Todd C. Miller [Mon, 21 May 2012 18:24:27 +0000 (14:24 -0400)]
If sudoers_mode is group-readable but the actual sudoers file is
not, open the file as uid 0, not uid 1. This fixes a problem when
sudoers has a more restrictive mode than what sudo expects to find.
In older versions, sudo would silently chmod the file to add the
group-readable bit.
Todd C. Miller [Thu, 17 May 2012 16:09:56 +0000 (12:09 -0400)]
Relax the user/group/mode checks on sudoers files. As long as the
file is owned by the right user, not world-writable and not writable
by a group other than the one specified at configure time (gid 0
byile is considered OK. Note that visudo will still
set the mode to the value specified at configure time.
Todd C. Miller [Thu, 17 May 2012 16:07:18 +0000 (12:07 -0400)]
Relax the user/group/mode checks on sudoers files. As long as the
file is owned by the right user, not world-writable and not writable
by a group other than the one specified at configure time (gid 0
byile is considered OK. Note that visudo will still
set the mode to the value specified at configure time.
Todd C. Miller [Thu, 17 May 2012 15:23:54 +0000 (11:23 -0400)]
Instead of treating ^C from tgetpass() specially, always
return AUTH_INTR if tgetpass() returned NULL.
Treat PAM_AUTHINFO_UNAVAIL like PAM_AUTH_ERR which Mac OS X
returns this when there is no tty.
Todd C. Miller [Thu, 17 May 2012 14:58:44 +0000 (10:58 -0400)]
Split global and per-connection LDAP options into separate arrays.
Set global LDAP options before calling ldap_initialize() or ldap_init().
After we have an LDAP handle, set the per-connection options.
Fixes a problem with OpenLDAP using the nss crypto backend; bug #342
Todd C. Miller [Fri, 30 Mar 2012 17:53:19 +0000 (13:53 -0400)]
Remove the NO_EXIT flag to log_error() and add a log_fatal() function
that exits and is marked no_return. Fixes false positives from
static analyzers and is easier for humans to read too.
Todd C. Miller [Fri, 30 Mar 2012 17:34:19 +0000 (13:34 -0400)]
When initializing the environment for env_reset, start out with the
contents of /etc/environment on AIX and login.conf on BSD. Also
apply environment in login.conf for "sudo -i".
Todd C. Miller [Tue, 27 Mar 2012 16:39:11 +0000 (12:39 -0400)]
If there is nothing to read from the askpass program, set errno to
EINTR. This makes the cancel button behave like the user entered
^C at the password prompt when PAM is used.
Todd C. Miller [Wed, 1 Feb 2012 17:12:53 +0000 (12:12 -0500)]
Error out if user specified --with-pam but we can't find the headers
or library. Also throw an error if the headers are present but the
library is not and vice versa.
Todd C. Miller [Thu, 26 Jan 2012 21:34:49 +0000 (16:34 -0500)]
We need to init the auth system regardless of whether we need a
password since we will be closing the PAM session in the monitor
process. Fixes a crash in the monitor on Solaris; bugzilla #533
Todd C. Miller [Wed, 25 Jan 2012 21:33:15 +0000 (16:33 -0500)]
The change in a1e7e31519ec that caused to exit when the monitor
dies created a race condition between the monitor exiting and the
status being read. All we really want to do is make sure that
select() notifies us that there is a status change when the monitor
dies unexpectedly so shutdown the socketpair connected to the monitor
for writing when it dies. That way we can still read the status
that is pending on the socket and select() on Linux will tell us
that the fd is ready.
Todd C. Miller [Fri, 20 Jan 2012 15:53:12 +0000 (10:53 -0500)]
Add custom version of AC_CHECK_LIB that uses the extra libs in the
cache value name. With this we no longer need to rely on a modified
version of autoconf.
Todd C. Miller [Tue, 17 Jan 2012 17:20:28 +0000 (12:20 -0500)]
When not logging I/O, use a signal handler that only forwards SIGINT,
SIGQUIT and SIGHUP when they are user-generated signals. Fixes a
race in the non-I/O logging path where the command may receive two
keyboard-generated signals; one from the kernel and one from the
sudo process.
Todd C. Miller [Fri, 13 Jan 2012 14:50:03 +0000 (09:50 -0500)]
Include parent directories in case they don't already exist. This
fixes a directory permissions problem with the AIX package when the
/usr/local directories don't already exist.
Todd C. Miller [Thu, 12 Jan 2012 20:21:36 +0000 (15:21 -0500)]
Do not include GLOB_MARK in the flags we pass to glob(3). Fixes a
bug where a pattern like "/usr/*" include /usr/bin/ in the results,
which would be incorrectly be interpreted as if the sudoers file had
specified a directory. From Vitezslav Cizek.
Todd C. Miller [Thu, 12 Jan 2012 20:17:30 +0000 (15:17 -0500)]
When trying to determine the tty, fall back on /proc/ppid/fd/{0,1,2}
if the main process's fds 0-2 are not hooked up to a tty.
On BSD, use the KERN_PROC_PID sysctl() instead.
Todd C. Miller [Thu, 12 Jan 2012 20:04:07 +0000 (15:04 -0500)]
When not logging I/O, put command in its own pgrp and make that the
controlling pgrp if the command is in the foreground. Fixes a race
in the non-I/O logging path where the command may receive two
keyboard-generated signals; one from the kernel and one from the
sudo process.
Todd C. Miller [Thu, 12 Jan 2012 19:54:18 +0000 (14:54 -0500)]
Handle different Unix domain socket (actually socketpair) semantics
in BSD vs. Linux. In BSD if one end of the socketpair goes away
select() returns the fd as readable and the read will fail with
ECONNRESET. This doesn't appear to happen on Linux so if we notice
that the monitor process has died when I/O logging is enabled,
behave like the command has exited. This means we log the wait
status of the monitor, not the command, but there is nothing else
we can do at that point. This should only be an issue if SIGKILL
is sent to the monitor process.
Todd C. Miller [Thu, 12 Jan 2012 19:52:07 +0000 (14:52 -0500)]
Catch common signals in the monitor process so they get passed to
the command. Fixes a problem when the entire login session is killed
when ssh is disconnected or the terminal window is closed.
Todd C. Miller [Thu, 12 Jan 2012 19:23:42 +0000 (14:23 -0500)]
Fetch the login class for the user we authenticate specifically
when using BSD authentication. That user may have a different login
class than what we will use to run the command. When setting the
login class for the command, use the target user's struct passwd,
not the invoking user's.