Todd C. Miller [Thu, 4 May 2017 17:00:22 +0000 (11:00 -0600)]
Add io_open() wrapper for open(2) that retries with PERM_IOLOG if
open(2) fails with EACCES. Use io_open() instead of duplicate
copies of the same fallback code.
Todd C. Miller [Fri, 28 Apr 2017 18:12:00 +0000 (12:12 -0600)]
Fix exponential behavior in glob() with respect to multiple '*'.
See https://research.swtch.com/glob
Adapted from https://perl5.git.perl.org/perl.git/commit/33252c318625f3c6c89b816ee88481940e3e6f95
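The difference this commit is about, as an added example (not sudo's glob.c or the Perl patch): a naive recursive matcher next to an iterative one that keeps a single restart point, the technique described in the linked article. Only '*' and '?' are handled, and the function names, step counters and sample pattern are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive: each '*' retries every suffix, so k stars cost O(n^k) calls. */
bool match_naive(const char *p, const char *s, unsigned long *steps)
{
    (*steps)++;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return match_naive(p + 1, s, steps) ||
            (*s != '\0' && match_naive(p, s + 1, steps));
    if (*s != '\0' && (*p == '?' || *p == *s))
        return match_naive(p + 1, s + 1, steps);
    return false;
}

/* Iterative: remembers only the most recent '*' and restarts from it on a
 * mismatch, never revisiting earlier stars. *steps counts loop iterations. */
bool match_iter(const char *p, const char *s, unsigned long *steps)
{
    size_t plen = strlen(p), slen = strlen(s);
    size_t px = 0, sx = 0, next_px = 0, next_sx = 0;
    while (px < plen || sx < slen) {
        (*steps)++;
        if (px < plen && p[px] == '*') {
            next_px = px;           /* on mismatch, come back to this star */
            next_sx = sx + 1;       /* and let it absorb one more character */
            px++;
        } else if (px < plen && sx < slen &&
            (p[px] == '?' || p[px] == s[sx])) {
            px++, sx++;
        } else if (next_sx > 0 && next_sx <= slen) {
            px = next_px, sx = next_sx;
        } else {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed worst case: five stars, and no 'b' anywhere in the name. */
    const char *pat = "a*a*a*a*a*b", *name = "aaaaaaaaaaaaaaaaaaaa";
    unsigned long n = 0, i = 0;
    int rn = match_naive(pat, name, &n), ri = match_iter(pat, name, &i);
    printf("naive: %d in %lu calls, iterative: %d in %lu steps\n", rn, n, ri, i);
}
```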
Todd C. Miller [Fri, 28 Apr 2017 16:32:15 +0000 (10:32 -0600)]
We no longer need to write to the tty if the command was killed by
a signal. Sudo will terminate itself with the same signal the
command died from. Unfortunately, we lose the "core dumped" bit
since sudo itself will not dump core, but there doesn't appear to
be a way around that.
Todd C. Miller [Thu, 27 Apr 2017 16:34:30 +0000 (10:34 -0600)]
If the command terminated due to a signal, sudo will send that same
signal to itself so the parent shell knows the command died from
a signal. However, we don't want sudo itself to dump core.
Todd C. Miller [Thu, 27 Apr 2017 02:17:34 +0000 (20:17 -0600)]
The fix for Bug #722 contained a typo/thinko that resulted in the
exit status being 0 when a command was killed by a signal other
than SIGINT. This fixes the signal handler setup so sudo will
terminate with the same signal as the command. Bug #784.
Todd C. Miller [Wed, 26 Apr 2017 20:49:05 +0000 (14:49 -0600)]
Don't install the rc.d link when installing to a DESTDIR.
DESTDIR is generally only set when installing to a temporary
directory for packaging in which case the link should be
made in a post-install script.
Todd C. Miller [Wed, 26 Apr 2017 19:52:49 +0000 (13:52 -0600)]
In "make install", install sample sudoers file as /etc/sudoers.dist
and copy it to /etc/sudoers if there is no existing /etc/sudoers.
Packages either contain /etc/sudoers (RPM and Debian) or /etc/sudoers.dist
(everything else).
Todd C. Miller [Thu, 20 Apr 2017 22:13:14 +0000 (16:13 -0600)]
Use the standard idiom for popping all entries from a tail queue.
The llvm checker gets confused by TAILQ_REMOVE and generates
use-after-free false positives.
Todd C. Miller [Wed, 19 Apr 2017 15:39:55 +0000 (09:39 -0600)]
Avoid unused variable when getgrouplist_2() is available.
It would be nicer to just provide getgrouplist_2() (or the equivalent)
and avoid the ugly #ifdefs.
Todd C. Miller [Tue, 11 Apr 2017 22:56:04 +0000 (16:56 -0600)]
Try to make it clear that when match_group_by_gid is enabled, groups
in sudoers are looked up by group name instead of group ID. This
doesn't usually cause problems, but if there are conflicting group
entries (for example, from a local /etc/group file and an LDAP or
AD group database), whether the group is resolved by name or ID can
be used to work around conflicts.
Todd C. Miller [Mon, 27 Mar 2017 20:45:24 +0000 (14:45 -0600)]
Make check_digest test sudo_filedigest() itself instead of the
underlying SHA2 functions. That way we can test it regardless of
whether we use sudo's SHA2 functions or a library version.
Todd C. Miller [Thu, 23 Mar 2017 23:00:27 +0000 (17:00 -0600)]
Only retry mkdir or create with PERM_IOLOG if errno is EACCES.
Also always use PERM_IOLOG for mkdtemp() since we cannot retry
if it fails. Since we are guaranteed to create a new directory
there's no real need to try w/o PERM_IOLOG in this case.
Todd C. Miller [Tue, 14 Mar 2017 15:11:56 +0000 (09:11 -0600)]
Make it clear that I/O logs will be complete even if the command
run by sudo is terminated by a signal. The I/O log buffering just
prevents the logs from being displayed in real-time as the command
is running.
Todd C. Miller [Tue, 7 Mar 2017 19:29:21 +0000 (12:29 -0700)]
Add tcsetpgrp_nobg() which acts like tcsetpgrp() but returns -1
for a background process. This is safer than blocking SIGTTOU
which would cause tcsetpgrp() to succeed in the background.
Todd C. Miller [Mon, 6 Mar 2017 20:05:17 +0000 (13:05 -0700)]
Prevent sudo from receiving SIGTTOU when it tries to restore the
controlling terminal. There appears to be a race with the shell
(bash) which we may lose.
Todd C. Miller [Fri, 3 Mar 2017 17:35:11 +0000 (10:35 -0700)]
Reorganize the command execution code to separate out the pty and
non-pty code paths into their own event loops. The non-pty exec
code is now contained in exec_nopty.c and the pty exec code is split
between exec_pty.c (parent process) and exec_monitor.c (session leader).
This results in a small bit of duplicated code but improves readability.
Some of the duplicated code will fall out in future changes to the
event subsystem (the signal pipe).
Todd C. Miller [Fri, 24 Feb 2017 22:14:56 +0000 (15:14 -0700)]
Set the child pid to -1 after we've waited for it and take care to
avoid killing pid -1. This makes it a bit more explicit and removes
the need for a separate variable to track the child's status.
Sudo already stops processing signals after it receives SIGCHLD so
it is not vulnerable to CVE-2017-2616.
Todd C. Miller [Mon, 20 Feb 2017 23:44:12 +0000 (16:44 -0700)]
Move the file digest code out of match.c and into filedigest.c.
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.