Todd C. Miller [Mon, 18 Dec 2017 17:35:37 +0000 (10:35 -0700)]
Trivial test for process start time. We don't try to check the
resulting timespec as it differs by platform. On most it is wallclock
time, on others it is relative to boot time (Linux).
Todd C. Miller [Sat, 16 Dec 2017 21:50:14 +0000 (14:50 -0700)]
Fix debug_decl(), it should be SUDOERS_DEBUG_UTIL
Add debugging for the successful case
For Linux, don't NUL out *ep before parsing with strtoull().
* * *
Add missing debug info for the System V /proc version.
Todd C. Miller [Sat, 16 Dec 2017 12:53:05 +0000 (05:53 -0700)]
In the timestamp record, include the start time of the terminal
session leader for tty-based timestamps or the start time of the
parent process for ppid-based timestamps. Idea from Duncan Overbruck.
Todd C. Miller [Sat, 16 Dec 2017 04:08:38 +0000 (21:08 -0700)]
If the lock record doesn't match the expected record size we need
to seek to the end of the record as we otherwise may have gone too
far (or not far enough). Fixes interop problems when the time stamp
record changes size.
Todd C. Miller [Sun, 10 Dec 2017 12:56:22 +0000 (05:56 -0700)]
Treat a blank line in a commit message as a line break. There
doesn't appear to be a way to make perl's format use a blank field
but at least the line break happens now.
Todd C. Miller [Fri, 1 Dec 2017 20:43:06 +0000 (13:43 -0700)]
When the command completes, make the monitor the foreground process
group before informing the main sudo process of the command's exit
status. This will prevent processes started by the command (which
runs in a different process group) from receiving SIGHUP since the
kernel sends SIGHUP to the foreground process group associated with
the terminal session. The monitor has a SIGHUP handler installed
so the signal is effectively ignored.
Todd C. Miller [Thu, 30 Nov 2017 16:53:21 +0000 (09:53 -0700)]
Don't loop over read/write, recv/send or tcgetpgrp/tcsetpgrp trying
to handle EINTR. We now use SA_RESTART with signals so this is not
needed and is potentially dangerous if it is possible to receive
SIGTTIN or SIGTTOU (which it currently is not).
Todd C. Miller [Wed, 29 Nov 2017 19:06:12 +0000 (12:06 -0700)]
Handle receipt of SIGTTIN/SIGTTOU when reading/writing from/to the tty.
We can't use a signal event for these since that would restart the
system call after the signal was handled and the callback would not
get a chance to run. Fixes running a command in the background that
write to the tty when the TOSTOP terminal flag is set.
Todd C. Miller [Wed, 29 Nov 2017 19:06:12 +0000 (12:06 -0700)]
We don't need to be the foreground process to be able to write to
the terminal in most cases. If the background process tries to
modify the terminal flags it will receive SIGTTOU which is relayed
to the sudo front-end. This currently mishandles terminals with
the TOSTOP local flag set.
Todd C. Miller [Tue, 28 Nov 2017 18:28:44 +0000 (11:28 -0700)]
Avoid a double free when ipa_hostname is set in sssd.conf and it
is an unqualified host name. From Daniel Kopecek.
Also move the "unable to allocate memory" warning into get_ipa_hostname()
itself to make it easier to see where the allocation failed in the
debug log.
Todd C. Miller [Tue, 28 Nov 2017 16:48:43 +0000 (09:48 -0700)]
When running a command as the invoking user we cannot use the gid
list from the front-end since it may not correspond to the user's
aux group vector as defined by the group database.
Todd C. Miller [Wed, 15 Nov 2017 22:06:45 +0000 (15:06 -0700)]
In list (-l) or verify (-v) mode, if we have a match but authentication
is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication. From Radovan Sroka of RedHat
Todd C. Miller [Wed, 15 Nov 2017 19:27:39 +0000 (12:27 -0700)]
When checking the results for "sudo -l" and "sudo -v", keep checking
even after we get a match since the value of doauth may depend on
evaluating all the results. From Radovan Sroka of RedHat.
Todd C. Miller [Tue, 14 Nov 2017 20:58:35 +0000 (13:58 -0700)]
If passwd_tries is less than 1, check_user() will always return
false (since the user didn't authenticate). The normal reason for
this is an authentication error but in this case no authentication
was tries so no warning message has been displayed to the user. If
the user wasn't given a chance to authenticate, set inform_user to
true when calling log_denial() from sudoers_policy_main().
An alternate approach would be for check_user() to return true
in this case but seems more confusing.
Todd C. Miller [Thu, 7 Sep 2017 20:59:37 +0000 (14:59 -0600)]
More accurately describe the use_pty option now that its behavior
has changed with respect to interposition with a pipe.
Also describe some caveats with log_input.
Todd C. Miller [Thu, 7 Sep 2017 17:32:30 +0000 (11:32 -0600)]
If /dev/tty is not available and no I/O logging plugins are configured,
fall back on exec_nopty() even if the policy plugin requested a pty.
We never allocate a pty when sudo is not run from a terminal anyway.
Todd C. Miller [Wed, 6 Sep 2017 21:59:37 +0000 (15:59 -0600)]
Set SIGCHLD handler to SIG_DFL before forking the askpass command
and restore after. Otherwise, SIGCHLD will end up in the list of
pending signals and sudo_execute() will not execute the command.
Todd C. Miller [Wed, 6 Sep 2017 18:29:36 +0000 (12:29 -0600)]
The read and write sides of signal_pipe[] were swapped, resulting
in EBADF reading from and writing to the signal pipe on Linux and
probably others. On systems with bidirectional pipes this was not
an issue.
Todd C. Miller [Fri, 1 Sep 2017 17:36:15 +0000 (11:36 -0600)]
The fix for matching when no sudoRunAsUser is present in a sudoRole
was incomplete. If no -g option was specified on the command line
but sudoRunAsGroup is present in a sudoRole, we need to treat the
group match as failed instead of missing.
Todd C. Miller [Thu, 31 Aug 2017 17:29:19 +0000 (11:29 -0600)]
Go back to returning true from display_privs() on non-error. This
results in "sudo -U otheruser -l" exiting with a status of 0 even
when otheruser is not allowed to run commands. This is appropriate
since the "sudo -l" command was successful. This does not change
the exit value when otheruser runs "sudo -l" themselves, the exit
status will be 1 since that user is not allowed to run commands.
Requested by Radovan Sroka.
Todd C. Miller [Thu, 31 Aug 2017 17:05:48 +0000 (11:05 -0600)]
Fix the pass2 ldap query string when no search filter is defined.
Due to the addition of "(sudoUser=*)" to the query we always need
the AND operator, even if no search filter is present.
Todd C. Miller [Tue, 29 Aug 2017 14:58:14 +0000 (08:58 -0600)]
Don't forward SIGINFO to the child when it is send by the kernel
(not another user process). This is consistent with the handling
of other keyboard-generated signals such as SIGINT, SIGQUIT and
SIGTSTP. Bug #796
Todd C. Miller [Thu, 3 Aug 2017 13:32:24 +0000 (07:32 -0600)]
Allow the user to specify a list of environment variables to preserve.
This adds an option paramter to the --preserve-env option, a
comma-separated list of variable names.
Todd C. Miller [Tue, 1 Aug 2017 22:14:54 +0000 (16:14 -0600)]
Replace tty_tickets option with timestamp_type which can be
global, ppid or tty. Defaults to tty (no change in behavior).
Some users want the ppid behavior.