Todd C. Miller [Sun, 9 Oct 2016 01:09:17 +0000 (19:09 -0600)]
Use a seccomp filter on Linux to disable execve(2) and execveat(2).
This still relies on LD_PRELOAD to work so it has the same issues
as the existing mether with respect to running 32-bit binaries on
a 64-bit kernel.
Todd C. Miller [Mon, 19 Sep 2016 12:19:49 +0000 (06:19 -0600)]
Fix matching when no sudoRunAsUser is present in a sudoRole.
If only a sudoRunAsGroup is present, match on the invoking user
if the -g option was specified and the group matched.
If no sudoRunAsGroup is present and the -g option was specified,
allow it if it matches the passwd gid of the runas user.
This matches the behavior of the sudoers backend.
Todd C. Miller [Thu, 15 Sep 2016 15:37:53 +0000 (09:37 -0600)]
Update check for whether or not the runas user was set in the ldap
and sssd backends to match the sudoers file backend. Introduces
the runas_user_set() macro to improve readability. Previously,
runas_pw was set late, now it is set before checking sudoers.
Todd C. Miller [Tue, 13 Sep 2016 15:06:25 +0000 (09:06 -0600)]
Move valid domain name check into a new valid_domain() function.
Fix memory leak if getdomainname(2) fails and avoid using heap
garbage for the domain name matching in this case.
Todd C. Miller [Thu, 8 Sep 2016 22:38:08 +0000 (16:38 -0600)]
Be consistent with the naming of the variable used to store the
function return value. Previously, some code used "rval", some
used "ret". This standardizes on "ret" and uses "rc" for temporary
return codes.
Todd C. Miller [Fri, 2 Sep 2016 14:05:07 +0000 (08:05 -0600)]
Don't disable large file support for Linux, just SVR4-style /proc.
Otherwise, stat(2) may fail on Linux when running a 32-bit sudo
on a 64-bit machine. Bug #755
Todd C. Miller [Tue, 30 Aug 2016 19:42:42 +0000 (13:42 -0600)]
Add match_group_by_gid Defaults option to allow sites with slow
group lookups and a small number of groups in sudoers to match
groups by group ID instead of by group name.
Todd C. Miller [Wed, 17 Aug 2016 13:22:51 +0000 (07:22 -0600)]
Make the behavior when we cannot write to a log or audit file
configurable. File log failures are ignored by default for consistency
with syslog. Audit errors are ignored by default to allow the admin
to fix the issue. I/O log file errors are still fatal by default
since if I/O logging is activated it is usually to have an audit trail.
Bug #751
Todd C. Miller [Sun, 14 Aug 2016 03:12:22 +0000 (21:12 -0600)]
Separate out the supplemental group ID checks from the supplemental
group name checks in user_in_group(). We now call sudo_get_gidlist()
only when the group name in sudoers begins with a '#' (which is
seldom used).
Todd C. Miller [Sat, 13 Aug 2016 22:27:44 +0000 (16:27 -0600)]
Cache the user's group IDs and group names separately and only
resolve group IDs -> names when needed. If the sudoers file doesn't
contain groups we will no longer try to resolve all the user's group
IDs to names, which can be expensive on some systems.
Todd C. Miller [Fri, 12 Aug 2016 22:41:51 +0000 (16:41 -0600)]
Remove the "op" parameter from all the store_foo() functions except
store_list() where it is actually needed. For the others, a NULL
value indicates the setting was negated. This unconfuses static
analyzers (and perhaps humans too).
Todd C. Miller [Fri, 12 Aug 2016 16:37:41 +0000 (10:37 -0600)]
Refactor the error parts of set_default_entry() so the switch() is
mostly just calls to store_foo() functions. Avoids a lot of
duplicated error checking and silences a cppcheck false positive.
Todd C. Miller [Wed, 10 Aug 2016 16:56:05 +0000 (10:56 -0600)]
Set runas_pw early and adjust runaslist_matches() to deal. Since
we now set runas_default early there is no need to call update_defaults
with SETDEF_RUNAS after sudoers has been parsed.
Todd C. Miller [Mon, 8 Aug 2016 23:04:20 +0000 (17:04 -0600)]
Instead of deferring setting early defaults until we have traversed
the entire defaults list, just defer running the callbacks. Otherwise,
if the last early default setting we see has a bad value we won't
set any defaults of that type even if there was an earlier one that
was valid.