Todd C. Miller [Tue, 16 Jan 2018 17:27:58 +0000 (10:27 -0700)]
Add an approval function to the sudo auth API which is run after
the user's password has been verified. The approval function is
run even if no password is required. This is currently only used
for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
Todd C. Miller [Thu, 11 Jan 2018 17:49:20 +0000 (10:49 -0700)]
Add tsdump, a simple utility to dump a timestamp file. To build,
run "make tsdump" in the plugins/sudoers directory (it is not built
by default). In order to map the tty device number to a name,
sudo_ttyname_dev() has been moved into libsudo_util.
Todd C. Miller [Mon, 18 Dec 2017 17:35:37 +0000 (10:35 -0700)]
Trivial test for process start time. We don't try to check the
resulting timespec as it differs by platform. On most it is wallclock
time, on others it is relative to boot time (Linux).
Todd C. Miller [Sat, 16 Dec 2017 21:50:14 +0000 (14:50 -0700)]
Fix debug_decl(), it should be SUDOERS_DEBUG_UTIL
Add debugging for the successful case
For Linux, don't NUL out *ep before parsing with strtoull().
* * *
Add missing debug info for the System V /proc version.
Todd C. Miller [Sat, 16 Dec 2017 12:53:05 +0000 (05:53 -0700)]
In the timestamp record, include the start time of the terminal
session leader for tty-based timestamps or the start time of the
parent process for ppid-based timestamps. Idea from Duncan Overbruck.
Todd C. Miller [Sat, 16 Dec 2017 04:08:38 +0000 (21:08 -0700)]
If the lock record doesn't match the expected record size we need
to seek to the end of the record as we otherwise may have gone too
far (or not far enough). Fixes interop problems when the time stamp
record changes size.
Todd C. Miller [Sun, 10 Dec 2017 12:56:22 +0000 (05:56 -0700)]
Treat a blank line in a commit message as a line break. There
doesn't appear to be a way to make perl's format use a blank field
but at least the line break happens now.
Todd C. Miller [Fri, 1 Dec 2017 20:43:06 +0000 (13:43 -0700)]
When the command completes, make the monitor the foreground process
group before informing the main sudo process of the command's exit
status. This will prevent processes started by the command (which
runs in a different process group) from receiving SIGHUP since the
kernel sends SIGHUP to the foreground process group associated with
the terminal session. The monitor has a SIGHUP handler installed
so the signal is effectively ignored.
Todd C. Miller [Thu, 30 Nov 2017 16:53:21 +0000 (09:53 -0700)]
Don't loop over read/write, recv/send or tcgetpgrp/tcsetpgrp trying
to handle EINTR. We now use SA_RESTART with signals so this is not
needed and is potentially dangerous if it is possible to receive
SIGTTIN or SIGTTOU (which it currently is not).
Todd C. Miller [Wed, 29 Nov 2017 19:06:12 +0000 (12:06 -0700)]
Handle receipt of SIGTTIN/SIGTTOU when reading/writing from/to the tty.
We can't use a signal event for these since that would restart the
system call after the signal was handled and the callback would not
get a chance to run. Fixes running a command in the background that
write to the tty when the TOSTOP terminal flag is set.
Todd C. Miller [Wed, 29 Nov 2017 19:06:12 +0000 (12:06 -0700)]
We don't need to be the foreground process to be able to write to
the terminal in most cases. If the background process tries to
modify the terminal flags it will receive SIGTTOU which is relayed
to the sudo front-end. This currently mishandles terminals with
the TOSTOP local flag set.
Todd C. Miller [Tue, 28 Nov 2017 18:28:44 +0000 (11:28 -0700)]
Avoid a double free when ipa_hostname is set in sssd.conf and it
is an unqualified host name. From Daniel Kopecek.
Also move the "unable to allocate memory" warning into get_ipa_hostname()
itself to make it easier to see where the allocation failed in the
debug log.
Todd C. Miller [Tue, 28 Nov 2017 16:48:43 +0000 (09:48 -0700)]
When running a command as the invoking user we cannot use the gid
list from the front-end since it may not correspond to the user's
aux group vector as defined by the group database.
Todd C. Miller [Wed, 15 Nov 2017 22:06:45 +0000 (15:06 -0700)]
In list (-l) or verify (-v) mode, if we have a match but authentication
is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication. From Radovan Sroka of RedHat
Todd C. Miller [Wed, 15 Nov 2017 19:27:39 +0000 (12:27 -0700)]
When checking the results for "sudo -l" and "sudo -v", keep checking
even after we get a match since the value of doauth may depend on
evaluating all the results. From Radovan Sroka of RedHat.
Todd C. Miller [Tue, 14 Nov 2017 20:58:35 +0000 (13:58 -0700)]
If passwd_tries is less than 1, check_user() will always return
false (since the user didn't authenticate). The normal reason for
this is an authentication error but in this case no authentication
was tries so no warning message has been displayed to the user. If
the user wasn't given a chance to authenticate, set inform_user to
true when calling log_denial() from sudoers_policy_main().
An alternate approach would be for check_user() to return true
in this case but seems more confusing.
Todd C. Miller [Thu, 7 Sep 2017 20:59:37 +0000 (14:59 -0600)]
More accurately describe the use_pty option now that its behavior
has changed with respect to interposition with a pipe.
Also describe some caveats with log_input.
Todd C. Miller [Thu, 7 Sep 2017 17:32:30 +0000 (11:32 -0600)]
If /dev/tty is not available and no I/O logging plugins are configured,
fall back on exec_nopty() even if the policy plugin requested a pty.
We never allocate a pty when sudo is not run from a terminal anyway.
Todd C. Miller [Wed, 6 Sep 2017 21:59:37 +0000 (15:59 -0600)]
Set SIGCHLD handler to SIG_DFL before forking the askpass command
and restore after. Otherwise, SIGCHLD will end up in the list of
pending signals and sudo_execute() will not execute the command.
Todd C. Miller [Wed, 6 Sep 2017 18:29:36 +0000 (12:29 -0600)]
The read and write sides of signal_pipe[] were swapped, resulting
in EBADF reading from and writing to the signal pipe on Linux and
probably others. On systems with bidirectional pipes this was not
an issue.