Todd C. Miller [Fri, 26 Feb 2016 16:32:08 +0000 (09:32 -0700)]
Fix the check for whether a user is allowed to list another user's
privileges. The "matched" variable is not boolean, it can also
have the value UNSPEC so we need to check explicitly for true.
Bug #738
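The tri-state pitfall this commit message describes, as an added example that is not sudo's code: a truthiness test accepts the "unspecified" value as if it were a match. The numeric values of the three states, the rule table and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for the three states; UNSPEC is non-zero on purpose. */
#define TRI_FALSE   0
#define TRI_TRUE    1
#define TRI_UNSPEC (-1)   /* no rule said anything about this request */

/* Hypothetical rule: who may list whose privileges, and the verdict. */
struct list_rule { const char *user, *target; int verdict; };

/* Constructed policy: alice may list bob, carol is explicitly denied. */
static const struct list_rule rules[] = {
    { "alice", "bob", TRI_TRUE },
    { "carol", "bob", TRI_FALSE },
};

/* Last matching rule wins; no matching rule leaves the result UNSPEC. */
static int match_list_rule(const char *user, const char *target)
{
    int matched = TRI_UNSPEC;
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (strcmp(rules[i].user, user) == 0 && strcmp(rules[i].target, target) == 0)
            matched = rules[i].verdict;
    return matched;
}

/* Before (assumed shape of the old check): tri-state used as a boolean. */
static int may_list_truthy(const char *user, const char *target)
{
    return match_list_rule(user, target) ? 1 : 0;
}

/* After: only an explicit true grants access. */
static int may_list_explicit(const char *user, const char *target)
{
    return match_list_rule(user, target) == TRI_TRUE;
}

int main(void)
{
    printf("mallory: truthy=%d explicit=%d\n",
        may_list_truthy("mallory", "bob"), may_list_explicit("mallory", "bob"));
    return 0;
}
```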
Todd C. Miller [Wed, 24 Feb 2016 23:00:08 +0000 (16:00 -0700)]
Don't check for posix_spawn() or posix_spawnp() if we were unable
to find spawn.h. This should only be a problem on systems with
broken headers. Bug #730
Todd C. Miller [Mon, 1 Feb 2016 18:08:58 +0000 (11:08 -0700)]
Add an administrative domain to the passwd/group cache key for
AIX which can have different name <-> ID mappings depending
on whether the database is local, LDAP, etc.
Todd C. Miller [Mon, 1 Feb 2016 18:07:10 +0000 (11:07 -0700)]
Fedora dropped "core" from the name some time ago so just match on
f[0-9] for the rpm distro name provided by pp. Since the version
numbers of Fedora and RHEL are so different switch to defining
variables to indicate which features should be enabled. Works for
Fedora 23.
Todd C. Miller [Fri, 29 Jan 2016 17:31:54 +0000 (10:31 -0700)]
When freeing the iobs after pty tear-down, also free the associated
event structures. Quiets memory leak warnings from address
sanitizer and valgrind.
Todd C. Miller [Thu, 28 Jan 2016 21:53:48 +0000 (14:53 -0700)]
Simple garbage collection (really a to-be-freed list) for the sudoers
plugin. Almost identical to what sudo.c uses. Currently only the
environment strings are collected at exit time which is enough to
quiet address sanitizer's leak detector.
Todd C. Miller [Wed, 27 Jan 2016 22:37:15 +0000 (15:37 -0700)]
Add support for garbage collecting info passed to the plugin before
exit to appease address sanitizer's leak detector (and valgrind's
leak checker). We can't free these sooner since the plugin may be
using the memory. For plugin API 2.0 it should be made clear that
the plugin must make a copy of the data in the arrays passed in to
the plugin's open() function. Only enabled if NO_LEAKS is defined.
Todd C. Miller [Wed, 27 Jan 2016 16:28:08 +0000 (09:28 -0700)]
fn_free_result() (aka sss_sudo_free_result() in sss_sudo.c) handles
a NULL pointer so there's no need to check before calling it. Add
missing initialization of sss_sudo_result to NULL in sudo_sss_setdefs().
Todd C. Miller [Wed, 27 Jan 2016 16:20:04 +0000 (09:20 -0700)]
Add missing return when user is not found in sudo_sss_result_get().
Previously we fell through to the default case which just logged a
debug message and returned so this just avoids the extra (generic)
debug message.
Todd C. Miller [Sat, 23 Jan 2016 00:04:58 +0000 (17:04 -0700)]
When calling setauthdb(), save the old registry value so we can
restore it properly. Previously we were setting the registry to
unrestricted instead of actually restoring it.
Todd C. Miller [Thu, 21 Jan 2016 14:43:25 +0000 (07:43 -0700)]
When parsing debug entries, don't make a lower value override a
higher one. For example, for "pcomm@debug,all@warn" the "all@warn"
should not set pcomm to "warn" when it is already at "debug".
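The raise-only rule from this commit message, as an added example that is not sudo's parser: each "subsys@priority" entry may only increase a subsystem's level, so a later "all@warn" leaves "pcomm" at "debug". The priority order, the subsystem table and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed verbosity order, lowest first; stored level is index + 1, 0 = unset. */
static const char *const prio_names[] = { "warn", "info", "debug" };
/* Constructed subsystem table; "all" is treated as a wildcard. */
static const char *const subsys_names[] = { "main", "pcomm", "util" };
#define NPRIO   3
#define NSUBSYS 3

static int lookup(const char *const *tab, int n, const char *s)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i], s) == 0)
            return i;
    return -1;
}

/* Parse "subsys@prio,..." into levels[]; returns 0, or -1 on a bad entry. */
static int parse_debug_entries(const char *spec, int levels[NSUBSYS])
{
    char buf[256], *entry, *next, *at;
    memset(levels, 0, NSUBSYS * sizeof(int));
    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    for (entry = buf; entry != NULL; entry = next) {
        if ((next = strchr(entry, ',')) != NULL)
            *next++ = '\0';
        if ((at = strchr(entry, '@')) == NULL)
            return -1;
        *at++ = '\0';
        int level = lookup(prio_names, NPRIO, at) + 1;
        int idx = lookup(subsys_names, NSUBSYS, entry), is_all = strcmp(entry, "all") == 0;
        if (level == 0 || (idx == -1 && !is_all))
            return -1;
        /* Raise-only: a later, lower priority never replaces a higher one. */
        for (int i = 0; i < NSUBSYS; i++)
            if ((is_all || i == idx) && level > levels[i])
                levels[i] = level;
    }
    return 0;
}

int main(void)
{
    int lv[NSUBSYS];
    if (parse_debug_entries("pcomm@debug,all@warn", lv) == 0)
        printf("main=%d pcomm=%d util=%d\n", lv[0], lv[1], lv[2]);
    return 0;
}
```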
Todd C. Miller [Wed, 20 Jan 2016 22:36:20 +0000 (15:36 -0700)]
If the user runs "sudoedit /" we will receive ENOENT from openat(2)
and sudoedit will try to create a file with the null string. If
path is empty, open the cwd instead so sudoedit can give a sensible
error message.
Todd C. Miller [Tue, 19 Jan 2016 17:32:33 +0000 (10:32 -0700)]
Add a SET_FLAG macro to simplify parsing command details boolean
flags. Previously, flags were only set and never cleared even if
the boolean value was false. This was not a problem as there were
no default flags for the plugin to enable. That will change in the
future.
Todd C. Miller [Mon, 18 Jan 2016 17:45:47 +0000 (10:45 -0700)]
Use faccessat(2) for directory writability instead of doing the
checks manually where possible. This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
Todd C. Miller [Mon, 11 Jan 2016 18:15:42 +0000 (11:15 -0700)]
No need to check whether the fd we opened is really a directory in
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
Todd C. Miller [Mon, 11 Jan 2016 01:31:29 +0000 (18:31 -0700)]
Rewritten sudoedit_checkdir support that checks all the dirs in the
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings. Bug #707
Todd C. Miller [Wed, 16 Dec 2015 22:08:01 +0000 (15:08 -0700)]
Refactor code to set LD_PRELOAD (or the equivalent) in the environment
into a preload_dso() function. Also avoid allocating a new copy
of the environment array if the size of the array does not change.
Todd C. Miller [Wed, 2 Dec 2015 21:06:37 +0000 (14:06 -0700)]
When checking the query results, don't set user_matches in the
netgroup pass unless sudo_ldap_check_non_unix_group() returns true.
This was preventing the mail_no_user sudoOption from being effective.
Todd C. Miller [Wed, 2 Dec 2015 17:43:41 +0000 (10:43 -0700)]
In list mode, we always want to clear FLAG_NO_USER and FLAG_NO_HOST
regardless of whether or not there was an actual match. Otherwise,
warning mail may be sent which is not what we want in list mode.
This is consistent with what the sudoers file backend does.
Todd C. Miller [Sun, 22 Nov 2015 16:19:12 +0000 (09:19 -0700)]
Use yy_size_t for digest_len since newer flex uses yy_size_t for
yyleng. Old flex uses int for yyleng so we need to use a cast to
avoid a sign compare warning.