Todd C. Miller [Thu, 20 Jun 2019 17:40:47 +0000 (11:40 -0600)]
Don't describe env_editor as a security hole.
Users that are able to edit sudoers can grant themselves permissions
so the fact that visudo runs the editor as root is not a security issue.
Todd C. Miller [Thu, 20 Jun 2019 17:05:15 +0000 (11:05 -0600)]
Fix details of how EDITOR, VISUAL and SUDO_EDITOR are (or are not) preserved.
The description in the editor option was incorrect and didn't mention env_keep.
Reported by Sander Bos
Todd C. Miller [Thu, 20 Jun 2019 16:11:26 +0000 (10:11 -0600)]
Modern visudo locks the actual sudoers file, not the sudoers.tmp file.
Refer to sudoers.tmp as a temporary file, not a lock file.
Reported by Sander Bos
Todd C. Miller [Thu, 20 Jun 2019 02:32:22 +0000 (20:32 -0600)]
In tty_present(), check for /dev/tty if sudo was unable to get the tty name.
For requiretty it is enough to check that /dev/tty is available.
If sudo can't get the tty from the kernel (missing /proc?) that is OK.
Todd C. Miller [Thu, 20 Jun 2019 02:29:08 +0000 (20:29 -0600)]
Don't refuse to use the tty unless /dev/tty is unavailable.
We don't care whether sudo was able to get the tty name from the kernel.
All that really matters is whether we are able to disable echo as needed.
Todd C. Miller [Wed, 19 Jun 2019 20:29:25 +0000 (14:29 -0600)]
Better description of secure_path.
The secure_path option affects the resolution of unqualified commands
as well as the environment that commands run with.
Todd C. Miller [Wed, 19 Jun 2019 20:02:16 +0000 (14:02 -0600)]
Fix a few typos and awkward wording.
Use the singular "they" instead of he/she.
Add back missing text in description of variables starting with ().
Based on changes from Sander Bos.
Todd C. Miller [Wed, 29 May 2019 21:26:57 +0000 (15:26 -0600)]
Use the runhost for "User foo is not allowed to run sudo on bar."
Otherwise, if the -h option is specified sudo will print the local
host name instead of the host specified via -h.
Todd C. Miller [Sun, 26 May 2019 22:29:08 +0000 (16:29 -0600)]
When using AIX auth, don't display the AIX password incorrect message.
Avoids a "3004-300 You entered an invalid login name or password"
message in addition to sudo's own "Sorry, try again" message.
Todd C. Miller [Sun, 28 Apr 2019 13:26:45 +0000 (07:26 -0600)]
Filter out last login messages on HP-UX unless running a shell.
HP-UX in trusted mode will display last login messages as part of
the PAM account management module by libpam_comsec. There is no
way to suppress these messages from the PAM configuration in trusted
mode so we need to filter them in the conversation function. In
regular mode, similar (but different) messages may be produced by
libpam_hpsec.
Todd C. Miller [Sat, 20 Apr 2019 23:28:45 +0000 (17:28 -0600)]
Keep debug fds open in send_mail() to aid in debugging.
Adds closefrom_nodebug() which acts like closefrom(3) but doesn't
close debug fds for use by send_mail().
Also moves the code to exec the mailer to its own function.
Todd C. Miller [Mon, 8 Apr 2019 14:50:03 +0000 (08:50 -0600)]
Restrict the PAM_TTY kludge to Solaris and Linux-PAM.
Setting PAM_TTY to the empty string causes problems with some modules
on HP-UX so restrict it to systems where it is fixes known issues.
Todd C. Miller [Thu, 7 Mar 2019 03:13:40 +0000 (20:13 -0700)]
Ignore EOVERFLOW from pstat_getproc(), it is not a fatal error.
It just means that one of the fields in pstat lacks the precision to
store a value. That's not an issue for pst_highestfd.
Todd C. Miller [Wed, 6 Feb 2019 13:30:00 +0000 (06:30 -0700)]
On RedHat/CentOS get the OS major version from /etc/redhat-release.
We cannot determine this from the output of "pp --probe" since it
doesn't contain a period to separate the major and minor numbers.
Todd C. Miller [Fri, 25 Jan 2019 17:39:57 +0000 (10:39 -0700)]
Use $ac_cv_search_FUNCTION instead of $ac_lib and $ac_res.
Fixes a problem where libcrypt is not used with autoconf caching.
Adapted from a diff from Adam Labbe.
Todd C. Miller [Sun, 20 Jan 2019 14:49:48 +0000 (07:49 -0700)]
Minor snprintf() usage tweaks:
1) don't assume snprintf() returns -1 on error, check for <0
2) when comparing return value of sizeof(foo), cast the sizeof, not the len
3) cast return value to void in cases where snprintf cannot fail
Todd C. Miller [Mon, 7 Jan 2019 16:50:40 +0000 (09:50 -0700)]
Use PAM_SILENT to prevent pam_lastlog from printing last login
information on RedHat except when explicitly running a shell.
Adapted from a patch from Nir Soffer. Bug #867
Todd C. Miller [Mon, 7 Jan 2019 16:38:03 +0000 (09:38 -0700)]
Fix the default nofiles and stack hard limits.
The table of default hard limits in /etc/security/limits was out
of date with respect to the current documentation. The default
hard limit for nofiles should be unlimited, not 8196. The default
hard limit for stack should be 4194304 blocks (which fits in an
unsigned long on 32-bit platforms).
Todd C. Miller [Fri, 7 Dec 2018 16:51:34 +0000 (09:51 -0700)]
The fix for bug #843 was incomplete and caused pam_end() to be called early.
sudo_pam_approval() must not set the global pam status to an error
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
will call pam_end() before sudo_pam_begin_session(). This resulted
in a NULL PAM handle being used in sudo_pam_begin_session().
Todd C. Miller [Wed, 5 Dec 2018 17:43:14 +0000 (10:43 -0700)]
Don't run the command in a pty if no I/O plugins are logging anything.
That way an I/O plugin that doesn't actually log anything won't cause
the command to be run in a pty.
Todd C. Miller [Tue, 27 Nov 2018 20:15:08 +0000 (13:15 -0700)]
Fix section in the .TH line of *.man.in file.
The substitution for @mansectsu@ and @mansectform@ was broken.
No longer need to strip out OpenBSD from the header line.
Todd C. Miller [Tue, 27 Nov 2018 15:14:15 +0000 (08:14 -0700)]
Use roff conditionals in the manuals instead of post-processing.
We still need to process the resulting .man.in files to add back
the conditionals but this should be easier to debug as the changes
are visible in the .in file.
Some minor postprocessing is still used to make the manuals HP-UX
friendly and to change "0 seconds" -> unlimited after substitution.
Todd C. Miller [Sat, 24 Nov 2018 15:39:09 +0000 (08:39 -0700)]
Sudo plugin manual updates and clarification from Guillem Jover:
- Add missing return information for show_version().
- Fix prototypes for several function pointers.
- Update SUDO_API_VERSION_MINOR.
- Add missing references to log_suspend() and change_winsize().
- Add missing "array.".
- Clarify that argc can be zero on sudo -V.
- Clarify size requirements for conversation array arguments.
- Clarify timeout zero value for struct sudo_conv_message.
- Clarify initial and final state of reply in struct sudo_conv_reply.
Todd C. Miller [Sat, 24 Nov 2018 15:34:03 +0000 (08:34 -0700)]
Revert changes to give arguments to the .Bx macro.
This is intended for things like .Bx 4.3 to generate "4.3BSD" so
the argument ends up before the BSD, not after. Just go back to
using "BSD authentication" and "BSD login classes" so fixmdoc.sh
can operate correctly. Bug #861