudoers/locale.c, plugins/sudoers/logging.h,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/testsudoers.c:
Pass file, line and column to sudoers defaults callbacks.
[04a26b1a224c]
* plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c,
plugins/sudoers/file.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/logging.c, plugins/sudoers/logging.h,
plugins/sudoers/parse.h, plugins/sudoers/policy.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/sudoers/test18.toke.ok,
plugins/sudoers/regress/visudo/test2.err.ok,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/visudo.c:
Add a hook for sudoers parse errors (including defaults and
aliases). The hook can be used to log parser errors (sudoers module)
or keep track of which files have an error (visudo). Previously, we
only kept track of a single parse error.
[601915bb6265]
2022-03-09 Todd C. Miller
* plugins/sudoers/file.c, plugins/sudoers/ldap.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/sudoers/test18.out.ok,
plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h,
plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Add a source to struct sudo_nss and use it if getdefs() fails. Also
remove useless "Problem with defaults entries" warning in
testsudoers.
[f9ba65e975a0]
2022-03-08 Todd C. Miller
* lib/iolog/regress/iolog_path/check_iolog_path.c,
lib/util/regress/getgrouplist/getgrouplist_test.c:
Plug a few test memory leaks now that they return from main().
[dc4db97a1d57]
2022-03-06 Todd C. Miller
* lib/eventlog/regress/logwrap/check_wrap.c,
plugins/sudoers/regress/parser/check_addr.c:
Remove extra newline in sudo_warnx() calls.
[3366401671fc]
* plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c,
plugins/sudoers/file.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
Preserve the column and error message when there is a syntax error.
This information is now included in the error mail sent to root.
[a224b006bfb3]
* plugins/python/python_plugin_common.c:
Deinit python subinterpreters in reverse order (last to first). This
appears to work around a crash on OpenBSD with Python 3.9.10.
[ad4d7b33da9b]
2022-03-03 Todd C. Miller
* lib/eventlog/Makefile.in, lib/iolog/Makefile.in,
lib/util/Makefile.in, logsrvd/Makefile.in,
plugins/python/Makefile.in, plugins/sudoers/Makefile.in,
src/Makefile.in:
For 'make check-verbose' run fuzzers with -verbose=1. This is the
default for libFuzzer but not for the stub fuzzer lib.
[7f2551a87c08]
2022-03-02 Todd C. Miller
* INSTALL.md:
INSTALL.md: Mention "make check" and "make check-verbose"
[17a30e329ba7]
* scripts/generate_test_coverage.sh:
Repair generate_test_coverage.sh after move to scripts directory.
[ffef93da0436]
* Makefile.in, docs/Makefile.in, examples/Makefile.in,
include/Makefile.in, lib/eventlog/Makefile.in,
lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in,
lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in,
lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in,
plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in,
plugins/python/Makefile.in, plugins/sample/Makefile.in,
plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in:
Add check-verbose Makefile target that runs tests in verbose mode.
[929d079dbfc7]
* lib/eventlog/regress/logwrap/check_wrap.c,
lib/iolog/regress/host_port/host_port_test.c,
lib/iolog/regress/iolog_filter/check_iolog_filter.c,
lib/iolog/regress/iolog_json/check_iolog_json.c,
lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c,
lib/iolog/regress/iolog_path/check_iolog_path.c,
lib/iolog/regress/iolog_timing/check_iolog_timing.c,
lib/util/regress/closefrom/closefrom_test.c,
lib/util/regress/fnmatch/fnm_test.c,
lib/util/regress/getdelim/getdelim_test.c,
lib/util/regress/getgrouplist/getgids.c,
lib/util/regress/getgrouplist/getgrouplist_test.c,
lib/util/regress/glob/globtest.c,
lib/util/regress/mktemp/mktemp_test.c,
lib/util/regress/parse_gids/parse_gids_test.c,
lib/util/regress/progname/progname_test.c,
lib/util/regress/strsig/strsig_test.c,
lib/util/regress/strsplit/strsplit_test.c,
lib/util/regress/strtofoo/strtobool_test.c,
lib/util/regress/strtofoo/strtoid_test.c,
lib/util/regress/strtofoo/strtomode_test.c,
lib/util/regress/strtofoo/strtonum_test.c,
lib/util/regress/sudo_conf/conf_test.c,
lib/util/regress/sudo_parseln/parseln_test.c,
lib/util/regress/tailq/hltq_test.c,
lib/util/regress/uuid/uuid_test.c:
Add -v option parsing to regress tests, currently a no-op. This will
be used by a "check-verbose" target in the future.
[9cdcc23e6a70]
2022-03-01 Todd C. Miller
* plugins/python/regress/check_python_examples.c,
plugins/python/regress/testhelpers.h:
Less verbose output unless the -v option is used. Also display a
test summary at the end.
[b18a8f6526e9]
* src/regress/net_ifs/check_net_ifs.c,
src/regress/noexec/check_noexec.c,
src/regress/ttyname/check_ttyname.c:
verbose flag is boolean, not int
[8663ac48be27]
* configure.ac:
Update copyright year.
[461698b72a64]
* plugins/sudoers/Makefile.in, src/Makefile.in:
Regenerate dependencies.
[f007ec225986]
* MANIFEST, configure, configure.ac, lib/util/Makefile.in,
lib/util/regress/closefrom/closefrom_test.c:
Add sudo_closefrom() regression test.
[14f4439a8437]
* NEWS, config.h.in, configure, configure.ac, lib/util/closefrom.c:
Use close_range(2) in closefrom() emulation if available. On Linux,
prefer our own closefrom() emulation since the glibc version may
fail if /proc is not present and close_range() is not supported. On
FreeBSD, closefrom(3) will either call the closefrom or close_range
system call, depending on which is available.
[d84eff07783f]
* configure, configure.ac:
Repair --enable-pvs-studio on Linux.
[add3c7fff7f5]
* configure, configure.ac:
Mention apple radar 3710161 in the comment about broken macOS
poll(2).
[ffb6c8c070dc]
2022-02-28 Todd C. Miller
* src/regress/net_ifs/check_net_ifs.c,
src/regress/noexec/check_noexec.c,
src/regress/ttyname/check_ttyname.c:
Only display test totals unless run in verbose mode.
[f543b41f226e]
* lib/util/regress/harness.in, plugins/sudoers/regress/harness.in:
Allow test harness to be run from any directory. Also add missing
copyright notice.
[5e60bc5beb52]
* lib/util/regress/harness.in:
Adapt test harness for lib/util and move to regress directory.
[f415d958bca7]
* .gitignore, .hgignore, MANIFEST, configure, configure.ac,
lib/util/Makefile.in, plugins/sudoers/Makefile.in,
plugins/sudoers/harness.in, plugins/sudoers/regress/harness.in:
Adapt test harness for lib/util and move to regress directory.
[5f488712f797]
* lib/fuzzstub/fuzzstub.c:
Make fuzzer stub main() quiet by default. LLVM LibFuzzer displays
the input and running time by default but we don't care about that
for the stub fuzzer library.
[728005c2de78]
* .gitignore, .hgignore, MANIFEST, configure, configure.ac,
plugins/sudoers/Makefile.in, plugins/sudoers/harness.in:
Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script.
It is easier to maintain these tests in script form. The output now
more closely matches that of the other tests. The harness script can
be invoked directly and supports running specific tests.
[fbad6e93201e]
2022-02-27 Todd C. Miller
* plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po:
Updated translations from translationproject.org
[b2622a56fcbc]
2022-02-25 Todd C. Miller
* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
sudo_regex_compile_v1 stub: set errstr on error
[2da61535e60d]
* logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
fuzz_logsrvd_conf: add stub version of sudo_regex_compile_v1(). We
want to fuzz our parser, not the libc regular expression code.
[2662a181acc8]
* plugins/sudoers/regress/testsudoers/test18.out.ok,
plugins/sudoers/regress/testsudoers/test18.sh:
testsudoers/test18: don't rely on /usr/bin/w being present. Fixes a
test failure on Alpine Linux.
[5b3915cef32b]
2022-02-24 Todd C. Miller
* configure, configure.ac:
Add configure check for gzclearerr() when using system zlib.
[388dd60cd577]
* configure, configure.ac:
Fix PVS-Studio platform check for macOS.
[cc46ae5d60a3]
* plugins/sudoers/ldap.c:
sudo_ldap_parse_options: fix memory leak of sudoRole cn string.
Coverity CID 249976
[bcf86c362e05]
* src/sudo_intercept_common.c:
command_allowed: plug memory leak on strdup() failure. Coverity CID
249972
[f15a58ed68d6]
2022-02-23 Todd C. Miller
* plugins/sudoers/check.c:
display_lecture: just return if callback is NULL
[3e7352fbc28b]
* lib/eventlog/eventlog.c:
For alert messages it is possible for evlog to be NULL. Coverity CID
238641
[3e89523699fd]
* logsrvd/logsrv_util.c:
iolog_seekto: initialize struct timing_closure before using.
Coverity CID 249977
[ea53680a2367]
* logsrvd/iolog_writer.c:
iolog_rewrite: initialize struct timing_closure before using.
Coverity CID 249971
[d214237f3ce8]
* scripts/mkpkg:
Allow ARCH_FLAGS to be overridden and handle macOS 12.
[f04f3405fa50]
* scripts/mkpkg:
Prefer if [ ... ]; then over if test ...; then.
[4ba3e6ed7280]
* .circleci/config.yml:
Do not build with -Werror on macOS. Some macOS warnings are bogus,
for instance it has an incorrect getgrouplist(3) definition.
[7e5f469cb0ec]
* .circleci/config.yml:
Build and test macos with circleci.
[fc62dc986646]
2022-02-22 Todd C. Miller
* NEWS:
Mention lecture behavior change.
[cc034a54eb11]
* lib/iolog/regress/iolog_filter/check_iolog_filter.c:
Fix compilation on systems without a real openat(2).
[25067ad6772b]
* plugins/sudoers/match_digest.c:
Better warning message when the digest in sudoers is the wrong
length.
[c2043906f356]
* lib/iolog/regress/fuzz/fuzz_iolog_json.c,
lib/iolog/regress/fuzz/fuzz_iolog_legacy.c,
lib/iolog/regress/fuzz/fuzz_iolog_timing.c,
lib/util/regress/fuzz/fuzz_sudo_conf.c,
logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is
set.
[fd3d5706ffda]
2022-02-21 Todd C. Miller
* plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c,
plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c,
plugins/sudoers/check.h, plugins/sudoers/timestamp.c:
Display the lecture immediately before prompting for a password.
This means we no longer display the lecture unless the user is going
to enter a password. Authentication methods that don't interact with
the user via the terminal don't trigger the lecture.
[17ef981664c3]
* NEWS, plugins/sudoers/logging.c:
Add back warning when a user is not allowed to run a command.
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host. The
new behavior is to display the warning if a command is denied and
mail is sent to the administrator. Whether or not mail is sent is
controlled by the "mail_*" flags in sudoers. The warning text is now
"This incident has been reported to the administrator." which is
hopefully less confusing. The message will not be printed if either
the "mailto" or "mailerpath" sudoers settings are disabled.
[dcaeadb7e558]
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
Document that negating mailto or mailerpath disables sending mail.
[02d8aabd9af3]
* TODO:
Remove obsolete TODO file.
[98e112abab92]
2022-02-20 Todd C. Miller
* plugins/sudoers/logging.c:
Don't try to send mail if mailto not set or the mailer is not
present.
[37166e692a9c]
2022-02-18 Todd C. Miller
* plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po,
plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo,
po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo,
po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo,
po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo,
po/ro.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo,
po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org
[194b42011062]
* MANIFEST, lib/iolog/Makefile.in,
lib/iolog/regress/iolog_filter/check_iolog_filter.c,
lib/iolog/regress/iolog_filter/test1/log,
lib/iolog/regress/iolog_filter/test1/timing,
lib/iolog/regress/iolog_filter/test1/ttyin,
lib/iolog/regress/iolog_filter/test1/ttyin.filtered,
lib/iolog/regress/iolog_filter/test1/ttyout,
lib/iolog/regress/iolog_filter/test2/log,
lib/iolog/regress/iolog_filter/test2/timing,
lib/iolog/regress/iolog_filter/test2/ttyin,
lib/iolog/regress/iolog_filter/test2/ttyin.filtered,
lib/iolog/regress/iolog_filter/test2/ttyout,
lib/iolog/regress/iolog_filter/test3/log,
lib/iolog/regress/iolog_filter/test3/timing,
lib/iolog/regress/iolog_filter/test3/ttyin,
lib/iolog/regress/iolog_filter/test3/ttyin.filtered,
lib/iolog/regress/iolog_filter/test3/ttyout:
Add tests for iolog filtering. This is the functionality used by the
log_passwords and passprompt_regex options.
[07e587dfd765]
* lib/iolog/iolog_filter.c:
iolog_pwfilt_run: apply regex on ttyout even if we disabled
filtering. The heuristic used to decide when to disable filtering is
when we see another ttyout buffer or find a cr or nl in the ttyin
buffer. However, we should also check the buffer that caused us to
disable filtering for a matching regex that would re-enable
filtering. Programs that prompt for a password twice might otherwise
not have the second password filtered.
[f34bf167c3b4]
2022-02-16 Todd C. Miller
* INSTALL.md, README.LDAP.md, docs/TROUBLESHOOTING.md,
docs/UPGRADE.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in,
docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in,
docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in,
docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in,
docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in,
docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in,
examples/sudo_logsrvd.conf.in:
Avoid using "note that" and "note: " in documentation.
[d75995c86fe0]
* INSTALL.md, README.LDAP.md, README.md, docs/CONTRIBUTING.md,
docs/CONTRIBUTORS.md, docs/SECURITY.md, docs/TROUBLESHOOTING.md,
docs/UPGRADE.md, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in,
docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in,
docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in,
docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in,
docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in,
docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in,
docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in,
docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in,
docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in,
docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Remove "please" from the documentation, it is considered bad style.
[9c4a7bc1b48c]
* docs/UPGRADE.md:
Mention regular expressions and "sudo -l -U user" behavior change.
[9bf947ed3e30]
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add security notes about regular expressions in sudoers rules.
[1748e3a05906]
* NEWS:
Update NEWS for GitHub issue #134.
[c69636554901]
2022-02-15 Todd C. Miller
* lib/eventlog/eventlog.c:
do_logfile_sudo: plug memory leak of full_line. Coverity CID 249329
[d1d2bc51077a]
* plugins/sudoers/logging.c:
log_server_alert: plug potential memory leak. Coverity CID 249328
[4d01a8e7dffb]
* plugins/sudoers/logging.c:
fmt_authfail_message: compute the exact amount of space needed.
Instead of truncating on overflow, warn and return NULL.
[96542ddc9674]
* plugins/sudoers/parse.c:
Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326
[23249273cd01]
2022-02-14 Todd C. Miller
* docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/parse.c,
plugins/sudoers/policy.c:
Restrict "sudo -U other -l" to users with sudo ALL for root or
"other". Having "sudo ALL" permissions is no longer sufficient to be
able to list another user's privileges. The invoking user must now
have "sudo ALL" for root or the target user. GitHub issue #134
[e2b4f8400599]
2022-02-13 Todd C. Miller
* NEWS:
Reword some of the NEWS items for 1.9.10.
[b2d757e7889c]
2022-02-12 Todd C. Miller
* docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
docs/sudoers.man.in, docs/sudoers.mdoc.in, lib/util/regex.c,
po/sudo.pot:
Limit regular expressions to 1024 characters each. Avoids a problem
with the fuzzer creating large regular expressions that blow up the
glibc regcomp().
[83b1cac11c79]
2022-02-11 Todd C. Miller
* .gitignore, .hgignore, MANIFEST, configure, configure.ac,
examples/Makefile.in, examples/sudo.conf.in, examples/syslog.conf,
examples/syslog.conf.in:
Substitute values in the example syslog.conf too. Also update ignore
files for example changes
[b13a7e6a630c]
* MANIFEST, configure, configure.ac, docs/sudo.conf.man.in,
docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in,
docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in,
docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/Makefile.in,
examples/sudo_logsrvd.conf, examples/sudo_logsrvd.conf.in,
examples/sudoers, examples/sudoers.in:
Substitute paths set by configure in examples. Bug #1023
[f528fe7a8f88]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update Project-Id-Version to 1.9.10.
[0ad7934baa9f]
* plugins/sudoers/po/sudoers.pot:
Update .pot files for 1.9.10
[c7a477455e2e]
* NEWS, configure, configure.ac:
Sudo 1.9.10
[b437c4c37971]
* MANIFEST, docs/sudo_logsrvd.conf.man.in,
docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, include/sudo_util.h, lib/iolog/iolog_filter.c,
lib/util/Makefile.in, lib/util/regex.c, lib/util/util.exp.in,
plugins/sudoers/defaults.c, plugins/sudoers/match_command.c,
plugins/sudoers/regress/sudoers/test28.in,
plugins/sudoers/regress/sudoers/test28.json.ok,
plugins/sudoers/regress/sudoers/test28.ldif.ok,
plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok,
plugins/sudoers/regress/sudoers/test28.out.ok,
plugins/sudoers/regress/sudoers/test28.toke.ok,
plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c,
plugins/sudoers/toke.h, plugins/sudoers/toke.l,
plugins/sudoers/toke_util.c:
Add helper function to compile a regex that supports (?i).
[d680d423d2df]
2022-02-10 Todd C. Miller
* MANIFEST, configure, configure.ac, docs/sudoers.man.in,
docs/sudoers.mdoc.in, examples/sudoers,
plugins/sudoers/fmtsudoers.c, plugins/sudoers/match_command.c,
plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test28.in,
plugins/sudoers/regress/sudoers/test28.json.ok,
plugins/sudoers/regress/sudoers/test28.ldif.ok,
plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok,
plugins/sudoers/regress/sudoers/test28.out.ok,
plugins/sudoers/regress/sudoers/test28.toke.ok,
plugins/sudoers/regress/sudoers/test29.in,
plugins/sudoers/regress/sudoers/test29.json.ok,
plugins/sudoers/regress/sudoers/test29.ldif.ok,
plugins/sudoers/regress/sudoers/test29.out.ok,
plugins/sudoers/regress/sudoers/test29.toke.ok,
plugins/sudoers/regress/testsudoers/test18.out.ok,
plugins/sudoers/regress/testsudoers/test18.sh,
plugins/sudoers/toke.c, plugins/sudoers/toke.h,
plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Add support for matching command and args using regular expressions.
Either the command, its arguments or both may be (separate) regular
expressions.
[bef0b1a14771]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Clear sudoers_errstr after it is used. This way we avoid printing
the same error message more than once if there are multiple ERROR
tokens returned from the lexer.
[8a7509cd1c46]
* logsrvd/logsrvd_local.c:
store_iobuf_local: fix potential double free on the error path.
[f9a0e3cb3c7f]
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in,
docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in,
docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in,
docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in,
docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in,
docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in,
docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in,
docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in,
docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in,
docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Update links to sudo web site and reference markdown docs.
[da9a9eb04f04]
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in,
docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in,
docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Use a 4n indent for code blocks instead of the default 6n.
[7322dd26a3d4]
* plugins/sudoers/testsudoers.c:
testsudoers: disable argument permutation in GNU getopt. This makes
it easier to test commands with arguments.
[fb005b03a75e]
* lib/iolog/iolog_filter.c:
iolog_pwfilt_run: fix types in error return
[663deea257d0]
* lib/iolog/iolog_filter.c, plugins/sudoers/iolog.c:
Free potential leaks of passprompt_regex_handle. Coverity CID 249057
[d562ea42ab66]
2022-02-09 Todd C. Miller
* Merge pull request #133 from Dzejrou/main
Do not unset user timeout when no default timeout is set.
[58504381014e]
2022-02-09 Jaroslav Jindrak
* plugins/sudoers/policy.c:
Do not unset user timeout when no default timeout is set.
[25f32be7d18d]
2022-02-08 Todd C. Miller
* plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h,
plugins/sudoers/regress/sudoers/test2.in,
plugins/sudoers/regress/sudoers/test2.json.ok,
plugins/sudoers/regress/sudoers/test2.ldif.ok,
plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok,
plugins/sudoers/regress/sudoers/test2.out.ok,
plugins/sudoers/regress/sudoers/test2.toke.ok:
Don't escape double quotes (") in a command when printing it.
Previously, cvtsudoers and "sudo -l" would escape double quotes in a
command or command line argument, which is not valid sudoers syntax.
[3bd0505b03e2]
* docs/sudoers.man.in, docs/sudoers.mdoc.in:
A few minor (mostly cosmetic) fixes. Add missing ALL to Runas_Member
and Host. Replace some tabs with spaces. Fix the syntax of a
sudoedit example.
[a943116eb35b]
2022-02-04 Todd C. Miller
* Merge pull request #132 from ninedotnine/patch-1
Sync example sudoers with default sudoers
[8c903452e624]
2022-02-04 dan soucy
* examples/sudoers:
Sync example sudoers with default sudoers
`sudoers.in` was changed by 1d13533
[f34657ff9345]
2022-02-04 Todd C. Miller
* ABOUT-NLS, INSTALL.md, NEWS, README.LDAP.md, docs/CONTRIBUTING.md,
plugins/sudoers/po/README, po/README:
Upgrade http links to https where possible and fix some broken
links.
[e33d61fdafdb]
2022-02-03 Todd C. Miller
* plugins/sudoers/logging.c:
Remove "This incident will be reported." from user warnings. This
used to indicate that email had been sent to the administrator
telling them that someone tried to run sudo. Whether or not sudo
sends email is now configurable, so the warning may not be accurate.
It is also confusing to the user since they will not know who the
incident is being reported to. See also https://xkcd.com/838/
[b2860bb51393]
* plugins/sudoers/sssd.c:
Log fn_get_values() return code in the debug log on error. Also move
a nested switch() statement out of 'case 0' for improved
readability.
[ad609804a70c]
* plugins/sudoers/sssd.c:
Do not return an error if we cannot connect to the SSSD connector.
This may simply mean that nsswitch.conf lists sss as a sudoers
source but SSSD is not configured for sudo. Otherwise, the user will
receive a useless "problem with defaults entries" when the sssd
backend tries to fetch the global defaults. Bug #1022.
[60bb147ed3e6]
* plugins/sudoers/log_client.c, plugins/sudoers/logging.c:
Set client_closure to NULL after freeing it.
[20da8f0c9226]
* plugins/sudoers/log_client.c:
client_closure_alloc: init write_bufs/free_bufs before other
allocations. We must initialize the tail queues before any possible
call to client_closure_free(), such as due to malloc() failure.
[5dd7d1ba2b76]
* logsrvd/logsrvd_journal.c:
Add missing default return in last commit.
[e17820ba6ff8]
* logsrvd/logsrvd_journal.c:
sudo_logsrvd: make sure journal exists before writing the alert
message. Fixes a potential NULL dereference when journaling an alert
message.
[19d109fb1420]
* include/sudo_compat.h:
Fix compilation on Debian kFreeBSD. The configure script correctly
detects that utimensat() and futimens() are missing but the headers
define stub versions of the functions. Including sys/stat.h pulls in
the system definitions so we can override them safely. Bug #1021.
[10775e14164a]
2022-02-02 Todd C. Miller
* src/ttyname.c:
Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or
invalid. If the /proc file indicates no terminal is present there is
no fallback. Bug #1020
[c32620c9f115]
2022-02-01 Todd C. Miller
* docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/check.c,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/defaults.c:
Add sudoers option to perform authentication even in non-interactive
mode. If noninteractive_auth is set, authentication methods that do
not require input from the user's terminal may proceed. It is off by
default, which restores the pre-1.9.9 behavior of "sudo -n".
[f06dcd0957d0]
* MANIFEST, lib/iolog/iolog_filter.c,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.7:
Work around a glibc regcomp() bug with repeated '+' operators. Glibc
regcomp() has a bug where it uses excessive memory for repeated '+'
ops. Collapse them to avoid running the fuzzer out of memory.
[db423326311f]
* logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5,
logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6:
Rebase seed corpus on updated sudo_logsrvd.conf example.
[1f30b95c6ce6]
* logsrvd/logsrvd_conf.c:
Fix parsing of "retry_interval" in the relay section. The setting
was present but the callback was missing so it could not be parsed
in the conf file.
[09666425a392]
* logsrvd/logsrvd_conf.c:
Use TIME_T_MAX as the upper limit when parsing timeouts.
[989eaa812d4e]
* plugins/sudoers/auth/pam.c:
converse: don't set response pointer on error. Linux pam_conv(3) says
not to set the pointer on PAM_CONV_ERR.
[79934c8631c0]
2022-01-31 Todd C. Miller
* MANIFEST, plugins/sudoers/regress/cvtsudoers/sudoers4:
Add missing sudoers4 test file for new cvtsudoers test.
[5b9f3084d9e9]
* MANIFEST, plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/test38.out.ok,
plugins/sudoers/regress/cvtsudoers/test38.sh:
defaults_check_conflict: it is only really a conflict if the binding
match. If the Defaults name matched but the binding does not, we can
simply leave it be. Fixes a problem where given two sudoers sources
that have a host specified, if they contain conflicting Defaults
entries we would drop one of the Defaults instead of keeping both
after making them host-specific.
[9b8ad3d1e163]
* MANIFEST, plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/sudoers1,
plugins/sudoers/regress/cvtsudoers/sudoers2,
plugins/sudoers/regress/cvtsudoers/sudoers3,
plugins/sudoers/regress/cvtsudoers/test34.out.ok,
plugins/sudoers/regress/cvtsudoers/test34.sh,
plugins/sudoers/regress/cvtsudoers/test35.out.ok,
plugins/sudoers/regress/cvtsudoers/test35.sh,
plugins/sudoers/regress/cvtsudoers/test36.out.ok,
plugins/sudoers/regress/cvtsudoers/test36.sh,
plugins/sudoers/regress/cvtsudoers/test37.out.ok,
plugins/sudoers/regress/cvtsudoers/test37.sh:
Make it possible to merge a host-based Defaults with a global one.
We convert the global Defaults to a host-based one with a single
"ALL" member. Later, when we simplify the host list, we'll convert
this back to a global Defaults.
[152c16a608c1]
2022-01-29 Todd C. Miller
* logsrvd/logsrvd_conf.c:
Check for garbage after [section] in sudo_logsrvd.conf.
[46a222b60747]
* logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict,
plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
Sync fuzzing dictionary with current configuration keyword list.
[9af3929a2f6a]
2022-01-28 Todd C. Miller
* docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
examples/sudo_logsrvd.conf, logsrvd/logsrvd.h,
logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
Add new log_passwords and passprompt_regex settings. When logging
terminal input, if log_passwords is false and any of the regular
expressions in the passprompt_regex list are found in the terminal
output, terminal input will be replaced with '*' characters until a
newline or carriage return is found in the input or an output
character is received.
[1d07eaada99c]
* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c,
plugins/sudoers/policy.c,
plugins/sudoers/regress/serialize_list/check_serialize_list.c,
plugins/sudoers/regress/unescape/check_unesc.c,
plugins/sudoers/serialize_list.c, plugins/sudoers/sudoers.h,
plugins/sudoers/unesc_str.c:
Escape/unescape commas when serializing/deserializing a stringlist.
[17c422c0b236]
* plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c,
plugins/sudoers/locale.c, plugins/sudoers/logging.h,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/testsudoers.c:
Pass the operator to the Defaults callback too. That way we can tell
what to do in callbacks for lists.
[d541809b62bf]
* MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in,
lib/iolog/iolog_filter.c:
lib/iolog: add support for filtering password out of tty input. If a
password regex is found in the tty output, tty input will be
replaced with '*' chars until a newline or another tty output
character is received.
[19c3a58dfe29]
* docs/sudoers.man.in, docs/sudoers.mdoc.in,
plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
plugins/sudoers/iolog.c, plugins/sudoers/policy.c,
plugins/sudoers/sudoers.c:
Add new sudoers settings log_passwords and passprompt_regex. When
logging terminal input, if log_passwords is disabled and any of the
regular expressions in the passprompt_regex list are found in the
terminal output, terminal input will be replaced with '*' characters
until a newline or carriage return is found in the input or an
output character is received.
[5fa969cfdef4]
* plugins/sudoers/def_data.c, plugins/sudoers/def_data.in,
plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
Add a flag to avoid splitting list entries on white space.
[32ac4cd5eae7]
2022-01-27 Todd C. Miller
* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
"plain text" -> "plaintext" for consistency.
[6cbefac27286]
2022-01-25 Todd C. Miller
* po/ro.mo, po/ro.po:
Updated translations from translationproject.org
[c264de490846]
* INSTALL.configure:
Sync with autoconf git.
[efd6e2df1b4f]
* scripts/mkdep.pl:
Fix potential infinite loop when trying to format long lines.
[e17a3b7b657b]
2022-01-20 Todd C. Miller
* docs/sudo.man.in, docs/sudo.mdoc.in:
Document how commands are passed to the shell for the -i and -s
options. The concatenation of command and arguments and escaping of
special characters was not documented. Text adapted from GitHub
issue #121 from Kris Rinzwind
[852f803234af]
* docs/TROUBLESHOOTING.md:
Also mention no_new_privs error in the troubleshooting guide.
[70cc0679098f]
* INSTALL.md, docs/TROUBLESHOOTING.md, docs/sudo.conf.man.in,
docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in,
docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in,
docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in,
docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in,
docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in,
docs/visudo.mdoc.in:
Replace uid and gid with user-ID and group-ID in more places.
[2b6bc95509fd]
2022-01-19 Todd C. Miller
* INSTALL.md:
PAM is enabled on NetBSD by default too.
[3bc31511f687]
* INSTALL.md, README.LDAP.md, docs/HISTORY.md,
docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
Use the Oxford comma consistently, it is helpful in technical
documents.
[3df4b26d035e]
* docs/sudo.man.in, docs/sudo.mdoc.in:
Document the error message when no_new_privs is set.
[492a154dec10]
* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
Sudo now recovers from sudoers syntax errors.
[77d457c4e722]
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in,
docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in,
docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in,
docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in,
docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in,
docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in,
docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in,
docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in,
examples/sudo.conf.in, examples/sudo_logsrvd.conf:
Use the Oxford comma consistently, it is helpful in technical
documents.
[e8d29c772963]
* INSTALL.md:
Mention docker configuration.
[8312350518cb]
* plugins/sudoers/ldap_util.c:
Quiet a cppcheck false positive.
[023468af3269]
* docs/CONTRIBUTING.md:
Mention https://www.sudo.ws/security/fuzzing/ in the fuzzing
section.
[87767f7b89ad]
* plugins/sudoers/sssd.c:
Fix logic inversion when setting negated flag.
[3e4051bc9f30]
* src/sudo.c:
Quiet a PVS-Studio format string warning.
[77e953f3c46f]
2022-01-18 Todd C. Miller
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Regen .pot files.
[b999972bc90d]
* NEWS:
Bug #1016, #1017 and negated sudoUser in LDAP.
[4ec54e728437]
* plugins/sudoers/defaults.c:
Don't set/run early Defaults if a custom defaults_list is specified.
Defaults settings passed in by the front end are already "early" so
there is no need to treat any of them as special.
Otherwise, we end up running the early defaults callbacks before
sudoers has been parsed. This means that, for instance, it is not
possible to disable the fqdn flag before its callback is run if sudo
is built with the --with-fqdn option. Bug #1016.
[8c6eaa503793]
* plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
Mark is_early_default(), run_early_defaults(), set_early_default()
static. They are not used outside of defaults.c.
[1045e8c7a92e]
* plugins/sudoers/sssd.c:
Add support in SSSD for negated users.
[bca3d02cdd8b]
* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in,
plugins/sudoers/ldap.c:
Add support in the LDAP filter for negated users. Based on a diff
from Simon Lees
[e1d48d44229e]
2022-01-12 Todd C. Miller
* lib/util/mkdir_parents.c:
Use PATH_MAX, not NAME_MAX+1 for the directory entry length. On some
systems, such as Solaris, the max length of a directory entry is
filesystem-dependent. We could use fpathconf() and dynamically
allocate the name but it is simpler to just use PATH_MAX here.
[d1a097783717]
* plugins/python/python_plugin_common.c:
Only emulate Py_FinalizeEx for Python 3.[0-5].
[b314942c0f2f]
* lib/util/getcwd.c, lib/util/mkdir_parents.c:
Use POSIX NAME_MAX, not the obsolete MAXNAMLEN define. Fixes
compilation with musl libc.
[a1609b2d968f]
2022-01-11 Todd C. Miller
* src/limits.c:
When applying fallback limits, make sure we don't reduce rlim_max.
Fixes a problem where sudo could reduce the max stack size on some
systems if the original limit was higher than the fallback limit,
but not unlimited/infinity.
[1fef77204f17]
* src/limits.c:
Don't modify the stack limit if it is >= SUDO_STACK_MIN.
[b9e473780083]
* plugins/sudoers/Makefile.in:
The pre-install target requires visudo, add an explicit dependency.
[b5b073d2fc9b]
2022-01-09 Todd C. Miller
* src/sudo.c:
If sudo is not set-user-ID root, check for the no_new_privs flag on
Linux. This flag disables set-user-ID at execve(2) time and may be
set by default for some containers. GitHub issue #129.
[462249058274]
2022-01-08 Todd C. Miller
* docs/sudoers.man.in, docs/sudoers.mdoc.in,
plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/policy.c, plugins/sudoers/sudoers.h,
src/parse_args.c:
Add pam_askpass_service sudoers setting for "sudo -A". This makes it
possible to use a different PAM configuration for when "sudo -A" is
used. The main use case is to only use PAM modules that can interact
with the askpass program. GitHub issue #112.
[5f59bc3f9d81]
2022-01-07 Todd C. Miller
* lib/iolog/iolog_loginfo.c:
Improve debugging info when fdopen() fails.
[0d9711d8564a]
2022-01-06 Todd C. Miller
* plugins/sudoers/sssd.c:
sss_sudo_free_values() checks for NULL, no need to do it manually.
[ccf012907a01]
* plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Quiet a clang analyzer false positive.
[90b6791616b0]
2022-01-05 Todd C. Miller
* plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Quiet a clang analyzer false positive.
[3c66e9be5f24]
* plugins/sudoers/auth/sudo_auth.c:
Fix return value for non-interactive mode for non-standalone auth
methods. AUTH_NONINTERACTIVE was being stored in the wrong variable.
[199a180e7fab]
* plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po,
plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, po/fi.mo,
po/fi.po, po/ko.mo, po/ko.po, po/tr.mo, po/tr.po:
Updated translations from translationproject.org
[032877650fe6]
* plugins/sudoers/cvtsudoers_merge.c:
defaults_var_matches() should return bool, not enum match_result.
Remove enum match_result as it is no longer used.
[6559769ddcd1]
* plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c:
Quiet two PVS-studio warnings.
[3a7c89cff3d6]
* plugins/sudoers/auth/pam.c:
Remove PAM_TTY workaround for old, buggy PAM modules. In the past,
some PAM modules assumed that PAM_TTY was set and would misbehave
(or crash) if not. This was primarily obsolete versions of Linux-
PAM, so it should now be safe to remove this. Setting PAM_TTY to an
empty string can cause its own set of issues. GitHub issue #74
[491cb67ea43b]
2022-01-04 Todd C. Miller
* NEWS:
Mention fix for Bug #956 and GitHub issue #83.
[8692b9985381]
* plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c,
plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c,
plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c,
plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c,
plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c,
plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c,
plugins/sudoers/logging.c, plugins/sudoers/sudoers.h:
Push non-interactive mode checking down into the auth methods. For
"sudo -n" we only want to reject a command if user input is actually
required. In the case of PAM at least, we may not need to interact
with the user. Bug #956, GitHub issue #83
[bc9653ffe82f]
2022-01-03 Todd C. Miller
* plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/sudoers1,
plugins/sudoers/regress/cvtsudoers/sudoers2,
plugins/sudoers/regress/cvtsudoers/sudoers3,
plugins/sudoers/regress/cvtsudoers/test34.out.ok,
plugins/sudoers/regress/cvtsudoers/test35.out.ok,
plugins/sudoers/regress/cvtsudoers/test36.out.ok:
userspec_overridden: fix checks when there is more than one userspec
[199996d29f50]
* MANIFEST, plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/test35.out.ok,
plugins/sudoers/regress/cvtsudoers/test36.out.ok,
plugins/sudoers/regress/cvtsudoers/test36.sh:
Fix merging of global/ALL entries when each input file has a host.
If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec to
the host name. However, if all the input files have matching hosts
we can simplify the merged file by converting back to ALL after
resolving conflicts.
[bfdb2edfca71]
* LICENSE.md:
Welcome to 2022.
[039e8c0efd7e]
* docs/Makefile.in:
LICENSE.md moved to the top-level src dir.
[b1c2687eef9d]
2021-12-22 Todd C. Miller
* Merge pull request #127 from Tyler887/main
Typo
[c4780c2a3056]
2021-12-22 Tyler887
* INSTALL.md:
Typo
[b650bec9f275]
2021-12-22 Todd C. Miller
* NEWS, docs/UPGRADE.md, plugins/sudoers/policy.c, src/selinux.c,
src/sudo.c:
Back out changes to enable SELinux by default. This may return in a
future release in a different form.
[73e46fbe5c27]
* LICENSE.md, MANIFEST, README.md, docs/LICENSE.md:
Move LICENSE.md out of docs and back to the top-level. GitHub
expects it to be in the top-level directory.
[3c62dd396aff]
2021-12-20 Todd C. Miller
* MANIFEST, plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/test35.out.ok,
plugins/sudoers/regress/cvtsudoers/test35.sh:
cvtsudoers: fix a regression when merging matching Defaults. If a
host is specified with a sudoers file, we have to treat Defaults as
Defaults@host checking for duplicates.
[9db413953938]
2021-12-18 Todd C. Miller
* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
add_defaults: add defs == NULL check to quiet coverity false
positive
[a534eee04069]
2021-12-17 Todd C. Miller
* plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/test34.out.ok,
plugins/sudoers/regress/cvtsudoers/test34.sh:
When merging Defaults, allow a subsequent global Defaults (no
binding) to override a prior Defaults setting with a binding.
[0be52fa6d4d8]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
add_defaults: defs can never be NULL
[9ba97823b757]
* plugins/sudoers/cvtsudoers_merge.c:
Plug memory leak when making a default host-specific. We don't need
to allocate new space for the binding list, just the members of the
list.
[5667d09136f2]
2021-12-16 Todd C. Miller
* MANIFEST, examples/Makefile.in, examples/cvtsudoers.conf:
Add an example cvtsudoers.conf file.
[aa738148e712]
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h:
Add group_file, match_local, and passwd_file to cvtsudoers.conf.
Previously, these were only settable via command line options.
[a7a8b0af3c42]
2021-12-12 Todd C. Miller
* docs/TROUBLESHOOTING.md:
Remove question about running Solaris 11 binaries on Solaris 10.
Current versions of sudo use many APIs that are not present on
Solaris 10. If you want a sudo Solaris 10 binary, build it on
Solaris 10, not 11.
[0346a46cf595]
* MANIFEST, plugins/sudoers/regress/cvtsudoers/test34.out.ok,
plugins/sudoers/regress/cvtsudoers/test34.sh:
Add simple test for cvtsudoers merge functionality.
[fda86b17249a]
* plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po,
plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo,
po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo,
po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/pl.mo,
po/pl.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/zh_CN.mo,
po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org
[edfdaac9b1e7]
* MANIFEST, plugins/sudoers/po/es.mo, plugins/sudoers/po/es.po:
Add sudoers Spanish translation from translationproject.org
[502d45c0af5f]
2021-12-11 Todd C. Miller
* NEWS:
Bugs #1013 and #1014
[1a7b533c5829]
* lib/util/mkdir_parents.c:
sudo_mkdir_parents: make sure the path we created is a directory. For
extra paranoia, verify that the directory we created is still a
directory before we fchown() it.
[75c23aaa9fca]
* docs/sudo.man.in, docs/sudo.mdoc.in:
In SECURITY NOTES, clarify that PATH may be overridden by the
policy. Bug #1014
[4f7035d6b921]
* MANIFEST, config.h.in, configure, configure.ac,
include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in,
lib/util/mkdir_parents.c, lib/util/mkdirat.c, logsrvd/logsrvd.c,
plugins/sudoers/timestamp.c, scripts/mkdep.pl:
Avoid TOCTOU in sudo_mkdir_parents() using openat(2) and mkdirat(2).
This also allows us to make path const as it should be.
[46db77e4afb8]
* plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
Sudo parsed "deref" and "tls_reqcert" in ldap.conf but didn't set
the options. The switch() in the sudo_ldap_set_options_table()
function needed to be updated to treat CONF_DEREF_VAL and
CONF_REQCERT_VAL data types as int. Fix from Dennis Filder. Bug
#1013.
[5f5bdf9010d7]
2021-12-10 Todd C. Miller
* docs/SECURITY.md:
Minor formatting tweak so we can import into the sudo web site.
[220c647b6635]
* plugins/sudoers/defaults.c, plugins/sudoers/pwutil_impl.c:
Fix CodeQL "Multiplication result converted to larger type"
warnings.
[a17db0b94018]
2021-12-09 Todd C. Miller
* docs/SECURITY.md:
Surround email addresses with angle brackets, not square brackets.
[b9514c0165f2]
2021-12-08 Todd C. Miller
* plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po,
plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/fa.mo,
po/fa.po, po/fi.mo, po/fi.po, po/ja.mo, po/ja.po, po/sr.mo,
po/sr.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org
[b2815226875b]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.9
[e4e903808160]
2021-12-06 Todd C. Miller
* README.LDAP.md, docs/CONTRIBUTING.md, docs/TROUBLESHOOTING.md,
docs/UPGRADE.md:
Minor formatting tweaks.
[eee91b1fc68c]
2021-12-05 Todd C. Miller
* INSTALL, INSTALL.md, MANIFEST, README, README.LDAP, README.LDAP.md,
README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS,
docs/CONTRIBUTORS.md, docs/HISTORY, docs/HISTORY.md, docs/LICENSE,
docs/LICENSE.md, docs/Makefile.in, docs/TROUBLESHOOTING,
docs/TROUBLESHOOTING.md, docs/UPGRADE, docs/UPGRADE.md,
etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Convert README and docs files to markdown. This makes things look
better on GitHub and we can use the markdown version directly in the
new sudo web site.
[1cdcbce74a73]
2021-12-04 Todd C. Miller
* docs/SECURITY.md:
Policy -> Disclosure Policy
[13f278869e03]
* Merge pull request #124 from juspence/main
Allow sudo -g anyone and sudo -u anyone -g anytwo
[1a000f5aaba1]
2021-12-04 juspence <87657842+juspence@users.noreply.github.com>
* plugins/sudoers/sudoers.in:
Allow sudo -g anyone and sudo -u anyone -g anytwo
When only the user (ALL) is specified explicitly, and the group is
implied, only sudo -u works. Specifying both the user and group,
like (ALL:ALL), is required to:
1) Use sudo -g by itself (with no -u user)
2) Use sudo -u and -g together, with a -g group that is different from
the -u user's primary group
[ca31aaa0b074]
2021-12-02 Todd C. Miller
* lib/util/Makefile.in:
Add build dir to include search path for mksiglist.h and mksigname.h.
Fixes out of tree builds on systems without sys_siglist[] or
sys_signame[]. GitHub issue #123.
[fccd76813052]
2021-11-29 Todd C. Miller
* MANIFEST, plugins/sudoers/cvtsudoers_merge.c,
plugins/sudoers/regress/cvtsudoers/sudoers1,
plugins/sudoers/regress/cvtsudoers/sudoers2,
plugins/sudoers/regress/cvtsudoers/sudoers3:
cvtsudoers: better merging of lists that are not exact duplicates.
When merging rules, if one list would be overridden by another,
remove the overridden rule and continue merging.
[19dc52bd9c6f]
2021-11-28 Todd C. Miller
* NEWS:
Update NEWS with latest changes.
[fafe74e0b20f]
2021-11-27 Todd C. Miller
* src/edit_open.c:
dir_is_writable: don't treat EPERM from faccessat() as a fatal
error. We can get EPERM on Linux with SELinux. GitHub issue #122.
[25bbc56b2f6d]
2021-11-24 Todd C. Miller
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h,
plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: add -l option to log merge actions. The "-l logfile"
option can be used to store a log of what actions cvtsudoers took
when merging multiple files. For example, which aliases were
renamed, which entries were overridden or removed as duplicated.
[fa96976882aa]
* NEWS, configure, configure.ac:
Sudo 1.9.9
[dad415a982bc]
2021-11-21 Todd C. Miller
* MANIFEST, docs/CONTRIBUTORS, po/fa.mo, po/fa.po:
New Persian (Farsi) translation from translationproject.org
[3665533a7219]
2021-11-20 Todd C. Miller
* plugins/sudoers/cvtsudoers_csv.c:
Quiet a PVS Studio warning. The warning that need_comma is always
false is correct but in this case it is better to use a consistent
construct so that if the code is re-ordered no bugs are introduced.
[5109a34444f5]
* lib/util/getentropy.c:
Pass correct size to free_zero(). Coverity CID 241233
[2ba51f57deb5]
* plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c,
plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/defaults.c,
plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.y, plugins/sudoers/parse.c,
plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c:
Add reference counting to Defaults bindings. Previously, we checked
that the previous entry's binding pointer was not the same while
freeing. However, to be able to merge Defaults records we cannot
rely on Defaults entries with the same binding being immediately
adjacent. This removes the prev_binding checks in favor of a
reference count which allows us to plug the memory leak in
cvtsudoers when merging Defaults.
[0a789516622b]
2021-11-19 Todd C. Miller
* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h,
plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/parse.h:
cvtsudoers: merge aliases when multiple sudoers files are specified.
Duplicate aliases are removed. If there are conflicting alias names,
the conflicts are renamed by appending a numerical suffix. For
example, if there are two SERVERS Host_Aliases, the second one will
be renamed to SERVERS_1.
[d9b602626b8c]
* plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: merge Defaults when multiple sudoers files are specified.
If a hostname is specified with the sudoers file, it will be used to
make the Defaults setting host-specific, if possible. Duplicate
Defaults settings are removed and conflicts are warned about. It is
not possible to resolve all conflicts automatically.
[756b05304ccb]
* plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: merge userspecs when multiple sudoers files are
specified If a hostname is specified with the sudoers file, it will
be used to make the userspec host-specific, if possible. Duplicate
userspecs are removed but conflicting entries are not currently
pruned.
[643b533bb4f4]
* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
Document how to merge sudoers files with cvtsudoers.
[241c3786f5a8]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/parse.h,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c:
init_parse_tree() now takes ownership of lhost and shost, if any.
This means that lhost and shost in struct sudoers_parse_tree are no
longer const and that free_parse_tree() will free lhost/shost. The
only consumer that passed in lhost/shost was the SSSD back-end
which has been updated to avoid a double-free.
[650bb75666fb]
* plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: use init_parse_tree() to initialize a parse tree. Also
free the parse tree before exit.
[9d8f8bb88192]
* MANIFEST, Makefile.in, etc/macos-background.png,
etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Add a background image for the macOS installer.
[39889307b278]
* scripts/pp:
Update PolyPkg
[44b1d08be1b0]
2021-11-18 Todd C. Miller
* scripts/mkpkg:
mkpkg: handle a macOS SDK that just uses the major version. For
example, MacOSX11.sdk instead of MacOSX11.3.sdk.
[ce41fc5aa672]
* lib/util/Makefile.in:
Add missing dependencies for timegm.
[b20c4936504b]
2021-11-16 Todd C. Miller
* plugins/sudoers/cvtsudoers.c:
Add support for specifying the hostname as a prefix to the sudoers
file. If present, the host name is copied into the struct
sudoers_parse_tree.
[e87e11cccb6e]
2021-11-11 Todd C. Miller
* plugins/sudoers/cvtsudoers.c:
cvtsudoers: parse multiple sudoers files and store them in a tail
queue In the future the parsed files will be merged before they are
output.
[89c77b3f4157]
* plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/parse.h:
Add sudoers_parse_tree_list, a tail queue of struct
sudoers_parse_tree. This will be used to store multiple parse trees
and merge them into a single sudoers_parse_tree.
[073ada18f18b]
* docs/CONTRIBUTING.md:
Fix formatting of links.
[df50208b3f70]
* MANIFEST, docs/CONTRIBUTING.md:
Add contributing guide.
[a99f3a0757f6]
* .github/workflows/codeql-analysis.yml:
Create codeql-analysis.yml
[efab25dab29c]
2021-11-10 Todd C. Miller
* MANIFEST, docs/SECURITY.md:
Add security doc, inspired by the Microsoft template.
[0a8012f8ee35]
* .gitignore, .hgignore, INSTALL, MANIFEST, Makefile.in, README,
configure, configure.ac, doc/CONTRIBUTORS, doc/HISTORY, doc/LICENSE,
doc/Makefile.in, doc/TROUBLESHOOTING, doc/UPGRADE,
doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/fixman.sh,
doc/fixmdoc.sed, doc/schema.ActiveDirectory, doc/schema.OpenLDAP,
doc/schema.iPlanet, doc/schema.olcSudo, doc/sudo.conf.man.in,
doc/sudo.conf.man.in.sed, doc/sudo.conf.mdoc.in, doc/sudo.man.in,
doc/sudo.man.in.sed, doc/sudo.mdoc.in, doc/sudo_logsrv.proto.man.in,
doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in,
doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in,
doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in,
doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in,
doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in,
doc/sudo_sendlog.mdoc.in, doc/sudoers.ldap.man.in,
doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in,
doc/sudoers.man.in.sed, doc/sudoers.mdoc.in,
doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in,
doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in,
doc/visudo.mdoc.in, docs/CONTRIBUTORS, docs/HISTORY, docs/LICENSE,
docs/Makefile.in, docs/TROUBLESHOOTING, docs/UPGRADE,
docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/fixman.sh,
docs/fixmdoc.sed, docs/schema.ActiveDirectory, docs/schema.OpenLDAP,
docs/schema.iPlanet, docs/schema.olcSudo, docs/sudo.conf.man.in,
docs/sudo.conf.man.in.sed, docs/sudo.conf.mdoc.in, docs/sudo.man.in,
docs/sudo.man.in.sed, docs/sudo.mdoc.in,
docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in,
docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in,
docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in,
docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in,
docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in,
docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in,
docs/sudoers.man.in, docs/sudoers.man.in.sed, docs/sudoers.mdoc.in,
docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in,
docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in,
docs/visudo.mdoc.in, etc/codespell.skip:
Rename "doc" directory to "docs" for better GitHub compatibility.
[1268c3ae0916]
* lib/util/Makefile.in:
Use $(SED), not sed, when generating mksiglist.h/mksigname.h
[7a7b636a3f32]
* configure, configure.ac, lib/iolog/Makefile.in,
lib/util/Makefile.in, logsrvd/Makefile.in,
plugins/sudoers/Makefile.in:
Add configure check for sha1sum and use "openssl dgst -sha1" if
missing. Only needed when building the seed corpus zip files.
[3c74ceba0446]
* include/sudo_compat.h:
sudo_compat.h: include unistd.h regardless of OS type This helps to
avoid issues with mismatched headers and libraries.
[4a22435a2832]
2021-11-09 Todd C. Miller
* plugins/sudoers/visudo.c:
install_sudoers: fix return value when there is no temp file to
install This can happen when no changes were made. Also preserve the
edited temp file on error if we are unable to move it into place.
[01c1052ac874]
* plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout:
Bump plugin version in test data to 1.18.
[138b9f6a6143]
* plugins/sudoers/defaults.c:
free_defs_val: free rlimits like strings (which they are).
[ade32de829cb]
* plugins/sudoers/visudo.c:
Rename {check,set}_perms variable to {check,set}_mode. Avoids a name
clash with the set_perms() function.
[a2dfa0d36690]
* src/edit_open.c:
Avoid symbol name clash with is_writable() function variable. Rename
"is_writable" variable to "writable".
[a52bd106933b]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document new resource limit settings.
[022e51bff860]
* doc/UPGRADE:
Mention that the core dump size resource limit now defaults to 0.
[22997e8008c9]
* doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in,
include/sudo_plugin.h, src/exec.c:
Document resource limit support in command_info[] and Bump plugin
API minor. This is supported beginning with sudo 1.9.9 and plugin
API 1.17.
[2004a71a11b3]
2021-11-08 Todd C. Miller
* config.h.in, configure, configure.ac, plugins/sudoers/defaults.c,
src/limits.c:
Use strtoul() on systems without strtoull(). We can assume that
systems without strtoull() have 32-bit resource limits.
[59c1be5a0387]
* src/exec.c, src/limits.c, src/sudo.c, src/sudo.h:
Add front-end support for setting resource limits. The special value
"user" means preserve the invoking user's limit. The value "default"
means don't override the default limit for the user as assigned by
the system (PAM, login.conf, userdb, etc).
[7ad6961d5d72]
* plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/defaults.c,
plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults,
plugins/sudoers/policy.c:
Add basic support for setting resource limits in sudoers. The
default for rlimit_core is "0,0" Resource limits are passed back to
the front-end in command_info[] when set.
[298d5e228635]
* src/edit_open.c:
switch_user_nonfatal: only define if using faccessat()
[1a6b2c0240f5]
2021-11-06 Todd C. Miller
* doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c:
visudo: add -O and -P options to check/set owner and permissions.
This can be used in conjunction with the -c option to check that the
sudoers file ownership and permissions are correct. Bug #1007
[1f20721148b0]
2021-11-05 Todd C. Miller
* doc/UPGRADE:
UPGRADE: mention SELinux behavior change.
[0b8cef633225]
* src/selinux.c, src/sudo.h, src/sudo_edit.c:
Rename selinux_setcon -> selinux_setexeccon
[50bde2e4d922]
* src/selinux.c:
If the SELinux role is "unconfined_r", disable SELinux support. We
only want to apply SELinux to confined users. This is a bit of a
hack as unconfined_r is specific to the targeted policy.
[aaa8ee97f31e]
* src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c,
src/sudo.h, src/sudo_edit.c:
Separate out the code to compute the context from selinux_setup().
This makes it possible to determine whether we really need to
execute the command via the sesh helper. What was left of
selinux_setup() is now selinux_relabel_tty() and
selinux_audit_role_change().
[687a81e59fdd]
* plugins/sudoers/policy.c, src/selinux.c, src/sudo.c:
Pass status of selinux sudoers setting to front-end as selinux-rbac.
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role
or selinux_type are set, SELinux support is enabled. Previously,
SELinux support was only enabled if a role was specified.
[2f21ae08ebbd]
* src/edit_open.c:
dir_is_writable: add fallback if changing UIDs fails The SELinux
policy may not allow uid/gid changes which will break the
writability checks and cause sudoedit to fail.
[5c5928a0c314]
2021-11-04 Todd C. Miller
* scripts/mkpkg:
Build python package on Fedora
[7261434fc60c]
2021-11-01 Todd C. Miller
* src/selinux.c:
Make get_exec_context static, it is unused outside selinux.c.
[be59f91e53dd]
* doc/sudo.conf.mdoc.in:
Fix lint warning: skipping paragraph macro: Pp before Bd
[f84297a652d8]
2021-10-31 Todd C. Miller
* doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in,
doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
Escape some minus signs ('-') as required by newer groff.
[4a1a2d6d5c19]
* MANIFEST, config.h.in, configure, configure.ac,
include/sudo_compat.h, lib/util/timegm.c,
plugins/sudoers/Makefile.in, plugins/sudoers/gentime.c,
plugins/sudoers/gmtoff.c, plugins/sudoers/parse.h, scripts/mkdep.pl:
parse_gentime: use timegm() to generate time since the epoch The
timegm() function is non-standard but widely available. Provide an
implementation for those systems that lack it. Bug #1006
[3ca20dfdb44c]
* include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl:
Fix pasto in gmtime_r and localtime_r macros. Also add missing
Makefile targets for them.
[2310e188fdd4]
* plugins/sudoers/gmtoff.c:
Take daylight saving time into consideration when computing offset.
Otherwise, the resulting time may be off by an hour, depending on
whether DST is currently active compared to the target time.
[20c60fe8e8fc]
2021-10-29 Todd C. Miller
* scripts/mkpkg:
Back out f2d82771e7dd, arm64e on macOS is still in preview state.
Until arm64e on macOS is finalized, continue to build arm64
packages.
[6c3bbd6ffc3a]
2021-10-27 Todd C. Miller
* scripts/mkpkg:
Build arm64e ABI binaries on macOS 11 and above. We originally used
arm64 here but the correct ABI is arm64e. The arm64 arch will be
removed in a future release.
[f2d82771e7dd]
* logsrvd/logsrvd_local.c:
Use iolog_openat() when opening the log.json file in the I/O log
dir.
[9041b20b8d01]
2021-10-26 Todd C. Miller
* logsrvd/tls_init.c:
Use BIO_new_file() not BIO_new_fd() to read dhparams file. Older
versions of OpenSSL and wolfSSL lack BIO_new_fd(). Also explicitly
include openssl/bio.h and openssl/dh.h for wolfSSL.
[8338f58d5ba0]
* INSTALL, config.h.in, configure, configure.ac:
wolfSSL not WolfSSL
[4ee7f96ef87c]
* .circleci/config.yml:
Add wolfSSL variant to continuous integration tests.
[dbbab23e069c]
* docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile,
docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile,
docker/ubuntu/rolling/Dockerfile:
Add libwolfssl-dev to Debian and Ubuntu Dockerfiles Fedora does not
appear to have an official wolfssl package.
[12c0feaa0ebb]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
White space in an include file path supported by sudo 1.9.1 or
higher.
[9a22034de181]
2021-10-25 Todd C. Miller
* INSTALL, config.h.in, configure, configure.ac,
include/sudo_compat.h, lib/iolog/hostcheck.c,
lib/util/digest_openssl.c, lib/util/getentropy.c, logsrvd/logsrvd.c,
logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c,
logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h,
logsrvd/tls_init.c, plugins/sudoers/log_client.c,
plugins/sudoers/log_client.h:
Add support for WolfSSL's OpenSSL compatibility layer. Based on
changes from Hayden Roche
[568557ecb77b]
* lib/util/Makefile.in, plugins/sudoers/Makefile.in:
regenerate dependencies
[d36bf7724e49]
* logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h,
logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c,
logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c,
logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
logsrvd/sendlog.c, logsrvd/sendlog.h:
Move include of log_server.pb-c.h into logsrvd.h and sendlog.h This
way there is no include file order issue with the
PROTOBUF_C_VERSION_NUMBER check.
[23678487ffaf]
* docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile,
docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile,
docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile,
docker/ubuntu/rolling/Dockerfile:
Add pkg-config to all Dockerfiles
[63457bb84c4d]
2021-10-24 Todd C. Miller
* logsrvd/tls_init.c:
Use SSL_FILETYPE_PEM with SSL_CTX_use_PrivateKey_file, not
X509_FILETYPE_PEM While they are defined to the same value in
OpenSSL one should not rely on this.
[1a1557931dbf]
2021-10-23 Todd C. Miller
* configure, configure.ac:
Fix setting _PATH_ASAN_LIB, need to double up the square brackets.
[98143164620a]
* logsrvd/sendlog.c:
sudo_sendlog: send runenv, rungid and runuid from log.json too With
this change, sudo_sendlog can now round-trip sudo-style I/O logs
that use the newer log.json format without losing any information.
[d9d3dad6cca3]
2021-10-22 Todd C. Miller
* config.h.in, configure, configure.ac, lib/util/arc4random.c:
arc4random: need to include sys/random.h on Solaris too. This was
removed when Linux getentropy() was disabled.
[18ea9b386950]
2021-10-21 Todd C. Miller
* lib/iolog/hostcheck.c, lib/util/inet_ntop.c, logsrvd/logsrv_util.h,
plugins/sudoers/log_client.h:
Make sure INET_ADDRSTRLEN and INET6_ADDRSTRLEN are defined.
[e347465e0a05]
* plugins/sudoers/audit.c, plugins/sudoers/iolog.c,
plugins/sudoers/log_client.c, plugins/sudoers/log_client.h,
plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Only include log_client.h if SUDOERS_LOG_CLIENT is defined.
[c318f74cf2a8]
* Merge pull request #118 from larb0b/main
Define MAP_FAILED where relevant if undefined
[74f3e9f1a1f4]
2021-10-21 Larkin Nickle
* lib/util/getentropy.c, lib/util/regress/mktemp/mktemp_test.c,
lib/util/snprintf.c:
Define MAP_FAILED where relevant if undefined
On systems such as HP-UX 10.20, MAP_FAILED is not defined.
[9f4976caa567]
2021-10-20 Todd C. Miller
* configure, m4/libtool.m4:
Improve macOS version detection to support macOS 11 and simplify
legacy logic From Jeremy Huddleston Sequoia
[f09b45ab460a]
* logsrvd/sendlog.c:
sudo_sendlog: send multiple I/O log records together if possible Try
to fill the write buffer and then send to the server instead of
sending records one at a time.
[0b084cd75d64]
* logsrvd/sendlog.c, logsrvd/sendlog.h:
sudo_sendlog: support multiple write buffers like sudo_logsrvd
[a46b88eff200]
* configure, configure.ac, lib/util/Makefile.in:
Always link libsudo_util.so with libcrypto.so if using OpenSSL. We
may need to use RAND_bytes() in the getentropy() emulation.
[9c805a008d76]
* config.h.in, configure, configure.ac, lib/util/getentropy.c,
plugins/sudoers/boottime.c:
Add an explicit check for sys/sysctl.h. This test needs to be done
after AC_LANG_WERROR to avoid including sys/sysctl.h on systems
where it is marked as deprecated via a #warning directive.
[d9f1f97b0f37]
* config.h.in, configure, configure.ac, lib/util/arc4random.c:
Use our own getentropy() by default on Linux. The glibc getentropy()
emulation will fail on older kernels that don't support getrandom().
Also use sudo_fatal() instead of sending SIGKILL on getentropy()
failure. GitHub issue #117.
[1ca9d10ff780]
* lib/util/getentropy.c:
Use the OpenSSL RAND_bytes() function if getrandom() fails.
[5f82f6d2ea36]
* lib/util/Makefile.in, lib/util/arc4random_buf.c, scripts/mkdep.pl:
Fix compilation of standalone arc4random_buf(). Apparently this code
was never compiled anywhere.
[a66c68c3a976]
* lib/util/uuid.c:
sudo_uuid_create: no longer need a union for the uuid.
[a9277bf0078c]
2021-10-19 Todd C. Miller
* lib/eventlog/eventlog_free.c:
eventlog_free: free signal_name too
[1da686483f2a]
* lib/iolog/regress/fuzz/fuzz_iolog_json.dict:
Add new log.json keywords
[f4a30fc6c4ed]
* lib/iolog/regress/fuzz/fuzz_iolog_json.c:
fuzz_iolog_json: initialize exit_value to -1
[bac9826b95a1]
* logsrvd/logsrvd.c:
Fix potential use-after-free when calling iolog_flush_all(). We need
to call iolog_flush_all() _before_ scheduling the commit point. If
we fail to schedule the commit point, the closure will be freed.
Coverity CID 220557
[364736f15a06]
* logsrvd/sendlog.c:
sendlog: use runargv from log.json if available
[88a0f4d7bb94]
* logsrvd/sendlog.c:
sudo_sendlog: send exit data in eventlog if present
[fdacc0f68c56]
* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
No longer need to pass exit params to eventlog_exit(), use struct
eventlog. Now that struct eventlog includes the exit parameters we
can simplify how eventlog_exit() is called.
[8580c0e8334d]
* include/sudo_eventlog.h, lib/iolog/iolog_json.c,
lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c:
Read command run_time, signal and exit_value from I/O log log.json
file.
[05223c4cca0c]
* logsrvd/logsrvd_local.c:
Log the command run-time and exit status in the I/O log.
[8b02b373f79b]
* lib/eventlog/eventlog.c:
format_json: fix pasto when setting dumped_core boolean
[ca11285c088a]
2021-10-18 Todd C. Miller
* lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c:
Handle a missing run_time in an ExitMessage. It is now possible to
pass a NULL run_time to eventlog_exit().
[f3e989682931]
2021-10-16 Todd C. Miller
* doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
logsrvd/logsrvd.c:
No need to flush logs before commit point if we flush after each
write. Also document that logs are flushed before sending a commit
point even when flushing is disabled.
[50323241569d]
2021-10-15 Todd C. Miller
* MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in,
lib/iolog/iolog_conf.c, lib/iolog/iolog_flush.c,
logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Flush I/O logs before we send a commit point. The commit point
message means we have written the data to disk so we should not be
buffering it any longer. We do not currently fsync(2) the data after
flushing, perhaps we should.
[5233172b7531]
* logsrvd/logsrv_util.c:
Do not treat a resume point of [0, 0] as an error. If the connection
is interrupted before sudo sends back a commit_point message,
resuming at [0, 0] is correct. Also add a warning on unexpected EOF
parsing the timing file.
[105f29878ad7]
2021-10-11 Todd C. Miller
* plugins/sudoers/sudoers.c:
Display a more helpful message if the user tries to run "sudo cd".
Since "cd" is a shell built-in command it cannot be run directly via
sudo. The user either needs to spawn a shell via "sudo -s" or use
the -D option to run a command in a specific directory.
[4d45797dfb11]
* configure, configure.ac:
Don't install sudoers.a when configured with
--enable-static-sudoers. We already avoid installing it when
--disable-shared-util is specified.
[0d2022bc07cb]
2021-10-10 Todd C. Miller
* scripts/mkpkg:
mkpkg: preserve make exit value on exit Fixes a problem where the
exit value from mkpkg was 0 even on error.
[0d0f15bf10cf]
* plugins/sudoers/cvtsudoers_csv.c:
Fix typos in SELinux and Solaris priv support.
[16b9a1459f1d]
* MANIFEST, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in,
plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c,
plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c:
cvtsudoers: initial support for CSV output For CSV output we double
quote strings that contain commas. For each literal double quote
character present inside the string, two double quotes are output.
[8f7763b74563]
* lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in,
plugins/sudoers/Makefile.in:
regenerate dependencies
[09d11b5c7d41]
* docker/README, etc/codespell.ignore:
Fix typo and avoid a codespell false positive.
[81a365b29c3c]
2021-10-08 Todd C. Miller
* .circleci/config.yml:
Add build-nointercept and test-nointercept
[d39877327ccc]
2021-10-07 Todd C. Miller
* .circleci/config.yml:
circleci: test multiple build options We now do separate builds with
LDAP/SSSD enabled, logsrv client/server disabled, and static-sudoers
enabled.
[4d8a9b45156c]
* configure, configure.ac, plugins/sudoers/Makefile.in:
Fix fuzzer build when --enable-static-sudoers is used. This
introduces a sudoers-specific version of LT_STATIC instead of
appending the --tag=disable-shared to SUDOERS_LDFLAGS. I've also
removed the -static flag as it should not be needed.
[864a2fd4e3f7]
2021-10-05 Todd C. Miller
* docker/README:
Mention --security-opt=seccomp=unconfined workaround for bleeding
edge. May be needed for Fedora rawhide and Ubuntu testing, among
others.
[a465fdb0a7de]
* configure, configure.ac:
Try to handle the case where libasan.so is a linker script. Fixes
check_noexec with ASAN on Fedora where libasan.so just includes the
actual library file.
[f96d1d0cea53]
* .circleci/config.yml, docker/README,
docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile:
Enable address and undefined behavior sanitizers in CI builds. We
need to disable leak sanitizer during "make check" because it uses
ptrace which is not allowed for unprivileged containers.
[9378e3856a60]
2021-10-04 Todd C. Miller
* .circleci/config.yml:
Switch to Ubuntu latest for circleci build.
[1270ca1ba47d]
* .circleci/config.yml, docker/debian/latest/Dockerfile,
docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile,
docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile,
docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add build user for circleci instead of running as root.
[27dcb5218cb2]
* .circleci/config.yml, MANIFEST, docker/README,
docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile,
docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile,
docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile,
docker/ubuntu/rolling/Dockerfile:
Use circleci for continuous integration. Build container
descriptions are in the new docker directory.
[d5b5b16b0624]
2021-10-03 Todd C. Miller
* .gitignore, .hgignore:
Update ignore file.
[7fe8afa88e96]
2021-10-01 Todd C. Miller
* plugins/sudoers/sudoreplay.c:
Sync "sudo -l" output with normal sudo log format. It now prints
runchroot and runcwd (falling back on cwd). As a result, submithost
is now printed first, matching sudo. Also avoid printing NULL
pointers and skip entries that don't have at least command,
submituser and runuser set.
[0d6b96ec88a1]
* lib/iolog/iolog_json.c:
iolog_parse_json_object: optimize for large argv
[5fa1929189a3]
2021-09-29 Todd C. Miller
* configure, configure.ac:
Add "-fcf-protection" to SSP_CFLAGS and SSP_LDFLAGS if supported.
Can be disabled via --disable-hardening.
[589507ecadf4]
* configure, configure.ac:
Add "-z now" to hardened link options if supported. Can be disabled
via --disable-hardening.
[11ff1d86440b]
* doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/editor.c,
plugins/sudoers/regress/editor/check_editor.c,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/visudo.c:
find_editor: remove the env_error argument There is no case where we
should fail to find an editor just because the values of EDITOR,
VISUAL and SUDO_EDITOR are unavailable. Both sudoedit and the
"env_editor" sudoers setting are documented as falling back on the
hard-coded list of editors in the "editors" sudoers setting. Bug
#1000
[caa529a0cab6]
* plugins/sudoers/check_aliases.c:
Use sudo_printf(SUDO_CONV_ERROR_MSG) instead of fprintf(stderr).
Avoids extraneous output in the fuzzer.
[981d3abd96c7]
* plugins/sudoers/Makefile.in,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Stub out sudo_printf() and avoid other use of stderr in fuzzers.
This makes it possible to parse sudoers without using quiet mode,
resulting in better coverage.
[3215cad4174f]
2021-09-28 Todd C. Miller
* lib/iolog/regress/fuzz/fuzz_iolog_json.c,
lib/iolog/regress/fuzz/fuzz_iolog_legacy.c,
lib/iolog/regress/fuzz/fuzz_iolog_timing.c,
lib/util/regress/fuzz/fuzz_sudo_conf.c,
logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Use a consistent version of fuzz_conversation() with all fuzzers.
Also undo a change to fuzz_sudoers.c that snuck in to the last
commit.
[8a94b06302b7]
* lib/iolog/regress/fuzz/fuzz_iolog_json.c,
lib/iolog/regress/fuzz/fuzz_iolog_legacy.c,
lib/iolog/regress/fuzz/fuzz_iolog_timing.c,
lib/util/regress/fuzz/fuzz_sudo_conf.c,
logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
plugins/sudoers/Makefile.in,
plugins/sudoers/regress/fuzz/fuzz_policy.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Fuzzers should not produce output. Excessive output makes the fuzzer
runs much less efficient.
[b9c485009c0f]
* logsrvd/logsrv_util.c:
expand_buf: fix conditional for when we need to preserve existing
data It is possible for the buffer offset to be zero when the length
is non-zero. The proper value to use is the same as is used for the
memcpy/memmove size. Fixes buffer corruption caused by a very long
command line that usually results in a dropped connection.
[59a4319b3463]
2021-09-27 Todd C. Miller
* config.h.in, configure, configure.ac, lib/util/closefrom.c:
Emulate closefrom() on macOS using proc_pidinfo(). This avoids
relying on /dev/fd which may not exist in a chroot jail. Adapted
from a change in OpenSSH by likan_999.student AT sina.com
[2e86d4150ce5]
2021-09-26 Todd C. Miller
* src/edit_open.c:
Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure.
FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP.
This is only used to present the user with a more appropriate error
message.
[ca5499c8c40f]
2021-09-24 Todd C. Miller
* plugins/sudoers/cvtsudoers.c:
Fix typo in last commit, use boolean AND not bitwise.
[685bd5d9ce6f]
* doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h,
plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/parse.h:
Add the ability to filter/match by command via the -m option. For
example "cvtsudoers -m cmd=/bin/ls" would only display entries that
would allow /bin/ls to be allowed or denied.
[3534a0170c59]
2021-09-23 Todd C. Miller
* doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in,
plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c,
plugins/sudoers/cvtsudoers.h, plugins/sudoers/pwutil.c:
Add --group-file and --passwd-file options to cvtsudoers. These are
based on the code in testsudoers.
[3286dd5dd0bf]
2021-09-22 Todd C. Miller
* lib/util/mkdir_parents.c:
Move cppcheck suppression annotation to where it needs to be.
[17d601bc91f3]
* lib/util/mksigname.c:
format string fix: print signal number as unsigned. Quiets a
cppcheck warning; mksiglist.c already has this fixed.
[a28b72dceec4]
* plugins/sudoers/ldap_util.c:
Fix memory leak on error path if snprintf() overflows. Coverity CID
188804
[73872d2e2cd0]
2021-09-21 Todd C. Miller
* plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c,
plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/passwd.c,
plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c:
Avoid reinitializing other auth methods.
[af0495460943]
* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
expand_include: add bounds checking when expanding %h escape.
[3c0ca1f0d4e5]
* plugins/sudoers/iolog.c, plugins/sudoers/ldap.c,
plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Check snprintf() return values even if we preallocated the correct
amount. There are no remaining unchecked snprintf() that can
actually overflow.
[0eaf1d4daa84]
* include/sudo_iolog.h, lib/iolog/iolog_nextid.c:
iolog_nextid(): make iolog_dir argument const. We make a copy of the
directory so there's no real reason that parameter can't be const.
[f278847ca9aa]
* plugins/sudoers/ldap_util.c:
Amend truncation fix, the real problem was the size passed to
snprintf(). sudo_rcstr_alloc() takes a length (not a size) parameter
so when calling snprintf() we need to add one to the length.
[92f8a8b86d20]
* plugins/sudoers/ldap_util.c:
Fix truncation of the last char of the sudoRole cn passed to
append_default(). This string is primarily used for warning
messages. Also check the snprintf() return value to avoid silent
truncation. GitHub issue #115
[22b8d7bc62f8]
2021-09-20 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.8p2
[f29fdeb8ae5b]
* etc/codespell.exclude:
Standardize on "front-end" not "front end" in the man pages.
[b0ad634852e7]
* configure, configure.ac:
fix typo
[4d8738449daa]
* logsrvd/logsrvd_journal.c:
Reuse existing journal file for an accepted/rejected sub-command.
Otherwise we end up with zero-length files in the incoming queue dir
and may end up relaying one of those instead of the actual journal
file.
[545897a2761c]
* plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Re-enable error output for the sudoers parser. It is only the alias
and defaults warnings we need to suppress.
[114bd7756a7c]
* src/exec_intercept.c:
Add intercept_cleanup() stub for when building w/o intercept
support.
[bd6f32a90787]
* src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c,
src/sudo_exec.h:
Add intercept_cleanup() to free the closure used by
intercept_accept_cb().
[55f6aea8b517]
* plugins/sudoers/auth/pam.c:
Don't re-initialize PAM for sub-commands.
[faa7aec4d145]
* logsrvd/logsrvd_local.c:
sudo_logsrvd: only send log ID for first command of a session There
is no need to send the log ID for each sub-command.
[625b18c5f821]
* plugins/sudoers/log_client.c:
Only store the first log id received from the server. Plugs a small
memory leak in intercept mode if the log server sends the log ID
again for sub-commands.
[ca2ad5b219cd]
2021-09-19 Todd C. Miller
* plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
fuzz_sudoers: don't warn about unknown defaults entries Some fuzzing
inputs cause a huge number of warnings and displaying them all can
result in the fuzz run timing out. If we disable the warnings we can
avoid the timeout.
[4823ee305937]
* plugins/sudoers/defaults.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/policy.c:
Limit paths for command, cwd and chroot to PATH_MAX bytes. This
helps prevent the fuzzer from going off the rails.
[9550fa76a645]
* plugins/sudoers/sudoers.c:
sudo -i: missing NULL terminator when moving argv to make room for
--login Fixes a potential crash for "sudo -i" when the target user
has bash as the shell (which needs the --login option). Bug #998.
[4b297f2ead15]
* lib/eventlog/eventlog.c:
Only append argv[] to the log line if argv[0] is not NULL. It should
not be possible to reach this point with a command defined but
argv[] empty but it doesn't hurt to check.
[61f9cf744673]
2021-09-18 Todd C. Miller
* plugins/sudoers/check_aliases.c:
Only warn about an undefined alias or a cycle a single time. There's
no point in warning about the same problem multiple times. This
implementation assumes a small number of warnings and so just uses a
simple linked list.
[4461f65d1bad]
* configure, configure.ac:
Remove now-unused CHECK_INTERCEPT variable.
[447dbf8bea48]
* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Quiet pvs-studio false positive: V557 Array overrun is possible.
Make the zero length check explicit so as not to confuse static (or
human) analyzers.
[512ab29a9f28]
2021-09-17 Todd C. Miller
* MANIFEST, plugins/sudoers/regress/testsudoers/test17.out.ok,
plugins/sudoers/regress/testsudoers/test17.sh:
Test that digest matching works with LDAP sudoCommand: ALL
[f7ec49401d4f]
* plugins/sudoers/ldap_util.c:
Allow a digest to be specified with the "ALL" command for ldap/sssd
back-ends. This has been possible with sudoers file entries since
sudo 1.9.0 but no corresponding change was made for ldap/sssd.
[89a30bbd7dac]
* lib/eventlog/eventlog.c:
Use localtime_r() not gmtime_r() when formatting the local time.
This is consistent with how sudo formatted time stamps prior to the
logging code being split off into libeventlog. We only need to use
gmtime_r() for ISO 8601 time.
[aee6e29ba9d6]
* lib/eventlog/eventlog.c,
lib/iolog/regress/iolog_path/check_iolog_path.c,
lib/util/sudo_debug.c, plugins/audit_json/audit_json.c,
plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c,
plugins/sudoers/ldap.c, plugins/sudoers/parse.c,
plugins/sudoers/timestr.c:
Check strftime(3) return value in all cases. Old versions of
strftime(3) didn't guarantee to NUL-terminate the buffer so we
explicitly clear the last byte of the buffer and check it.
[bc402e4bd4d2]
* config.h.in, configure, configure.ac, logsrvd/tls_init.c:
tls_init.c: use SSL_CTX_set0_tmp_dh_pkey if present. Fixes a warning
on OpenSSL 3.0 and plugs a memory leak of dhparams on config reload.
[02027ea86d3b]
* configure, configure.ac, lib/util/digest_openssl.c:
Use the EVP digest routines instead of calling SHA2 functions
directly. Avoids compiler warnings with OpenSSL 3.0.
EVP_MD_CTX_new() is only available for OpenSSL 1.1 and higher--we
will fall back to sudo's SHA2 code if necessary.
[6fbac28175f9]
* configure, configure.ac:
When using pkg-config, don't assume the names of the ssl and crypto
libs. On the HP-UX build machines these are named libssl_pic.a and
libcrypto_pic.a to avoid conflicting with the system libs.
[a8eb772b3a4d]
* lib/util/sudo_debug.c:
Store milliseconds in the debug file timestamp. Sometimes second
granularity is not enough.
[1df3e75f1133]
* MANIFEST, config.h.in, configure, configure.ac,
include/sudo_compat.h, lib/util/gmtime_r.c, lib/util/localtime_r.c:
Add gmtime_r and localtime_r tests and compat if missing.
[709671c493a3]
* lib/eventlog/eventlog.c, lib/iolog/iolog_path.c,
lib/iolog/regress/iolog_path/check_iolog_path.c,
lib/util/sudo_debug.c, plugins/audit_json/audit_json.c,
plugins/sample_approval/sample_approval.c,
plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c,
plugins/sudoers/getdate.c, plugins/sudoers/getdate.y,
plugins/sudoers/gmtoff.c, plugins/sudoers/ldap.c,
plugins/sudoers/parse.c, plugins/sudoers/timestr.c:
Use gmtime_r() and localtime_r() instead of gmtime() and
localtime().
[5758514b25cb]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
Plugin lines are for approval and audit plugins too.
[67bb7c0687f2]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in,
doc/sudo.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in,
doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in,
doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in,
doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in,
doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in,
doc/visudo.mdoc.in:
Standardize on "front-end" not "front end" in the man pages.
[68748f8cc8a6]
* MANIFEST, plugins/sudoers/regress/testsudoers/test16.out.ok,
plugins/sudoers/regress/testsudoers/test16.sh:
Add a test to exercise Bug #994
[eef2ece0e8d4]
* scripts/mkpkg:
mkpkg: limit the number of cores used to 16
[5b8f2aa834b8]
2021-09-16 Todd C. Miller
* NEWS:
fix typo
[120b1e7d2aca]
* NEWS:
Bug #994.
[14ea3a741b25]
* plugins/sudoers/ldap_util.c:
Always allocate a struct sudo_command for the command, even for ALL.
This was missed in the previous set of changes, resulting in a crash
for LDAP and SSSD rules that give sudo "ALL" privileges. Bug #994.
[91d0379b068a]
* plugins/sudoers/Makefile.in:
Add SUDOERS_LDFLAGS to FUZZ_LDFLAGS. Fixes a fuzzer link error when
building with ldap if the ldap libs are not in the default library
search path.
[a450881f9763]
* configure, configure.ac:
Fix the OpenSSL link order for the non-pkg-config case. Since -lssl
depends on -lcrypto, -lcrypto must be listed after -lssl. Fixes
linking of non-dynamic OpenSSL libs.
[787724ab6e87]
2021-09-15 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.8p1
[fc8c69d55348]
* src/sudo_intercept_common.c:
sudo_interposer_init: verify message type from sudo. We should only
get a HelloResponse from sudo at this point.
[a021319260b3]
* include/intercept.pb-c.h, src/exec_intercept.c,
src/intercept.pb-c.c, src/intercept.proto,
src/sudo_intercept_common.c:
Avoid symbol name clash to fix --enable-static-sudoers linking.
[5cc5e415844f]
2021-09-14 Todd C. Miller
* plugins/sudoers/defaults.c, plugins/sudoers/policy.c:
append_defaults() should not be passed a value for boolean flags.
The operation should simply be set to true/false. Also treat a NULL
file as coming from the front-end. Bug #993.
[86e69d358916]
2021-09-13 Todd C. Miller
* configure, configure.ac, plugins/python/Makefile.in,
scripts/mkdep.pl, src/Makefile.in:
Teach mkdep.pl about --tag=disable-static in LTFLAGS. If static objs
are disabled we need to add explicit dependencies for .o files. The
OpenBSD libtool doesn't use a pic object file when linking
executables so we need to build the non-pic objects too.
[cdefeeb41a64]
* configure, configure.ac:
Use SUDO_APPEND_LIBPATH when appending to LIBTLS and LIBMD. The
OpenSSL pkgconfig files only include -L paths, not -R paths. Using
SUDO_APPEND_LIBPATH ensures the rpath is set correctly so the
binaries will run (not just link).
[29d051972287]
* INSTALL, configure, configure.ac:
Add --enable-openssl-pkgconfig-template option. This can be used to
find the correct openssl pkg-config file if it is not named
"openssl" (also libcrypto).
[77cd3463cefa]
* plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Some POSIX yacc fixes for bison 3.8: yyerror() must be extern void;
declare tokens with type instead of using separate %type lines.
[c4e57f9e7df5]
2021-09-09 Todd C. Miller
* .gitignore, .hgignore:
Add src/intercept.exp to ignore files.
[4eaa182a8808]
2021-09-08 Todd C. Miller
* plugins/sudoers/po/cs.mo:
regen
[8c168099301b]
* NEWS:
Mention --enable-static-sudoers fix.
[c93a42253fd0]
* configure, configure.ac:
Fix typo introduced in 1.9.7 that set SUDO_LDFLAGS to
SUDOERS_LDFLAGS. Copy pasta is not always the best kind of pasta.
[08188442f77b]
* MANIFEST, configure, configure.ac, m4/sudo.m4, src/Makefile.in,
src/intercept.exp, src/intercept.exp.in, src/sudo_intercept.c:
sudo_intercept.so: only replace execvpe() if it is present.
execvpe() is a GNU extension also found on *BSD (but not macOS).
[26153ad9c6ca]
* NEWS:
We now intercept more than just execve().
[33e453f035f8]
2021-09-07 Todd C. Miller
* src/sudo_intercept.c:
Implement simple PATH resolution for execvp(). We want to use PATH
from the current value of the environment, not the initial value of
PATH when the policy was opened. This is a little different from how
real execvp() works since we use stat() instead of just execve().
[fae58e1962cc]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in,
doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
Add support for execl, execle, execlp, execvp, and execvpe.
Currently, PATH traversal is handled by sudoers which uses the
original PATH, not the one updated by the shell.
[59dfbbd39bf6]
2021-09-03 Todd C. Miller
* plugins/sudoers/gram.c, plugins/sudoers/gram.h,
plugins/sudoers/gram.y:
Remove conditional include of alloca.h, we don't define
HAVE_ALLOCA_H. The configure check for alloca() was removed long ago
but this got missed.
[4c64529df149]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
Define RBAC and mention incompatibility with intercept/log_subcmds.
[a44d8f96cad6]
2021-09-02 Todd C. Miller
* src/exec_intercept.c:
Fix computation of the token address when handling a partial read.
We want to treat it as an array of bytes, not an array of tokens.
Coverity CID 240011
[0bb3fb3315ce]
* plugins/sudoers/parse.c:
Quiet a PVS-Studio format string warning.
[4e445c646dc8]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Regen .pot files.
[4cec17bc24da]
* plugins/sudoers/po/cs.po:
Updated translations from translationproject.org
[62fdbab57411]
2021-09-01 Todd C. Miller
* src/Makefile.in:
regen
[a2f37ca5473b]
* configure, configure.ac, lib/util/sudo_conf.c, scripts/mkdep.pl,
src/Makefile.in, src/exec_common.c, src/exec_intercept.c:
Do not compile intercept code if --disable-intercept is specified.
[9d31e2822c24]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
We now intercept execv() too.
[f0eac891cb5c]
* INSTALL:
INSTALL: --disable-intercept will also disable "log_subcmds"
[55ddfdae455d]
* doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/parse.c:
Can't use intercept or log_subcmds with SELinux RBAC. SELinux policy
will prevent the inherited socket from sudo from being used and may
also restrict the ability to connect back to the sudo process.
[b73409172859]
* m4/ax_prog_cc_for_build.m4:
Fix typo in comment.
[3259f09e6952]
* po/cs.mo, po/cs.po:
Updated translations from translationproject.org
[7543d0d50ee2]
* include/intercept.pb-c.h, src/exec_intercept.c,
src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h,
src/sudo_intercept_common.c:
Switch to a 128-bit token instead of a 64-bit secret. Protobuf
doesn't have a 128-bit type so use two u64s. We now support partial
reads of the token.
[e39ece25fb3b]
2021-08-31 Todd C. Miller
* MANIFEST, lib/util/Makefile.in, lib/util/regress/uuid/uuid_test.c,
lib/util/uuid.c:
Fix random uuid generation, no need to convert between byte order.
Also add regression test.
[fd2940acffc2]
* include/intercept.pb-c.h, src/exec_intercept.c,
src/intercept.pb-c.c, src/intercept.proto,
src/sudo_intercept_common.c:
sudo_intercept.so: send the secret immediately after connecting.
Sending the secret out of band, before the message size is read,
should make it harder to mount a DoS attack.
[4c8b6577bd8c]
* src/sudo_intercept_common.c:
Handle reading large messages that don't fit in a single recv(). We
know the length of what we are receiving so just loop until we have
it all, get EOF or an error.
[1b8aa927ea83]
* configure, configure.ac:
Add checks for -fstack-clash-protection and -Wl,-z,noexecstack. We
use -Wc,-fstack-clash-protection as the linker flag to prevent
libtool from removing it from the link line.
[7cd701b5039e]
* src/exec_intercept.c:
Make the sudo side of the intercept socket non-blocking.
[3fe7129ea1f2]
* src/exec_intercept.c:
Handle partial read/write by dropping back into the event loop.
[fa216d963e18]
* src/exec_intercept.c:
intercept_check_policy: Fix double free introduced in last commit. If
the command is not accepted we don't rebuild command_info[] and must
not free it. It will be freed by the policy instead.
[8bbd2af0924b]
2021-08-27 Todd C. Miller
* include/intercept.pb-c.h, src/exec_intercept.c,
src/intercept.pb-c.c, src/intercept.proto,
src/sudo_intercept_common.c:
Update runcwd in command_info[] before passing it to the audit
plugin. Since sudoers does rejected commands itself the runcwd will
still not be correct for those.
[5462a5e1d760]
* src/exec_preload.c:
Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var.
[04d8d7750ff6]
2021-08-26 Todd C. Miller
* src/exec_intercept.c:
intercept_check_policy: fix potential NUL dereference on the error
path.
[4d1b3f39ccb1]
* NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/policy.c, src/exec.c,
src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c,
src/sudo.h:
Rename log_children -> log_subcmds
[abd73fc939c3]
* plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po,
plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po,
plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po,
plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo,
po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo,
po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo,
po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo,
po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org
[f948528780fb]
* lib/util/sudo_debug.c:
Add sudo_debug_register_v2() stub for fuzzing build.
[ba522c0c2075]
* src/exec_intercept.c:
Fix use-after-free on error. Also remove useless free of a ptr that
is always NULL on the error path.
[75200535be80]
* src/exec_common.c:
No longer need to remap intercept fd but we do need to remap debug
fd. The intercept fd is closed in the ctor but the debug fd will
still be open.
[b48125b884f3]
* include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in,
logsrvd/logsrvd.c, logsrvd/sendlog.c,
plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c,
plugins/sample_approval/sample_approval.c,
plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c,
src/sesh.c, src/sudo.c, src/sudo_intercept_common.c:
sudo_debug_register: add minfd argument to specify lowest fd number.
Use this in sudo_intercept.so to avoid allocating a low-numbered fd
which the shell reserves for use by scripts.
[50b23c4d0531]
* src/exec_intercept.c:
Fix command name of sub-command in logs when log_children is set.
[c1b35686d8b4]
2021-08-25 Todd C. Miller
* plugins/sudoers/audit.c, plugins/sudoers/logging.c,
plugins/sudoers/logging.h:
log_allowed: pass struct eventlog * instead of argv[] and envp[].
This lets us log based on the command_info[] list passed in from the
front-end. Previously, much of the struct eventlog was constructed
from internal sudoers state instead.
[4c4a7ddfeba3]
* include/sudo_compat.h:
sudo_compat.h: include unistd.h on HP-UX to safely redefine
pread/pwrite. HP-UX 11.31 defines static functions for pread() and
pwrite() which will conflict with our macros.
[2dd64cdc261f]
* config.h.in, configure, configure.ac, include/intercept.pb-c.h,
src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c,
src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h,
src/sudo_intercept_common.c:
Change intercept IPC to use a localhost socket instead of inherited
fd. This allows intercept mode to work with shells that close all
open fds upon startup. The ctor in sudo_intercept.so requests the
port number and secret over the socket inherited from the parent
then closes it. For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check. Child processes
re-use the TCP socket to request the port number and secret just
like the initial process started by sudo does.
[7e7e4a389f11]
* src/exec_intercept.c:
Add a state variable to intercept_closure, replaces policy_result.
[60fae103a4cd]
* plugins/sudoers/match_command.c:
command_matches: avoid printf("%s") of NULL in debug for sudo ALL.
[5c81c2c32b4c]
* Merge pull request #111 from commodo/fix-cflags
lib/util/Makefile.in: use host CFLAGS and CPPFLAGS for
mksig{name,list}
[ee86d28da792]
2021-08-25 Alexandru Ardelean
* lib/util/Makefile.in:
lib: util: Makefile.in: use host CFLAGS and CPPFLAGS for
mksig{name,list}
When cross-build support was added for mksig{name,list},
the CFLAGS and CPPFLAGS should have been updated to the
HOSTCFLAGS/HOSTCPPFLAGS vars.
In a cross-build scenario, some of these flags don't match what the
compiler can understand (because they may be architecture specific)
and may fail the build.
Using the HOSTCFLAGS/HOSTCPPFLAGS works and builds successfully.
Also the output binary works on the target.
This is in continuation of
- https://github.com/sudo-project/sudo/pull/104
- https://github.com/sudo-project/sudo/pull/109
Signed-off-by: Alexandru Ardelean
[f76870e1a6c5]
2021-08-24 Todd C. Miller
* src/exec_intercept.c:
Fold intercept_closure_reset() into intercept_close().
[ff00ab240672]
* src/exec_preload.c:
Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD.
[e4cd1043c7bb]
* src/exec_preload.c:
Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD
vars.
[9044d0dff708]
* src/sudo_intercept.c:
Fix typo in macOS execv change.
[1c637d909382]
2021-08-21 Todd C. Miller
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in,
doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
Add execv(3) support to sudo_intercept.so. This allows intercept to
work with csh which uses execv(3) not execve(2).
[690ebf72b6f8]
2021-08-20 Todd C. Miller
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in,
doc/sudoers.mdoc.in:
Sync the list of functions trapped by sudo_noexec.so.
[b1f7799209ff]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
Add a Debug example for sudo_intercept.so. Don't try to enumerate all
the sudo programs that support debugging since all of them do.
[9c1201eaaca2]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
Update sudoers Debug example to match the debug changes from sudo
1.8.12.
[7c831aa9b6d5]
* doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
sudo_intercept.so only intercepts execve(2) for now.
[7314abc72fb9]
* plugins/sudoers/parse.c:
Fix formatting for bound defaults with multiple entries in the
binding. The entries in the binding were separated with " ," instead
of ", ".
[14442701f793]
* MANIFEST, src/Makefile.in, src/intercept.exp:
Add exports file for sudo_intercept.so that only exports execve()
[ac97417435ab]
* src/Makefile.in, src/sudo_intercept.c, src/sudo_intercept_common.c:
Add some debugging to the sudo_intercept.so.
[2dee003b5cc7]
* config.h.in, configure, configure.ac:
Use AC_FUNC_FSEEKO instead of AC_CHECK_FUNCS_ONCE([fseeko]). This
will define _LARGEFILE_SOURCE, if needed, to make the prototype
visible on older systems.
[3f4314f6a795]
2021-08-19 Todd C. Miller
* config.h.in, configure, configure.ac, include/sudo_compat.h:
We still need the pread/pwrite hack for HP-UX 11.11 at least. This
time around, avoid defining _LARGEFILE64_SOURCE and just declare
pread64/pwrite64 ourselves.
[66e01b14a10f]
* include/sudo_compat.h:
Fix prototypes for sudo_pread() and sudo_pwrite().
[15acfc576a71]
* src/exec_intercept.c:
intercept_fd_cb: store the passed fd in newfd, not fd. Only affects
the old BSD-style fd passing code, not POSIX-style.
[4b13aa4593ba]
* lib/util/Makefile.in:
Fix mksiglist and mksigname dependencies.
[31519cc5ec2b]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
set-user-ID and set-group-ID not set user-ID and set group-ID.
[0ddf5fedc896]
* NEWS:
The fix for bug #989 will make sudo 1.9.8. Also mention
intercept_authenticate and intercept_allow_setid.
[fa8b7444486b]
* plugins/sudoers/po/sudoers.pot:
regen
[c8993c070218]
* .gitignore, .hgignore, MANIFEST, aclocal.m4, configure,
configure.ac, lib/util/Makefile.in, lib/util/mksiglist.c,
lib/util/mksiglist.h, lib/util/mksigname.c, lib/util/mksigname.h,
lib/util/sys_siglist.h, lib/util/sys_signame.h,
m4/ax_prog_cc_for_build.m4:
Cross-build support for mksigname and mksiglist. We must build these
with the host C compiler but use the target preprocessor to generate
the output.
[bf2919b63fb9]
2021-08-19 a1346054 <36859588+a1346054@users.noreply.github.com>
* .clang-format, INSTALL, MANIFEST, autogen.sh, doc/LICENSE,
etc/sudo.pp, examples/Makefile.in:
Minor cleanup (#110)
* fix trivial shell script issues
* remove trailing whitespace
[f9d4de3dee50]
2021-08-19 Todd C. Miller
* logsrvd/logsrvd_conf.c, plugins/sudoers/check.c,
plugins/sudoers/cvtsudoers.c, plugins/sudoers/exptilde.c,
plugins/sudoers/iolog.c, plugins/sudoers/logging.c,
plugins/sudoers/mkdefaults, plugins/sudoers/policy.c,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c,
plugins/sudoers/tsdump.c:
Replace messages like "unknown foo: %s" with "unknown foo %s". The
colon really doesn't belong there; we generally use a colon to
separate a message from the warning detail.
[a1b99c8821ae]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
log_server_peer_cert and log_server_peer_key are not required by
default. They are only required if sudo_logsrvd has tls_checkpeer
enabled.
[0d9099ce5d74]
* logsrvd/logsrvd_conf.c:
Sync warning messages with sudoers/logging.c. Avoids 3 translation
strings that were effectively duplicated.
[eb058a820998]
2021-08-18 Todd C. Miller
* lib/protobuf-c/Makefile.in, src/Makefile.in:
regen
[ab9d4b22d7cb]
* doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/match_command.c, plugins/sudoers/parse.c,
plugins/sudoers/parse.h,
plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Add intercept_allow_setid sudoers option, disabled by default. With
this change, a shell in intercept mode cannot run a setuid or setgid
binary by default. On most systems, the dynamic loader will ignore
LD_PRELOAD for setuid/setgid binaries such as sudo which would
effectively disable intercept mode.
[cdb876f62882]
* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/match.c:
Always allocate a struct sudo_command for the command, even for ALL.
Previously we special-cased handling of ALL but this complicates
some upcoming changes.
[d552109d739c]
2021-08-16 Todd C. Miller
* etc/codespell.exclude:
Update TAGS_CHANGED macro based on parse.h
[261e4bad3f55]
* doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in,
doc/sudoers.mdoc.in:
Better document the limitations of intercept mode. Also mention
log_children under "Preventing shell escapes"
[0dfca8d0672d]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.8.
[ed2582c37765]
* doc/sudoers.man.in, doc/sudoers.mdoc.in:
Try to clarify log_server_peer_key and log_server_peer_cert. These
are client-side not server-side.
[ffa4ee3e2557]
* logsrvd/logsrvd_conf.c:
Print the section when warning about an illegal key in the conf
file. This should make it easier to tell when a setting is present
in the wrong section.
[8150a7775155]
2021-08-14 Todd C. Miller
* lib/eventlog/eventlog.c:
new_logline: limit offset to two significant digits after the
decimal. Now instead of TSID=0001L3@5.168230749 we would log
TSID=0001L3@5.16.
[089f7a1285cb]
* logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c,
logsrvd/logsrvd_journal.c:
Set umask to be less restrictive before creating parent directories.
Otherwise we could end up creating them with a more restrictive mode
than intended. Coverity CID 221592
[1bbb3621106a]
* lib/eventlog/eventlog.c:
new_logline: handle case where evlog is NULL
[e14ded2179e8]
* logsrvd/logsrvd_local.c:
store_alert_local: fix memory leak on error path. Coverity CID 238642
[2a3c7fb50c38]
* plugins/sudoers/audit.c:
log_server_accept: fix memory leak of evlog when logging a sub-
command. Coverity CID 238643
[36a7325b3dc2]
* src/exec_intercept.c:
Fix memory leak when client requests secret. Move closure allocation
closer to where it is used.
[773ffe0cb216]
* logsrvd/logsrvd_local.c:
store_accept_local: fix return value on error
[de0d06a1ade2]
2021-08-13 Todd C. Miller
* lib/eventlog/eventlog.c:
Cast iolog_offset.tv_sec to long long for %lld printf format. Quiets
a compiler warning on systems where tv_sec in struct timeval is not
long long.
[54d757357a00]
* doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in,
lib/iolog/iolog_timing.c, plugins/sudoers/sudoreplay.c:
Add support for an optional offset when parsing the ID to replay.
The offset is a suffix in the form of @sec[.nanosec]
[f8cda41ea0ae]
* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
For intercepted commands, log an offset into the current I/O log.
This can be used with sudoreplay to jump to when a specific command
was executed within a session log.
[fd9431d7c878]
* logsrvd/logsrvd_local.c:
Don't overwrite closure->evlog for sub-commands.
[925c97582b1d]
* config.h.in, configure, configure.ac, include/sudo_compat.h:
Older Solaris has getusershell() et al but does not declare it.
[df4cd6a5e07f]
* src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c,
src/sudo_intercept_common.c:
Add missing stdint.h and sudo_rand.h includes. Needed for
arc4random() and uint64_t.
[47fd965524fe]
* include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c,
src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto,
src/sudo_exec.h, src/sudo_intercept_common.c:
Pass a secret value to sudo_intercept.so and verify after policy
check. The goal is to make it harder for someone to have a fake
policy checker. This will not stop a determined adversary since the
secret is present in the address space of the running process.
[7938c63384df]
2021-08-11 Todd C. Miller
* MANIFEST, src/Makefile.in, src/exec.c, src/exec_intercept.c:
Split off intercept code into exec_intercept.c.
[2c05715c4885]
* scripts/mkpkg:
Add trivial support for FreeBSD packages. The actual FreeBSD port
supports multiple options but this is sufficient for testing
purposes.
[6bb8a1cdf26c]
* scripts/pp:
FreeBSD: Set default directory and file mode if not specified in
%files. Otherwise, a mode of 0 will be used, potentially rendering
the system unusable.
[a3be86a5f85f]
* plugins/sudoers/logging.c:
Use same check for intercepted commands as log_server_accept().
Previously, log_server_reject() and log_server_alert() just checked
whether client_closure has been set.
[41177f7c32f4]
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c,
plugins/sudoers/log_client.c:
Call shutdown() on sockets before closing() if they are connected.
This should ensure that the other side sees any queued data before
the connection is dropped.
[beaafc6c17cf]
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c,
plugins/sudoers/log_client.c:
If SSL_shutdown() returns 0 it needs to be called one more time.
[52bb0acfb659]
* plugins/sudoers/editor.c:
resolve_editor: sudoers_gc_remove(editor) before freeing it.
[534cc939264f]
2021-08-10 Todd C. Miller
* lib/util/mksigname.h, lib/util/siglist.in:
Sync siglist.in with the generated files. The change to prefer
SIGSYS over SIGUNUSED wasn't made to siglist.in. Also, mksigname.c
doesn't need to explicitly set sudo_sys_signame[0].
[c331b05f8fc5]
* plugins/sudoers/Makefile.in, plugins/sudoers/editor.c,
plugins/sudoers/gc.c, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h:
Add garbage collection to resolve_editor(). Fixes a leak when
evaluating the policy multiple times if sudoedit is set.
[ab011d864e87]
2021-08-09 Todd C. Miller
* src/exec_common.c:
Fix compilation when configure option --disable-shared is specified.
[98687e01c8e4]
* doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/check.c,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/policy.c,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add intercept_authenticate sudoers option, defaults to false. By
default, sudoers will not require authentication of commands run via
an intercepted session. To require authentication of subsequent
commands, enable intercept_authenticate in sudoers.
[b428c75da1ad]
* config.h.in, configure, configure.ac, src/exec.c,
src/sudo_intercept_common.c:
If msg_control is not present in struct msghdr use msg_accrights
instead. Fixes building on Solaris and probably others. It is
possible to expose msg_control on Solaris but this requires a
specific set of feature flag defines which can cause other
complications.
[6ee77b869a8c]
* configure, configure.ac, src/exec_preload.c:
Require that our dso be first in the list to make sure it takes
effect. Otherwise, another dso could take precedence and ours would
not be run.
[58ba4086357c]
* configure, configure.ac, pathnames.h.in, src/Makefile.in,
src/exec_preload.c:
If building with address sanitizer make sure its DSO is first.
Address sanitizer requires that it be preloaded before any other DSO
in LD_PRELOAD. This should not be required for clang, which links in
asan statically by default.
[a812062f42a8]
* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Plug some memory leaks when sudoers_policy_main is called multiple
times. These would get cleaned up at policy close time but we don't
want to bloat sudo's memory footprint when running a shell with
multiple commands.
[7fee001ffeae]
* plugins/sudoers/audit.c, plugins/sudoers/iolog.c,
plugins/sudoers/log_client.c, plugins/sudoers/log_client.h,
plugins/sudoers/logging.c:
Fix logging intercepted commands to a log server in sudoers. Only
available when the server supports the subcommands capability.
[5975770561de]
* plugins/sudoers/audit.c, plugins/sudoers/logging.c,
plugins/sudoers/logging.h:
Use a separate uuid for intercepted commands. We use the uuid to
match the command with its exit status.
[467f0db6e2c6]
* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Avoid some double frees in the fuzzer. Now that sudoers frees old
values of NewArgv and command_info the fuzzer needs to reset those
values. Otherwise we end up with stashed values that have already
been garbage collected.
[2a1b5808d272]
* NEWS, configure, configure.ac:
Sudo 1.9.8
[bc96c8f95abf]
* doc/sudoers.man.in, doc/sudoers.mdoc.in,
plugins/sudoers/cvtsudoers_json.c,
plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/parse.c, plugins/sudoers/parse.h,
plugins/sudoers/policy.c, plugins/sudoers/toke.c,
plugins/sudoers/toke.l:
Add "intercept" Defaults setting to allow interception of sub-
commands. This causes "intercept" to be set to true in
command_info[] which the sudo front-end will use to determine
whether or not to intercept attempts to run further commands, such
as from a shell. Also add "log_children" which will use the same
mechanism but only log (audit) further commands.
[f42e11c0fde9]
* INSTALL, configure, configure.ac, doc/sudo.conf.man.in,
doc/sudo.conf.mdoc.in, examples/sudo.conf.in, include/sudo_conf.h,
lib/util/sudo_conf.c, lib/util/util.exp.in, pathnames.h.in,
src/Makefile.in, src/exec.c, src/exec_common.c, src/selinux.c,
src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
Add support for loading the sudo_intercept.so DSO.
[47d84cc8a8ed]
* include/sudo_compat.h, src/exec.c, src/exec_common.c,
src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c,
src/sesh.c, src/sudo_exec.h:
Allocate a socketpair to communicate with sudo_intercept.so over.
This is used for the intercept and log_children options.
[b40091760952]
* plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c,
plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
plugins/sudoers/file.c, plugins/sudoers/ldap.c,
plugins/sudoers/ldap_util.c, plugins/sudoers/policy.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sssd.c,
plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h:
Make it possible to call the sudoers policy check function multiple
times. We need to reset the Defaults values to their original state.
[3187e87d7fb6]
* plugins/sudoers/set_perms.c:
Allow set_perms(PERM_INITIAL) to be called more than once. If the
perm stack depth is non-zero when set_perms(PERM_INITIAL) is called,
rewind it first and re-initialize the stack depth to 0. Fixes a
use-after-free bug if set_perms(PERM_INITIAL) is called multiple
times.
[fdf9a2e07eb1]
* plugins/sudoers/audit.c, plugins/sudoers/logging.c,
plugins/sudoers/logging.h:
Use run_argv and run_envp passed into the audit plugin for event
logging. Previously we used NewArgv[] and env_get() but now that
logging is performed via an audit plugin we should use the values
passed in.
[d8e031fc2389]
* doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in,
include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c,
lib/logsrv/log_server.proto, logsrvd/logsrvd.c:
Allow multiple accept/reject messages during a logsrv conversation.
The log server now advertises a subcommands flag if it supports
logging subcommands (e.g. commands run from a sudo-spawned program
like a shell). The client should only log additional commands during
a session if this flag is set in the ServerHello message.
[5b88982604e8]
* MANIFEST, Makefile.in, configure, configure.ac,
lib/logsrv/Makefile.in, lib/logsrv/protobuf-c.c,
lib/protobuf-c/Makefile.in, lib/protobuf-c/protobuf-c.c:
Add separate convenience lib for protobuf-c. We need to use it for
sudo <-> sudo_intercept.so communication.
[9529d7f9db18]
* MANIFEST, include/intercept.pb-c.h, src/Makefile.in,
src/intercept.pb-c.c, src/intercept.proto:
Define protocol for sudo <-> sudo_intercept.so communication. Uses
google protocol buffers.
[139ba292e226]
* src/exec.c, src/sudo.c, src/sudo.h:
Implement the sudo side of the sudo_intercept.so communication.
[4a7face9ed17]
* MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c,
src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
Implement sudo_intercept.so. Uses protobuf to talk to main sudo
process over a socketpair.
[fc21ae0f663e]
* src/sudo.c, src/sudo.h:
Add return values for most of the plugin function wrappers that
returned void. Previously, they would just exit if there was an
error. Now the error is passed back up the stack so we can use them
in sudo_intercept.so.
[87cb4b0e7dff]
* src/sudo.c:
Reduce the number of function args passed to plugin wrappers. This
makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global. This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
[525bffcf911c]
* src/exec.c, src/sudo.c, src/sudo.h:
Call the approval plugin after the policy plugin accepts a command.
Previously, for intercepted commands we only called the policy
plugin.
[4df18aaa8708]
* src/exec.c:
Take control of the tty and save its settings before doing a policy
check. Otherwise the policy plugin won't be able to read the
password.
[6a422974d472]
* MANIFEST, src/Makefile.in, src/exec_common.c, src/exec_preload.c,
src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
Move preload_dso() to its own file and rename to sudo_preload_dso().
It now takes an intercept fd as an optional argument instead of a
list of extra variables to add. This lets us check whether it is
already set to the expected value (and add it if not).
sudo_intercept.so now uses sudo_preload_dso() to make sure that
LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing.
[447e96378d01]
* src/exec_preload.c, src/sudo_intercept_common.c:
Add debug support to sudo_intercept.so
[586ea125cebb]
* src/exec.c, src/exec_nopty.c, src/exec_pty.c:
Make the log_children option only log and not check policy.
[0524c7e87174]
* plugins/sudoers/prompt.c:
expand_prompt: use correct strlcpy() size parameter. The available
size passed to strlcpy() was computed incorrectly. Switch to
updating the length after writing to the new prompt instead of
computing it each time. The actual buffer size is computed and
allocated correctly so there is no real consequence to this bug.
Found by Qualys.
[c03f1c2f8f35]
2021-08-03 Todd C. Miller
* doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
examples/sudo_logsrvd.conf:
The tls_verify setting only affects server behavior, not the client.
Originally, there was a flag in the ServerHello message to indicate
that the client should verify the server cert, but this was removed
when TLS was moved to a separate port. Client validation of the server
certificate is now configured in the sudoers file instead.
[344b51f3eee3]
2021-08-02 Todd C. Miller
* scripts/mkpkg:
On macOS, don't disable tty tickets and set password timeout to 0.
This more closely matches the options used by the macOS version of
sudo.
[bd21c492921c]
* plugins/sudoers/find_path.c:
Add some debugging info to find_path()
[dd7aebb432d6]
2021-07-30 Todd C. Miller
* lib/iolog/iolog_mkdtemp.c:
iolog_mkdtemp: umask must not be more restrictive than the file
modes. We need this even though we will be calling mkdtemp() since
the umask affects the mode of any parent directories.
[c545b3369eae]
2021-07-29 Todd C. Miller
* plugins/sudoers/visudo.c:
Plug memory leak in error path when sudoers cannot be opened.
[3df6b32149b8]
* plugins/sudoers/defaults.c:
Trying to use "+=" or "-=" operators on a non-list is an error.
Previously, they were simply treated as "=" for non-lists.
[3e0d47d0b4ea]
* src/regress/net_ifs/check_net_ifs.c:
Plug a memory leak in check_net_ifs found by address sanitizer.
[bff1ad993476]
* configure, configure.ac:
Prefix sanitizer and fuzzer options with -XCClinker in ASAN_LDFLAGS.
Otherwise libtool may ignore the options when linking.
[ed1120f3813d]
2021-07-27 Todd C. Miller
* logsrvd/tls_init.c:
Display the correct error message if X509_verify_cert() fails. We
must use X509_STORE_CTX_get_error() and
X509_verify_cert_error_string() instead of the generic OpenSSL error
functions.
[778bbbe68e28]
* lib/eventlog/eventlog.c:
In new_logline check for NULL args->reason for EVLOG_RAW. This can't
happen in practice since we never set EVLOG_RAW without passing in a
reason. Coverity CID 237142 237143
[83f9038151db]
* lib/eventlog/eventlog.c:
format_json: don't dereference evlog if it is NULL. Also silence a
PVS Studio false positive.
[150039f65d26]
2021-07-26 Todd C. Miller
* configure, configure.ac:
Bump version to 1.9.7p2
[388bf6af8434]
* NEWS:
Sudo 1.9.7p2
[153a6c96a8ec]
* config.h.in, configure, configure.ac, include/sudo_compat.h,
logsrvd/tls_client.c, logsrvd/tls_init.c,
plugins/sudoers/log_client.c:
Use TLS_method() instead of TLS_client_method() throughout. OpenSSL
returns an error for SSL_accept() if TLS_client_method() was used to
generate the context (LibreSSL doesn't care).
Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method()
were used in the TLS client and server initialization code
respectively. This was refactored in sudo 1.9.7 to allow the code to
be shared. Bug #988
[1ca00726b4d6]
* plugins/sudoers/regress/fuzz/fuzz_policy.c:
Only replace getaddrinfo for
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. This works around an issue
on SCO which uses inline functions in the header files which call
the actual, versioned, library function.
[64cbf884b7f9]
2021-07-26 MertsA
* src/utmp.c:
Rewind utmp file pointer after searching for entry (#108)
getutline() advances the file pointer until it matches or reaches
EOF. pututline() starts from the current position in utmp. This
rewinds the file pointer to the beginning to avoid allocating
additional spurious utmp entries.
[142555f7a47e]
2021-07-25 Todd C. Miller
* configure, configure.ac, m4/sudo.m4:
Use AC_CACHE_CHECK in place of AC_MSG_CHECKING + AC_CACHE_VAL where
possible.
[7b0fb8de8276]
* config.h.in, configure, configure.ac, include/sudo_compat.h:
Add configure check for va_copy instead of using #ifdef. This
prevents the va_copy compat #define from being used if sudo_compat.h
is somehow included before stdarg.h.
[fcfd53b859ac]
2021-07-23 Todd C. Miller
* src/limits.c:
Avoid using RLIM_INFINITY for the nofile soft limit to prevent
closefrom_fallback() from closing too many file descriptors.
[e807ca9bfb6a]
* plugins/sudoers/logging.c:
Include signal.h for SIG2STR_MAX and sig2str().
[ad17a1be07e2]
2021-07-15 Todd C. Miller
* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
logsrvd/iolog_writer.c, plugins/sudoers/logging.c,
plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
Create a UUID and log it in the JSON version of the event log.
[8a1ad98fac51]
* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
Remove unused info_cb and info arguments from eventlog_exit()
[c614ef1afa12]
2021-07-09 Todd C. Miller
* include/sudo_eventlog.h, lib/eventlog/eventlog.c:
Add support for logging exit status events. For sudo-formatted logs,
this is a record with "EXIT=number" and potentially "SIGNAL=name"
after the command. For JSON-format logs, a new "exit" record is
logged which contains an "exit_value" and potentially "signal" and
"core_dumped". JSON-format logs now include a UUID to associate the
"exit" record with the "accept" record.
[52e40ae4b79a]
* doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c,
plugins/sudoers/def_data.h, plugins/sudoers/def_data.in,
plugins/sudoers/logging.c, plugins/sudoers/logging.h,
plugins/sudoers/policy.c,
plugins/sudoers/regress/fuzz/fuzz_policy.c:
Add log_exit_status sudoers option to log when a command exits. This
option defaults to off.
[cac3ca7ad193]
* doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
examples/sudo_logsrvd.conf, logsrvd/logsrvd.h,
logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
Add log_exit setting in the sudo_logsrvd.conf eventlog stanza. This
causes sudo_logsrvd to log a record with the exit status or
terminating signal in response to an ExitMessage.
[1a15f676974a]
2021-07-08 Todd C. Miller
* plugins/python/python_plugin_common.c:
Check that the python module we actually loaded is what we intended.
This is intended to provide a more useful error message if the user
defines a module which conflicts with a system python module. For
example, a module called test.py would conflict with the system
python test module.
[0676191e4741]
2021-07-02 Todd C. Miller
* doc/CONTRIBUTORS:
Mention that xkcd inspired the sandwich logo.
[c7839328e21f]
* doc/HISTORY:
Mention log server and fuzzers under Quest contributions.
[f4a081f75cd0]
2021-06-26 Todd C. Miller
* src/sesh.c, src/sudo.c, src/sudo_edit.c:
Don't assume that the number of groups returned by getgroups() is
static. On systems where getgroups() returns results based on more
than just the per-process group vector in the kernel it is possible
for the number of groups to change in between invocations. Based on
GitHub PR #106 from Pierre-Olivier Martel.
[dbc7a173a7b8]
* doc/Makefile.in:
Use "mandoc -Tlint -Wwarning" instead of -Wstyle. The style checks
now include "referenced manual not found" warnings which is not
helpful.
[251757f22498]
2021-06-22 Todd C. Miller
* logsrvd/Makefile.in, src/Makefile.in:
regen
[c6a21b385d57]
2021-06-21 Todd C. Miller
* lib/fuzzstub/fuzzstub.c:
Change ms from size_t to long. Avoids a spurious test failure on
Solaris 9
[c26f8d233ea9]
* plugins/sudoers/interfaces.c, src/net_ifs.c:
Move definition of INADDR_NONE from interfaces.c to net_ifs.c. Fixes
compilation on Solaris 9.
[9da2276cf944]
2021-06-19 Todd C. Miller
* logsrvd/logsrvd.c:
Fix dead store found by clang analyzer.
[5c85aeef651e]
* logsrvd/logsrvd_conf.c:
Fix prefix skipping when the prefix is embedded and not separate.
This doesn't currently matter since the progname and the ": " are
stored in separate messages. Found by clang analyzer.
[321e90e1b347]
* logsrvd/logsrvd_relay.c:
Remove dead store found by clang analyzer.
[5fd56f26e1ba]
2021-06-16 Todd C. Miller
* plugins/audit_json/audit_json.c:
Make sure we store an octal number (like umask) as a string. JSON
doesn't (portably) support octal numbers with a leading zero.
[3ac37bb42f1e]
* logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c,
logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Replace logsrvd_is_early() with logsrvd_warn_stderr(). This is now
defined in logsrvd_conf.c which removes a dependency on another
compilation unit for the fuzzer.
[3594cf3ec397]
2021-06-15 Todd C. Miller
* logsrvd/logsrvd_local.c:
Silence a compiler warning on Solaris.
[fd9ba461b601]
* logsrvd/logsrvd.c:
Reduce scope of errstr variable so it is only declared for OpenSSL.
[eebe09a17f4b]
* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen
[05b8391c6d13]
* logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c,
logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c,
logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c,
logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_init.c:
Use sudo_warnx?() instead of sudo_debug_printf for errors. We now
hook the warn functions so the messages are logged. The messages
still show up in the debug log too.
[9e25dc71b4cc]
2021-06-14 Todd C. Miller
* MANIFEST, config.h.in, configure, configure.ac,
include/sudo_compat.h, lib/util/Makefile.in,
lib/util/regress/vsyslog/vsyslog_test.c, lib/util/vsyslog.c,
scripts/mkdep.pl:
Remove vsyslog(3) emulation, it is no longer used.
[7d1b78c2037a]
2021-06-13 Todd C. Miller
* logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
If logsrvd_config not set fall back to using stderr for warnings.
Also fix fuzz_logsrvd_conf link error.
[eeaafe1b3e09]
* doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h,
logsrvd/logsrvd_conf.c:
Add support for logging server warning/error messages. We can use
sudo_warn_set_conversation() to set a conversation function that
either writes to a log file or calls syslog().
[5d8e13f053d0]
2021-06-11 Todd C. Miller
* NEWS, configure, configure.ac:
Sudo 1.9.7p1
[29f478993ef3]
2021-06-09 Todd C. Miller
* plugins/audit_json/audit_json.c:
Check arrays that are passed in for NULL before using them.
[925ba5b0f2cb]
* configure, configure.ac:
Disable nss_search()-based group lookups on HP-UX for now. There is
a crash when "group: compat" is used in /etc/nsswitch.conf that I
haven't been able to debug. Since HP-UX doesn't ship the appropriate
headers it is likely that there is a mismatch between
include/compat/nss_dbdefs.h and what HP actually uses.
[28b00005c785]
2021-06-08 Todd C. Miller
* logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Remove logsrvd closure ERROR state and use a boolean flag instead.
Fixes a bug where we would not insert a journal file that failed to
relay into the queue because its state was changed from CONNECTING
to ERROR after failing to connect.
[638285a4bedb]
* include/compat/nss_dbdefs.h, lib/util/getgrouplist.c:
Add NSS_TRYAGAIN and correct buflen in struct nss_XbyY_buf_t. Add
some function argument names. Also use struct nss_db_state * instead
of void * in nss_db_root_t. We don't define struct nss_db_state but
since it is a pointer all we need is a forward declaration.
[bc848fb97671]
2021-06-07 Todd C. Miller
* lib/fuzzstub/fuzzstub.c, lib/iolog/Makefile.in,
lib/util/Makefile.in, logsrvd/Makefile.in:
Make sure we link with libsudo_util *after* libfuzzstub. This only
affects builds with a static libsudo_util. Also fix a warning on
HP-UX about main not being public.
[18ff1f108c4e]
* MANIFEST, lib/util/Makefile.in,
lib/util/regress/getgrouplist/getgids.c:
Add getgids utility to simulate "id -G" using sudo_getgrouplist2()
[aed11065818d]
* lib/util/getgrouplist.c:
Make sure we don't read or write past the end of the group buffer.
We need to leave room for the terminating NULL in gr_mem. It is
possible for gbm->numgids > gbm->maxgids if we ran out of room.
[25a3ee849fd4]
2021-06-04 Todd C. Miller
* lib/util/getgrouplist.c:
Add some debugging to sudo_getgrouplist2().
[4d79e92c8ee8]
2021-06-02 Todd C. Miller
* src/load_plugins.c:
Fix some debug_decl typos and remove an unneeded cast.
[fafa91ac3def]
* plugins/sudoers/defaults.h:
T_TIMEOUT is not a bitwise flag so doesn't need to be a power of 2.
[66019af6d642]
2021-05-28 Todd C. Miller
* src/load_plugins.c:
sudo_stat_plugin(): set errno but do not warn if plugin path too
long. The caller will display the warning (using errno) so there is
no need to do it twice.
[c8614b374a35]
2021-05-26 Todd C. Miller
* doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in:
sudoreplay does not parse sudoers to find the value of iolog_dir.
The default value for the I/O log directory is set at build time.
[3cf72612e992]
* plugins/sudoers/policy.c:
Fix group list ref leak in sudoers_policy_store_result() on error
path.
[34785448a275]
2021-05-24 Todd C. Miller
* plugins/sudoers/policy.c:
Update comment to match reality.
[ec3e0a40d1ec]
2021-05-13 Todd C. Miller
* configure, configure.ac, scripts/ltmain.sh, src/Makefile.in:
Build sudo_noexec.so as a module on systems other than Darwin. On
Darwin, shared modules and shared libraries are not interchangeable
and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it
must be a library, not a module. We must relax the requirement that
libraries begin with a "lib" prefix to work around this difference.
This does mean you must use sudo's libtool on Darwin (macOS) but
that is already a requirement on other systems (notably HP-UX and
SCO) due to a number of libtool patches we require that haven't been
accepted upstream. This is a different fix for PR #102.
[2e5454c56d3c]
* configure, configure.ac:
Use -Wno-deprecated-declarations on macOS. This quiets warnings about
LDAP and audit libraries being deprecated. We will use them until
they are removed in a future version of macOS.
[6fbdf644865c]
2021-05-12 Todd C. Miller
* scripts/mkpkg:
Use /usr/bin/cc on FreeBSD and macOS.
[7d6bcea0e544]
* plugins/sudoers/log_client.c:
Don't include errno in "unable to connect to log server" message.
There should be a more specific message, usually with an error
string, displayed earlier.
[e599f9b0fd1c]
* src/ttyname.c:
Fix compiler warning on FreeBSD.
[2c6fc866fb5b]
* lib/iolog/hostcheck.c:
Explicitly include netinet/in.h for struct sockaddr_in and
sockaddr_in6. Fixes a compilation problem on FreeBSD.
[2277c8f37c34]
2021-05-10 Todd C. Miller
* plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po:
Updated translations from translationproject.org
[3d6d49097b98]
* plugins/sudoers/log_client.c:
Better warning when close function is passed a non-terminal signal.
[8b8628249e4d]
* logsrvd/logsrvd_local.c:
Remove line causing store_suspend_local() to return false on
success. This is something that should have been removed as part of
the local I/O logging refactor.
[e8ae1e61b8b2]
* src/exec_pty.c:
Don't set the command status in the closure when the command is
suspended. This should only be set for signals that terminate the
process. Fixes a bug where the sudo front-end could call the plugin
close function with a non-terminal signal argument.
[a95024bfb6e8]
2021-05-07 Todd C. Miller
* plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c:
Quiet -Wshadow warnings from gcc.
[7ff2985ba650]
* NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in:
The -g option may also be used with any group the target user
belongs to. The description in the Runas_Spec section incorrectly
stated that the -g option could not be used if no runas group was
set. Bug #975.
[67d1948d1aa8]
* configure, configure.ac:
Remove redundant "configuring Sudo version X.YY" line. We now
display this along with the summary info at the end.
[0d7c908f8d4c]
* configure, configure.ac:
Don't check for -Wl,-z,relro twice.
[a30dce71fb26]
2021-05-06 Todd C. Miller
* plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po,
plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po:
Updated translations from translationproject.org
[9303a20fe480]
* scripts/mkpkg:
Build python plugin for RHEL 6 as well.
[edaa6ec0e255]
* configure, configure.ac:
Remove shell-style quotes in configure warning/error/notice
messages. Square bracket quotes are used, no need for shell-style
double quotes.
[e6de284df511]
* NEWS, configure, configure.ac:
Summarize configure settings after all tests have run. This makes it
a lot easier to see what features have been enabled.
[12ea96affed5]
2021-05-04 Todd C. Miller
* INSTALL, configure, configure.ac:
Remove --with-efence option, there are better options available.
[78fd5ceb2c52]
* NEWS:
Move misplaced changes into the 1.9.7 section where they belong.
[1519f7a4669b]
* lib/util/regress/sudo_conf/conf_test.c:
Awful hack to pass on macOS where group_source=dynamic by default.
[b038bfab8c34]
* plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po,
plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po,
plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po,
plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/ca.mo,
po/ca.po, po/it.mo, po/it.po, po/sr.mo, po/sr.po:
Updated translations from translationproject.org
[7b156da85d13]
* NEWS:
Document late stage 1.9.7 changes.
[28756df7dcb4]
* doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in,
logsrvd/sendlog.c, logsrvd/sendlog.h:
sudo_sendlog: rename -m (max-time) to -s (stop-after).
[4f016111b242]
* logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c:
Update closure->elapsed_time in journal_seek(). Otherwise the commit
point messages won't be accurate when restarting.
[6cd4db44b8ee]
* doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in,
logsrvd/sendlog.c, logsrvd/sendlog.h:
Add "-m elapsed" option to specify the max elapsed time of records
to send. Useful for testing the ability of the server to handle
restarted log transfers.
[cd9c9235e320]
2021-05-03 Todd C. Miller
* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
Disable reading from client or relay when sending error to client.
We treat an error from the relay as fatal and must stop processing
data from both client and relay to make sure we don't get out of
sync.
[258f9691b3d9]
* logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c:
Fix I/O log restart of locally-stored logs. This got broken a while
ago when evlog in struct connection_closure was changed to a
pointer.
[8b59122891f9]
* scripts/pp:
Fix detection of the volatile flag when other flags are present.
Otherwise flags fields like "volatile,ignore-other" will be ignored
by the Debian and BSD back ends.
[0d120b9eab71]
* src/limits.c:
Fix debug message when prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) fails.
GitHub issue #101
[7d266c174457]
* logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c,
logsrvd/tls_common.h, plugins/sudoers/log_client.c:
Don't hard-code the TLS connect timeout, use normal connect timeout.
For sudo_logsrvd, this is the relay connect_timeout setting. For
sudoers, this is the log_server_timeout setting.
[49e29f187f5a]
2021-05-02 Todd C. Miller
* logsrvd/logsrvd_queue.c:
Add missing closedir(3) in logsrvd_queue_scan(). Coverity CID 221591
[e9745c64a721]
* NEWS:
Mention "log_server_verify" bug fix.
[a70060c34e7a]
* configure, configure.ac, doc/sudo_logsrvd.conf.man.in,
doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf,
m4/sudo.m4, pathnames.h.in:
Rename logsrvd log dir to /var/log/sudo_logsrvd.
[fb979be9927e]
* doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
examples/sudo_logsrvd.conf, logsrvd/logsrvd.h,
logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c:
Make the failed relay retry interval configurable. This is the
amount of time to wait before trying to resend a journal to the
relay server after a connection error.
[cbc04201a63e]
2021-05-01 Todd C. Miller
* MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h,
logsrvd/logsrvd_journal.c, logsrvd/logsrvd_queue.c,
logsrvd/logsrvd_relay.c:
Send outgoing messages to the relay server on startup. Also attempt
to retry messages that could not be relayed periodically.
[7ed12983af85]
* lib/util/fatal.c:
Avoid clobbering errno in warning().
[3282a7db7f51]
* logsrvd/logsrvd_relay.c:
Set relay name string to NULL after dropping the reference.
Otherwise it is possible to decrement the reference more than once.
[245d4e60ea21]
2021-04-30 Todd C. Miller
* plugins/sudoers/iolog.c:
Fix cut & pasto that prevented the verify_server option from being
set. The "log_server_verify" setting passed from the policy plugin
was applied to the "keepalive" option instead of "verify_server".
From Krisztian Kovacs.
[06f716981ad0]
2021-04-29 Todd C. Miller
* doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in,
logsrvd/logsrvd.c:
Write client and server information to debug file on SIGUSR1. This
can be used to debug client problems such as a connection not being
closed as expected.
[e6e3a4ba02f4]
* doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in:
Document journal file directories in store_first mode.
[a08de0c20127]
* logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c:
Create journal files in an incoming directory, move to outgoing when
complete. This will make it possible to process completed journal
files periodically if the relay server is down.
[5ced00c6eb7e]
* logsrvd/logsrvd_relay.c:
Add missing connection_close() call for relay-only connections. For
an immediate relay we will close the connection when the client
disconnects (or there is a timeout). However, for store-and-forward
mode the client has already disconnected at the time we are
relaying.
[e51e98489c6d]
2021-04-27 Todd C. Miller
* plugins/sudoers/po/sudoers.pot:
regen
[4aa3f848b223]
* logsrvd/logsrvd_conf.c:
Replace non-ascii characters in warning string.
[5e99ac170a15]
* lib/util/regress/getgrouplist/getgrouplist_test.c,
lib/util/regress/tailq/hltq_test.c,
plugins/sudoers/regress/check_symbols/check_symbols.c,
plugins/sudoers/regress/editor/check_editor.c,
plugins/sudoers/regress/exptilde/check_exptilde.c,
plugins/sudoers/regress/parser/check_base64.c,
plugins/sudoers/regress/parser/check_fill.c,
plugins/sudoers/regress/parser/check_gentime.c,
plugins/sudoers/regress/parser/check_hexchar.c,
plugins/sudoers/regress/starttime/check_starttime.c,
plugins/sudoers/regress/unescape/check_unesc.c:
Quiet clang analyzer false positive in regress tests.
[190ad1f287d8]
* MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c,
logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_local.c:
Move local iolog log functions to logsrvd_local.c
[e16e2a1d8209]
* logsrvd/logsrvd_relay.c:
Better client error reporting on relay server connection error. More
detailed error messages may be found in the debug log.
[d0807790327d]
* logsrvd/logsrvd.c:
Update debug pid string when sudo_logsrvd becomes a daemon.
[33069e2da7d5]
2021-04-26 Todd C. Miller