Todd C. Miller [Fri, 28 Apr 2017 16:32:15 +0000 (10:32 -0600)]
We no longer need to write to the tty if the command was killed by
a signal. Sudo will terminate itself with the same signal the
command died from. Unfortunately, we lose the "core dumped" bit
since sudo itself will not dump core, but there doesn't appear to
be a way around that.
Todd C. Miller [Thu, 27 Apr 2017 16:34:30 +0000 (10:34 -0600)]
If the command terminated due to a signal, sudo will send that same
signal to itself so the parent shell knows the command died from
a signal. However, we don't want sudo itself to dump core.
Todd C. Miller [Thu, 27 Apr 2017 02:17:34 +0000 (20:17 -0600)]
The fix for Bug #722 contained a typo/thinko that resulted in the
exit status being 0 when a command was killed by a signal other
than SIGINT. This fixes the signal handler setup so sudo will
terminate with the same signal as the command. Bug #784.
Todd C. Miller [Wed, 26 Apr 2017 20:49:05 +0000 (14:49 -0600)]
Don't install the rc.d link when installing to a DESTDIR.
DESTDIR is generally only set when installing to a temporary
directory for packaging in which case the link should be
made in a post-install script.
Todd C. Miller [Wed, 26 Apr 2017 19:52:49 +0000 (13:52 -0600)]
In "make install", install sample sudoers file as /etc/sudoers.dist
and copy it to /etc/sudoers if there is no existing /etc/sudoers.
Packages either contain /etc/sudoers (RPM and Debian) or /etc/sudoers.dist
(everything else).
Todd C. Miller [Thu, 20 Apr 2017 22:13:14 +0000 (16:13 -0600)]
Use the standard idiom for popping all entries from a tail queue.
The llvm checker gets confused by TAILQ_REMOVE and generate
use-after-free false positives.
Todd C. Miller [Wed, 19 Apr 2017 15:39:55 +0000 (09:39 -0600)]
Avoid unused variable when getgrouplist_2() is available.
It would be nicer to just provide getgrouplist_2() (or the equivalent)
and avoid the ugly #ifdefs.
Todd C. Miller [Tue, 11 Apr 2017 22:56:04 +0000 (16:56 -0600)]
Try to make it clear that when match_group_by_gid is enabled, groups
in sudoers are looked up by group name instead of group ID. This
doesn't usually cause problems, but if there are conflicting group
entries (for example, from a local /etc/group file and an LDAP or
AD group database), whether the group is resolved by name or ID can
be used to work around conflicts.
Todd C. Miller [Mon, 27 Mar 2017 20:45:24 +0000 (14:45 -0600)]
Make check_digest test sudo_filedigest() itself instead of the
underlying SHA2 functions. That way we can test it regardless of
whether we use sudo's SHA2 functions or a library version.
Todd C. Miller [Thu, 23 Mar 2017 23:00:27 +0000 (17:00 -0600)]
Only retry mkdir or create with PERM_IOLOG if errno is EACCES.
Also always use PERM_IOLOG for mkdtemp() since we cannot retry
if it fails. Since we are guaranteed to create a new directory
there's no real need to try w/o PERM_IOLOG in this case.
Todd C. Miller [Tue, 14 Mar 2017 15:11:56 +0000 (09:11 -0600)]
Make it clear that I/O logs will be complete even if the command
run by sudo is terminated by a signal. The I/O log buffering just
prevents the logs from being displayed in real-time as the command
is running.
Todd C. Miller [Tue, 7 Mar 2017 19:29:21 +0000 (12:29 -0700)]
Add tcsetpgrp_nobg() which acts like tcsetpgrp() but returns -1
for a background process. This is safer than blocking SIGTTOU
which would cause tcsetpgrp() to succeed in the background.
Todd C. Miller [Mon, 6 Mar 2017 20:05:17 +0000 (13:05 -0700)]
Prevent sudo from receiving SIGTTOU when it tries to restore the
controlling terminal. There appears to be a race with the shell
(bash) which we may lose.
Todd C. Miller [Fri, 3 Mar 2017 17:35:11 +0000 (10:35 -0700)]
Reorganize the command execution code to separate out the pty and
non-pty code paths into their own event loops. The non-pty exec
code is now contained in exec_nopty.c and the pty exec code is split
between exec_pty.c (parent process) and exec_monitor.c (session leader).
This results in a small bit of duplicated code but improves readability.
Some of the duplicated code will fall out in future changes to the
event subsystem (the signal pipe).
Todd C. Miller [Fri, 24 Feb 2017 22:14:56 +0000 (15:14 -0700)]
Set the child pid to -1 after we've waited for it and take care to
avoid killing pid -1. This makes it a bit more explicit and removes
the need for a separate variable to track the child's status.
Sudo already stops processing signals after it receives SIGCHLD so
it is not vulnerable to CVE-2017-2616.
Todd C. Miller [Mon, 20 Feb 2017 23:44:12 +0000 (16:44 -0700)]
Move the file digest code out of match.c and into filedigest.c.
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.
Todd C. Miller [Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)]
Only inherit SELinux role/type and Solaris privilege sets if
the command does not include any. Previously, a command with
only a role would inherit a type from the previous command
which is not what was intended.
Todd C. Miller [Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)]
Merge command tags, SELinux type/role and Solaris privs settings
into "command options". This relaxes the order of things so tags
and other options can be interspersed.
Todd C. Miller [Mon, 13 Feb 2017 20:38:24 +0000 (13:38 -0700)]
Fix for including a sudoers file that begins with the letter 'i'.
The hack to determine whether we are parsing an include or includedir
is no longer safe now that relative include paths are permitted.
Bug #776.
Todd C. Miller [Fri, 27 Jan 2017 16:26:51 +0000 (09:26 -0700)]
Always set the close-on-exec bit on the fd used to generate the
digest (i.e. the command to run) on systems that lack fexecve(2).
That way we don't need to explicitly close it using #ifdefs.