Todd C. Miller [Thu, 3 Aug 2017 13:32:24 +0000 (07:32 -0600)]
Allow the user to specify a list of environment variables to preserve.
This adds an option paramter to the --preserve-env option, a
comma-separated list of variable names.
Todd C. Miller [Tue, 1 Aug 2017 22:14:54 +0000 (16:14 -0600)]
Replace tty_tickets option with timestamp_type which can be
global, ppid or tty. Defaults to tty (no change in behavior).
Some users want the ppid behavior.
Todd C. Miller [Fri, 28 Jul 2017 19:52:55 +0000 (13:52 -0600)]
Add support for --enable-sasl and --disable-sasl to make it possible
to enable/disable support for LDAP with SASL authentication. Sudo
compiles in support for SASL authentiation by default if the
ldap_sasl_interactive_bind_s() function is detected.
Bug #788
Todd C. Miller [Thu, 27 Jul 2017 20:10:44 +0000 (14:10 -0600)]
Terminate the command if an I/O log function returns 0 or -1. This
was mistakenly removed by 25b7fd056614 in Sudo 1.8.18 with the
removal of the ignore_iolog_errors variable.
Todd C. Miller [Fri, 21 Jul 2017 15:07:00 +0000 (09:07 -0600)]
Don't set passprompt_override when SUDO_PROMPT is present.
This effectively reverts ed77d255f383.
We treat the SUDO_PROMPT environment variable similar to passprompt
in sudoers: it will only override a PAM prompt if the PAM prompt
is either "Password:" or "username's Password:".
Todd C. Miller [Thu, 20 Jul 2017 22:06:47 +0000 (16:06 -0600)]
When deciding which prompt to use (PAM's or sudo's) treat the PAM
prompt "username's Password:" as equivalent to "Password:".
Some PAM modules (on AIX at least) use this prompt.
Todd C. Miller [Mon, 17 Jul 2017 15:42:42 +0000 (09:42 -0600)]
Call install_sudoers() even when doedit is false. If a file in a
#includedir has a syntax error it will still have been edited and
we need to install the edited temp file.
Todd C. Miller [Wed, 12 Jul 2017 11:47:28 +0000 (05:47 -0600)]
Clear input, output, control and local flags before copying them
from the source terminal. Otherwise, flags that are disabled
in the source terminal may still be enabled in the destination.
Todd C. Miller [Wed, 12 Jul 2017 11:45:46 +0000 (05:45 -0600)]
Remove pointless subshells in targets that simply change the directory
and execute a command. The command is already run in a shell so
there is no need to execute a subshell in this case.
Todd C. Miller [Thu, 15 Jun 2017 18:59:46 +0000 (12:59 -0600)]
When copying terminal settings from one tty to another only copy a
subset of the flags. Sudo now copies the same set of flags that
OpenSSH uses, which should be safe.
Todd C. Miller [Thu, 15 Jun 2017 13:51:00 +0000 (07:51 -0600)]
Better handling of SIGCONT from in command in the monitor. It is
useful to know when the command continued but we don't want to
inform the parent or store the wait status in this case. Fixes a
hang after multiple suspends on Linux.
Todd C. Miller [Mon, 5 Jun 2017 13:11:09 +0000 (07:11 -0600)]
sudo_edit() must return a wait status but if there is an error, or
even if no changes were made to the file, it was returning 1 instead
which would be interpreted as the command having received SIGHUP.
Use the W_EXITCODE() to construct a proper wait status in the error
case too.
Todd C. Miller [Sat, 3 Jun 2017 14:45:29 +0000 (08:45 -0600)]
Avoid sign extension when assigning the value of tty_nr in
/proc/self/stat on Linux. It is an unsigned int value that
is printed as a signed int but dev_t is unsigned long long.
We need to cast to unsigned int before assigning to a dev_t.
Todd C. Miller [Sat, 3 Jun 2017 14:43:32 +0000 (08:43 -0600)]
Instead of hard-coding a check for bash functions in env_should_delete(),
use a "*=()* " pattern in initial_badenv_table[] to match them instead.
This allows the user to remove the check via env_delete.
Todd C. Miller [Wed, 31 May 2017 15:14:31 +0000 (09:14 -0600)]
A command name may also contain newline characters so read
/proc/self/stat until EOF. It is not legal for /proc/self/stat to
contain embedded NUL bytes so treat the file as corrupt if we see
any. With help from Qualys.
This is not exploitable due to the /dev traversal changes in sudo
1.8.20p1 (thanks Solar!).
Todd C. Miller [Tue, 30 May 2017 16:44:11 +0000 (10:44 -0600)]
Add a new "devsearch" Path setting to sudo.conf for configuring the
/dev paths to traverse instead of hard-coding a list in ttyname.c
The default value can be set at configure time.
Todd C. Miller [Mon, 29 May 2017 20:32:53 +0000 (14:32 -0600)]
Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when
the process name contains spaces. Since the user has control over
the command name this could be used by a user with sudo access to
overwrite an arbitrary file.
Thanks to Qualys for investigating and reporting this bug.
Also stop performing a breadth-first traversal of /dev when looking
for the device. Only the directories specified in search_devs[]
are checked.
Todd C. Miller [Fri, 12 May 2017 16:02:17 +0000 (10:02 -0600)]
Add SIGCHLD to the list of signals we install sudo_handler() for.
Otherwise, it is possible for the command to exit before the SIGCHLD
handler is installed. POSIX says that signals that are ignored by
default are still ignored even if the signal mask would block them.
We need to have a handler installed for SIGCHLD before the fork().
Todd C. Miller [Fri, 12 May 2017 16:02:17 +0000 (10:02 -0600)]
Activate the sigevents inside the signal pipe callback itself
and call signal_pipe_cb() directly if the backend returns EINTR
and the signal_caught flag is set. This has the side effect of
processing signal events in the current pass of the event loop
instead of the next one.
Todd C. Miller [Mon, 8 May 2017 19:55:02 +0000 (13:55 -0600)]
Be clear that #includedir diverts control to the files in the
specified directory and, when parsing of those files is complete,
returns control to the original file. Bug #775
Todd C. Miller [Fri, 5 May 2017 20:27:42 +0000 (14:27 -0600)]
If any of std{in,out,err} are not hooked up to a tty only interpose
ourselves with a pipe if the plugin will actually log the data.
This avoids a problem with non-interactive commands where no tty
is present where sudo will consume stdin even when log_input is not
enabled in sudoers.
Todd C. Miller [Thu, 4 May 2017 18:25:51 +0000 (12:25 -0600)]
In check_input() when switch()ing on the return value of read(),
use the default label instead of 1 for the success case. It is
only reading a single byte so the two are equivalent but it reads
better using default.