Todd C. Miller [Fri, 17 Aug 2018 03:07:36 +0000 (21:07 -0600)]
Add CHECK_SYMBOLS_LDFLAGS to check_symbols target. Non-ELF HP-UX
executables don't support SHLIB_PATH or LD_LIBRARY_PATH unless ld
is passed the +s flag. This lets the check_symbols test pass on
systems where the ldap libraries aren't installed in the standard
location.
Todd C. Miller [Tue, 7 Aug 2018 16:03:05 +0000 (10:03 -0600)]
Fix ambiguity when talking about Aliases. We can't use User_Alias
in the grammar as both the definition of the Alias as well as its
name. This adds {User,Runas,Host,Cmnd}_Alias_Spec to help differentiate
between the name of the alias and its definition. Bug #834
Todd C. Miller [Thu, 2 Aug 2018 20:45:00 +0000 (14:45 -0600)]
For ldap/sssd, include defaults in the generated privilege unless
we are listing in short mode (in which case we convert them to tags
if possible). Fixes a problem where sudoOptions were not being
applied to the command.
Todd C. Miller [Thu, 26 Jul 2018 21:12:33 +0000 (15:12 -0600)]
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree.
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
a pointer to a struct sudoers_parse_tree which will be filled in
by the getdefs() and query() functions.
Todd C. Miller [Thu, 26 Jul 2018 21:12:26 +0000 (15:12 -0600)]
Don't need to preallocate 4 x NGROUP_MAX on AIX or BSD/Linux.
For BSD/Linux, getgrouplist(3) will tell us the number of groups if
we don't have enough. For AIX, we can count the entries in the
group set before allocating the group vector.
Todd C. Miller [Mon, 23 Jul 2018 16:36:08 +0000 (10:36 -0600)]
Add missing aix_restoreauthdb() call to match the aix_setauthdb()
added in b8a011be9af7. Fixes issues on AIX where local users/groups
may not be resolved when some NIS/AD/LDAP is used for users.
Todd C. Miller [Fri, 20 Jul 2018 16:17:51 +0000 (10:17 -0600)]
When both a .o and .lo file were used in a Makefile, we used to make
the .o depend on the .lo. Unfortunately, this creates a race
condition for parallel make since libtool is not atomic (it creates
a .o and then renames it when building PIC objects for shared libs).
We always link with libtool so the only reason to prefer the .o
over the .lo file is to avoid mixing .o and .lo in the dependencies.
That's not a good enough reason so change mkdep.pl to warn when
both a .o and .lo are referenced in a Makefile and do nothing else.
Todd C. Miller [Fri, 15 Jun 2018 20:05:13 +0000 (14:05 -0600)]
Add sudo_getgrouplist2() to dynamically allocate the group vector.
This allows us to avoid repeatedly calling getgrouplist() with
a statically sized vector on macOS, Solaris, HP-UX, and AIX.
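
The grow-and-retry pattern behind this entry and the 26 Jul 2018 group-vector entry above, as an added example that is not sudo's own code. The helper name `get_groups_dynamic` is hypothetical, and it assumes the BSD/Linux behaviour where getgrouplist(3) returns -1 and stores the required count when the vector is too small.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Hypothetical helper (not sudo_getgrouplist2): returns a malloc'd group
 * vector for `user` and stores the entry count in *ngroupsp, or returns
 * NULL on failure. The caller frees the result.
 */
gid_t *
get_groups_dynamic(const char *user, gid_t basegid, int *ngroupsp)
{
    int ngroups = 4;    /* deliberately small first guess */
    gid_t *groups = NULL;

    /* Bounded retries: membership can change between calls. */
    for (int tries = 0; tries < 8; tries++) {
        int want = ngroups;
        gid_t *tmp = realloc(groups, (size_t)want * sizeof(gid_t));
        if (tmp == NULL)
            break;
        groups = tmp;
        if (getgrouplist(user, basegid, groups, &ngroups) != -1) {
            *ngroupsp = ngroups;    /* number of entries actually stored */
            return groups;
        }
        /* Too small: ngroups should now hold the required count.
         * If libc left it unchanged, fall back to doubling. */
        if (ngroups <= want)
            ngroups = want * 2;
    }
    free(groups);
    return NULL;
}

int
main(void)
{
    int n = 0;
    /* Constructed sample input: user "root" with base gid 0. */
    gid_t *g = get_groups_dynamic("root", 0, &n);
    if (g == NULL)
        return 1;
    for (int i = 0; i < n; i++)
        printf("%lu\n", (unsigned long)g[i]);
    free(g);
    return 0;
}
```
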
Todd C. Miller [Wed, 13 Jun 2018 17:19:33 +0000 (11:19 -0600)]
Add SUDO_CONV_PREFER_TTY flag for conversation function to tell
sudo to try writing to /dev/tty first. Can be used in conjunction
with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.
Todd C. Miller [Tue, 5 Jun 2018 21:37:16 +0000 (15:37 -0600)]
FreeBSD wordexp() returns WRDE_SYNTAX if it can't write to the shell
process. Since we've prevented execve() from succeeding this is
the error we get back from wordexp() on FreeBSD.
Todd C. Miller [Fri, 25 May 2018 03:04:23 +0000 (21:04 -0600)]
Import arc4random() from libressl. This takes an all-in-one approach
instead of the one-file-per-OS approach that libressl takes.
The fallback code does not have as many OS-specific bits as libressl.
Todd C. Miller [Wed, 16 May 2018 16:27:28 +0000 (10:27 -0600)]
When building up the cmndspec, add the actual command member last.
This simplifies the logic regarding the SETENV tag and also makes
"out of memory" cleanup simpler.
Todd C. Miller [Wed, 16 May 2018 15:10:43 +0000 (09:10 -0600)]
Only set MODE_PRESERVE_ENV when preserving the entire environment.
Fixes a problem introduced in 1.8.23 where "sudo -i" could not be
used in conjunction with --preserve-env=VARIABLE. Bug #835
Todd C. Miller [Tue, 15 May 2018 15:53:46 +0000 (09:53 -0600)]
Depending on the bos level, AIX 6.1 may or may not include
getline/getdelim and AIX 7.1 may or may not include memset_s.
Since we need to build packages that will work on all AIX 6.1 and
7.1 machines, use our getline() and memset_s emulation.
Todd C. Miller [Mon, 14 May 2018 15:05:04 +0000 (09:05 -0600)]
Let the main sudoers lookup code check the host name. We still
check the user name so it is possible to use a single userspec
but this may change in the future.
Todd C. Miller [Mon, 14 May 2018 15:05:03 +0000 (09:05 -0600)]
Simplify the nss interface such that each sudoers provider fills
in a per-nss list of userspecs and defaults instead of using separate
lookup and list functions. This makes it possible to have a single
implementation of the code for sudoers lookup and listing.
Todd C. Miller [Fri, 11 May 2018 03:17:03 +0000 (21:17 -0600)]
Fix a format-truncation warning in newer gcc by avoiding using %0x
and %0X in the test. We are formatting a single byte so just do
it one nybble at a time.