Todd C. Miller [Wed, 12 Jul 2017 11:47:28 +0000 (05:47 -0600)]
Clear input, output, control and local flags before copying them
from the source terminal. Otherwise, flags that are disabled
in the source terminal may still be enabled in the destination.
Todd C. Miller [Wed, 12 Jul 2017 11:45:46 +0000 (05:45 -0600)]
Remove pointless subshells in targets that simply change the directory
and execute a command. The command is already run in a shell so
there is no need to execute a subshell in this case.
Todd C. Miller [Thu, 15 Jun 2017 18:59:46 +0000 (12:59 -0600)]
When copying terminal settings from one tty to another only copy a
subset of the flags. Sudo now copies the same set of flags that
OpenSSH uses, which should be safe.
Todd C. Miller [Thu, 15 Jun 2017 13:51:00 +0000 (07:51 -0600)]
Better handling of SIGCONT from in command in the monitor. It is
useful to know when the command continued but we don't want to
inform the parent or store the wait status in this case. Fixes a
hang after multiple suspends on Linux.
Todd C. Miller [Mon, 5 Jun 2017 13:11:09 +0000 (07:11 -0600)]
sudo_edit() must return a wait status but if there is an error, or
even if no changes were made to the file, it was returning 1 instead
which would be interpreted as the command having received SIGHUP.
Use the W_EXITCODE() to construct a proper wait status in the error
case too.
Todd C. Miller [Sat, 3 Jun 2017 14:45:29 +0000 (08:45 -0600)]
Avoid sign extension when assigning the value of tty_nr in
/proc/self/stat on Linux. It is an unsigned int value that
is printed as a signed int but dev_t is unsigned long long.
We need to cast to unsigned int before assigning to a dev_t.
Todd C. Miller [Sat, 3 Jun 2017 14:43:32 +0000 (08:43 -0600)]
Instead of hard-coding a check for bash functions in env_should_delete(),
use a "*=()* " pattern in initial_badenv_table[] to match them instead.
This allows the user to remove the check via env_delete.
Todd C. Miller [Wed, 31 May 2017 15:14:31 +0000 (09:14 -0600)]
A command name may also contain newline characters so read
/proc/self/stat until EOF. It is not legal for /proc/self/stat to
contain embedded NUL bytes so treat the file as corrupt if we see
any. With help from Qualys.
This is not exploitable due to the /dev traversal changes in sudo
1.8.20p1 (thanks Solar!).
Todd C. Miller [Tue, 30 May 2017 16:44:11 +0000 (10:44 -0600)]
Add a new "devsearch" Path setting to sudo.conf for configuring the
/dev paths to traverse instead of hard-coding a list in ttyname.c
The default value can be set at configure time.
Todd C. Miller [Mon, 29 May 2017 20:32:53 +0000 (14:32 -0600)]
Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when
the process name contains spaces. Since the user has control over
the command name this could be used by a user with sudo access to
overwrite an arbitrary file.
Thanks to Qualys for investigating and reporting this bug.
Also stop performing a breadth-first traversal of /dev when looking
for the device. Only the directories specified in search_devs[]
are checked.
Todd C. Miller [Fri, 12 May 2017 16:02:17 +0000 (10:02 -0600)]
Add SIGCHLD to the list of signals we install sudo_handler() for.
Otherwise, it is possible for the command to exit before the SIGCHLD
handler is installed. POSIX says that signals that are ignored by
default are still ignored even if the signal mask would block them.
We need to have a handler installed for SIGCHLD before the fork().
Todd C. Miller [Fri, 12 May 2017 16:02:17 +0000 (10:02 -0600)]
Activate the sigevents inside the signal pipe callback itself
and call signal_pipe_cb() directly if the backend returns EINTR
and the signal_caught flag is set. This has the side effect of
processing signal events in the current pass of the event loop
instead of the next one.
Todd C. Miller [Mon, 8 May 2017 19:55:02 +0000 (13:55 -0600)]
Be clear that #includedir diverts control to the files in the
specified directory and, when parsing of those files is complete,
returns control to the original file. Bug #775
Todd C. Miller [Fri, 5 May 2017 20:27:42 +0000 (14:27 -0600)]
If any of std{in,out,err} are not hooked up to a tty only interpose
ourselves with a pipe if the plugin will actually log the data.
This avoids a problem with non-interactive commands where no tty
is present where sudo will consume stdin even when log_input is not
enabled in sudoers.
Todd C. Miller [Thu, 4 May 2017 18:25:51 +0000 (12:25 -0600)]
In check_input() when switch()ing on the return value of read(),
use the default label instead of 1 for the success case. It is
only reading a single byte so the two are equivalent but it reads
better using default.
Todd C. Miller [Thu, 4 May 2017 17:00:22 +0000 (11:00 -0600)]
Add io_open() wrapper for open(2) that retries with PERM_IOLOG if
open(2) fails with EACCES. Use io_open() instead of duplicate
copies of the same fallback code.
Todd C. Miller [Fri, 28 Apr 2017 18:12:00 +0000 (12:12 -0600)]
Fix exponential behavior in glob() with respect to multiple '*'.
See https://research.swtch.com/glob
Adapted from https://perl5.git.perl.org/perl.git/commit/33252c318625f3c6c89b816ee88481940e3e6f95
Todd C. Miller [Fri, 28 Apr 2017 16:32:15 +0000 (10:32 -0600)]
We no longer need to write to the tty if the command was killed by
a signal. Sudo will terminate itself with the same signal the
command died from. Unfortunately, we lose the "core dumped" bit
since sudo itself will not dump core, but there doesn't appear to
be a way around that.
Todd C. Miller [Thu, 27 Apr 2017 16:34:30 +0000 (10:34 -0600)]
If the command terminated due to a signal, sudo will send that same
signal to itself so the parent shell knows the command died from
a signal. However, we don't want sudo itself to dump core.
Todd C. Miller [Thu, 27 Apr 2017 02:17:34 +0000 (20:17 -0600)]
The fix for Bug #722 contained a typo/thinko that resulted in the
exit status being 0 when a command was killed by a signal other
than SIGINT. This fixes the signal handler setup so sudo will
terminate with the same signal as the command. Bug #784.
Todd C. Miller [Wed, 26 Apr 2017 20:49:05 +0000 (14:49 -0600)]
Don't install the rc.d link when installing to a DESTDIR.
DESTDIR is generally only set when installing to a temporary
directory for packaging in which case the link should be
made in a post-install script.
Todd C. Miller [Wed, 26 Apr 2017 19:52:49 +0000 (13:52 -0600)]
In "make install", install sample sudoers file as /etc/sudoers.dist
and copy it to /etc/sudoers if there is no existing /etc/sudoers.
Packages either contain /etc/sudoers (RPM and Debian) or /etc/sudoers.dist
(everything else).
Todd C. Miller [Thu, 20 Apr 2017 22:13:14 +0000 (16:13 -0600)]
Use the standard idiom for popping all entries from a tail queue.
The llvm checker gets confused by TAILQ_REMOVE and generate
use-after-free false positives.
Todd C. Miller [Wed, 19 Apr 2017 15:39:55 +0000 (09:39 -0600)]
Avoid unused variable when getgrouplist_2() is available.
It would be nicer to just provide getgrouplist_2() (or the equivalent)
and avoid the ugly #ifdefs.
Todd C. Miller [Tue, 11 Apr 2017 22:56:04 +0000 (16:56 -0600)]
Try to make it clear that when match_group_by_gid is enabled, groups
in sudoers are looked up by group name instead of group ID. This
doesn't usually cause problems, but if there are conflicting group
entries (for example, from a local /etc/group file and an LDAP or
AD group database), whether the group is resolved by name or ID can
be used to work around conflicts.