authorTodd C. Miller <Todd.Miller@sudo.ws>2022-11-04 14:27:03 -0600
committerTodd C. Miller <Todd.Miller@sudo.ws>2022-11-04 14:27:03 -0600
commit82f411f3a5142e5ece898d7167273baaf9f26685 (patch)
tree014766cad9d1e552941e77f35515ba7085588ac5
parentea3f51a2d1188cca6be1a6820dd7d568dceed164 (diff)
parentf685f3d8c52b65aa03a9beab9f7adca9456ea3f9 (diff)
downloadsudo-SUDO_1_9_12p1.tar.gz
Merge sudo 1.9.12p1 from tip.SUDO_1_9_12p1
-rw-r--r--NEWS13
-rw-r--r--aclocal.m44
-rwxr-xr-xconfigure102
-rw-r--r--configure.ac30
-rw-r--r--lib/iolog/host_port.c1
-rw-r--r--plugins/sudoers/auth/API2
-rw-r--r--plugins/sudoers/auth/afs.c2
-rw-r--r--plugins/sudoers/auth/aix_auth.c2
-rw-r--r--plugins/sudoers/auth/bsdauth.c14
-rw-r--r--plugins/sudoers/auth/dce.c2
-rw-r--r--plugins/sudoers/auth/fwtk.c2
-rw-r--r--plugins/sudoers/auth/kerb5.c4
-rw-r--r--plugins/sudoers/auth/pam.c2
-rw-r--r--plugins/sudoers/auth/passwd.c15
-rw-r--r--plugins/sudoers/auth/rfc1938.c4
-rw-r--r--plugins/sudoers/auth/secureware.c2
-rw-r--r--plugins/sudoers/auth/securid5.c5
-rw-r--r--plugins/sudoers/auth/sia.c2
-rw-r--r--plugins/sudoers/auth/sudo_auth.h26
-rw-r--r--plugins/sudoers/match.c7
-rw-r--r--plugins/sudoers/pwutil.c42
-rw-r--r--plugins/sudoers/toke.c9
-rw-r--r--plugins/sudoers/toke.l9
-rw-r--r--src/exec_ptrace.c9
-rw-r--r--src/sudo.c2
25 files changed, 216 insertions, 96 deletions
diff --git a/NEWS b/NEWS
index 65502ecf7..3c4a339ef 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,16 @@
+What's new in Sudo 1.9.12p1
+
+ * Sudo's configure script now does a better job of detecting when
+ the -fstack-clash-protection compiler option does not work.
+ GitHub issue #191.
+
+ * Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
+ smaller than 8 characters when passwd authentication is enabled.
+ This does not affect configurations that use other authentication
+ methods such as PAM, AIX authentication or BSD authentication.
+
+ * Fixed a build error with some configurations compiling host_port.c.
+
What's new in Sudo 1.9.12
* Fixed a bug in the ptrace-based intercept mode where the current
diff --git a/aclocal.m4 b/aclocal.m4
index d636ead69..ffabc7f24 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
diff --git a/configure b/configure
index efdf3f1f2..a6371c222 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for sudo 1.9.12.
+# Generated by GNU Autoconf 2.71 for sudo 1.9.12p1.
#
# Report bugs to <https://bugzilla.sudo.ws/>.
#
@@ -621,8 +621,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.12'
-PACKAGE_STRING='sudo 1.9.12'
+PACKAGE_VERSION='1.9.12p1'
+PACKAGE_STRING='sudo 1.9.12p1'
PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
PACKAGE_URL=''
@@ -1640,7 +1640,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.9.12 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.12p1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1706,7 +1706,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.9.12:";;
+ short | recursive ) echo "Configuration of sudo 1.9.12p1:";;
esac
cat <<\_ACEOF
@@ -1996,7 +1996,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.9.12
+sudo configure 1.9.12p1
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2653,7 +2653,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.9.12, which was
+It was created by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -31899,42 +31899,40 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; }
fi
fi
if test "$enable_hardening" != "no"; then
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5
-printf %s "checking whether the linker accepts -fstack-clash-protection... " >&6; }
-if test ${ax_cv_check_ldflags___fstack_clash_protection+y}
+ # The gcc front-end may accept -fstack-clash-protection even if the
+ # machine-specific code does not support it. We use a test program
+ # with a large stack allocation to try to cause the compiler to
+ # insert the stack clash protection code, or fail if not supported.
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5
+printf %s "checking whether C compiler supports -fstack-clash-protection... " >&6; }
+if test ${sudo_cv_check_cflags___fstack_clash_protection+y}
then :
printf %s "(cached) " >&6
else $as_nop
- ax_check_save_flags=$LDFLAGS
- LDFLAGS="$LDFLAGS -fstack-clash-protection"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fstack-clash-protection"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-int
-main (void)
-{
+ int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }
- ;
- return 0;
-}
_ACEOF
-if ac_fn_c_try_link "$LINENO"
+if ac_fn_c_try_compile "$LINENO"
then :
- ax_cv_check_ldflags___fstack_clash_protection=yes
+ sudo_cv_check_cflags___fstack_clash_protection=yes
else $as_nop
- ax_cv_check_ldflags___fstack_clash_protection=no
+ sudo_cv_check_cflags___fstack_clash_protection=no
fi
-rm -f core conftest.err conftest.$ac_objext conftest.beam \
- conftest$ac_exeext conftest.$ac_ext
- LDFLAGS=$ax_check_save_flags
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_clash_protection" >&5
-printf "%s\n" "$ax_cv_check_ldflags___fstack_clash_protection" >&6; }
-if test x"$ax_cv_check_ldflags___fstack_clash_protection" = xyes
-then :
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+ CFLAGS="$_CFLAGS"
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_check_cflags___fstack_clash_protection" >&5
+printf "%s\n" "$sudo_cv_check_cflags___fstack_clash_protection" >&6; }
+ if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+
if test ${HARDENING_CFLAGS+y}
then :
@@ -32000,12 +31998,43 @@ else $as_nop
fi
+ fi
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
+printf %s "checking whether C compiler accepts -fcf-protection... " >&6; }
+if test ${ax_cv_check_cflags___fcf_protection+y}
+then :
+ printf %s "(cached) " >&6
else $as_nop
- :
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fcf-protection"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main (void)
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+ ax_cv_check_cflags___fcf_protection=yes
+else $as_nop
+ ax_cv_check_cflags___fcf_protection=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fcf_protection" >&5
+printf "%s\n" "$ax_cv_check_cflags___fcf_protection" >&6; }
+if test x"$ax_cv_check_cflags___fcf_protection" = xyes
+then :
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
printf %s "checking whether the linker accepts -fcf-protection... " >&6; }
if test ${ax_cv_check_ldflags___fcf_protection+y}
then :
@@ -32111,6 +32140,11 @@ else $as_nop
:
fi
+
+else $as_nop
+ :
+fi
+
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
printf %s "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if test ${ax_cv_check_ldflags___Wl__z_relro+y}
@@ -33114,7 +33148,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.9.12, which was
+This file was extended by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -33182,7 +33216,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-sudo config.status 1.9.12
+sudo config.status 1.9.12p1
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 103bc4fad..88b3304c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
dnl
AC_PREREQ([2.70])
-AC_INIT([sudo], [1.9.12], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.12p1], [https://bugzilla.sudo.ws/], [sudo])
AC_CONFIG_HEADERS([config.h pathnames.h])
AC_CONFIG_SRCDIR([src/sudo.c])
AC_CONFIG_AUX_DIR([scripts])
@@ -4956,13 +4956,31 @@ if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
fi
fi
if test "$enable_hardening" != "no"; then
- AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
+ # The gcc front-end may accept -fstack-clash-protection even if the
+ # machine-specific code does not support it. We use a test program
+ # with a large stack allocation to try to cause the compiler to
+ # insert the stack clash protection code, or fail if not supported.
+ AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+ [sudo_cv_check_cflags___fstack_clash_protection],
+ [
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fstack-clash-protection"
+ AC_COMPILE_IFELSE([
+ AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
+ ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+ CFLAGS="$_CFLAGS"
+ ]
+ )
+ if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
- ])
- AX_CHECK_LINK_FLAG([-fcf-protection], [
- AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
- AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ fi
+
+ AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+ AX_CHECK_LINK_FLAG([-fcf-protection], [
+ AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+ AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ ])
])
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])])
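Review bot: The new -fstack-clash-protection probe is compile-only and sets no warnings-as-errors flag, so a compiler that only warns about an unsupported option and still emits an object would presumably be cached as `yes`. If that case matters, the test could use `CFLAGS="$CFLAGS -fstack-clash-protection -Werror"`, provided the one-line test program compiles warning-free on the supported compilers. The link-time check for this flag is also gone, yet `-Wc,-fstack-clash-protection` is still appended to HARDENING_LDFLAGS on the strength of the compile result alone. A comment such as `# Compile-only: the test program is never run.` would record why the unbounded copy of argv[0] in the probe is harmless.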
diff --git a/lib/iolog/host_port.c b/lib/iolog/host_port.c
index 0622f4c44..7fcc0b03f 100644
--- a/lib/iolog/host_port.c
+++ b/lib/iolog/host_port.c
@@ -30,6 +30,7 @@
#endif /* HAVE_STDBOOL_H */
#include <stdio.h>
#include <string.h>
+#include <time.h>
#include "sudo_compat.h"
#include "sudo_debug.h"
diff --git a/plugins/sudoers/auth/API b/plugins/sudoers/auth/API
index d75829915..36096709a 100644
--- a/plugins/sudoers/auth/API
+++ b/plugins/sudoers/auth/API
@@ -14,7 +14,7 @@ typedef struct sudo_auth {
int (*init)(struct passwd *pw, sudo_auth *auth);
int (*setup)(struct passwd *pw, char **prompt, sudo_auth *auth);
- int (*verify)(struct passwd *pw, char *p, sudo_auth *auth, struct sudo_conv_callback *callback);
+ int (*verify)(struct passwd *pw, const char *p, sudo_auth *auth, struct sudo_conv_callback *callback);
int (*approval)(struct passwd *pw, sudo_auth *auth);
int (*cleanup)(struct passwd *pw, sudo_auth *auth, bool force);
int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
diff --git a/plugins/sudoers/auth/afs.c b/plugins/sudoers/auth/afs.c
index d6239168a..29e9dde97 100644
--- a/plugins/sudoers/auth/afs.c
+++ b/plugins/sudoers/auth/afs.c
@@ -45,7 +45,7 @@
#include "check.h"
int
-sudo_afs_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_afs_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
struct ktc_encryptionKey afs_key;
struct ktc_token afs_token;
diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c
index 8a6ec794e..239c8f96c 100644
--- a/plugins/sudoers/auth/aix_auth.c
+++ b/plugins/sudoers/auth/aix_auth.c
@@ -229,7 +229,7 @@ sudo_aix_change_password(const char *user)
}
int
-sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_aix_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char *pass, *message = NULL;
int result = 1, reenter = 0;
diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
index c34785a3b..2d972887d 100644
--- a/plugins/sudoers/auth/bsdauth.c
+++ b/plugins/sudoers/auth/bsdauth.c
@@ -104,7 +104,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
}
int
-bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+bsdauth_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char *pass;
char *s;
@@ -133,7 +133,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
} else {
pass = auth_getpass(s, SUDO_CONV_PROMPT_ECHO_OFF, callback);
- if (pass && *pass == '\0') {
+ if (pass != NULL && *pass == '\0') {
if ((prompt = strrchr(s, '\n')))
prompt++;
else
@@ -141,12 +141,12 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
/*
* Append '[echo on]' to the last line of the challenge and
- * reprompt with echo turned on.
+ * re-prompt with echo turned on.
*/
- len = strlen(prompt) - 1;
- while (isspace(prompt[len]) || prompt[len] == ':')
- prompt[len--] = '\0';
- if (asprintf(&s, "%s [echo on]: ", prompt) == -1) {
+ len = strlen(prompt);
+ while (len > 0 && (isspace((unsigned char)prompt[len - 1]) || prompt[len - 1] == ':'))
+ len--;
+ if (asprintf(&s, "%.*s [echo on]: ", (int)len, prompt) == -1) {
log_warningx(0, N_("unable to allocate memory"));
debug_return_int(AUTH_FATAL);
}
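Review bot: The rewritten trim loop has no comment saying why it counts down `len` instead of writing NULs into the prompt, which is the reason the empty-prompt underflow and the write through the now-const `prompt` are gone. Something like `/* prompt is const: trim by length, not in place; len may reach 0. */` above `len = strlen(prompt);` would keep a later cleanup from reverting it. The `(int)len` cast for the `%.*s` precision assumes the challenge line fits in an int. The declaration of `len` is outside this hunk, so that is worth a glance.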
diff --git a/plugins/sudoers/auth/dce.c b/plugins/sudoers/auth/dce.c
index f938c0c8d..bbee84236 100644
--- a/plugins/sudoers/auth/dce.c
+++ b/plugins/sudoers/auth/dce.c
@@ -59,7 +59,7 @@
static int check_dce_status(error_status_t, char *);
int
-sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_dce_verify(struct passwd *pw, const char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
{
struct passwd temp_pw;
sec_passwd_rec_t password_rec;
diff --git a/plugins/sudoers/auth/fwtk.c b/plugins/sudoers/auth/fwtk.c
index e9f6b72c7..a8092dcef 100644
--- a/plugins/sudoers/auth/fwtk.c
+++ b/plugins/sudoers/auth/fwtk.c
@@ -82,7 +82,7 @@ sudo_fwtk_init(struct passwd *pw, sudo_auth *auth)
}
int
-sudo_fwtk_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_fwtk_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char *pass; /* Password from the user */
char buf[SUDO_CONV_REPL_MAX + 12]; /* General prupose buffer */
diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c
index b45421841..7992cf398 100644
--- a/plugins/sudoers/auth/kerb5.c
+++ b/plugins/sudoers/auth/kerb5.c
@@ -185,7 +185,7 @@ done:
#ifdef HAVE_KRB5_VERIFY_USER
int
-sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_krb5_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
krb5_context sudo_context;
krb5_principal princ;
@@ -202,7 +202,7 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_con
}
#else
int
-sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_krb5_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
krb5_context sudo_context;
krb5_principal princ;
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 4f6e89c85..693cef3d4 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -283,7 +283,7 @@ sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth)
#endif /* _AIX */
int
-sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_pam_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
{
const char *envccname;
const char *s;
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index b2046eca2..636c07bab 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -61,9 +61,9 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
#ifdef HAVE_CRYPT
int
-sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
- char sav, *epass;
+ char des_pass[9], *epass;
char *pw_epasswd = auth->data;
size_t pw_len;
int matched = 0;
@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
/*
* Truncate to 8 chars if standard DES since not all crypt()'s do this.
- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
*/
- sav = pass[8];
pw_len = strlen(pw_epasswd);
- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
- pass[8] = '\0';
+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
+ strlcpy(des_pass, pass, sizeof(des_pass));
+ pass = des_pass;
+ }
/*
* Normal UN*X password check.
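Review bot: `des_pass` holds up to eight bytes of the cleartext password on the stack, and nothing in the visible hunks clears it before sudo_passwd_verify returns. The function body continues outside these hunks. If it does not already wipe the buffer there, add `explicit_bzero(des_pass, sizeof(des_pass));` once the crypt() result has been compared. The truncation by strlcpy is intentional, so its return value needs no check, but a short comment saying so (`/* truncation to 8 chars is the point */`) would prevent a well-meant "fix" later.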
@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
* only compare the first DESLEN characters in that case.
*/
epass = (char *) crypt(pass, pw_epasswd);
- pass[8] = sav;
if (epass != NULL) {
if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
matched = !strncmp(pw_epasswd, epass, DESLEN);
@@ -100,7 +99,7 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
}
#else
int
-sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char *pw_passwd = auth->data;
int matched;
diff --git a/plugins/sudoers/auth/rfc1938.c b/plugins/sudoers/auth/rfc1938.c
index 2e4824c60..2065c52c0 100644
--- a/plugins/sudoers/auth/rfc1938.c
+++ b/plugins/sudoers/auth/rfc1938.c
@@ -126,11 +126,11 @@ sudo_rfc1938_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
}
int
-sudo_rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_rfc1938_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
debug_decl(sudo_rfc1938_verify, SUDOERS_DEBUG_AUTH);
- if (rfc1938verify((struct RFC1938 *) auth->data, pass) == 0)
+ if (rfc1938verify((struct RFC1938 *) auth->data, (char *)pass) == 0)
debug_return_int(AUTH_SUCCESS);
else
debug_return_int(AUTH_FAILURE);
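Review bot: The `(char *)pass` cast discards the const qualifier this commit just added to the verify interface. The prototype of rfc1938verify() is not visible here. If it writes to its second argument, it would now be writing through a pointer that callers treat as read-only. Either confirm that it does not and say so next to the cast, e.g. `/* rfc1938verify() takes a non-const pointer but does not modify pass */`, or hand it a local copy of the response instead.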
diff --git a/plugins/sudoers/auth/secureware.c b/plugins/sudoers/auth/secureware.c
index 6980b75dc..49a4b4ea9 100644
--- a/plugins/sudoers/auth/secureware.c
+++ b/plugins/sudoers/auth/secureware.c
@@ -71,7 +71,7 @@ sudo_secureware_init(struct passwd *pw, sudo_auth *auth)
}
int
-sudo_secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_secureware_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char *pw_epasswd = auth->data;
char *epass = NULL;
diff --git a/plugins/sudoers/auth/securid5.c b/plugins/sudoers/auth/securid5.c
index debf632a4..349a3117b 100644
--- a/plugins/sudoers/auth/securid5.c
+++ b/plugins/sudoers/auth/securid5.c
@@ -138,7 +138,7 @@ sudo_securid_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
*
* Arguments in:
* pw - struct passwd for username
- * pass - UNUSED
+ * prompt - UNUSED
* auth - sudo authentication structure for SecurID handle
*
* Results out:
@@ -146,9 +146,10 @@ sudo_securid_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
* incorrect authentication, fatal on errors
*/
int
-sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_securid_verify(struct passwd *pw, const char *promp, sudo_auth *auth, struct sudo_conv_callback *callback)
{
SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
+ char *pass;
int ret;
debug_decl(sudo_securid_verify, SUDOERS_DEBUG_AUTH);
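Review bot: The renamed parameter is spelled `promp`, while the comment block above documents `prompt` and the prototype in sudo_auth.h still calls it `pass`. Spell it `const char *prompt` here and align the prototype so the three agree. The new local `char *pass;` has no initializer, and its first assignment is outside this hunk, so it is worth confirming that every path sets it before use.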
diff --git a/plugins/sudoers/auth/sia.c b/plugins/sudoers/auth/sia.c
index 4fc74592f..3327550ed 100644
--- a/plugins/sudoers/auth/sia.c
+++ b/plugins/sudoers/auth/sia.c
@@ -75,7 +75,7 @@ sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
}
int
-sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth,
+sudo_sia_verify(struct passwd *pw, const char *prompt, sudo_auth *auth,
struct sudo_conv_callback *callback)
{
SIAENTITY *siah = auth->data;
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
index de41e6fdc..031810466 100644
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
@@ -33,7 +33,7 @@ typedef struct sudo_auth {
void *data; /* method-specific data pointer */
int (*init)(struct passwd *pw, struct sudo_auth *auth);
int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
- int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
+ int (*verify)(struct passwd *pw, const char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
int (*cleanup)(struct passwd *pw, struct sudo_auth *auth, bool force);
int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
@@ -60,44 +60,44 @@ extern sudo_conv_t sudo_conv;
/* Prototypes for standalone methods */
int bsdauth_init(struct passwd *pw, sudo_auth *auth);
-int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+int bsdauth_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
-int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_aix_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_aix_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_fwtk_init(struct passwd *pw, sudo_auth *auth);
-int sudo_fwtk_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_fwtk_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
-int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_pam_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);
int sudo_securid_init(struct passwd *pw, sudo_auth *auth);
int sudo_securid_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
-int sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_securid_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_sia_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
-int sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_sia_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_sia_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_sia_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
/* Prototypes for normal methods */
-int sudo_afs_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
-int sudo_dce_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_afs_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_dce_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_krb5_init(struct passwd *pw, sudo_auth *auth);
int sudo_krb5_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
-int sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_krb5_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_passwd_init(struct passwd *pw, sudo_auth *auth);
-int sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
int sudo_rfc1938_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
-int sudo_rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_rfc1938_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_secureware_init(struct passwd *pw, sudo_auth *auth);
-int sudo_secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+int sudo_secureware_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_secureware_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
/* Fields: name, flags, init, setup, verify, approval, cleanup, begin_sess, end_sess */
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 9801f3894..e5634c4da 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -357,6 +357,10 @@ host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw,
matched = !m->negated;
break;
}
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "host %s (%s) matches sudoers host %s%s: %s", lhost, shost,
+ m->negated ? "!" : "", m->name ? m->name : "ALL",
+ matched == true ? "true" : "false");
debug_return_int(matched);
}
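Review bot: The new debug line prints `matched == true ? "true" : "false"`, but `matched` is returned through debug_return_int(), which suggests it is not a plain boolean. If it can still hold an "unset" value when no case in the switch applied, the log will report that as "false" and hide the difference between a negated match and no match. Printing the raw value (`"%d"`), or mapping the third state to its own string, would keep the trace unambiguous. The declaration and initial value of `matched` are outside this hunk.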
@@ -430,9 +434,6 @@ hostname_matches(const char *shost, const char *lhost, const char *pattern)
} else {
rc = !strcasecmp(host, pattern);
}
- sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
- "host %s matches sudoers pattern %s: %s",
- host, pattern, rc ? "true" : "false");
debug_return_bool(rc);
}
diff --git a/plugins/sudoers/pwutil.c b/plugins/sudoers/pwutil.c
index 88c7a4192..0ec718593 100644
--- a/plugins/sudoers/pwutil.c
+++ b/plugins/sudoers/pwutil.c
@@ -901,12 +901,44 @@ done:
debug_return_ptr(item->d.grlist);
}
+static void
+sudo_debug_group_list(const char *user, char * const *groups, int level)
+{
+ size_t i, len = 0;
+ debug_decl(sudo_debug_group_list, SUDOERS_DEBUG_NSS);
+
+ if (!sudo_debug_needed(level))
+ debug_return;
+
+ for (i = 0; groups[i] != NULL; i++) {
+ len += strlen(groups[i]) + 1;
+ }
+ if (len != 0) {
+ char *groupstr = malloc(len);
+ if (groupstr != NULL) {
+ char *cp = groupstr;
+ for (i = 0; groups[i] != NULL; i++) {
+ size_t n = snprintf(cp, len, "%s%s", i ? "," : "", groups[i]);
+ if (n >= len)
+ break;
+ cp += n;
+ len -= n;
+ }
+ sudo_debug_printf(level, "%s: %s", user, groupstr);
+ free(groupstr);
+ }
+ }
+ debug_return;
+}
+
int
sudo_set_grlist(struct passwd *pw, char * const *groups)
{
struct cache_item key, *item;
debug_decl(sudo_set_grlist, SUDOERS_DEBUG_NSS);
+ sudo_debug_group_list(pw->pw_name, groups, SUDO_DEBUG_DEBUG);
+
if (grlist_cache == NULL) {
grlist_cache = rbcreate(cmp_pwnam);
if (grlist_cache == NULL) {
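Review bot: In sudo_debug_group_list the result of snprintf() is stored in a `size_t`, so a negative error return becomes a huge value that is caught only by the `n >= len` test. If that happens on the first iteration, `groupstr` is passed to sudo_debug_printf() without ever having been written. Keeping the result signed makes the error case explicit: `int n = snprintf(cp, len, "%s%s", i ? "," : "", groups[i]);` followed by `if (n < 0 || (size_t)n >= len) break;`, with `groupstr[0] = '\0';` before the loop. The helper also dereferences `groups` unconditionally. The callers' guarantees are outside this hunk.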
@@ -937,7 +969,11 @@ sudo_set_grlist(struct passwd *pw, char * const *groups)
sudo_grlist_delref_item(item);
debug_return_int(-1);
}
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+ "groups for user %s are already cached", pw->pw_name);
}
+
debug_return_int(0);
}
@@ -1008,6 +1044,8 @@ sudo_set_gidlist(struct passwd *pw, char * const *gids, unsigned int type)
struct cache_item key, *item;
debug_decl(sudo_set_gidlist, SUDOERS_DEBUG_NSS);
+ sudo_debug_group_list(pw->pw_name, gids, SUDO_DEBUG_DEBUG);
+
if (gidlist_cache == NULL) {
gidlist_cache = rbcreate(cmp_gidlist);
if (gidlist_cache == NULL) {
@@ -1039,7 +1077,11 @@ sudo_set_gidlist(struct passwd *pw, char * const *gids, unsigned int type)
sudo_gidlist_delref_item(item);
debug_return_int(-1);
}
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+ "gids for user %s are already cached", pw->pw_name);
}
+
debug_return_int(0);
}
diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
index 82c8423dc..10a7b97ec 100644
--- a/plugins/sudoers/toke.c
+++ b/plugins/sudoers/toke.c
@@ -5914,8 +5914,9 @@ sudoers_trace_print(const char *msg)
sudo_lbuf_append(&trace_lbuf, "%s", msg);
if (strchr(msg, '\n') != NULL)
{
+ /* We already parsed the newline so sudolineno is off by one. */
sudo_debug_printf2(NULL, NULL, 0, SUDOERS_DEBUG_PARSER|SUDO_DEBUG_DEBUG,
- "%s:%d: %s", sudoers, sudolineno, trace_lbuf.buf);
+ "sudoerslex: %s:%d: %s", sudoers, sudolineno - 1, trace_lbuf.buf);
trace_lbuf.len = 0;
}
return 0;
@@ -5933,6 +5934,7 @@ sudoers_input(char *buf, yy_size_t max_size)
{
char *cp;
size_t avail = sudolinebuf.len - sudolinebuf.off;
+ debug_decl(sudoers_input, SUDOERS_DEBUG_PARSER);
/* Refill line buffer if needed. */
if (avail == 0) {
@@ -5977,6 +5979,9 @@ sudoers_eof:
sudolinebuf.buf[avail] = '\0';
}
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s:%d: %.*s", sudoers, sudolineno,
+ (int)(avail -1), sudolinebuf.buf);
+
sudolinebuf.len = avail;
sudolinebuf.off = 0;
sudolinebuf.toke_start = sudolinebuf.toke_end = 0;
@@ -5987,6 +5992,6 @@ sudoers_eof:
memcpy(buf, sudolinebuf.buf + sudolinebuf.off, avail);
sudolinebuf.off += avail;
- return avail;
+ debug_return_size_t(avail);
}
diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
index c843162d3..2f062ff12 100644
--- a/plugins/sudoers/toke.l
+++ b/plugins/sudoers/toke.l
@@ -1367,8 +1367,9 @@ sudoers_trace_print(const char *msg)
sudo_lbuf_append(&trace_lbuf, "%s", msg);
if (strchr(msg, '\n') != NULL)
{
+ /* We already parsed the newline so sudolineno is off by one. */
sudo_debug_printf2(NULL, NULL, 0, SUDOERS_DEBUG_PARSER|SUDO_DEBUG_DEBUG,
- "%s:%d: %s", sudoers, sudolineno, trace_lbuf.buf);
+ "sudoerslex: %s:%d: %s", sudoers, sudolineno - 1, trace_lbuf.buf);
trace_lbuf.len = 0;
}
return 0;
@@ -1386,6 +1387,7 @@ sudoers_input(char *buf, yy_size_t max_size)
{
char *cp;
size_t avail = sudolinebuf.len - sudolinebuf.off;
+ debug_decl(sudoers_input, SUDOERS_DEBUG_PARSER);
/* Refill line buffer if needed. */
if (avail == 0) {
@@ -1430,6 +1432,9 @@ sudoers_eof:
sudolinebuf.buf[avail] = '\0';
}
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s:%d: %.*s", sudoers, sudolineno,
+ (int)(avail -1), sudolinebuf.buf);
+
sudolinebuf.len = avail;
sudolinebuf.off = 0;
sudolinebuf.toke_start = sudolinebuf.toke_end = 0;
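Review bot: The precision `(int)(avail -1)` wraps if `avail` is 0 at this point, and it assumes the last byte of the line is the newline being dropped. After the wrap the cast gives a negative precision, which printf treats as absent, so the whole buffer is printed. That is harmless only because the buffer was just NUL-terminated. The code that sets `avail` is outside this hunk, so either confirm it cannot be 0 here or guard it, e.g. `(int)(avail ? avail - 1 : 0)`. The generated toke.c carries the same line.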
@@ -1440,5 +1445,5 @@ sudoers_eof:
memcpy(buf, sudolinebuf.buf + sudolinebuf.off, avail);
sudolinebuf.off += avail;
- return avail;
+ debug_return_size_t(avail);
}
diff --git a/src/exec_ptrace.c b/src/exec_ptrace.c
index 81cd10bc2..208a75f88 100644
--- a/src/exec_ptrace.c
+++ b/src/exec_ptrace.c
@@ -282,16 +282,17 @@ set_sc_arg4(struct sudo_ptrace_regs *regs, unsigned long addr)
static bool
ptrace_getregs(int pid, struct sudo_ptrace_regs *regs, int compat)
{
+ struct iovec iov;
debug_decl(ptrace_getregs, SUDO_DEBUG_EXEC);
+ iov.iov_base = &regs->u;
+ iov.iov_len = sizeof(regs->u);
+
# ifdef __mips__
/* PTRACE_GETREGSET has bugs with the MIPS o32 ABI at least. */
- if (ptrace(PTRACE_GETREGS, pid, NULL, &regs->u) == -1)
+ if (ptrace(PTRACE_GETREGS, pid, NULL, iov.iov_base) == -1)
debug_return_bool(false);
# else
- struct iovec iov;
- iov.iov_base = &regs->u;
- iov.iov_len = sizeof(regs->u);
if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
debug_return_bool(false);
# endif /* __mips__ */
diff --git a/src/sudo.c b/src/sudo.c
index 18beb1bd8..2888d23a5 100644
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -209,7 +209,7 @@ main(int argc, char *argv[], char *envp[])
submit_envp = envp;
sudo_mode = parse_args(argc, argv, &submit_optind, &nargc, &nargv,
&sudo_settings, &env_add);
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "sudo_mode %d", sudo_mode);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "sudo_mode 0x%x", sudo_mode);
/* Print sudo version early, in case of plugin init failure. */
if (ISSET(sudo_mode, MODE_VERSION)) {