summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Work around a macOS a kernel bug where tcsetpgrp() does not restart.HEADmasterTodd C. Miller2023-05-111-0/+7
| | | | I reported this bug to Apple over 12 years ago.
* run_command: run editor in foreground if visudo is the foreground processTodd C. Miller2023-05-111-61/+83
| | | | | | | | | | The command is now always run in its own process group. If visudo is run in the foreground, the command is run in the foreground too. Otherwise, run the command in the background. There is a race between the tcsetpgrp() call in the parent and the execve() in the child. If we lose the race and the command needs the controlling terminal, it will be stopped with SIGTTOU or SIGTTIN, which the waitpid() loop will handle.
* Accept carriage return for EOL in addition to newline.Todd C. Miller2023-05-111-3/+3
| | | | | | | | | Since visudo doesn't alter the terminal settings it is possible for the terminal to have the ONLCR bit set in the output control flags. In that case, we will get a CR, not a NL when the user presses enter/return. One way this can happen is if visudo is run in the background from a shell that supports line editing and the editor restores the (cbreak-style) terminal mode when it finishes.
* check_fill: sudoers_strict() is now a function, not a global variableTodd C. Miller2023-05-091-1/+7
|
* Move parser prototypes / externs from sudoers.h to parse.h or toke.h.Todd C. Miller2023-05-093-24/+22
|
* parse.h is already included by sudoers.h.Todd C. Miller2023-05-092-2/+0
|
* Rename parser_conf -> sudoers_conf in all but the parser itself.Todd C. Miller2023-05-093-26/+26
|
* Move sudoers search path to struct sudoers_parser_config.Todd C. Miller2023-05-0810-46/+42
| | | | | | That way we can avoid passing it to init_parser() directly. We still need sudoers_search_path to be shared between the lexer and the parser.
* Add struct sudoers_parser_config and pass it to init_parser().Todd C. Miller2023-05-0815-477/+604
| | | | | This struct contains parser configuration such as the sudoers file uid/gid/mode and parse flags such as verbose, strict and recovery.
* push_include_int: Avoid passing close(2) a negative value on error.Todd C. Miller2023-05-082-2/+4
| | | | Coverity CID 314108
* Eliminate dead store. Coverity CID 315032.Todd C. Miller2023-05-081-1/+0
|
* iolog_gets: change size parameter to int to match fgets/gzgetsTodd C. Miller2023-05-052-6/+6
| | | | Return an error, setting errno to EINVAL, for negative sizes.
* Rename force_umask to override_umask and make it private to sudoers.c.Todd C. Miller2023-05-043-5/+11
| | | | Add getter for policy.c.
* Make timestamp_uid and timestamp_gid private to timestamp.c.Todd C. Miller2023-05-046-14/+44
| | | | Add getter (for set_perms.c) and setter (for sudoers.c).
* Make login_style private to bsdauth.cTodd C. Miller2023-05-045-26/+41
| | | | Add a setter for policy.c to handle auth_type from the front-end.
* Back out last change, len must be int, not size_t, for %.*s.Todd C. Miller2023-05-031-2/+2
|
* Use a "%s" format instead of using a translated string as the format.Todd C. Miller2023-05-031-2/+2
|
* Merge pull request #260 from AtariDreams/size_tTodd C. Miller2023-05-033-5/+5
|\ | | | | | | Prefer size_t over int, as casting can take extra instructions
| * Prefer size_t over int, as casting can take extra instructionsRose2023-05-033-5/+5
|/
* Rename init_parser_ext() to init_parser() and remove old wrapper.Todd C. Miller2023-05-027-24/+11
| | | | | There was only one consumer of the init_parser() wrapper now that reset_parser() has been introduced.
* Add reset_parser() and use in place of init_parser(NULL).Todd C. Miller2023-05-025-6/+19
|
* Make path_ldap_conf and path_ldap_secret private to policy.c.Todd C. Miller2023-05-024-9/+23
| | | | Add getters for both so the ldap code can access them.
* Make sudoers_file private to policy.c and visudo.c.Todd C. Miller2023-05-026-114/+120
| | | | | | We just need a way for the policy (and visudo) to override the default sudoers path. This adds a getter to be used in file.c when sudoers is first opened.
* Support adminconfdir for relative include paths in sudoers.Todd C. Miller2023-05-029-239/+424
|
* Track the destination sudoers path for each parsed file.Todd C. Miller2023-05-021-54/+74
| | | | | | | When adminconfdir is enabled, the destination pathh may be different from the path we opened. We always store an edited file in the adminconfdir (if enabled). This makes it possible to use visudo when /etc/sudoers is located on a read-only file system.
* Add adminconfdir and --enable-adminconf to set it.Todd C. Miller2023-05-0219-64/+275
| | | | | | Configuration paths in sudo are now a colon-separated list of files with the adminconfdir instance first (if enabled), followed by a sysconfdir instance.
* Substitute for _PATH_SUDO* variables in pathnames.h.Todd C. Miller2023-02-085-50/+174
| | | | Previously these were hard-coded with Makefile overrides.
* Support sudoers_file being a colon-separated path of files.Todd C. Miller2023-05-0210-55/+131
| | | | The first file found is used.
* Convert config file paths to colon-separated path list.Todd C. Miller2023-05-0214-127/+258
| | | | | | This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF, and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first file that exists is used.
* Regenerate with latest autoconf from git.Todd C. Miller2023-05-012-344/+227
|
* No longer need to set AI_NUMERICSERV while fuzzing.Todd C. Miller2023-04-281-3/+0
| | | | | Now that getaddrinfo() is stubbed out while fuzzing we can remove the hack that set AI_NUMERICSERV.
* getaddrinfo stub: set sin_portTodd C. Miller2023-04-262-2/+4
|
* Avoid NULL deref in stub getaddrinfo() when nodename is NULL.Todd C. Miller2023-04-262-10/+47
| | | | | Also add support for parsing servname. We only need to support a subset of getaddrinfo() functionality in the fuzzer.
* Add missing stdio.h include for the _FORTIFY_SOURCE=2 check.Todd C. Miller2023-04-262-31/+4
| | | | | | Implementations of _FORTIFY_SOURCE require the header file to be included. Also remove the useless test of an empty program with _FORTIFY_SOURCE defined. Pointed out by Florian Weimer.
* Use ldap_msgfree() instead of ldap_init() for the lber.h test.Todd C. Miller2023-04-262-2/+2
| | | | | | | The ldap_init() function is marked as deprecated and not defined by default on some systems. This can cause an error for compilers that do not support implicit function declarations. From Florian Weimer.
* Include arpa/inet.h for inet_pton() prototype.Todd C. Miller2023-04-251-0/+1
|
* Add netdb.h for struct addrinfo and EAI_* error codes.Todd C. Miller2023-04-251-0/+1
|
* Stub out getaddrinfo() and freeaddrinfo().Todd C. Miller2023-04-251-0/+64
| | | | We may not be able have access to DNS in the fuzzing environment.
* Plug memory leaks in store_sudo_test found by LSAN.Todd C. Miller2023-04-251-0/+2
|
* disable_coredump: only change the soft limit, leave the hard limit as-isTodd C. Miller2023-04-241-20/+32
| | | | | | This should avoid problems on Linux in cases where sudo does not have CAP_SYS_RESOURCE which may be the case in an unprivileged container. GitHub issue #42
* Add basic support for remote power on/off via net-snmp.Todd C. Miller2023-04-191-14/+116
|
* More accurate description of what happens for "sudo -b".Todd C. Miller2023-04-191-1/+5
|
* Avoid calling isatty()/ttyname() on std{in,out,err} if not a char dev.Todd C. Miller2023-04-185-26/+59
| | | | | The user controls these fds so we should avoid calling ioctl(2) on them unless they correspond to actual character device files.
* Better support for "sudo -b" when running the command in a pty.Todd C. Miller2023-04-191-6/+20
| | | | | | | | When a command is run via "sudo -b" it has no access to terminal input. In non-pty mode, the command runs in an orphaned process group and reads from the controlling terminal fail with EIO. We cannot do the same while running in a pty but if we set stdin to a half-closed pipe, reads from it will get EOF. That is close enough.
* Hard-code usage() and help() for an 80-column terminal.Todd C. Miller2023-04-182-58/+76
| | | | | | | Trying to tailor the help and usage output to the terminal width is simply not worth it and could be abused to mark a socket as "trusted" on Linux if there are additional kernel bugs like CVE-2023-2002.
* Move CONFIGURE_ARGS from sudo_usage.h.in to config.h.in.Todd C. Miller2023-04-185-10/+19
|
* get_user_info: call sudo_get_ttysize() even if no /dev/ttyTodd C. Miller2023-04-172-7/+7
| | | | | We still want to initialize rows and cols based on the environment if possible.
* Get the tty size using stdout, not stderr, when printing help output.Todd C. Miller2023-04-161-1/+1
| | | | While usage() prints to stderr, help() prints to stdout.
* get_user_info: pass sudo_get_ttysize() the fd of /dev/tty, not stderr.Todd C. Miller2023-04-161-1/+1
| | | | | Both the plugin API and the main event loop expect lines/cols to refer to the user's terminal, so using /dev/tty is better here.
* Add an fd argument to sudo_get_ttysize() instead of always using stderr.Todd C. Miller2023-04-166-10/+18
| | | | | For sudoreplay we open /dev/tty, so use that instead of stderr when determining the terminal size.
View Lorry Controller Status