Todd C. Miller [Mon, 8 Aug 2016 23:04:20 +0000 (17:04 -0600)]
Instead of deferring setting early defaults until we have traversed
the entire defaults list, just defer running the callbacks. Otherwise,
if the last early default setting we see has a bad value we won't
set any defaults of that type even if there was an earlier one that
was valid.
Todd C. Miller [Sat, 30 Jul 2016 21:27:36 +0000 (15:27 -0600)]
Initialize sudo_user based on the SUDO_USER environment variable
if present. This allows things like :Defaults:username editor=foo"
to work when visudo is run via sudo.
Todd C. Miller [Thu, 28 Jul 2016 12:05:39 +0000 (06:05 -0600)]
Flag settings have a NULL value so we can't use that to test whether
an entry in struct early_default is set or not. Add a "set" member
and use that instead.
Todd C. Miller [Wed, 27 Jul 2016 22:17:41 +0000 (16:17 -0600)]
Explicitly check for a continued process with waitpid(2). Otherwise,
waitpid() will return 0 when the command is resumed after being
suspended, which we were treating the same as -1. Fixes suspend
and resume on Linux and probably others.
Todd C. Miller [Mon, 25 Jul 2016 16:41:33 +0000 (10:41 -0600)]
Repair symlink check in sudo_edit_openat_nofollow() on systems
without O_NOFOLLOW, it must be done relative to dfd. Previously
the lstat() would always fail, possibly leading to a false positive.
Also add an early symlink check like in sudo_edit() while here.
Todd C. Miller [Mon, 25 Jul 2016 16:26:54 +0000 (10:26 -0600)]
On systems that lack the O_NOFOLLOW open(2) flag, check in
sudo_edit_open() whether the path to be opened is symlink before
opening it. This is racey but we detect losing the last post-open
and it is better to fail early if possible. When editing a link
to a non-existent file, a zero-length file will be left behind but
it is too dangerous to try and remove it after the fact.
Bug #753
Todd C. Miller [Sat, 23 Jul 2016 15:10:48 +0000 (09:10 -0600)]
Split set_default_entry() out of set_default() so we can call it
from check_defaults() to validate the defaults value. In visudo,
suppress warnings from update_defaults() and rely on check_defaults()
to provide warnings.
Todd C. Miller [Fri, 22 Jul 2016 16:41:56 +0000 (10:41 -0600)]
Update defaults in visudo after sudoers has been edited so we pick
up locale changes. The init_defaults() function will now re-init
the sudoers locale.
Todd C. Miller [Wed, 20 Jul 2016 22:41:23 +0000 (16:41 -0600)]
Set the locale to the sudoers locale when parsing and restore the
user's locale afterward. Also set the warn/fatal locale helper
function so warning messages during a sudoers parse are displayed
in the user's own locale.
Todd C. Miller [Tue, 19 Jul 2016 20:58:06 +0000 (14:58 -0600)]
Only set early defaults once, regardless of how many times the
variable is set in sudoers. This avoids running an early callback
more than once. For example, we don't want to call cb_fqdn() if
sudo is compiled with FQDN set but sudoers has "Defaults !fqdn".
Todd C. Miller [Mon, 18 Jul 2016 17:37:32 +0000 (11:37 -0600)]
When updating defaults, process certain values fist since they can
influence how other defaults are parsed. Currently, runas_default
and sudoers_locale are processed early.
Todd C. Miller [Thu, 30 Jun 2016 18:40:19 +0000 (12:40 -0600)]
Set the sudoers locale before opening the sudoers file.
Previously the sudoers locale was used when evaluating sudoers
but not during the inital parse. Bug #748
Todd C. Miller [Mon, 27 Jun 2016 11:55:31 +0000 (05:55 -0600)]
Some versions of HP-UX 11.11 do not expose struct sockaddr_ext if
_XOPEN_SOURCE_EXTENDED is defined. Only define _XOPEN_SOURCE_EXTENDED
if we can still compile net/if.h.
Todd C. Miller [Thu, 9 Jun 2016 17:41:09 +0000 (11:41 -0600)]
When matching paths with glob(3), check returned matches against
user_cmnd first if it is fully-qualified. This avoids a lot of
needless stat(2) calls and avoids a mismatch between safe_cmnd and
argv[0] if there are multiple matches with the same inode/dev due
to links. Bug #746.
Todd C. Miller [Thu, 9 Jun 2016 16:50:58 +0000 (10:50 -0600)]
In handle_sigchld() fix the return value when we've already received
an exec error. We don't want to overwrite the error status but we
do need to indicate that the command is no longer running.
Fixes as hang on execve(2) error when running in a pty.
Todd C. Miller [Tue, 7 Jun 2016 19:06:27 +0000 (13:06 -0600)]
Fix setting of hard stack limit when stack_hard is not specified
in /etc/security/limits. When 64-bit resource limits are supported
we can use the default value of 8388608 512-byte blocks directly.
We should only resort to using RLIM_SAVED_MAX for 32-bit resource
limits.
Todd C. Miller [Thu, 2 Jun 2016 16:47:39 +0000 (10:47 -0600)]
SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
in sudo. The rules may contain mixed sudoUser specification so we have to
check not only for netgroup membership but also for user and group matches.
Adapted from a patch from Daniel Kopecek.
Todd C. Miller [Wed, 25 May 2016 14:33:57 +0000 (08:33 -0600)]
Ignore PAM_SESSION_ERR from pam_open_session() since this can
apparently happen on systems using Solaris-derived PAM. Other
errors from pam_open_session() are treated as fatal. This avoids
the "policy plugin failed session initialization" error message
seen on some systems.