Todd C. Miller [Mon, 6 Mar 2017 20:05:17 +0000 (13:05 -0700)]
Prevent sudo from receiving SIGTTOU when it tries to restore the
controlling terminal. There appears to be a race with the shell
(bash) which we may lose.
Todd C. Miller [Fri, 3 Mar 2017 17:35:11 +0000 (10:35 -0700)]
Reorganize the command execution code to separate out the pty and
non-pty code paths into their own event loops. The non-pty exec
code is now contained in exec_nopty.c and the pty exec code is split
between exec_pty.c (parent process) and exec_monitor.c (session leader).
This results in a small bit of duplicated code but improves readability.
Some of the duplicated code will fall out in future changes to the
event subsystem (the signal pipe).
Todd C. Miller [Fri, 24 Feb 2017 22:14:56 +0000 (15:14 -0700)]
Set the child pid to -1 after we've waited for it and take care to
avoid killing pid -1. This makes it a bit more explicit and removes
the need for a separate variable to track the child's status.
Sudo already stops processing signals after it receives SIGCHLD so
it is not vulnerable to CVE-2017-2616.
Todd C. Miller [Mon, 20 Feb 2017 23:44:12 +0000 (16:44 -0700)]
Move the file digest code out of match.c and into filedigest.c.
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.
Todd C. Miller [Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)]
Only inherit SELinux role/type and Solaris privilege sets if
the command does not include any. Previously, a command with
only a role would inherit a type from the previous command
which is not what was intended.
Todd C. Miller [Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)]
Merge command tags, SELinux type/role and Solaris privs settings
into "command options". This relaxes the order of things so tags
and other options can be interspersed.
Todd C. Miller [Mon, 13 Feb 2017 20:38:24 +0000 (13:38 -0700)]
Fix for including a sudoers file that begins with the letter 'i'.
The hack to determine whether we are parsing an include or includedir
is no longer safe now that relative include paths are permitted.
Bug #776.
Todd C. Miller [Fri, 27 Jan 2017 16:26:51 +0000 (09:26 -0700)]
Always set the close-on-exec bit on the fd used to generate the
digest (i.e. the command to run) on systems that lack fexecve(2).
That way we don't need to explicitly close it using #ifdefs.
Todd C. Miller [Tue, 17 Jan 2017 17:10:47 +0000 (10:10 -0700)]
Fix documentation bug, the contents of env_file have never been
subject to env_keep or env_check. However, variables are only added
if they have not already been preserved.
Todd C. Miller [Tue, 17 Jan 2017 15:55:40 +0000 (08:55 -0700)]
Safer example for rule that can change non-root passwords. GNU
getopts allows options to follow arguments so we need to be able
to deny things like "passwd root -q". From Paul "Joey" Clark.
Bug #772
Todd C. Miller [Thu, 5 Jan 2017 13:22:58 +0000 (06:22 -0700)]
Avoid using the system strnlen/strndup on AIX < 6. Even if configure
correctly detects it is working on the build machine, the sudo
package may be run on a system with an old libc were it is broken.
Todd C. Miller [Thu, 1 Dec 2016 17:52:05 +0000 (10:52 -0700)]
Ignore a boot time that is in the future, which can happen when the
clock is corrected down after boot. Otherwise, the timestamp file
will be unlinked each time sudo is run and a password is always
required.
Todd C. Miller [Wed, 30 Nov 2016 02:46:25 +0000 (19:46 -0700)]
Fix the "all" setting for verifypw and listpw; nopass would never
be true even if all the user's entries had the NOPASSWD tag.
Regression introduce in sudo 1.8.17. Bug #762
Todd C. Miller [Mon, 21 Nov 2016 16:37:23 +0000 (06:37 -1000)]
Add SUDO_DEBUG_INSTANCE_ERROR return value for sudo_debug_register()
and check for it in places where we check the return value of
sudo_debug_register().