Todd C. Miller [Thu, 9 Jun 2016 17:41:09 +0000 (11:41 -0600)]
When matching paths with glob(3), check returned matches against
user_cmnd first if it is fully-qualified. This avoids a lot of
needless stat(2) calls and avoids a mismatch between safe_cmnd and
argv[0] if there are multiple matches with the same inode/dev due
to links. Bug #746.
Todd C. Miller [Thu, 9 Jun 2016 16:50:58 +0000 (10:50 -0600)]
In handle_sigchld() fix the return value when we've already received
an exec error. We don't want to overwrite the error status but we
do need to indicate that the command is no longer running.
Fixes as hang on execve(2) error when running in a pty.
Todd C. Miller [Tue, 7 Jun 2016 19:06:27 +0000 (13:06 -0600)]
Fix setting of hard stack limit when stack_hard is not specified
in /etc/security/limits. When 64-bit resource limits are supported
we can use the default value of 8388608 512-byte blocks directly.
We should only resort to using RLIM_SAVED_MAX for 32-bit resource
limits.
Todd C. Miller [Thu, 2 Jun 2016 16:47:39 +0000 (10:47 -0600)]
SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
in sudo. The rules may contain mixed sudoUser specification so we have to
check not only for netgroup membership but also for user and group matches.
Adapted from a patch from Daniel Kopecek.
Todd C. Miller [Wed, 25 May 2016 14:33:57 +0000 (08:33 -0600)]
Ignore PAM_SESSION_ERR from pam_open_session() since this can
apparently happen on systems using Solaris-derived PAM. Other
errors from pam_open_session() are treated as fatal. This avoids
the "policy plugin failed session initialization" error message
seen on some systems.
Todd C. Miller [Fri, 20 May 2016 16:17:23 +0000 (10:17 -0600)]
In del_io_events(), avoid reading from the pty master in blocking
mode. We now do two passes, one with SUDO_EVLOOP_NONBLOCK and
another that could block if stdin is a pipe. This ensures we consume
the pipe until EOF.
Todd C. Miller [Fri, 20 May 2016 14:12:46 +0000 (08:12 -0600)]
In pty_close(), call del_io_events with the SUDO_EVLOOP_ONCE flag
so the event loop will exit after a single run through. Otherwise,
we may hang at exit on non-BSD systems.
Todd C. Miller [Tue, 17 May 2016 14:31:23 +0000 (08:31 -0600)]
Bump I/O buffer size to 64K. We don't use PIPE_BUF or _PC_PIPE_BUF
for this because that corresponds to the value for atomic pipe
writes. The actual pipe buffer is much larger on modern systems
and 64K is what BSD and Linux support for large pipe buffers.
Todd C. Miller [Tue, 17 May 2016 14:16:43 +0000 (08:16 -0600)]
Don't use SUDO_EVLOOP_NONBLOCK when flushing buffers at pty close
time, only when the user suspends sudo. Fixes a problem where all
buffers might not get flushed at exit when logging I/O. Reproducible
via "sudo tar cf - foo | (cd /tmp && sudo tar xf -)" on OpenBSD.
Todd C. Miller [Mon, 16 May 2016 17:12:54 +0000 (11:12 -0600)]
Do not need to open /dev/tty with O_NONBLOCK, it doesn't block on
first open like a physical terminal. By definition, if you have a
controlling tty, the first open (which might block) has already
occurred.
Todd C. Miller [Thu, 12 May 2016 16:07:59 +0000 (10:07 -0600)]
Use EOVERFLOW, not ENOMEM for overflow conditions.
For snprintf() and vsnprintf(), POSIX says we should return -1 and
set errno to EOVERFLOW if the size param is > INT_MAX; also zero
out the string in this case (not mandated by POSIX) for safety.
Todd C. Miller [Wed, 11 May 2016 15:40:31 +0000 (09:40 -0600)]
Remove sudo_mkpwcache() and sudo_mkgrcache(). We now create the
caches as needed on demand. Also remove calls to sudo_freepwcache()
and sudo_freegrcache() that are immediately followed by execve(),
they are not needed.
Todd C. Miller [Wed, 11 May 2016 13:06:45 +0000 (07:06 -0600)]
Eliminate use of setpwent()/endpwent() and setgrent()/endgrent().
Sudo never iterates over the passwd or group file.
Rename sudo_set{pw,gr}ent() -> sudo_mk{pw,gr}cache() and
use sudo_free{pw,gr}cache() instead of sudo_end{pw,gr}ent().
Todd C. Miller [Tue, 10 May 2016 12:32:55 +0000 (06:32 -0600)]
Remove unnecessary NULL checks in the RUNAS_CHANGED macro. The
only place where the pointers could be NULL is in visudo_json.c but
we already check for "next" being NULL there. Quiets a cppcheck
warning.
Todd C. Miller [Mon, 9 May 2016 20:27:33 +0000 (14:27 -0600)]
Add io_log_read() and io_log_gets() to hide differences between
gzread/fread and gzgets/fgets. Check for premature EOF and error
from io_log_read(). Also sanity check the index in the timing file.
Coverity CID 104630.
Todd C. Miller [Sat, 7 May 2016 20:51:37 +0000 (14:51 -0600)]
In io_callback() make sure we clear SUDO_EV_READ if we close the
fd. It should not be possible for SUDO_EV_READ to be set when
revent is non-NULL but this makes static analyzers happier.
Coverity CID 104124.
Todd C. Miller [Fri, 6 May 2016 20:30:46 +0000 (14:30 -0600)]
Newer versions of Ubuntu have switched from using the "admin" group
to the "sudo" group to align with Debian. create_admin_success_flag()
now accepts either one.
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1387347
Todd C. Miller [Fri, 6 May 2016 20:12:08 +0000 (14:12 -0600)]
Instead of using stat(2) to see if the admin flag file exists and
creating it if not, just try to create the file and treat EEXIST
as a non-error. Coverity CID 104121.