]> granicus.if.org Git - sudo/log
sudo
6 years agosync with translationproject.org
Todd C. Miller [Sat, 21 Apr 2018 19:56:36 +0000 (13:56 -0600)]
sync with translationproject.org

6 years agoAdd tests for round-tripping cvtsudoers, sudoers -> LDIF -> sudoers
Todd C. Miller [Sat, 21 Apr 2018 12:23:02 +0000 (06:23 -0600)]
Add tests for round-tripping cvtsudoers, sudoers -> LDIF -> sudoers
and LDIF -> sudoers -> LDIF.

6 years agoTest the -b option when converting from LDIF.
Todd C. Miller [Thu, 19 Apr 2018 15:24:08 +0000 (09:24 -0600)]
Test the -b option when converting from LDIF.

6 years agoFix the -b option when converting from LDIF.
Todd C. Miller [Thu, 19 Apr 2018 15:23:45 +0000 (09:23 -0600)]
Fix the -b option when converting from LDIF.

6 years agosync with translationproject.org
Todd C. Miller [Thu, 19 Apr 2018 03:14:10 +0000 (21:14 -0600)]
sync with translationproject.org

6 years agoFix some more typos.
Todd C. Miller [Wed, 18 Apr 2018 20:25:11 +0000 (14:25 -0600)]
Fix some more typos.

6 years agomandoc now preserves the copyright notice, no need to do it ourselves
Todd C. Miller [Wed, 18 Apr 2018 20:24:51 +0000 (14:24 -0600)]
mandoc now preserves the copyright notice, no need to do it ourselves

6 years agoDescribe the special handling of LOGNAME, USER and USERNAME.
Todd C. Miller [Wed, 18 Apr 2018 20:14:47 +0000 (14:14 -0600)]
Describe the special handling of LOGNAME, USER and USERNAME.
Fix typos reported by aspell.

6 years agoFix a memory leak on the error path.
Todd C. Miller [Wed, 18 Apr 2018 16:09:22 +0000 (10:09 -0600)]
Fix a memory leak on the error path.

6 years agoDocument that the editor setting is also used by sudoedit.
Todd C. Miller [Wed, 18 Apr 2018 15:40:48 +0000 (09:40 -0600)]
Document that the editor setting is also used by sudoedit.

6 years agoPlug memory leak when an I/O plugin is specified in sudo.conf
Todd C. Miller [Tue, 17 Apr 2018 19:41:44 +0000 (13:41 -0600)]
Plug memory leak when an I/O plugin is specified in sudo.conf
but the I/O plugin is not configured.

6 years agoMonty Python insults from Philip Hudson
Todd C. Miller [Tue, 17 Apr 2018 13:10:43 +0000 (07:10 -0600)]
Monty Python insults from Philip Hudson

6 years agoadd examples
Todd C. Miller [Sun, 15 Apr 2018 23:06:26 +0000 (17:06 -0600)]
add examples

6 years agoUpdate copyright year and regen man pages.
Todd C. Miller [Sun, 15 Apr 2018 22:43:06 +0000 (16:43 -0600)]
Update copyright year and regen man pages.

6 years agosync with translationproject.org
Todd C. Miller [Sun, 15 Apr 2018 14:21:40 +0000 (08:21 -0600)]
sync with translationproject.org

6 years agocvtsudoers regress tests
Todd C. Miller [Sun, 15 Apr 2018 14:14:46 +0000 (08:14 -0600)]
cvtsudoers regress tests

6 years agoPrune alias contents when pruning and expanding aliases.
Todd C. Miller [Sun, 15 Apr 2018 14:14:46 +0000 (08:14 -0600)]
Prune alias contents when pruning and expanding aliases.
This abuses the userlist_matches_filter() and hostlist_matches_filter()
functions.  A better approach would be to call the correct function
from user_matches() and host_matches().

6 years agoFix typo
Todd C. Miller [Sun, 15 Apr 2018 01:54:54 +0000 (19:54 -0600)]
Fix typo

6 years agoFix cut & pasto that prevented "-d command" from working.
Todd C. Miller [Sat, 14 Apr 2018 12:13:44 +0000 (06:13 -0600)]
Fix cut & pasto that prevented "-d command" from working.

6 years agoFix a user after free crash as well as a memory leak when filtering
Todd C. Miller [Fri, 13 Apr 2018 16:49:05 +0000 (10:49 -0600)]
Fix a user after free crash as well as a memory leak when filtering
Defaults.

6 years agoDocument that a User_Alias or Host_Alias may be used in the match filter.
Todd C. Miller [Thu, 12 Apr 2018 12:29:41 +0000 (06:29 -0600)]
Document that a User_Alias or Host_Alias may be used in the match filter.

6 years agoDon't always expand aliases when formatting a host-based Defaults
Todd C. Miller [Thu, 12 Apr 2018 12:25:35 +0000 (06:25 -0600)]
Don't always expand aliases when formatting a host-based Defaults
line.  This was missed when expand_aliases support was added.

6 years agoAllow host and user aliases to be specified in match filters.
Todd C. Miller [Thu, 12 Apr 2018 12:21:20 +0000 (06:21 -0600)]
Allow host and user aliases to be specified in match filters.

6 years agoUpdate copyright year.
Todd C. Miller [Thu, 12 Apr 2018 11:13:49 +0000 (05:13 -0600)]
Update copyright year.

6 years agosync with translationproject.org
Todd C. Miller [Tue, 10 Apr 2018 22:07:42 +0000 (16:07 -0600)]
sync with translationproject.org

6 years agoWhen the -d option is used, remove aliases used by the non-converted
Todd C. Miller [Mon, 9 Apr 2018 17:13:33 +0000 (11:13 -0600)]
When the -d option is used, remove aliases used by the non-converted
Defaults settings if the aliases are not also referenced by userspecs.

6 years agoregen
Todd C. Miller [Thu, 5 Apr 2018 13:00:25 +0000 (07:00 -0600)]
regen

6 years agoupdate
Todd C. Miller [Thu, 5 Apr 2018 12:34:49 +0000 (06:34 -0600)]
update

6 years agoMention -p and -M options in the description of -m.
Todd C. Miller [Thu, 5 Apr 2018 12:34:22 +0000 (06:34 -0600)]
Mention -p and -M options in the description of -m.

6 years agoCheck sudoedit temporary directory for writability before using it.
Todd C. Miller [Thu, 5 Apr 2018 03:05:59 +0000 (21:05 -0600)]
Check sudoedit temporary directory for writability before using it.

6 years agoUse btime in /proc/stat to determine system start time instead of
Todd C. Miller [Wed, 4 Apr 2018 17:28:53 +0000 (11:28 -0600)]
Use btime in /proc/stat to determine system start time instead of
/proc/uptime.  Fixes the process start time test when run from a
container where /proc/uptime is the uptime of the container but the
process start time is relative to the host system boot time.
Bug #829

6 years agoAdd option to prune non-matching entries from cvtsudoers output with -m
Todd C. Miller [Wed, 4 Apr 2018 15:51:05 +0000 (09:51 -0600)]
Add option to prune non-matching entries from cvtsudoers output with -m
option is used.

6 years agoAllow defaults types and suppression list to be specified in
Todd C. Miller [Mon, 2 Apr 2018 13:41:56 +0000 (07:41 -0600)]
Allow defaults types and suppression list to be specified in
the config file.

6 years agoRefactor common alias code out of cvtsudoers and visudo and into alias.c.
Todd C. Miller [Mon, 2 Apr 2018 13:41:09 +0000 (07:41 -0600)]
Refactor common alias code out of cvtsudoers and visudo and into alias.c.

6 years agoAvoid NULL deref in an error path. CID 183467
Todd C. Miller [Fri, 30 Mar 2018 00:53:53 +0000 (18:53 -0600)]
Avoid NULL deref in an error path.  CID 183467

6 years agoNo need to initialize the last pointer passed to strtok_r().
Todd C. Miller [Fri, 30 Mar 2018 00:53:51 +0000 (18:53 -0600)]
No need to initialize the last pointer passed to strtok_r().
This was originally added to appease newer gcc but no longer
seems to be required.  CID 183466, CID 183468, CID 183469

6 years agoAvoid false positive NULL dereference by uses value.u.string
Todd C. Miller [Fri, 30 Mar 2018 00:53:50 +0000 (18:53 -0600)]
Avoid false positive NULL dereference by uses value.u.string
instead of name as the former is guaranteed not to be NULL.
Fixes CID 183465.

6 years agoregen
Todd C. Miller [Thu, 29 Mar 2018 16:20:26 +0000 (10:20 -0600)]
regen

6 years agoAdd a section on convertion from file-based sudoers.
Todd C. Miller [Thu, 29 Mar 2018 13:13:31 +0000 (07:13 -0600)]
Add a section on convertion from file-based sudoers.

6 years agoAdd support for "cvtsudoers -d all"
Todd C. Miller [Wed, 28 Mar 2018 23:43:58 +0000 (17:43 -0600)]
Add support for "cvtsudoers -d all"

6 years agoAdd -d option to control what type of Defaults entries are converted.
Todd C. Miller [Wed, 28 Mar 2018 14:33:07 +0000 (08:33 -0600)]
Add -d option to control what type of Defaults entries are converted.

6 years agoIn pty_close() we still need to check whether the pty master and
Todd C. Miller [Tue, 27 Mar 2018 22:00:08 +0000 (16:00 -0600)]
In pty_close() we still need to check whether the pty master and
slave fds are open before closing them.  When no tty is present but
we are I/O logging pty_close() will be called when there is no
actual pty in use.

6 years agoregen
Todd C. Miller [Tue, 27 Mar 2018 21:57:02 +0000 (15:57 -0600)]
regen

6 years agoignore *.ldif2sudo regress output
Todd C. Miller [Mon, 26 Mar 2018 16:36:29 +0000 (10:36 -0600)]
ignore *.ldif2sudo regress output

6 years agoIn pty_close() there is no need to remove events associated with
Todd C. Miller [Mon, 26 Mar 2018 12:28:23 +0000 (06:28 -0600)]
In pty_close() there is no need to remove events associated with
the pty slave as there are none.  We also don't need to check for
the pty fds being -1 since they are not closed elsewhere and
pty_close() is only called if pty_setup() succeeds.

6 years agoMove cvtsudoers to section 1.
Todd C. Miller [Sun, 25 Mar 2018 22:16:48 +0000 (16:16 -0600)]
Move cvtsudoers to section 1.

6 years agoIn pty_close() close the slave and remove any events associated
Todd C. Miller [Sun, 25 Mar 2018 12:03:19 +0000 (06:03 -0600)]
In pty_close() close the slave and remove any events associated
with it.  Fixes a potential hang when performing the final flush
on non-BSD systems.

6 years agoFix typo in strcmp(), we are comparing var not val.
Todd C. Miller [Fri, 23 Mar 2018 15:54:52 +0000 (09:54 -0600)]
Fix typo in strcmp(), we are comparing var not val.

6 years agosync
Todd C. Miller [Fri, 23 Mar 2018 12:56:49 +0000 (06:56 -0600)]
sync

6 years agosync
Todd C. Miller [Fri, 23 Mar 2018 12:46:38 +0000 (06:46 -0600)]
sync

6 years agoregen
Todd C. Miller [Thu, 22 Mar 2018 19:30:25 +0000 (13:30 -0600)]
regen

6 years agoAdd -M option to cvtsudoers to force the use of the local passwd
Todd C. Miller [Thu, 22 Mar 2018 19:24:41 +0000 (13:24 -0600)]
Add -M option to cvtsudoers to force the use of the local passwd
and group databases when matching.

6 years agoAdd cvtsudoers command line option to suppress certain parts of the
Todd C. Miller [Thu, 22 Mar 2018 17:38:39 +0000 (11:38 -0600)]
Add cvtsudoers command line option to suppress certain parts of the
security policy.  Can be used to suppress displaying of Defaults
entries, aliases or privileges.

6 years agoSilence a false positive from the clang static analyzer.
Todd C. Miller [Wed, 21 Mar 2018 21:03:17 +0000 (15:03 -0600)]
Silence a false positive from the clang static analyzer.

6 years agoSilence a false positive from the clang static analyzer.
Todd C. Miller [Wed, 21 Mar 2018 20:55:17 +0000 (14:55 -0600)]
Silence a false positive from the clang static analyzer.

6 years agoFix memory leak on error path.
Todd C. Miller [Wed, 21 Mar 2018 20:43:17 +0000 (14:43 -0600)]
Fix memory leak on error path.

6 years agoregen
Todd C. Miller [Wed, 21 Mar 2018 19:33:44 +0000 (13:33 -0600)]
regen

6 years agoMove cvtsudoers string functions into cvtsudoers.c
Todd C. Miller [Wed, 21 Mar 2018 19:29:47 +0000 (13:29 -0600)]
Move cvtsudoers string functions into cvtsudoers.c

6 years agoregen
Todd C. Miller [Wed, 21 Mar 2018 19:29:18 +0000 (13:29 -0600)]
regen

6 years agoInitial support filtering by user, group and host in cvtsudoers.
Todd C. Miller [Wed, 21 Mar 2018 18:24:11 +0000 (12:24 -0600)]
Initial support filtering by user, group and host in cvtsudoers.
Currently forces alias expansion when a filter is applied and the
entire matching user or host list is printed, even the non-matching
entries.  This effectively allows you to grep sudoers by user, group
and host.

6 years agoAdd free_default() to free a struct defaults pointer so we have a
Todd C. Miller [Wed, 21 Mar 2018 18:11:19 +0000 (12:11 -0600)]
Add free_default() to free a struct defaults pointer so we have a
single place where we free the defaults.  A pointer to the previous
Default's binding may be passed in to avoid freeing an already free
binding.

6 years agoDecrease bullet width to 1n.
Todd C. Miller [Wed, 21 Mar 2018 12:52:50 +0000 (06:52 -0600)]
Decrease bullet width to 1n.

6 years agoAdd aix_setauthdb() before the initial getpwuid() call.
Todd C. Miller [Sat, 17 Mar 2018 13:49:08 +0000 (07:49 -0600)]
Add aix_setauthdb() before the initial getpwuid() call.

6 years agofix compilation on Solaris
Todd C. Miller [Sun, 11 Mar 2018 03:16:20 +0000 (20:16 -0700)]
fix compilation on Solaris

6 years agoMake "sudoreplay -m 0" skip the pauses entirely.
Todd C. Miller [Thu, 8 Mar 2018 14:53:29 +0000 (07:53 -0700)]
Make "sudoreplay -m 0" skip the pauses entirely.

6 years agoDocument that a negative value for -m will elmininate the pauses.
Todd C. Miller [Thu, 8 Mar 2018 13:22:21 +0000 (06:22 -0700)]
Document that a negative value for -m will elmininate the pauses.

6 years agoUpdate copyright date, remove unneeded include and add a few comments.
Todd C. Miller [Tue, 6 Mar 2018 22:59:31 +0000 (15:59 -0700)]
Update copyright date, remove unneeded include and add a few comments.

6 years agoUse fmtsudoers functions in testsudoers.
Todd C. Miller [Tue, 6 Mar 2018 22:09:21 +0000 (15:09 -0700)]
Use fmtsudoers functions in testsudoers.

6 years agoAdd test for empty runas user list.
Todd C. Miller [Tue, 6 Mar 2018 21:39:11 +0000 (14:39 -0700)]
Add test for empty runas user list.

6 years agoDon't print an empty user list as ALL.
Todd C. Miller [Tue, 6 Mar 2018 21:38:17 +0000 (14:38 -0700)]
Don't print an empty user list as ALL.

6 years agoIn sudoers_format_userspecs make the separator optional and silence
Todd C. Miller [Tue, 6 Mar 2018 20:42:56 +0000 (13:42 -0700)]
In sudoers_format_userspecs make the separator optional and silence
a printf format warning.

6 years agoUse correct defines when checking for sysctl kinfo_proc support.
Todd C. Miller [Tue, 6 Mar 2018 19:05:07 +0000 (12:05 -0700)]
Use correct defines when checking for sysctl kinfo_proc support.

6 years agoFix crash when converting sudoers entry with a runas list that is
Todd C. Miller [Tue, 6 Mar 2018 19:00:37 +0000 (12:00 -0700)]
Fix crash when converting sudoers entry with a runas list that is
present but empty.

6 years agoLess confusing sysctl checks for kinfo_proc.
Todd C. Miller [Tue, 6 Mar 2018 00:35:02 +0000 (17:35 -0700)]
Less confusing sysctl checks for kinfo_proc.

6 years agoAdd case_insensitive_group and case_insensitive_user sudoers options,
Todd C. Miller [Mon, 5 Mar 2018 17:42:02 +0000 (10:42 -0700)]
Add case_insensitive_group and case_insensitive_user sudoers options,
which are enabled by default.

6 years agoKill dead store found by clang-analyzer.
Todd C. Miller [Sun, 4 Mar 2018 18:59:45 +0000 (11:59 -0700)]
Kill dead store found by clang-analyzer.

6 years agoAdd tests for round-tripping sudoers -> ldif -> sudoers
Todd C. Miller [Fri, 2 Mar 2018 18:30:19 +0000 (11:30 -0700)]
Add tests for round-tripping sudoers -> ldif -> sudoers

6 years agoInitial support for adding comments that will be emitted when
Todd C. Miller [Sun, 4 Mar 2018 14:03:43 +0000 (07:03 -0700)]
Initial support for adding comments that will be emitted when
sudoers is formatted.  Currently adds a comment for the source
sudoRole when converting from ldif -> sudoers.

6 years agoSpecial case comment lines in lbufs.
Todd C. Miller [Sun, 4 Mar 2018 14:03:41 +0000 (07:03 -0700)]
Special case comment lines in lbufs.

6 years agoWhen formatting as sudoers, flush the lbuf after each userspec.
Todd C. Miller [Sat, 3 Mar 2018 14:42:10 +0000 (07:42 -0700)]
When formatting as sudoers, flush the lbuf after each userspec.

6 years agoHandle escaped commas when skipping over the cn.
Todd C. Miller [Sun, 4 Mar 2018 14:03:38 +0000 (07:03 -0700)]
Handle escaped commas when skipping over the cn.

6 years agoAdd missing sudoOrder support to parse_ldif().
Todd C. Miller [Fri, 2 Mar 2018 18:27:01 +0000 (11:27 -0700)]
Add missing sudoOrder support to parse_ldif().

6 years agoAdd missing support for converting LOG_INPUT/LOG_OUTPUT tags and
Todd C. Miller [Fri, 2 Mar 2018 18:12:14 +0000 (11:12 -0700)]
Add missing support for converting LOG_INPUT/LOG_OUTPUT tags and
expand support for NOMAIL tags.

6 years agoDon't emit an empty sudoRole for global defaults if there are none.
Todd C. Miller [Fri, 2 Mar 2018 17:59:19 +0000 (10:59 -0700)]
Don't emit an empty sudoRole for global defaults if there are none.

6 years agoAvoid changing the order of non-negated hosts and commands.
Todd C. Miller [Fri, 2 Mar 2018 17:58:50 +0000 (10:58 -0700)]
Avoid changing the order of non-negated hosts and commands.
We still put negated hosts/commands at the end of the list.

6 years agoHandle parsing boolean options that have no explicit value.
Todd C. Miller [Fri, 2 Mar 2018 17:44:33 +0000 (10:44 -0700)]
Handle parsing boolean options that have no explicit value.

6 years agoRefactor the code that actually converts the role to sudoers format
Todd C. Miller [Fri, 2 Mar 2018 16:27:27 +0000 (09:27 -0700)]
Refactor the code that actually converts the role to sudoers format
into role_to_sudoers() now that it is more involved than just calling
sudo_ldap_role_to_priv().

6 years agoWhen merging two privileges, use the runas lists of the previous
Todd C. Miller [Fri, 2 Mar 2018 13:42:29 +0000 (06:42 -0700)]
When merging two privileges, use the runas lists of the previous
privilege when possible.  Otherwise, the generated sudoers line
will include a runas list for commands that is not necessary.

6 years agoUse a case-insensitive comparison when matching user and group names
Todd C. Miller [Fri, 2 Mar 2018 03:31:01 +0000 (20:31 -0700)]
Use a case-insensitive comparison when matching user and group names
in sudoers with the passwd or group database.  This can be necessary
when users and groups are stored in AD or LDAP.

6 years agoFix clean target for *.sudo regress files
Todd C. Miller [Thu, 1 Mar 2018 17:35:32 +0000 (10:35 -0700)]
Fix clean target for *.sudo regress files

6 years agoignore more binaries
Todd C. Miller [Thu, 1 Mar 2018 17:33:47 +0000 (10:33 -0700)]
ignore more binaries

6 years agoFix use of uninitialized variable (conf) if sudoers_debug_register()
Todd C. Miller [Thu, 1 Mar 2018 17:18:48 +0000 (10:18 -0700)]
Fix use of uninitialized variable (conf) if sudoers_debug_register()
happens to fail.

6 years agoSplit conversion code out of parse_ldif() and into ldif_to_sudoers().
Todd C. Miller [Wed, 28 Feb 2018 23:21:09 +0000 (16:21 -0700)]
Split conversion code out of parse_ldif() and into ldif_to_sudoers().

6 years agoQuiet a clang analyzer warning.
Todd C. Miller [Wed, 28 Feb 2018 21:44:54 +0000 (14:44 -0700)]
Quiet a clang analyzer warning.

6 years agorename ldap_common.c -> ldap_util.c
Todd C. Miller [Wed, 28 Feb 2018 21:24:33 +0000 (14:24 -0700)]
rename ldap_common.c -> ldap_util.c

6 years agoWhen converting from ldif to sudoers, sudoRole objects with the
Todd C. Miller [Wed, 28 Feb 2018 21:02:50 +0000 (14:02 -0700)]
When converting from ldif to sudoers, sudoRole objects with the
same user if possible.  If both user and host are the same, merge
into a single privilege.  This makes it possible to convert a
sudoers entry like:

    aaron shanty = NOEXEC: /usr/bin/vi, /usr/bin/more, EXEC: /bin/sh

to ldif and then back to sudoers as a single line.  Currently, the
ldif entries to be merged must have the same or adjacent sudoOrder
attributes.

6 years agoplug memory leaks
Todd C. Miller [Wed, 28 Feb 2018 21:02:11 +0000 (14:02 -0700)]
plug memory leaks

6 years agoRestore line to set MODE_PRESERVE_ENV in flags when the -E command
Todd C. Miller [Wed, 28 Feb 2018 14:05:36 +0000 (07:05 -0700)]
Restore line to set MODE_PRESERVE_ENV in flags when the -E command
line option is used.  The caller doesn't check MODE_PRESERVE_ENV
these days but parse_args uses it to detect usage errors when -E
is used along with a mutually excusive option.  Problem found by
Yuriy Vostrikov.

6 years agoAdd missing close parenthesis in "Including other files from within
Todd C. Miller [Tue, 27 Feb 2018 00:59:58 +0000 (17:59 -0700)]
Add missing close parenthesis in "Including other files from within
sudoers" section.  Bug #824

6 years agoWhen converting from LDAP to sudoers, put negated hosts and commands
Todd C. Miller [Sun, 25 Feb 2018 13:30:32 +0000 (06:30 -0700)]
When converting from LDAP to sudoers, put negated hosts and commands
at the end of the list.  Since LDAP doesn't guarantee attribute order
we need to make sure negated entries always override non-negated ones.