Todd C. Miller [Wed, 27 Jan 2016 16:28:08 +0000 (09:28 -0700)]
fn_free_result() (aka sss_sudo_free_result() in sss_sudo.c) handles
a NULL pointer so there's no need to check before calling it. Add
missing initialization of sss_sudo_result to NULL in sudo_sss_setdefs().
Todd C. Miller [Wed, 27 Jan 2016 16:20:04 +0000 (09:20 -0700)]
Add missing return when user is not found in sudo_sss_result_get().
Previously we fell through to the default case which just logged a
debug message and returned so this just avoids the extra (generic)
debug message.
Todd C. Miller [Sat, 23 Jan 2016 00:04:58 +0000 (17:04 -0700)]
When calling setauthdb(), save the old registry value so we can
restore it properly. Previously we were setting the registry to
unrestricted instead of actually restoring it.
Todd C. Miller [Thu, 21 Jan 2016 14:43:25 +0000 (07:43 -0700)]
When parsing debug entries, don't make a lower value override a
higher one. For example, for "pcomm@debug,all@warn" the "all@warn"
should not set pcomm to "warn" when it is already at "debug".
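
The rule in the entry above, as an added example (not sudo's code and not part of the commit): a hypothetical parse_debug_entries() in which a later entry, including "all", can raise a subsystem's level but never lower it. The subsystem and priority tables are a reduced, assumed set for illustration.

```c
#include <string.h>

/* Assumed, reduced tables for this sketch; a higher index is more verbose. */
static const char *const prio_names[] = {
    "crit", "err", "warn", "notice", "diag", "info", "trace", "debug" };
static const char *const subsys_names[] = { "main", "pcomm", "util" };
#define NPRIO   (sizeof(prio_names) / sizeof(prio_names[0]))
#define NSUBSYS (sizeof(subsys_names) / sizeof(subsys_names[0]))

static int lookup(const char *const *tab, size_t n, const char *s, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(tab[i]) == len && strncmp(tab[i], s, len) == 0)
            return (int)i;
    return -1;
}

/* Parse "subsys@pri,subsys@pri,..." into levels[NSUBSYS]; -1 means unset.
 * Returns 0 on success, -1 on a malformed or unknown entry. */
int parse_debug_entries(const char *spec, int *levels)
{
    for (size_t i = 0; i < NSUBSYS; i++)
        levels[i] = -1;
    while (*spec != '\0') {
        size_t elen = strcspn(spec, ",");
        const char *at = memchr(spec, '@', elen);
        if (at == NULL)
            return -1;
        size_t slen = (size_t)(at - spec);
        int pri = lookup(prio_names, NPRIO, at + 1, elen - slen - 1);
        if (pri == -1)
            return -1;
        if (slen == 3 && strncmp(spec, "all", 3) == 0) {
            /* "all" raises every subsystem below pri, lowers none. */
            for (size_t i = 0; i < NSUBSYS; i++)
                if (levels[i] < pri)
                    levels[i] = pri;
        } else {
            int idx = lookup(subsys_names, NSUBSYS, spec, slen);
            if (idx == -1)
                return -1;
            if (levels[idx] < pri)
                levels[idx] = pri;
        }
        spec += elen;
        if (*spec == ',')
            spec++;
    }
    return 0;
}
```
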
Todd C. Miller [Wed, 20 Jan 2016 22:36:20 +0000 (15:36 -0700)]
If the user runs "sudoedit /" we will receive ENOENT from openat(2)
and sudoedit will try to create a file with the null string. If
path is empty, open the cwd instead so sudoedit can give a sensible
error message.
Todd C. Miller [Tue, 19 Jan 2016 17:32:33 +0000 (10:32 -0700)]
Add a SET_FLAG macro to simplify parsing command details boolean
flags. Previously, flags were only set and never cleared even if
the boolean value was false. This was not a problem as there were
no default flags for the plugin to enable. That will change in the
future.
Todd C. Miller [Mon, 18 Jan 2016 17:45:47 +0000 (10:45 -0700)]
Use faccessat(2) for directory writability instead of doing the
checks manually where possible. This also allows us to remove the
#ifdef __linux__ bits since we no longer use fstat(2) on Linux with
an O_PATH fd.
Todd C. Miller [Mon, 11 Jan 2016 18:15:42 +0000 (11:15 -0700)]
No need to check whether the fd we opened is really a directory in
sudo_edit_open_nonwritable() since if not, the openat() will fail
with ENOTDIR anyway.
Todd C. Miller [Mon, 11 Jan 2016 01:31:29 +0000 (18:31 -0700)]
Rewritten sudoedit_checkdir support that checks all the dirs in the
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings. Bug #707
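
The approach described in the entry above, as an added example (not sudo's code and not part of the commit): a hypothetical open_checked() walks the path one component at a time and opens a component with O_NOFOLLOW whenever the directory holding it is writable. It assumes writability is tested for the calling process with faccessat(2).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open path component by component. A symlink is only followed when the
 * directory containing it is not writable by the caller. */
int open_checked(const char *path, int oflags)
{
    char buf[PATH_MAX], *cp, *next;
    int dfd, fd, flags, serrno;

    if (strlen(path) >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, path);
    if ((dfd = open(*buf == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY)) == -1)
        return -1;
    for (cp = buf + strspn(buf, "/");; cp = next) {
        /* Writable parent: whoever can write here can plant a symlink. */
        flags = faccessat(dfd, ".", W_OK, 0) == 0 ? O_NOFOLLOW : 0;
        if ((next = strchr(cp, '/')) != NULL) {
            *next++ = '\0';                 /* intermediate directory */
            flags |= O_RDONLY | O_DIRECTORY;
        } else {
            flags |= oflags;                /* final component */
        }
        fd = openat(dfd, cp, flags);
        serrno = errno;
        close(dfd);
        errno = serrno;
        if (fd == -1 || next == NULL)
            return fd;
        dfd = fd;
    }
}

int main(int argc, char *argv[])
{
    int fd = open_checked(argc > 1 ? argv[1] : "", O_RDONLY);
    if (fd == -1)
        perror("open_checked");
    return fd == -1;
}
```
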
Todd C. Miller [Wed, 16 Dec 2015 22:08:01 +0000 (15:08 -0700)]
Refactor code to set LD_PRELOAD (or the equivalent) in the environment
into a preload_dso() function. Also avoid allocating a new copy
of the environment array if the size of the array does not change.
Todd C. Miller [Wed, 2 Dec 2015 21:06:37 +0000 (14:06 -0700)]
When checking the query results, don't set user_matches in the
netgroup pass unless sudo_ldap_check_non_unix_group() returns true.
This was preventing the mail_no_user sudoOption from being effective.
Todd C. Miller [Wed, 2 Dec 2015 17:43:41 +0000 (10:43 -0700)]
In list mode, we always want to clear FLAG_NO_USER and FLAG_NO_HOST
regardless of whether or not there was an actual match. Otherwise,
warning mail may be sent which is not what we want in list mode.
This is consistent with what the sudoers file backend does.
Todd C. Miller [Sun, 22 Nov 2015 16:19:12 +0000 (09:19 -0700)]
Use yy_size_t for digest_len since newer flex uses yy_size_t for
yyleng. Old flex uses int for yyleng so we need to use a cast to
avoid a sign compare warning.
Todd C. Miller [Fri, 30 Oct 2015 16:11:55 +0000 (10:11 -0600)]
Don't use CPPFLAGS for the -fstack-protector check. Otherwise on
systems with _FORTIFY_SOURCE support we'll get an error due to the
lack of optimization flags. Bug #725
Todd C. Miller [Thu, 29 Oct 2015 20:06:21 +0000 (14:06 -0600)]
Preserve LDFLAGS when checking for stack protector as they may include
rpath settings to allow the stack protector lib to be found. Avoid
using existing CFLAGS since we don't want the compiler to optimize
away the stack variable.
Todd C. Miller [Sun, 25 Oct 2015 20:28:38 +0000 (14:28 -0600)]
Set errno to EISDIR instead of ENOTDIR if directory is writable
since ENOTDIR can be a legitimate errno. This avoids a bogus
"directory is writable" error in that case.
Todd C. Miller [Tue, 6 Oct 2015 21:21:41 +0000 (15:21 -0600)]
Ignore the SUDO_CONV_PROMPT_ECHO_OK flag when echo is enabled.
This was preventing a match of SUDO_CONV_PROMPT_ECHO_ON which
resulted in a masked password instead of an echoed one.
Todd C. Miller [Fri, 2 Oct 2015 17:24:01 +0000 (11:24 -0600)]
It is possible for WIFSTOPPED to be true even if waitpid() is not
given WUNTRACED if the child is ptraced. Don't exit the waitpid()
loop if WIFSTOPPED is true, just in case.
Todd C. Miller [Tue, 29 Sep 2015 03:20:37 +0000 (21:20 -0600)]
There's no point in trying to interpose protected versions of the
exec family of functions. Many modern C libraries use hidden symbols
for the functions and syscalls defined in libc such that they cannot
be overridden inside libc itself. We have to just wrap all the exec
variants plus system and popen.