Todd C. Miller [Wed, 17 Aug 2016 13:22:51 +0000 (07:22 -0600)]
Make the behavior when we cannot write to a log or audit file
configurable. File log failures are ignored by default for consistency
with syslog. Audit errors are ignored by default to allow the admin
to fix the issue. I/O log file errors are still fatal by default
since if I/O logging is activated it is usually to have an audit trail.
Bug #751
Todd C. Miller [Sun, 14 Aug 2016 03:12:22 +0000 (21:12 -0600)]
Separate out the supplemental group ID checks from the supplemental
group name checks in user_in_group(). We now call sudo_get_gidlist()
only when the group name in sudoers begins with a '#' (which is
seldom used).
Todd C. Miller [Sat, 13 Aug 2016 22:27:44 +0000 (16:27 -0600)]
Cache the user's group IDs and group names separately and only
resolve group IDs -> names when needed. If the sudoers file doesn't
contain groups we will no longer try to resolve all the user's group
IDs to names, which can be expensive on some systems.
Todd C. Miller [Fri, 12 Aug 2016 22:41:51 +0000 (16:41 -0600)]
Remove the "op" parameter from all the store_foo() functions except
store_list() where it is actually needed. For the others, a NULL
value indicates the setting was negated. This unconfuses static
analyzers (and perhaps humans too).
Todd C. Miller [Fri, 12 Aug 2016 16:37:41 +0000 (10:37 -0600)]
Refactor the error parts of set_default_entry() so the switch() is
mostly just calls to store_foo() functions. Avoids a lot of
duplicated error checking and silences a cppcheck false positive.
Todd C. Miller [Wed, 10 Aug 2016 16:56:05 +0000 (10:56 -0600)]
Set runas_pw early and adjust runaslist_matches() to deal. Since
we now set runas_default early there is no need to call update_defaults
with SETDEF_RUNAS after sudoers has been parsed.
Todd C. Miller [Mon, 8 Aug 2016 23:04:20 +0000 (17:04 -0600)]
Instead of deferring setting early defaults until we have traversed
the entire defaults list, just defer running the callbacks. Otherwise,
if the last early default setting we see has a bad value we won't
set any defaults of that type even if there was an earlier one that
was valid.
Todd C. Miller [Sat, 30 Jul 2016 21:27:36 +0000 (15:27 -0600)]
Initialize sudo_user based on the SUDO_USER environment variable
if present. This allows things like :Defaults:username editor=foo"
to work when visudo is run via sudo.
Todd C. Miller [Thu, 28 Jul 2016 12:05:39 +0000 (06:05 -0600)]
Flag settings have a NULL value so we can't use that to test whether
an entry in struct early_default is set or not. Add a "set" member
and use that instead.
Todd C. Miller [Wed, 27 Jul 2016 22:17:41 +0000 (16:17 -0600)]
Explicitly check for a continued process with waitpid(2). Otherwise,
waitpid() will return 0 when the command is resumed after being
suspended, which we were treating the same as -1. Fixes suspend
and resume on Linux and probably others.
Todd C. Miller [Mon, 25 Jul 2016 16:41:33 +0000 (10:41 -0600)]
Repair symlink check in sudo_edit_openat_nofollow() on systems
without O_NOFOLLOW, it must be done relative to dfd. Previously
the lstat() would always fail, possibly leading to a false positive.
Also add an early symlink check like in sudo_edit() while here.
Todd C. Miller [Mon, 25 Jul 2016 16:26:54 +0000 (10:26 -0600)]
On systems that lack the O_NOFOLLOW open(2) flag, check in
sudo_edit_open() whether the path to be opened is symlink before
opening it. This is racey but we detect losing the last post-open
and it is better to fail early if possible. When editing a link
to a non-existent file, a zero-length file will be left behind but
it is too dangerous to try and remove it after the fact.
Bug #753
Todd C. Miller [Sat, 23 Jul 2016 15:10:48 +0000 (09:10 -0600)]
Split set_default_entry() out of set_default() so we can call it
from check_defaults() to validate the defaults value. In visudo,
suppress warnings from update_defaults() and rely on check_defaults()
to provide warnings.
Todd C. Miller [Fri, 22 Jul 2016 16:41:56 +0000 (10:41 -0600)]
Update defaults in visudo after sudoers has been edited so we pick
up locale changes. The init_defaults() function will now re-init
the sudoers locale.
Todd C. Miller [Wed, 20 Jul 2016 22:41:23 +0000 (16:41 -0600)]
Set the locale to the sudoers locale when parsing and restore the
user's locale afterward. Also set the warn/fatal locale helper
function so warning messages during a sudoers parse are displayed
in the user's own locale.
Todd C. Miller [Tue, 19 Jul 2016 20:58:06 +0000 (14:58 -0600)]
Only set early defaults once, regardless of how many times the
variable is set in sudoers. This avoids running an early callback
more than once. For example, we don't want to call cb_fqdn() if
sudo is compiled with FQDN set but sudoers has "Defaults !fqdn".
Todd C. Miller [Mon, 18 Jul 2016 17:37:32 +0000 (11:37 -0600)]
When updating defaults, process certain values fist since they can
influence how other defaults are parsed. Currently, runas_default
and sudoers_locale are processed early.
Todd C. Miller [Thu, 30 Jun 2016 18:40:19 +0000 (12:40 -0600)]
Set the sudoers locale before opening the sudoers file.
Previously the sudoers locale was used when evaluating sudoers
but not during the inital parse. Bug #748
Todd C. Miller [Mon, 27 Jun 2016 11:55:31 +0000 (05:55 -0600)]
Some versions of HP-UX 11.11 do not expose struct sockaddr_ext if
_XOPEN_SOURCE_EXTENDED is defined. Only define _XOPEN_SOURCE_EXTENDED
if we can still compile net/if.h.
Todd C. Miller [Thu, 9 Jun 2016 17:41:09 +0000 (11:41 -0600)]
When matching paths with glob(3), check returned matches against
user_cmnd first if it is fully-qualified. This avoids a lot of
needless stat(2) calls and avoids a mismatch between safe_cmnd and
argv[0] if there are multiple matches with the same inode/dev due
to links. Bug #746.
Todd C. Miller [Thu, 9 Jun 2016 16:50:58 +0000 (10:50 -0600)]
In handle_sigchld() fix the return value when we've already received
an exec error. We don't want to overwrite the error status but we
do need to indicate that the command is no longer running.
Fixes as hang on execve(2) error when running in a pty.
Todd C. Miller [Tue, 7 Jun 2016 19:06:27 +0000 (13:06 -0600)]
Fix setting of hard stack limit when stack_hard is not specified
in /etc/security/limits. When 64-bit resource limits are supported
we can use the default value of 8388608 512-byte blocks directly.
We should only resort to using RLIM_SAVED_MAX for 32-bit resource
limits.