Sudo
GitHub Blog Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

ChangeLog

2024-10-05 Todd C. Miller
  • plugins/sudoers/auth/pam.c:
    sudo_pam_verify: move PAM_USER after getpass_error check

    Move it into the PAM_SUCCESS case of the switch *pam_status switch. [6aa4d591afd7] [tip]

2024-10-02 Marco Trevisan (Treviño)
  • plugins/sudoers/auth/pam.c:
    plugins/pam: Check the user didn’t change during PAM transaction

    PAM modules can change the user during their execution, in such case, sudo would still use the user that has been provided giving potentially access to another user with the credentials of another one.

    So prevent this to happen, by ensuring that the final PAM user is matching the one which started the transaction [f92dac8249ec]

2024-09-28 Célestin Matte
  • plugins/sudoers/sudoers.in:
    Fix typo in sudoer file comment [76eff2fe253e]
2024-09-21 Todd C. Miller
  • INSTALL.md:
    Document “–with-secure-path-value=no” [b34d043d306a]
2024-09-17 Andy Fiddaman
  • configure.ac, plugins/sudoers/sudoers.in:
    Allow –secure-path-value=no

    This adds support for –with-secure-path-value=no to allow packagers to ship the sudoers configuration file with the secure path line commented out if required. [b8056ecccf22]

2024-09-13 Todd C. Miller
  • .github/workflows/main.yml:
    Update CIFuzz GitHub action [42d9f793924c]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    alias_error: display the file and line info for the duplicate alias

    Having the file and line of the previous alias definition should make it easier to fix duplicate alias errors. [d4d8f3edeaca]

2024-09-11 Todd C. Miller
  • src/ttyname.c:
    On AIX, psinfo.pr_ttydev is 0 when a process has no terminal. On most other systems, psinfo.pr_ttydev is -1 for processes with no associated terminal. GitHub issue #408 [f06249487180]
2024-09-10 Ferdinand Bachmann
  • plugins/sudoers/sudoers.in:
    Add pam_silent setting to sudoers example config [456873661f91]
2024-09-09 Ferdinand Bachmann
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Fix version typo for pam_silent option in sudoers man page [8de684d1172e]
2024-09-06 Todd C. Miller
  • lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
    Fix the date written used by the exit record in sudo-format log files

    The change to always get the current time when building a struct evlog in sudoers broke the data and time written for exit records. This only affected file-based logs, not syslog. GitHub issue #405. [969e326eab50]

2024-09-04 Arjen Lentz
2024-09-02 Todd C. Miller
  • configure, configure.ac:
    Better test for cross-compiling when checking for C99 snprintf

    We want to avoid calling AX_FUNC_SNPRINTF entirely if cross- compiling since it is not possible to undo the setting of PREFER_PORTABLE_SNPRINTF. The previous attempt to do this failed to take into account that PREFER_PORTABLE_SNPRINTF would still be defined. GitHub issue #969 [71e3f5a288e1]

2024-08-17 Rose
  • plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.h:
    Put restrict qualifers in strvec_join function pointer [e646803c1669]
2024-08-15 Todd C. Miller
  • plugins/sudoers/policy.c:
    Make a ttydev parse error non-fatal for now

    This is new for sudo 1.9.16 so we don’t want to break sudo if there ends up being a bug in formatting dev_t from the front-end. [84f38b553ef7]

2024-08-14 Todd C. Miller
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
    Document that ttydev is formatted as a long long. [888ebc218c13]
  • config.h.in, configure, configure.ac, src/regress/ttyname/check_ttyname.c, src/sudo.c:
    Format ttydev as (signed) long long, not unsigned.

    Now that we parse ttydev as a long long it makes more sense to format it the same way. This completely avoids the sign extension issue on systems where dev_t is signed. [d4e61663685c]

2024-08-13 Todd C. Miller
  • src/sudo.c:
    Fix sign compare warning

    Store the result of asprintf() in an int, not size_t. [8b784b3da399]

  • config.h.in, configure, configure.ac, src/regress/ttyname/check_ttyname.c, src/sudo.c:
    Fix formatting of ttydev on systems with signed 32-bit dev_t

    If dev_t is 32-bit and signed, formatting as an unsigned long long may result in a bogus value due to sign extension. [a00cd79a0805]

  • src/regress/ttyname/check_ttyname.c:
    get_process_ttyname() now returns a dev_t, not a string. [ba9be5ea56be]
  • plugins/sudoers/policy.c:
    Use sudo_strtonum() instead of strtoull().

    Fixes building on systems that lack strtoull(). While dev_t is unsigned on most systems, we can still use sudo_strtonum() here as long as we allow the full range of values [LLONG_MIN,LLONG_MAX]. We don’t use strtoul() here since some 32-bit systems have 64-bit dev_t. [c53bcb633bb1]

  • include/sudo_compat.h:
    Include time.h if missing utimensat() or futimens().

    Now that we declare these as taking a timespec array we cannot get away with a simple forward declaration. [50fb0feb77cb]

2024-08-13 Rose
  • src/load_plugins.c:
    Replace sudo_stat_plugin with sudo_qualify_plugin, as sudo_stat_plugin does not exist

    sudo_qualify_plugin was probably meant instead. [34f9a3d7544a]

  • include/sudo_util.h, lib/util/multiarch.c:
    Restrict-qualify stat_multiarch [4560116cc24c]
  • include/compat/glob.h, lib/util/glob.c:
    Restrict-qualify glob and its functions

    glob is restrict-qualified in the standard [073d9c8a836c]

  • include/sudo_util.h, lib/util/hexchar.c:
    Restrict-qualify sudo_hexchar_v1

    sudo_hexchar_v1 requires an array of at least size-2, and is not aliased. [45b46285386a]

2024-08-13 Todd C. Miller
  • plugins/sudoers/regress/parser/check_base64.c:
    Sync base64_encode and base64_decode prototypes with parse.h. [78753e5c0986]
2024-08-13 Rose
  • include/sudo_util.h, lib/util/uuid.c:
    Use static declaration for array sizes to uuid functions [170398a514af]
2024-08-12 Rose Silicon
  • plugins/sudoers/parse.h:
    Restrict-qualify dst in base64_decode

    Definition restrict qualifies but not declaration in header. [f2331447dbdb]

2024-08-12 Rose
  • include/sudo_compat.h, lib/util/fstatat.c, lib/util/gmtime_r.c, lib/util/inet_pton.c, lib/util/localtime_r.c, lib/util/utimens.c:
    Use the full definition of the emulated function that is missing [be203a3c16d0]
  • plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/parse.h:
    Add restrict qualifiers to base64_decode and base64_encode [9efa1d67d12b]
  • include/sudo_util.h, lib/util/uuid.c:
    Use restrict to optimize sudo_uuid_to_string_v1 [b3c62ffc4b5d]
  • include/sudo_iolog.h, plugins/sudoers/iolog_path_escapes.c:
    Restrict-qualify iolog_path_escapes like we do with check_iolog_path

    Also add it to the function pointer definition to act as a hint to use restrict in the various copy functions. [549ebf72051a]

  • include/sudo_util.h, lib/util/uuid.c:
    sudo_uuid_to_string_v1’s first argument should be const

    uuid is not modified. [feb62b110dbd]

2024-08-02 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Use FD_CLOEXEC instead of just 1 [adfb8e81f872]
2024-07-28 Todd C. Miller
  • NEWS:
    Mention –with-secure-path-value configure option [5eb0179bc97b]
  • INSTALL.md, configure, configure.ac:
    Add –with-secure-path-value option

    This can be used by package maintainers to set the value of secure_path that is substituted into the default sudoers file. [e31490007b92]

  • docs/sudo_logsrvd.man.in, docs/sudo_sendlog.man.in, docs/sudoers.man.in:
    regen [21176573dc75]
  • configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Rename secure_path_set -> secure_path_status [d81c73260a8d]
2024-07-27 Todd C. Miller
  • plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, po/fr.mo, po/fr.po:
    Updated translations from translationproject.org [23df3ee904ca]
2024-07-14 Todd C. Miller
  • docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.mdoc.in:
    Add sudo_logsrv.proto manual cross-reference. [f8c6bc110415]
2024-07-07 Todd C. Miller
2024-07-02 Todd C. Miller
  • configure, configure.ac:
    If cross-compiling with a C99 compiler, assume snprintf is compliant.

    This is a better default than assuming it is not compliant (the previous behavior) when cross-compiling. These days it is rare for sudo to be built on pre-C99 systems. GitHub issue #969 [0037c70db352]

2024-06-25 Todd C. Miller
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Reference schema.IBM_LDAP. [52ec640462f0]
  • MANIFEST, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/id.mo, plugins/sudoers/po/id.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/hr.mo, po/hr.po, po/id.mo, po/id.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/ru.mo, po/ru.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po:
    Updated translations from translationproject.org [f72ae022e1fb]
  • MANIFEST, README.LDAP.md, docs/schema.IBM_LDAP:
    Add schema for IBM Directory Server in LDIF format.

    GitHub issue #384 [5b7fe088a994]

2024-06-16 Todd C. Miller
  • NEWS:
    Remove an errant line that should have been removed. [4e1d495e0d56]
2024-06-15 Todd C. Miller
2024-06-11 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Improve the description of secure_path. [6eb51ab0b84f]
2024-06-10 Todd C. Miller
  • INSTALL.md, configure, configure.ac, docs/sudoers.mdoc.in, plugins/sudoers/sudoers.in:
    Enable secure_path in default sudoers file.

    It is still disabled by default in the sudo binary. [564699389bb8]

  • configure, configure.ac, plugins/sudoers/sudoers.in:
    Preserve SUDO_EDITOR, EDITOR, and VISUAL for visudo. [fa4746fb1caf]
2024-06-08 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.16 [181210704ac8]
  • INSTALL.md, configure, configure.ac:
    Compile in support for insults by default.

    Insults are still disabled by default but can be enabled in the sudoers file. To completely disable insult support, use the –without-insults configure option. [d753f92cc7cb]

2024-06-07 Todd C. Miller
  • plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/cvtsudoers/test41.out.ok, plugins/sudoers/regress/cvtsudoers/test41.sh:
    Treat unresolvable User_Alias/Host_Alias as non-aliases in JSON output.

    This matches the behavior of the sudoers parser. There is no way to tell for sure if an upper case word is an alias or a user or host name. An unresolvable command alias is never a command since it doesn’t start with a ‘/’. GitHub issue #381 [c1bac476f593]

  • lib/util/json.c:
    Set need_comma when closing an array or object.

    This fixes an issue where an empty array or object would not have a comma after it. GitHub issue #381 [f43cbdff918f]

2024-05-28 Todd C. Miller
  • docs/Makefile.in:
    Add comment that the .mdoc files are generated from .mdoc.in [fcf5c893ce58]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Sync BUGS section with the bugs section of README.md.

    Also mention how to report security issues based on SECURITY.md. GitHub issue #377. [3efcd5725175]

2024-05-26 Todd C. Miller
  • plugins/sudoers/regress/sudoers/test24.in, plugins/sudoers/regress/sudoers/test24.json.ok, plugins/sudoers/regress/sudoers/test24.ldif.ok, plugins/sudoers/regress/sudoers/test24.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test24.out.ok, plugins/sudoers/regress/sudoers/test24.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Allow the path in Chdir_Spec | Chroot_Spec to be double-quoted.

    The other values of an Option_Spec could already be quoted but path names are treated specially. [4249e3de7959]

2024-05-21 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/sudo.conf.man.in, docs/sudo.man.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.man.in, docs/sudo_plugin.man.in, docs/sudo_plugin_python.man.in, docs/sudo_sendlog.man.in, docs/sudoers.ldap.man.in, docs/sudoers.man.in, docs/sudoers_timestamp.man.in, docs/sudoreplay.man.in, docs/visudo.man.in:
    regen [592d85185e9e]
  • docs/Makefile.in:
    Include the name of the original .mdoc.in file in the .man.in file.

    This should make it more obvious which is the authoritative file. [0d2b135ba7a6]

2024-05-18 Todd C. Miller
  • scripts/pp:
    Fix a syntax error in the systemd sudo-logsrvd.postinst script:
    sudo-logsrvd.postinst: 120: [: -eq: unexpected operator [108d20c4a419]
  • src/exec_monitor.c, src/exec_pty.c, src/sudo.h:
    When revoking the pty, kill the foreground process from the parent sudo.

    There’s no need to send messages back and forth to the monitor when the main process can just do it. GitHub issue #367. [c900ae4e24d6]

  • scripts/mkpkg:
    Fix check for libaudit package on Debian-based systems.

    Newer systems only have /usr/lib with /lib as a symbolic link. [5e3ec90ad10c]

2024-05-17 Todd C. Miller
  • docs/schema.ActiveDirectory:
    Add double quotes around #schemaNamingContext in example.

    GitHub issue #376 [220ca840fb59]

2024-05-15 Robert Manner
  • logsrvd/logsrvd.c, logsrvd/tls_client.c, plugins/sudoers/log_client.c:
    logsrvd,plugins/sudoers: add debug log on TLS verification error [0febc8521ac7]
2024-05-06 Todd C. Miller
  • plugins/sudoers/lookup.c:
    apply_cmndspec: plug potential memory leak

    If apply_cmndspec() is called where the cmndspec defines an apparmor profile or Solaris privileges, and then is called again with a cmndspec that does not have those set we would leak the original value. [e16977b54b3b]

  • plugins/sudoers/policy.c, src/parse_args.c, src/sudo.h:
    We do not pass apparmor_profile from the front-end to the policy.

    There is no command line option to specify a profile, it is only passed from the policy to the front-end. [eb44161484c8]

2024-05-03 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
    Sync fuzz_sudoers dictionary with def_data.in. [d5e5fe67b687]
  • plugins/sudoers/lookup.c:
    apply_cmndspec: plug apparmor_profile leak

    Also override existing Solaris privs if specified. [988c0c1281b9]

  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    free_cmndspec: plug apparmor_profile leak [bf0c3a2cb1c3]
2024-05-02 Todd C. Miller
  • plugins/python/regress/testhelpers.c:
    Python 3.12 backtraces use ‘~’ in addition to ‘^’ when underlining. GitHub issue #374 [e0241596c632]
2024-05-01 Todd C. Miller
  • plugins/sudoers/regress/sudoers/test31.in, plugins/sudoers/regress/sudoers/test31.json.ok, plugins/sudoers/regress/sudoers/test31.ldif.ok, plugins/sudoers/regress/sudoers/test31.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test31.out.ok, plugins/sudoers/regress/sudoers/test31.toke.ok:
    Add test for parsing SELinux, AppArmor and Solaris privileges. [b42890f216f8]
  • plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Unifdef parser support for SELinux, AppArmor and Solaris privileges. [86e2a47837ba]
2024-04-30 Todd C. Miller
  • plugins/sudoers/display.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c:
    Add some missing AppArmor bits.

    o Display ApparmorProfile in “long list” format. o Propagate apparmor_profile setting to commands in a list. o Support apparmor_profile in an LDAP sudoOption. [5f21bbd855af]

  • src/exec_monitor.c:
    Quiet compiler warning on Solaris 10 [ae794b45287f]
  • configure, configure.ac, plugins/sudoers/regress/harness.in:
    Check JSON output with jq if present. [b661df83a15c]
  • plugins/sudoers/cvtsudoers_json.c:
    Format SELinux, AppArmor and Solaris privileges as Options.

    Previously these were output as separate arrays without an enclosing object. GitHub issue #373 [35f090b7c0cf]

2024-04-29 Todd C. Miller
  • docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.mdoc.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.mdoc.in, etc/codespell.exclude, lib/util/lbuf.c, logsrvd/logsrvd_journal.c, plugins/sudoers/parse_ldif.c, src/exec_intercept.c:
    Pass “make spell” with updated codespell. [20339782866b]
  • src/exec_monitor.c:
    mon_handle_revoke: only send SIGHUP to the foreground process group.

    There’s no need to signal both the foreground process group and the command itself (if different). This matches the behavior of the session leader exiting, which is what we want to simulate. [2f5f7666c8b1]

2024-04-28 Todd C. Miller
  • src/exec_monitor.c, src/exec_pty.c, src/sudo.h:
    Avoid using ioctl(TIOCNOTTY) in the monitor.

    We don’t need to revoke the terminal in the monitor, just signal the foreground process group. This is more portable and has the same effect as ioctl(TIOCNOTTY) would on Linux. Since we now signal the command from the monitor, there is no reason to forward SIGHUP from the kernel. GitHub issue #367. [45dbbe36e3da]

  • plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test24.json.ok:
    Fix copy and paste error in the fix for GitHub issue #369 Fixes GitHub issue #371 [f8eb25025dbd]
2024-04-27 Todd C. Miller
  • src/exec_monitor.c, src/exec_pty.c, src/sudo.h:
    If user’s tty goes away, tell monitor to revoke the tty in its session.

    Previously, we would simply close the pty leader in the main sudo process. This had the effect of revoking the pty, but the foreground process would not necessarily receive SIGHUP. By using TIOCNOTTY in the monitor, the running command has a better chance of getting SIGHUP. Once the monitor has revoked the pty, the main sudo process will close the pty leader, invalidating the pty. GitHub issue #367. [3d5708b425df]

2024-04-26 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
    Commands with multiple digests of the same type are stored in an array. [0eefa91fd695]
2024-04-25 Todd C. Miller
  • plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test14.json.ok:
    Store mulitple command digests of the same type as an array.

    Otherwise, we end up with duplicated keys in the object. GitHub issue #370 [b5005381fa87]

2024-04-22 Todd C. Miller
  • plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/ins_python.h:
    Call gettext() on insults when displayed, not when declared. [db2415febdda]
2024-04-19 Todd C. Miller
  • plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test24.json.ok:
    When converting CWD and CHROOT tags, store them as objects. Fixes GitHub issue #369 [bf7c37a8477c]
2024-04-17 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c:
    Add pam_silent sudoers option. Inspired by PR #368 GitHub issue #216 [767f06c8f2cd]
2024-04-01 alberic89
  • plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/ins_python.h:
    Make insults translatable [75e3a8130abc]
2024-03-18 Todd C. Miller
  • INSTALL.md, config.h.in, configure, configure.ac, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h:
    Remove offensive insults that were disabled by default anyway. Bug #1058 [1dc8bd05e7b4]
2024-03-09 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c:
    Remove EVLOG_JSON, callers must use EVLOG_JSON_COMPACT or EVLOG_JSON_PRETTY [ce2530f471e7]
  • docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c:
    Add “json_pretty” log format, currently the same as “json”.

    In a future version, “json” will be an alias for “json_compact” instead. GitHub issue #357. [3bc19566a59d]

2024-03-08 Todd C. Miller
  • docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers_cb.c:
    Add json_compact log type for compact/minified JSON.

    The “json_compact” log type logs one event per line in compact/minified JSON format. GitHub issue #357. [d5f74fbe0529]

  • docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/env.c:
    Set SUDO_HOME to the invoking user’s home directory. GitHub issue #358 [07353b9b45c9]
2024-03-02 Martin
2024-02-29 Todd C. Miller
  • plugins/sudoers/Makefile.in:
    Explicitly link check_symbols with zlib.

    Fixes a test failure on some systems when using sudo’s built-in zlib. [be0e77798f08]

2024-02-22 Fabrice Fontaine
  • m4/openssl.m4:
    m4/openssl.m4: fix cross-compilation with wolfssl

    Do not append -I/usr/include/wolfssl when cross-compiling

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@…> [369865095dea]

2024-02-21 Todd C. Miller
  • lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Regenerate dependencies [00ed81bc1e04]
  • lib/util/Makefile.in, scripts/mkdep.pl:
    Using $< in a non-suffix rule context is a GNU make extension. [011aaca5f363]
  • lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Use $(CPP) instead if $(CC) -E when buiding .i files from .c. [5b5ce9a47757]
2024-02-18 Todd C. Miller
  • configure.ac:
    Check if ac_cv_sys_file_offset_bits is “64”, not “yes”

    This is used for determining whether to set _TIME_BITS with autoconf versions before 2.72. [b5fc00b41b7f]

2024-02-17 Yann E. MORIN
  • lib/util/Makefile.in:
    lib/utils: detect failure to generate signals list and names

    Currently, we generate the signal list and names by running cpp on our header, and piping the result into sed.

    However, when cpp fails [0], we do not catch that failure, as the error code of the LHS of a pipe is lost, with the pipe returning the RHS-most return code.

    Fix that by introducing two new intermediate rules, each to generate the preprocessed .i files, and use those as dependencies and input to the rule that generates the headers. Those two .i files will be cleaned up by the existing *.i glob.

    [0] a failure happens on recent hosts, due to inconsistency with time64_t and large-file support (lines elided and wrapped for readability):

    /usr/bin/cpp […] ./sys_signame.h \ | /usr/bin/sed -e ‘1,/^int sudo_end_of_headers;/d’ -e ‘/^#/d’ > mksigname.h In file included from /usr/include/features.h:394, from /usr/include/sys/types.h:25, from ./sys_signame.h:4: /usr/include/features-time64.h:26:5: error:
    #error “_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64” 26 | # error “_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64” | ^~~~~ /usr/bin/gcc […] ./mksigname.c -o mksigname In file included from /usr/include/features.h:394, from /usr/include/bits/libc-header-start.h:33, from /usr/include/stdlib.h:26, from ./mksigname.c:27:
    /usr/include/features-time64.h:26:5: error: #error “_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64” 26 | # error “_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64” | ^~~~~ make[2]: *** [Makefile:263: mksigname] Error 1

    In that case, we were lucky that the subsequent gcc call also failed, and for the same reason. That time64_t and lfs issue should be fixed (at least investigated), but that does not mean we should not be more robust when parsing the header either.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> [8a8b019b4c14]

  • src/exec_ptrace.c:
    src/exec_ptrace: fix build without precess_vm_readv()

    Commit 32f4b98f6b4a (sudo frontend: silence most -Wconversion warnings.) broke the build on C libraries that miss process_vm_readv(), like uClibc-ng.

    Indeed, the ssize_t nwritten is declared guarded by HAVE_PROCESS_VM_READV, but is then re-assigned and used a few lines below, outside any guard.

    Fix that by always declaring the object, as it is always needed.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> [d910c4d9bc54]

2024-01-31 Todd C. Miller
  • docs/HISTORY.md:
    Quest no longer sponsors sudo development. [a9cb1edcb8fd]
2024-01-23 Todd C. Miller
  • LICENSE.md, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.h:
    Update embedded copy of zlib to version 1.3.1. [0f2a995be814]
2024-01-18 Todd C. Miller
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Update copyright data in the package files. [0c7a31bc825c]
2024-01-13 Rose
  • plugins/sudoers/iolog_path_escapes.c:
    Add restrict qualifiers to strlcpy_no_slash

    It’s just strlcpy except it replaces ‘/’ with ‘_’. [c357706bb1f5]

2024-01-12 Rose
  • lib/util/glob.c, plugins/sudoers/tsdump.c:
    Prefer putchar over fputc where possible

    putchar is easier to understand than fputc and printf and does less work than those two do. [25b05cac7581]

2024-01-10 Todd C. Miller
  • plugins/sudoers/logging.c:
    Only log “a password is required” for “sudo -n” if a command is specified. This means that it is not logged for “sudo -nv” and “sudo -nl”. We only log this message when sudo’s -n flag is specified (and not when the user presses ^C at the password prompt) so that there is a record of failed non-interactive commands. [80bef089b555]
2024-01-08 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Document side-effects of enabling the use_pty option. [255a6563d27c]
  • plugins/sudoers/sudoers.in:
    Update “!use_pty” example to only disable it for non-root users.

    Also add a commented out entry for “exec_background” which can also be used to prevent sudo from consuming tty input. Related to GitHub issue #338 [bc8530773486]

2024-01-01 Todd C. Miller
  • src/sudo_edit.c:
    sudo_edit_mktemp: remove useless cast [636d4b873903]
  • lib/util/regress/mktemp/mktemp_test.c:
    Add check for sysconf(_SC_PAGESIZE) failure. [c632a57c20e2]
2023-12-31 Todd C. Miller
2023-12-30 Todd C. Miller
  • scripts/mkpkg:
    Restore the ability to override default configure settings.

    The user-specified options must go last… [6b33cb2d4fba]

2023-12-29 Todd C. Miller
2023-12-28 Todd C. Miller
  • plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil_impl.c:
    Properly handle sysconf(_SC_LOGIN_NAME_MAX) returning -1 on failure.

    The cast to size_t needs to be outside the MAX() macro or the -1 will get cast to unsigned. [8917f7d6a464]

2023-12-22 Todd C. Miller
  • config.h.in, configure, configure.ac, plugins/sudoers/timestamp.c:
    Automatically migrate lecture file path from name-based to uid- based.

    GitHub issue #342. [9fcfdf6e8882]

2023-12-21 Todd C. Miller
  • lib/iolog/regress/iolog_path/check_iolog_path.c:
    Add missing checks for strdup() failure. [d5d20569c6aa]
2023-12-19 Todd C. Miller
  • plugins/sudoers/ldap_conf.c:
    Disable netgroup_query when netgroup_base is not set.

    The logic was inverted when support for netgroup_query was added. This supercedes PR #341. [76765198ff73]

  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    In the NOEXEC example make it clear that “shanty” is a host. Bug #1064 [a8acf089535e]
2023-12-18 Todd C. Miller
  • lib/eventlog/eventlog.c:
    closefrom_nodebug: skip fds < 0

    This can only happen if lowfd < 0, which is never the case. Quiets a static analyzer warning. [222886d48308]

2023-12-16 Todd C. Miller
  • plugins/sudoers/defaults.c:
    Fix printing of warning when a Defaults setting is missing a value.

    This is a bug in parse_default_entry() introduced in sudo 1.8.19 when support for using the default syslog facility was added at the wrong place in a switch(). [b9fec7aa7319]

2023-12-15 Todd C. Miller
  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
    Sprinkle some more const in defaults.c. [e1ef878f08b3]
  • plugins/sudoers/defaults.c:
    Fix evaluation of a tuple used in “true” boolean context.

    Previously, a tuple in boolean context was always treated as a negated entry, which doesn’t match the documentation. We assume that there are at least two tuple entries where the first maps to boolean false and the second maps to boolean true. [4be36c6cab1c]

  • plugins/sudoers/lookup.c:
    sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue().

    Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present. [cac08bcb42f7]

2023-12-13 Todd C. Miller
2023-12-11 Todd C. Miller
  • plugins/sudoers/policy.c:
    Pass back Solaris privs as “runas_privs” and “runas_limitprivs”.

    The “runas_” prefix got inadvertantly removed in the big sudoers_context refactor. [304fe94b7f00]

2023-12-09 Todd C. Miller
  • include/sudo_util.h, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp.in, src/sudo.h, src/ttyname.c:
    sudo_term_is_raw: only try to lock the fd if it is a tty

    This moves sudo_isatty() to libsudo_util so sudo_term_is_raw() can use it. Fixes GitHub issue #335 [aa4c13345801]

2023-12-07 Todd C. Miller
  • plugins/sudoers/sudoreplay.c:
    setup_terminal: fix an editing error introduced in 1.9.15. [a49d25d2c3ea]
2023-12-06 Todd C. Miller
  • plugins/sudoers/match_command.c:
    command_matches_regex: retry with canonicalized path if possible

    If ctx->user.cmnd doesn’t match, use ctx->user.cmnd_dir (if present) to construct a canonicalized path and match on that. [c24a4083224b]

2023-12-04 Todd C. Miller
  • plugins/sudoers/match_command.c:
    command_matches_fnmatch: retry with canonicalized path if possible

    If ctx->user.cmnd doesn’t match, use ctx->user.cmnd_dir (if present) to construct a canonicalized path and match on that. [88563830f0c5]

  • lib/util/gethostname.c:
    If sysconf(_SC_HOST_NAME_MAX) returns 0, just use 255.

    This should not actually be possible. [770391d1b7a9]

  • plugins/sudoers/sethost.c:
    Fall back to “localhost” if gethostname() fails.

    GitHub issue #332 [37dff0fc09fe]

  • plugins/sudoers/match_command.c:
    command_matches_glob: fix comparison of canonicalized parent directories

    Bug #1062 [e7545a3736c6]

2023-12-01 Todd C. Miller
  • plugins/sudoers/cvtsudoers_csv.c:
    Add missing print_member_list_csv() return value check. [289474dabf3a]
  • plugins/sudoers/tsdump.c:
    Check sudoers_debug_register() return value. [d41cd0e91271]
2023-11-30 Todd C. Miller
  • configure, scripts/config.guess, scripts/config.sub:
    Regenerate with the autoconf 2.72d snapshot. [d155689bd4d1]
2023-11-28 Todd C. Miller
  • plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in:
    Add cmddenial_message to def_data.in [5da99b926451]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Reword the description of cmddenial_message. [2542c62dc70e]
  • docs/sudoreplay.man.in:
    Regenerate from sudoreplay.mdoc.in [469fc2ca26e1]
2023-11-28 THE-Spellchecker
  • INSTALL.md, docs/UPGRADE.md, lib/util/event.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/lbuf.c, lib/util/snprintf.c, lib/util/sudo_dso.c, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/sample/sample_plugin.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/ldap.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.h, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, src/exec.c, src/exec_monitor.c, src/exec_ptrace.c, src/exec_pty.c:
    Typographical and Grammatical fixes [e38efca3fdca]
2023-11-26 Todd C. Miller
  • lib/util/ttyname_dev.c:
    No need to include sys/param.h here. [aa51309bbbf1]
  • plugins/sudoers/tsdump.c:
    tsdump: quiet compiler warnings on some platforms.

    Quiet a -Wshadow warning from gcc. Cast major() and minor() to unsigned int when printing. [f684294d67cc]

  • plugins/sudoers/tsdump.c:
    tsdump: display both the terminal path and device number.

    If no terminal device can be found, print “major, minor” device numbers instead. [11bc7d9447b6]

  • docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in:
    Sync time stamp defines with sudoers timestamp.h

    The types and flags are now explicitly unsigned. [b879cc9adcb2]

  • docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in:
    Mention the tsdump utility [8f175644a965]
  • plugins/sudoers/Makefile.in:
    Build tsdump by default so it does not suffer bit rot. [3c5f70c4eb28]
  • include/sudo_debug.h:
    Add sudo_debug_exit_dev_t stub for fuzzing. [3a7f59a57c03]
  • lib/util/chacha_private.h, lib/util/inet_pton.c:
    Avoid using the u_int type, which is not portable. [7dbfe37f8687]
  • plugins/sudoers/tsdump.c:
    tsdump: update to use a uid-based path by default

    This matches the changes in sudo 1.9.15 to the sudoers policy module. [cab576f101c7]

2023-11-25 Todd C. Miller
  • plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout:
    Update for plugin version 1.22. [6abaf23b44b5]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h:
    Document ttydev and bump plugin version to 1.22 [9cee78e466c6]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
    Add ttydev to sudoers_user_context and use for timestamp file.

    GitHub issue #329 [2378fa73b48d]

  • include/sudo_debug.h, src/sudo.c, src/sudo.h, src/ttyname.c:
    Pass tty device number from front-end to policy module.

    GitHub issue #329 [d383c81bb3a6]

2023-11-23 Todd C. Miller
  • plugins/sudoers/audit.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    log_server_alert: struct timespec argument was not actually used

    The struct timespec argument is used to initialize the command start time, which is not used for an alert message. [2f0c4dd9b41e]

  • plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c:
    log_server_alert: use fmt_alert_message not fmt_reject_message

    Only affects intercepted commands. [1a3defb146dc]

  • plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c:
    log_server_open: always pass in awake time, not wallclock time.

    The timespec passed to log_server_open() should be from sudo_gettime_awake() since it is used to build the command run time. [c68a03d4695c]

  • plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
    Replace submit_time in struct sudoers_context with start_time.

    We need to track the (monotonic) command start time to be able to generate an accurate run time. Instead of setting submit time when the policy initializes (and using that time for logging purposes), set evlog->submit_time to the current wallclock time when we need to perform logging. This is more consistent with how sudo logging was performed in the past. Fixes GitHub issues #327. [e57f9145945b]

  • plugins/sudoers/audit.c, plugins/sudoers/logging.c:
    We can use evlog.submit_time in the call to eventlog_alert().

    This is set to the current wallclock time by sudoers_to_eventlog(). [f16ff52d85bd]

  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/parse_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_local.c, logsrvd/sendlog.c, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
    Rename submit_time -> event_time in struct eventlog. [fdd5cf4716f8]
2023-11-20 Guillaume Destuynder
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/logging.c, plugins/sudoers/regress/sudoers/test26.in, plugins/sudoers/regress/sudoers/test26.json.ok, plugins/sudoers/regress/sudoers/test26.ldif.ok, plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test26.out.ok, plugins/sudoers/regress/sudoers/test26.toke.ok:
    Add support for a custom message when the command execution is denied. [fe85c9713bcf]
2023-11-11 Todd C. Miller
  • plugins/sudoers/cvtsudoers_csv.c:
    cvtsudoers_csv.c: remove most sudo_fatal() calls.

    Errors are now propagated up the call stack. [de66055c58a0]

  • plugins/sudoers/cvtsudoers_ldif.c:
    No need for sudo_fatalx() here, just pass back an error. [e27822406648]
  • plugins/sudoers/cvtsudoers_ldif.c:
    cvtsudoers_ldif: display warning on write error [aa4b6e791808]
  • plugins/sudoers/cvtsudoers_merge.c:
    cvtsudoers_merge.c: remove sudo_fatal() calls.

    Errors are now propagated up the call stack. [2ae3ed90c650]

2023-11-10 Todd C. Miller
  • plugins/sudoers/cvtsudoers_merge.c:
    Make new_member() return NULL on failure and adjust callers. [de40dd7b70b2]
  • plugins/sudoers/cvtsudoers_ldif.c:
    Pass return values back instead of using sudo_fatal(). [b2b363922d27]
  • plugins/sudoers/cvtsudoers_ldif.c:
    Add printf_attribute_ldif() to printf-format an LDIF attribute.

    This replaces multiple sequences of asprintf() and print_attribute_ldif(). [a7cc31ef064a]

2023-11-09 Todd C. Miller
  • plugins/sudoers/cvtsudoers_json.c:
    cvtsudoers_json.c: check sudo_json_* return values.

    Previously, we set memfatal to true in sudo_json_init() instead. This also gets rid of a number of sudo_fatalx() calls. [cf5ab9602976]

  • plugins/audit_json/audit_json.c:
    add_timestamp: check sudo_json_* return values. [65cebaa3a1ec]
  • plugins/sudoers/alias.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/parse.h, plugins/sudoers/testsudoers.c:
    alias_apply: change return type to bool

    We can use the rbapply() return value to detect failure. [e5bf4f575eae]

  • src/sudo.c:
    Always disable core dumps when sudo sends itself a fatal signal.

    When a command exits due to a fatal signal, sudo will re-send that signal to itself so the shell does not ignore keyboard-generated signals. However, now that sudo disables core dumps by default for the command, we cannot rely on WCOREDUMP() telling us whether or not the signal will lead to a core dump. It is safest to always disable core dumps before sending the signal to ourself. [0383034bc54e]

2023-11-08 Todd C. Miller
  • lib/util/term.c:
    sudo_term_restore: don’t check c_cflag on systems with TCSASOFT.

    If TCSASOFT is present, tcsetattr() will ignore c_cflag. Fixes a bug where sudo_term_restore() would refuse to change the terminal settings back if the PARENB control flag was set. GitHub issue #326. [bcd3c9f5736a]

  • scripts/mkpkg:
    Quote $osversion since it may include whitespace. [fb4aac7003c6]
2023-11-07 Todd C. Miller
  • plugins/sudoers/sudoers.h:
    Use C99 designated struct initializers.

    This is less error-prone and would have avoided GitHub issue #325. [f7fad7f54d1b]

  • plugins/sudoers/sudoers.h:
    Correct the order of the strings in SUDOERS_CONTEXT_INITIALIZER.

    Fixes GitHub issue #325, a bug introduced in sudo 1.9.15. [0266ed6c95f9]

2023-11-06 Todd C. Miller
  • NEWS:
    In the sudo 1.9.14p3 section, “Python python” should be “Python plugin”. [dee39187deda]
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Document special cases for AIX-style shared libraries.

    The shared object is a member of an archive file that is specified in parentheses. [bb9a50249072]

2023-11-04 Todd C. Miller
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in:
    Add sudoers plugin Debug example and x-ref sudoers man page for details. [ef23f00ac8ad]
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in:
    The HP-UX getgrouplist() code has been disabled due to bugs. [0bc060c69389]
2023-11-03 Todd C. Miller
  • lib/util/sudo_conf.c:
    sudo_conf_debug_files: special handling of DSO members for AIX

    When matching debug files for AIX-style DSOs like sudoers.a(sudoers.so) we want to match on the full name, the name without the member and on the member itself. This makes it possible to use the existing examples in the sudo.conf fiile on AIX. [2ec138dbc507]

  • plugins/sudoers/pwutil.c:
    sudo_set_grlist and sudo_set_gidlist: set auth registry based on username

    Previously we used the global registry but since we have the user’s passwd info we should use that when storing the group and gid lists. [71b6647d4cb0]

2023-11-02 Todd C. Miller
  • plugins/sudoers/parse_ldif.c:
    role_to_sudoers: only try to reuse a privilege if one is present [91207af2554c]
  • plugins/sudoers/defaults.c:
    store_plugin: avoid potential NULL deref in boolean context

    Coverity CID 330466 [5c7ebbaf83c4]

  • plugins/sudoers/sudoreplay.c, src/conversation.c:
    Avoid passing sudo_term_is_raw() -1 for the fd.

    Coverity CID 330472 Coverity CID 330468 [b28a472152ab]

  • logsrvd/sendlog.c:
    fmt_info_messages: bump info_msgs_size for submitenv [e36bfd74abb9]
  • NEWS:
    Better log message when rejecting a setid command in intercept mode. [06d161998e22]
  • plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Move the check for running setid commands in intercept mode to later.

    Checking for setid commands in intercept mode after command matching allows us to log a proper error message. Previously, we simply ignored setid commands when matching and the only indication of why was in the debug logs. [b07b8fcff911]

  • plugins/sudoers/timestamp.c:
    timestamp_open: add some debugging [dc7070cbadd9]
2023-10-31 Todd C. Miller
  • plugins/sudoers/auth/sia.c:
    sudo_sia_begin_session: add missing struct sudoers_context * arg. [4caf619af53b]
  • plugins/sudoers/auth/kerb5.c:
    verify_krb_v5_tgt: auth name must be const to match struct sudo_auth. [e4d6a0b15003]
  • .circleci/config.yml:
    Disable PAM before enabling Kerberos V. [55523956e9ff]
  • .circleci/config.yml, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add Kerberos V build and test to CI. [7cf8ab128064]
2023-10-31 Renato Botelho
  • plugins/sudoers/auth/kerb5.c:
    Add missing sudoers_context to verify_krb_v5_tgt()

    Commit 244017495421 added ctx variable to log_warningx() call but that variable was not declared in that context, breaking the build. [7b89c1b61e19]

2023-10-30 Todd C. Miller
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po:
    Updated translations from translationproject.org [2a5a4f1350ee]
2023-10-27 Todd C. Miller
  • logsrvd/logsrvd.c:
    Set the open file descriptor limit to the maximum allowed value.

    Each connection can require up to 9 descriptors. [72b6593b631d]

2023-10-23 Todd C. Miller
  • NEWS:
    Mention new Indonesian translation and sudo_logsrvd fd limit change. [753002967fc0]
  • plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/sr.mo, po/sr.po, po/zh_CN.mo, po/zh_CN.po:
    Updated translations from translationproject.org [619098603afe]
  • MANIFEST, po/id.mo, po/id.po:
    New Indonesian translation from translationproject.org [568e33cb694c]
2023-10-22 Todd C. Miller
  • plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Avoid a double-free in fuzz_policy caused by the early env_init(NULL).

    This adds an env_free() function to explicitly free both the old and new copies of the environment. It is really only needed by fuzz_policy, which calls the policy module multiple times. [9cb4400fe76c]

  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Store submitenv in eventlog and pass it to sudo_logsrvd. [3ef684a6f888]
2023-10-21 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c:
    struct eventlog: rename argv/env to runargv/runenv.

    This matches the JSON logs. [df2ac695bcf7]

  • plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    struct sudoers_user_context: rename env_vars to env_add [f57859bca061]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c:
    Only log the run environment for commands that are allowed.

    It may not be available otherwise and unless the command is being run it has no real meaning. [98b79f16e06e]

  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    Free the private copy of the environment in sudoers_check_cmnd().

    This reverts 5118eb5797fb, which had the side-effect of the PAM session code running with the run environment instead of the invoking user’s environment. Issue #318 [6b4abada2e55]

2023-10-19 Todd C. Miller
  • lib/iolog/iolog_swapids.c:
    iolog_swapids: short circuit if effective ids match iolog ids. [6871a2a50eae]
  • lib/iolog/iolog_mkdirs.c, logsrvd/iolog_writer.c:
    logsrvd: display error string in message if iolog_mkpath() fails [4a601c7e1248]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.15 [39ac757a80c9]
2023-10-18 Todd C. Miller
  • plugins/sudoers/sudoers.in:
    Add example for disabling intercept/log_subcmds for certain commands. [52d01bcd6e3a]
  • lib/util/mksiglist.c, lib/util/mksigname.c:
    Use NSIG instead of nitems(array) for the loop bound.

    This matches the sudo_sys_siglist[] and sudo_sys_signame[] declarations. [d515abb232ae]

  • plugins/sudoers/tsdump.c:
    tsdump: fix compiler warnings [4e5d80f29845]
2023-10-17 Todd C. Miller
  • lib/eventlog/regress/logwrap/check_wrap.c, lib/util/mksiglist.c, lib/util/mksigname.c, logsrvd/sendlog.c, plugins/python/regress/iohelpers.c, plugins/sudoers/tsdump.c:
    Avoid using %zu or %zd with printf() and fprintf().

    This prevents problems on systems where the system printf(3) is not C99-compliant. We use our own snprintf() on such systems so that is safe. [7ff250c66e05]

  • plugins/sudoers/sudo_printf.c, src/conversation.c:
    Use vsnprintf() instead of vfprintf() for sudo_printf() to avoid problems on systems where the system printf(3) is not C99-compliant. We use our own snprintf() on such systems. [053c94c3db03]
  • include/sudo_compat.h, lib/util/getdelim.c, lib/util/realpath.c, lib/util/regress/getdelim/getdelim_test.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    strlcpy_expand_host, sudo_getdelim, sudo_realpath: add restrict qualifier [8669d4d9b4d9]
2023-10-16 Todd C. Miller
  • lib/util/term.c:
    Better handling of multiple sudo processes modifying terminal settings. 1. Lock the terminal before tcgetattr/tcsetattr 2. Don’t restore terminal settings if changed by another process 3. Don’t set terminal to raw mode if it is already raw GitHub issue #312 [8d5664300c7e]
2023-10-16 Rose
  • plugins/sudoers/prompt.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.h:
    Add restrict to strlcpy and expand_prompt [b26d50f82d2f]
2023-10-16 Todd C. Miller
2023-10-15 Rose
  • lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/sudo_conf.c:
    Swap calloc arguments to use them properly. [1d4877da5233]
2023-10-14 Todd C. Miller
  • src/exec_ptrace.c:
    ptrace_intercept_execve: make flags unsigned to match command_details [97ee796e74ec]
2023-10-13 Rose
  • include/sudo_util.h, src/exec_ptrace.h:
    Specify 1U over 1 for bitmaps [8eaecce2e3c6]
2023-10-12 Todd C. Miller
  • plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/parse.h, plugins/sudoers/sudoers.h:
    Fix spelling: resistent -> resistant [df6b986b8d31]
2023-10-05 Todd C. Miller
  • .gitignore, .hgignore:
    Add plugins/sudoers/tsgetusershell.c to ignore files. [5e9538b2aaae]
2023-10-02 Todd C. Miller
  • plugins/sudoers/mkdefaults:
    Fix compatibility with older versions of (new) awk.

    Do not rely on awk supporting “-f -” to read the program from stdin. Avoid using POSIX character classes in regular expressions. [0e67e9ba4ddf]

2023-10-02 Alexander F. Rødseth
  • plugins/sudoers/visudo.c:
    Add Orbiton (“o”) to the list of editors that supports +lineno [28e192d4be9b]
  • plugins/sudoers/visudo.c:
    Sort the list of editors that supports +lineno [6467309f5ac3]
2023-09-28 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Mention potential problems with log_subcmds and intercept. [9c93f9315924]
  • src/sudo.c:
    Add more user info to the list of objects to be garbage-collected at exit. [caeb35967cd2]
2023-09-27 Todd C. Miller
  • plugins/python/pyhelpers.c, plugins/python/pyhelpers.h:
    Use long, not long long, when getting/setting numeric attributes.

    We use int or long, not long long, in the Python plugin. [d1008ce69cf6]

  • plugins/sudoers/file.c:
    sudo_file_open: initialize parser before calling open_sudoers().

    Otherwise, the parser_conf settings in the context passed to sudo_file_open() will not be honored by open_sudoers(). Affected settings include ignore_perms, sudoers mode, uid and gid. [21e56d49521a]

  • lib/eventlog/parse_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_timing.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/sendlog.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c:
    Add casts when storing values in a struct timespec.

    Fixes -Wconversion warnings on some 32-bit systems where time_t is still 32-bit. [b090ed40a1d0]

2023-09-27 Rose
  • lib/util/roundup.c:
    Use U, not UL, for 32-bit platforms

    size_t is an unsigned int on 32-bit platforms, not an unsigned long. [9f4a9b73c954]

2023-09-26 Todd C. Miller
  • plugins/sudoers/match_digest.c:
    digest_matches: actually use fd2 in place of fd as needed. [9db51e4a8521]
  • plugins/sudoers/match_digest.c:
    digest_matches: if fd argument is -1, try to open path before failing [5b323859cbd0]
  • plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/regress/testsudoers/test21.sh, plugins/sudoers/regress/testsudoers/test22.sh, plugins/sudoers/regress/testsudoers/test23.sh, plugins/sudoers/regress/testsudoers/test24.sh, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.sh, plugins/sudoers/regress/testsudoers/test27.sh, plugins/sudoers/regress/testsudoers/test28.sh, plugins/sudoers/regress/testsudoers/test29.sh, plugins/sudoers/regress/testsudoers/test30.sh, plugins/sudoers/regress/testsudoers/test31.sh:
    Add missing execute bit on some test scripts. [07af3341fc1a]
2023-09-25 Todd C. Miller
  • plugins/sudoers/sudoers.h:
    max_groups in sudoers_plugin_settings is no longer used. [99848d0ee951]
  • include/sudo_conf.h, include/sudo_debug.h, include/sudo_event.h, include/sudo_eventlog.h, include/sudo_fatal.h, include/sudo_json.h, include/sudo_util.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c, lib/eventlog/eventlog_free.c, lib/eventlog/logwrap.c, lib/eventlog/parse_json.c, lib/eventlog/parse_json.h, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c, lib/fuzzstub/fuzzstub.c, lib/iolog/host_port.c, lib/iolog/hostcheck.c, lib/iolog/iolog_clearerr.c, lib/iolog/iolog_close.c, lib/iolog/iolog_conf.c, lib/iolog/iolog_eof.c, lib/iolog/iolog_filter.c, lib/iolog/iolog_flush.c, lib/iolog/iolog_gets.c, lib/iolog/iolog_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_loginfo.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_mkpath.c, lib/iolog/iolog_nextid.c, lib/iolog/iolog_open.c, lib/iolog/iolog_openat.c, lib/iolog/iolog_path.c, lib/iolog/iolog_read.c, lib/iolog/iolog_seek.c, lib/iolog/iolog_swapids.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_util.c, lib/iolog/iolog_write.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/logsrv/log_server.pb-c.c, lib/protobuf-c/protobuf-c.c, lib/ssl_compat/ssl_compat.c, lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_buf.c, lib/util/arc4random_uniform.c, lib/util/basename.c, lib/util/cfmakeraw.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/dup3.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/explicit_bzero.c, lib/util/fatal.c, lib/util/fchmodat.c, lib/util/fchownat.c, lib/util/fnmatch.c, lib/util/freezero.c, lib/util/fstatat.c, lib/util/getaddrinfo.c, lib/util/getdelim.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/gmtime_r.c, lib/util/hexchar.c, lib/util/inet_ntop.c, lib/util/inet_pton.c, lib/util/isblank.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/localtime_r.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/memrchr.c, lib/util/mkdir_parents.c, lib/util/mkdirat.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/mmap_alloc.c, lib/util/multiarch.c, lib/util/nanosleep.c, lib/util/openat.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/pread.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/pwrite.c, lib/util/rcstr.c, lib/util/reallocarray.c, lib/util/regex.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/digest/digest_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgids.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/json/json_test.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/multiarch/multiarch_test.c, lib/util/regress/open_parent_dir/open_parent_dir_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/regex/regex_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c, lib/util/roundup.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/sys_siglist.h, lib/util/sys_signame.h, lib/util/term.c, lib/util/timegm.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, lib/util/unlinkat.c, lib/util/utimens.c, lib/util/uuid.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/canon_path.c, plugins/sudoers/check.c, plugins/sudoers/check_aliases.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/digestname.c, plugins/sudoers/display.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/exptilde.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/insults.h, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/parser_warnx.c, plugins/sudoers/pivot.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/resolve_cmnd.c, plugins/sudoers/serialize_list.c, plugins/sudoers/set_perms.c, plugins/sudoers/sethost.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/strlist.c, plugins/sudoers/strvec_join.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/sudoers/sudoers_hooks.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/unesc_str.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_cb.c, plugins/system_group/system_group.c, src/apparmor.c, src/conversation.c, src/copy_file.c, src/edit_open.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_iolog.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_preload.c, src/exec_ptrace.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/intercept.pb-c.c, src/limits.c, src/load_plugins.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_intercept.c, src/sudo_intercept_common.c, src/sudo_noexec.c, src/suspend_parent.c, src/tgetpass.c, src/ttyname.c, src/utmp.c:
    Use #include <foo.h> instead of #include “foo.h” in most cases.

    We rely on the include path to find many of these headers. It especially doesn’t make sense to use #include “foo.h” for headers in the top-level include directory. [4a7d27e429e9]

2023-09-24 Todd C. Miller
  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults:
    Add support for “plugin” defaults type. [423dc640d220]
  • plugins/sudoers/mkdefaults:
    Support multiple input files. [1fff41f962f5]
2023-09-22 Todd C. Miller
  • src/exec_monitor.c, src/exec_pty.c:
    No need to loop reading from/writing to a blocking socketpair.

    This removes some infinite loops that can cause static analyzer warnings. The fds are not in non-blocking mode and we use restartable system calls so there is no need to loop. [132aad609392]

  • plugins/sudoers/check.c:
    check_user: fix return value for intercept mode

    Also use early return on error to quiet a PVS-Studio warning. [ecd721208013]

2023-09-21 Todd C. Miller
  • src/exec_pty.c:
    Set ec->term_raw to false even if sudo_term_restore() fails.

    Either the fd is not a terminal or we don’t have the controlling terminal. Either way, we can’t know the current status of the terminal and will need to set to raw mode again (if possible). Also make sure to set ec->term_raw to false if sudo_term_raw() fails. [6287218771a9]

2023-09-20 Todd C. Miller
  • pathnames.h.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.c:
    Only define _PATH_ENVIRONMENT on systems where we use /etc/environment. [5a3752401dc9]
  • config.h.in, configure, configure.ac:
    Sudo assumes that a uid_t can be cast to unsigned int without problems.

    Add a configure check and error out if sizeof(uid_t) > 4. [4b7657e4ce3d]

  • docs/UPGRADE.md:
    Mention the time stamp and lecture file name changes in 1.9.15. [8c23b36928ad]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Replace ‘/’ with ‘_’ in paths using the user, group or host name. [2862df9bcab7]
2023-09-19 Todd C. Miller
  • config.h.in, configure, configure.ac, m4/sudo.m4, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/policy.c, src/sudo.c, src/sudo_edit.c:
    Replace MAX_UID_T_LEN with calls to STRLEN_MAX_UNSIGNED. [f2f1ee9c5a16]
  • include/sudo_util.h, lib/eventlog/eventlog.c, lib/iolog/iolog_timing.c, lib/util/json.c, lib/util/lbuf.c, lib/util/sudo_debug.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/logging.c, src/exec_preload.c, src/limits.c:
    Add macros to determine the length of an integer type in string form.

    Adapted from answer #6 in:
    https://stackoverflow.com/questions/10536207/ansi-c-maximum-number- of-characters-printing-a-decimal-int [e62734abe89c]

2023-09-18 Todd C. Miller
  • plugins/sudoers/visudo.c:
    visudo: use verbose and strict in parser_conf

    Where the sudoers_context is available we can use the values of verbose and strict instead of passing around quiet and strict flags. [bc7a60ce0e36]

  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/callbacks.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c:
    Rename callbacks.c -> sudoers_cb.c. [558d6896ebfa]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/visudo.c, plugins/sudoers/visudo_cb.c:
    Add a separate file for visudo callbacks. [72e491607a4e]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check_aliases.c, plugins/sudoers/defaults.c, plugins/sudoers/parse.h, plugins/sudoers/parser_warnx.c:
    Add parser_warnx() and parser_vwarnx() that displays file:line:col

    Used by defaults.c and check_aliases.c. [1b4eff914e92]

  • plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
    Promote strict field in sudoers_parser_config from bool to int.

    This will be used by visudo to indicate when “visudo -s” is run. [d0f6c8c37e4a]

  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/find_path.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/resolve_cmnd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add resolve_cmnd(), a wrapper around find_path().

    This is a convenience function that sets PERM_RUNAS and calls find_path(). If the command is not found it will retry with PERM_USER instead. [c7831c462fb9]

  • src/exec_monitor.c:
    Wait on a socketpair for the parent to grant child the controlling tty.

    This upgrades the error pipe to a bi-directional socketpair that the parent will write to after it has granted the child process the controlling terminal. That fixes an issue where the child could end up in a tight CPU loop waiting on the parent which may not be scheduled immediately. [36e87999dae1]

2023-09-15 Todd C. Miller
  • plugins/sudoers/sudoers.h:
    Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them.

    Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and AUTH_FAILURE. We avoided this problem in the past because the old values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines. [c37c51f861f1]

  • config.h.in, configure, configure.ac, lib/util/term.c, m4/sudo.m4, src/exec_pty.c:
    Only cast TIOCSWINSZ to int on systems that might require it (AIX).

    Otherwise we end up with a -Wconversion warning on systems where the ioctl() request argument is unsigned long. [a467e228981f]

  • plugins/sudoers/display.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Promote verbose flag to int for display_privs and display_cmnd.

    A negative verbosity will prevent non-error output from being displayed. [c7646497b580]

2023-09-13 Todd C. Miller
  • plugins/sudoers/stubs.c:
    No need to include cvtsudoers.h here. [d838f2ed5483]
  • plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c:
    Remove pivot_get_root() and pivot_get_cwd().

    They are unnecessary since struct sudoers_pivot is not opaque. The implementation details are private to match_command.c. [ca522bffdf37]

  • plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_fill.c:
    Quiet some -Wconversion warnings in the tests. [ebe02fc397e7]
  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h:
    Make flag in union sudo_defs_val bool to match how it is used.

    Adjust find_path()’s ignore_dot function argument to match. [52d5311ca360]

  • plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
    Parse euid and egid from sudo front-end.

    These are needed by bsm_audit.c. [ca240f519b46]

  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
    Parse pid and ppid from sudo front-end.

    We can now use the stored ppid in ts_init_key(). [4955c478f849]

  • plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Use struct sudoers_pivot instead of defining sudoers_pivot_t.

    We want to pass around a pointer, not the struct itself. [8c6806cee428]

2023-09-11 Todd C. Miller
  • MANIFEST, plugins/sudoers/pivot.h:
    Don’t expose the implementation of the pivot_root state. [1d1696c7ad78]
  • plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Don’t expose the implementation of the pivot_root state. [efaa8955cbf0]
  • src/exec_ptrace.c:
    Only call ptrace_verify_post_exec() for intercept, not log_subcmds.

    This fixes a logic goof introduced in sudo 1.9.14. [49df34bb0494]

  • docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h:
    Use the user-ID instead of user-name for the timestamp and lecture file.

    This avoids problems if the user name itself contains a path separator. [c93459e59f30]

2023-09-10 Todd C. Miller
  • plugins/sudoers/Makefile.in:
    tsgetusershell.c: don’t rely on GNU sed extensions. [65e7d8099122]
  • plugins/sudoers/testsudoers.c:
    testsudoers: add -S option to specify /etc/shells path. [2efe9b01120a]
  • Makefile.in, lib/util/getusershell.c, plugins/sudoers/Makefile.in, plugins/sudoers/pwutil_impl.c, plugins/sudoers/tsgetgrpw.h:
    Add testsudoers_setshellfile() and use it in testsudoers. [4065e0f1c9ac]
  • lib/util/Makefile.in, lib/util/getusershell.c:
    Remove unnecessary sudo_gettext.h include and add missing const. [ca4266370ff6]
2023-09-09 Todd C. Miller
  • plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.h:
    Return AUTH_* flags from check_user() instead of 1/0/-1. [824e8943fa47]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h:
    Wrap valid_shell and add to sudo_pwutil_set_backend().

    This will make it possible to support a different getusershell() implementation for testsudoers in the future. [03da23d61efe]

  • plugins/sudoers/check_util.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Move check_user_shell() to pwutil.c as user_shell_valid()

    This will make it possible to support a different backend which may be used by testsudoers in the future. [44a7540fb761]

  • plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/timestamp.h:
    Merge check_user() and check_user_interactive(), move getpass callbacks.

    The getpass callbacks are now defined in sudo_auth.c, which implements auth_getpass(). As a result, struct getpass_closure is now public and defined in timestamp.h. [1babbb56de42]

  • plugins/sudoers/Makefile.in, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/timestamp.h:
    Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. [54471c0a890d]
  • plugins/sudoers/ldap.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sssd.c:
    Make all match functions return ALLOW/DENY not true/false. [d22f1dc85b40]
  • plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/parse.h:
    Try to make sudo less vulnerable to ROWHAMMER attacks.

    We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC.

    Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545 [df81a335db65]

  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
    Honor ignore_perms plugin argument for @include and @includedir. [55307bdf721d]
2023-09-06 Todd C. Miller
  • plugins/sudoers/check.c:
    Don’t set on_suspend and on_resume twice. [f1db05f66740]
2023-09-02 Todd C. Miller
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/policy.c, plugins/sudoers/sethost.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    sudoers_sethost: refactor code to set host names in sudoers_context.

    The sudoers_sethost() function can be shared by the sudoers plugin, visudo, cvtsudoers and testsudoers. [6cece4f67add]

2023-09-01 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    sudoers_trace_print: use debug_decl_vars instead of doing it by hand. [0baf94e3e380]
  • include/sudo_compat.h:
    sudo_realpath() returns char *, not void *. [96746a992f65]
2023-08-31 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Only print “no valid sudoers sources found, quitting” for multiple sources.

    If there is only a single source (usually the sudoers file), the open function provide enough of an error message. Printing two error messages is just confusing. [99a282277084]

2023-08-30 Todd C. Miller
  • plugins/sudoers/pwutil.c:
    user_in_group: the user’s group vector already includes the primary group.

    There’s no need to look up the name of user’s primary group (pw_gid), we always include the primary group ID in the group vector. [53f36984ebc8]

2023-08-29 Todd C. Miller
  • plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.h:
    Move sudoers_debug.c prototypes to sudoers_debug.h. [3d4c971912a3]
  • plugins/sudoers/sudoers.h:
    sudo_conv, sudo_printf and plugin_event_alloc live in policy.c. [52bced1bff2a]
  • include/sudo_iolog.h, plugins/sudoers/defaults.c:
    Move default value for “iolog_file” to sudo_iolog.h. [489101c36995]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h, plugins/sudoers/tsdump.c:
    Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. [402c837776df]
  • plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h:
    Restore AUTH_INTR support, it is still needed.

    We still need AUTH_INTR to know when to break out of the password prompt loop. [618807782033]

  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add ignore_perms plugin argument to skip the sudoers file security checks.

    This is not intended to be used in a production environment. [92ae0335ee5b]

2023-08-28 Todd C. Miller
  • configure, m4/sudo.m4:
    Fix test for unsetenv() returning void with clang 16.

    Clang has dropped support for K&R function definitions so rewrite the test to require a unsetenv() prototype in stdlib.h. Fixes GitHub issue #302. [1a0ce3a79ee2]

  • plugins/sudoers/defaults.c:
    Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined.

    We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching the file system for commands. [2e6bc1f8fb22]

2023-08-26 Todd C. Miller
  • plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h:
    Rename AUTH_FATAL -> AUTH_ERROR. [1da161db2f0f]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/match.c:
    Do not rely on the definition of ALLOW/DENY being true/false.

    We now explicitly check for ALLOW and DENY when checking return values and negating values. [1e4420b64b5d]

  • plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h:
    Replace AUTH_INTR return with AUTH_FAILURE.

    The two were treated identically by the caller. [e54b06561de1]

2023-08-25 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Move tty_present() into policy.c as sudoers_tty_present().

    This function is policy-dependent. For the modern sudo front-end it will simply check tcpgid and/or ttypath. [36a5ece4027a]

  • plugins/sudoers/callbacks.c:
    Only set I/O logging callbacks if SESSID_MAX is defined. [3cec54b1fe9a]
  • plugins/sudoers/defaults.c:
    Don’t set defaults values for features that are not present.

    This means that lecture_status_dir and timestampdir are only set if _PATH_SUDO_LECTURE_DIR and _PATH_SUDO_TIMEDIR respectively are set. Also, the log server defaults are only set when SUDOERS_LOG_CLIENT is defined. [bb328fffe142]

  • plugins/sudoers/audit.c:
    Call log_allowed() even when “log_allowed” is disabled.

    Otherwise, sudo will not send mail if “mail_always” or “mail_all_cmnds” is set. [71d3f06fbee5]

2023-08-24 Todd C. Miller
2023-08-23 Todd C. Miller
  • lib/util/event_poll.c, lib/util/getentropy.c, plugins/sudoers/ldap.c:
    Silence a few remaining -Wconversion warnings. [8f1180e72c0b]
  • plugins/sudoers/sudoers.c:
    No need to inclue auth/sudo_auth.h [61ec4a47c885]
  • configure, m4/sudo.m4:
    –enable-pvs-studio: check for license file in the default location [35e596d1fdb7]
2023-08-23 ken
  • plugins/sudoers/timestamp.c:
    modify ret type from int to bool (#298)
  • modify ret type from int to bool
  • change debug_return_int to debug_return_bool
2023-08-22 Todd C. Miller
  • plugins/sudoers/callbacks.c, plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
    Move timestampowner sudoers callback to timestamp.c. [34520a083145]
  • plugins/sudoers/set_perms.c:
    Quiet a PVS-Studio false positive about possible NULL dereference.

    set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [0ec4b81df902]

2023-08-21 Todd C. Miller
  • plugins/sudoers/set_perms.c:
    set_perms: ctx may be NULL for PERM_ROOT, PERM_SUDOERS, PERM_TIMESTAMP. [299c5cacb05a]
  • plugins/sudoers/audit.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c:
    Move a few fields from sudoers_user_contect to sudoers_context.

    They are not really specific to the user or user-specified. [0e166cff8c3b]

  • plugins/sudoers/policy.c:
    Remove dead code dealing with unknown user and MODE_INVALIDATE.

    The timestamp unlink code does not need the user’s struct passwd pointer, just the user name (which we already have). Found by PVS- Studio. [dd41395692e5]

  • lib/iolog/iolog_read.c, lib/iolog/iolog_write.c, lib/util/sudo_dso.c:
    Suppress some other PVS-Studio false positives. [36d0f8d41e6e]
  • plugins/sudoers/set_perms.c:
    Quiet a PVS-Studio false positive about possible NULL dereference.

    set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [a6f38a82c80c]

  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
    MODE_KILL is never set in the sudoers plugin, remove it. [5a64ba098c4f]
  • plugins/sample/sample_plugin.c, plugins/sudoers/editor.c, plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/sudoreplay.c, src/exec_ptrace.c:
    Cast int to size_t before adding instead of casting the result.

    Quiets PVS-Studio warning V1028. [39b9d54ae277]

  • plugins/sudoers/audit.c:
    Fix log_server_accept() definition for –disable-log-client builds. [9ef55e556801]
  • src/exec_pty.c:
    Use a global static struct exec_closure for the cleanup hook.

    This is safer than storing a pointer to a stack variable in the cleanup function since we don’t need to worry about it ever going out of scope. Quiets a clang 15 analyzer warning. [bfb06721d43f]

  • lib/eventlog/eventlog.c, plugins/sudoers/testsudoers.c:
    Eliminate some clang analyzer false positives. [ded09455af48]
  • plugins/sudoers/logging.c:
    Plug memory leak if journal_parse_error() fails.

    Found by the clang 15 analyzer. [0d7e0567187e]

  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Move sudoedit_nfiles into struct sudoers_context. [0f67b3c5c5b2]
  • plugins/sudoers/audit.c, plugins/sudoers/auth/pam.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Move sudo_mode into struct sudoers_context. [649e74125300]
  • plugins/sudoers/audit.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c:
    Move NewArgv, NewArgc and saved_argv into struct sudoers_context. [46db0662eaf7]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Add struct sudoers_conf to struct sudoers_plugin_context.

    There’s now no need to pass this directly to init_parser() since we already pass in a pointer to a sudoers_context struct. [4a60e7b19a1a]

  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sudo_ldap_conf.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Store policy paths in struct sudoers_context.

    This removes the need for the getters in policy.c. [8ff3016dc8ad]

  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Add sudoers_ctx_free() and use it for freeing struct sudoers context.

    This replaces sudoers_user_ctx_free() and sudoers_runas_ctx_free(). [ba25344753c3]

  • plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/file.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Make struct sudoers_context private to sudoers.c.

    We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. [534d55781084]

2023-08-20 Todd C. Miller
  • plugins/sudoers/audit.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sia.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Add a sudoers_context struct that embeds the user and runas structs. [7c72e0c26dc0]
2023-08-18 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    free_parse_tree: clear the nss pointer when freeing. [658fef1bd3c0]
  • plugins/sudoers/parse_ldif.c:
    sudoers_parse_ldif: do not free parse_tree before using

    The user is expected to pass in an initialized and empty parse_tree so there is no need to free it first. [4d6371e98087]

  • lib/zlib/adler32.c, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzclose.c, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inffast.h, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
    Update embedded copy of zlib to version 1.3. [bfd6de199f8a]
2023-08-15 Todd C. Miller
  • plugins/sudoers/pwutil_impl.c:
    We still need to clamp ngids if getgrouplist2() returns -1.

    Otherwise, we end up with ngids set to the number of gids the user belongs to which may be larger than what the front-end specified. Fixes a regression introduced in the last commit here. [4a2aeaf67236]

2023-08-14 Todd C. Miller
  • plugins/sudoers/policy.c:
    No need to clear errno when using sudo_strtonum(). [f62f2580c6a5]
  • plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h:
    Move max_groups out of sudoers_user_context and into pwutil.c.

    It is only used by the local password pwutil implementation. [c33497cc3291]

  • plugins/sudoers/check_util.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Pass in directory to check_user_runchroot() and check_user_runcwd().

    This way we do not rely on the runas_ctx global. [f70888bdedf6]

  • plugins/sudoers/regress/exptilde/check_exptilde.c:
    check_exptilde: don’t need runas_ctx here [520483cdb2ae]
  • plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Move RUNAS_{USER,GROUP}_SPECIFIED flags into struct sudoers_runas_context. [2024629414ed]
2023-08-13 Todd C. Miller
  • plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Make path_plugin_dir private to policy.c and add getter. [2bf12c839083]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Move list_pw global into struct runas_context. [32faa515c324]
2023-08-12 Todd C. Miller
  • plugins/sudoers/auth/bsdauth.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Add struct sudoers_runas_context and move runas-specific bits into it. [d6a5f5b3c136]
  • plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sia.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Expand the user_* (and more) macros to user_ctx.foo. [b62e24d53e3f]
  • plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c:
    Pass explicit struct passwd * to create_admin_success_flag(). [120bb08f53bb]
  • plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Make sudoers_user_ctx_free() private to sudoers.c [ed512916a444]
  • plugins/sudoers/audit.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/display.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c:
    Rename struct sudo_user -> struct sudo_user_context.

    Also rename the sudo_user global to user_ctx. [d4b68657a430]

  • src/exec.c:
    fd_matches_tty: only zero out fd_sb if fstat(2) fails.

    We need to preserve the contents of the struct stat if the fd is some other type so the check for piped output works correctly. Bug #1057 [ac80d75699d1]

2023-08-10 Todd C. Miller
  • plugins/sudoers/callbacks.c:
    Leave the I/O log callbacks in iolog.c

    Otherwise, check_iolog_plugin will not link. [4e2304f22e89]

  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/callbacks.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Move sudoers parser callbacks to callbacks.c. [396d1dcdb35a]
2023-08-09 Todd C. Miller
  • logsrvd/sendlog.c:
    Bump info_msgs_size to make room for the source. [627f659fc180]
  • .circleci/config.yml:
    Update Xcode version from 13.2.1 to 13.4.1. [6c32e86975be]
  • include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/util.exp.in:
    Use int, not short for events in the event API.

    This fixes some -Wconversion warnings and fixes an inconsistency between the libsudo_util event API and the plugin event API. The actual struct internals still use shorts to avoid changing the ABI. [2d7fcd66f7e7]

  • plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Use const pointers where possible in the display code. [87fd1def96b6]
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Document “sudo -ll command” output. [3e837165e978]
  • plugins/sudoers/display.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Add verbose version of “sudo -l command” by using an extra -l.

    The output of “sudo -ll command” consists of the matching sudoers rule (in long form) with the addition of a “Matched” entry that shows the fully-qualfied path along with any arguments. [038d8555e50c]

  • plugins/sudoers/display.c:
    Move code to display a cmndspec in long form to display_cmndspec_long(). [a9887101de7c]
  • plugins/sudoers/display.c:
    sudo -ll: display the sudoers file the rule came from. [ca6d31966f5c]
2023-08-08 Todd C. Miller
  • lib/ssl_compat/ssl_compat.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
    Fix checking of SSL_{read,write}_ex() return value.

    These have a boolean-style return value. However, our emulated versions can return -1 on error, which we need to preserve for older versions of SSL_get_error() which expect it. [4e812f2456f1]

  • plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Store the source of the matching rule and store in the event log.

    The JSON logs will store the matching rule source. [c7ee4ab87610]

  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/eventlog/regress/eventlog_store/test1.json.in, lib/eventlog/regress/eventlog_store/test1.json.out.ok, lib/eventlog/regress/eventlog_store/test2.json.in, lib/eventlog/regress/eventlog_store/test2.json.out.ok, lib/eventlog/regress/eventlog_store/test3.json.in, lib/eventlog/regress/eventlog_store/test3.json.out.ok, lib/eventlog/regress/eventlog_store/test4.json.in, lib/eventlog/regress/eventlog_store/test4.json.out.ok, logsrvd/iolog_writer.c, logsrvd/sendlog.c:
    Log source in JSON logs

    This makes it possible to tell which rule resulted in a match. [a2573ce8ce3f]

2023-08-07 Todd C. Miller
  • plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Use a single callback for sudoers_lookup() and add a closure pointer.

    The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output. [547d0256f22a]

  • lib/util/regress/digest/digest_test.c:
    Fix printf format string mismatch now that ‘i’ is size_t. [366084860303]
  • include/sudo_digest.h, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/getentropy.c, lib/util/regress/digest/digest_test.c, lib/util/util.exp.in, plugins/sudoers/filedigest.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    sudo_digest_getlen: return size_t, and 0 on error instead of -1

    This is an API change, sudo_digest_getlen_v1 remains for binary compatibility. [5866df2f4aab]

  • logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
    ERR_get_error() returns unsigned long, not int. [94b2d963f279]
  • plugins/sudoers/log_client.c:
    We now must pass “err” SSL_get_error(), not “nread”. [b4cc206a2cf8]
2023-08-06 Todd C. Miller
  • include/hostcheck.h, lib/iolog/hostcheck.c:
    Move compat definition of ASN1_STRING_get0_data to hostcheck.c. It is not used anywhere else. [39984513eb00]
2023-08-05 Todd C. Miller
  • include/hostcheck.h, include/sudo_compat.h, include/sudo_ssl_compat.h:
    Move OpenSSL compat defines to sudo_ssl_compat.h [ad6b8bc3f054]
  • MANIFEST, Makefile.in, configure, configure.ac, include/sudo_ssl_compat.h, lib/ssl_compat/Makefile.in, lib/ssl_compat/ssl_compat.c, logsrvd/Makefile.in, logsrvd/tls_common.h, m4/openssl.m4, plugins/sudoers/Makefile.in, plugins/sudoers/log_client.h, src/Makefile.in:
    Add implementation of SSL_read_ex/SSL_write_ex for those without. [9456c3c5c91c]
  • config.h.in, configure, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, m4/openssl.m4, plugins/sudoers/log_client.c:
    Use SSL_read_ex() and SSL_write_ex() instead of SSL_read() and SSL_write(). [5ac82bf78109]
2023-08-01 Todd C. Miller
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Don’t use sudo when building AIX packages

    PolyPkg uses “sudo installp -l” to list the built package by default but we may not have sudo privileges on the build host. [e8ed6064193d]

  • scripts/mkpkg:
    Add –configure-only option to quit after the configure run.

    This will be used to avoid building the entire package when we just want the 32 or 64 bit sudo_intercept.so and sudo_noexec.so. [22c7cec5a6a1]

  • scripts/mkpkg:
    Parse –disable-python in mkpkg and don’t override -m32 for Solaris.

    We want to be able to build without python and to specify the memory model when building 32-bit .so’s for Solaris. [bf21f6e67ff5]

2023-07-31 Todd C. Miller
  • INSTALL.md, Makefile.in, configure, configure.ac:
    Add –enable-postinstall, an optional phase when building packages.

    This makes it possible to run an arbitrary script between “make install” and the polypkg run. This will be used to copy different word size versions of sudo_intercept.so and sudo_noexec.so. [d4e84fa16ccf]

  • INSTALL.md, config.h.in, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, src/exec_preload.c:
    Add basic support for 32-bit and 64-bit LD_PRELOAD equivalents.

    The noexec and intercept DSO settings may now include both a 32-bit DSO and a 64-bit DSO specified by a colon. For example: /usr/libexe c/sudo/sudo_intercept.so:/usr/libexec/sudo/sudo_intercept_64.so. [9489d8625acb]

  • lib/util/term.c, src/exec_pty.c:
    Cast TIOCSWINSZ to int to avoid overflow warning on 64-bit AIX. [20919db351c1]
2023-07-28 Todd C. Miller
  • src/sudo_intercept_common.c:
    Read path section of sudo.conf for sudo_conf_intercept_path(). [d5748f68b9cb]
2023-07-27 Todd C. Miller
  • docs/visudo.man.in, docs/visudo.mdoc.in:
    visudo: document that a new file is only created if the editor writes it.

    If visudo is used to create a new file, the file will only be created if the user writes to the file via the editor. Simply running visudo and exiting the editor will no longer cause the file to be created. There is an exception for file created due to the addition of a @include directive, which need to be present for the sudoers file to parse properly. GitHub issue #294. [21e4d5cc5f43]

  • plugins/sudoers/visudo.c:
    visudo: do not create a new file if the user made no changes

    This prevents visudo from creating a new zero-length sudoers file if the user exited the editor without making any changes. Files created via a @include directive are preserved, even if empty, to avoid a parse error. GitHub issue #294. [4f086bb7ecdd]

  • README.md, docs/CONTRIBUTING.md:
    Make the sections on bug reporting consistent with each other.

    GitHub issue #292 [d02253b4533d]

2023-07-26 Todd C. Miller
  • src/exec.c:
    Remove unused variable introduced in last commit. [94e0708ad331]
  • src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    Don’t assume that if std{in,out,err} is a tty, it is the user’s tty.

    Previously, sudo only checked that the fd was a terminal, not that it matched sudo’s idea of the user’s terminal. This matters when input or output is redirected to a different terminal. In that case we want to interpose the fd with a pipe even if it refers to a terminal. Bug #1056. [42838100b526]

  • MANIFEST, plugins/sudoers/regress/testsudoers/test29.out.ok, plugins/sudoers/regress/testsudoers/test29.sh, plugins/sudoers/regress/testsudoers/test30.out.ok, plugins/sudoers/regress/testsudoers/test30.sh, plugins/sudoers/regress/testsudoers/test31.out.ok, plugins/sudoers/regress/testsudoers/test31.sh:
    testsudoers: add -L, -l and -v tests [250e9abba14e]
  • plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test27.out.ok, plugins/sudoers/regress/testsudoers/test28.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/testsudoers.c:
    testsudoers: display when a password is required [bf540275b47d]
  • plugins/sudoers/testsudoers.c:
    testsudoers: add -L, -l and -v options.

    This makes it possible to test “sudo -l” and “sudo -v” using testsudoers. [871563fd71f0]

2023-07-25 Todd C. Miller
  • plugins/sudoers/lookup.c:
    sudoers_lookup_pseudo: sync with sudoers_lookup_check

    This makes sudoers_lookup_pseudo(), which is used for pseudo-command like “list” and “validate” a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the “pwcheck == all” case. [534b5e02dc34]

  • plugins/sudoers/logging.c:
    Fix user warning message for “sudo -l command” when not allowed. Reported by the sudo-rs project.

    There was a missing space between “list” and the actual command. This also changes the output to include the command as specified by the user, not the path found in the path. Previously, if the command did not exist it would not be included in the message. [f509188ce041]

  • plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
    Add free function for sudo Python module.

    This reduces the amount of memory leaked on unload. [71e459d071be]

2023-07-24 Todd C. Miller
  • plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
    Merge sudo_module_register_loghandler and sudo_module_set_default_loghandler.

    We now create the LogHandler class for each interpreter in python_plugin_init() instead of just once in sudo_module_init(). This fixes the crash seen in Py_EndInterpreter() with Python 3.12 and significantly reduces the number of leaked objects tracked by MemorySanitizer. [d257e01240c1]

  • plugins/python/python_convmessage.c:
    sudo_module_register_conv_message: fix copy pasta in debug_decl [de399cdf465c]
2023-07-22 Todd C. Miller
  • plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.c:
    sudo_module_register_loghandler: clear sudo_type_LogHandler on error Also add comments about PyModule_AddObject stealing a ref on success. [cd6ffb5ec1be]
  • plugins/python/pyhelpers.c:
    Use Py_XDECREF instead of manual NULL check + Py_DECREF [9dababbb90ab]
2023-07-21 Todd C. Miller
  • plugins/python/python_loghandler.c:
    Work around a crash with Python 3.12.

    In sudo_module_set_default_loghandler() if we don’t leak the reference to py_loghandler we get a crash in Py_EndInterpreter() with Python 3.12. This probably indicates a reference counting bug elsewhere. [89fb0311367c]

  • plugins/python/regress/check_python_examples.c:
    Unbuffer stdout so we don’t miss output during a crash. [07222dfccfe2]
  • plugins/python/python_loghandler.c:
    Use PyObject_CallNoArgs() where possible. [5a1bef07358a]
  • plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.h:
    Make sudo_type_ConvMessage and sudo_type_LogHandler static.

    They are not used outside their respective compilation units. [9ec37d3a2f64]

2023-07-20 Todd C. Miller
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in:
    Pass TEST_VERBOSE to all test programs. [39c17a66b02e]
  • lib/iolog/regress/host_port/host_port_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c:
    All test programs should accept the -v option, even if it is ignored. [d4cb95054f73]
  • plugins/python/python_plugin_common.c:
    Revert last change, wrong diff committed. [d266c05853ce]
  • plugins/python/regress/testhelpers.c:
    Adapt to changed formatting of a rejected result in Python 3.12 [138957911238]
  • plugins/python/python_plugin_common.c:
    _python_plugin_new_interpreter switches to the new interpreter

    No need to do PyThreadState_Swap in the caller. [c848e20f3e93]

  • plugins/python/example_audit_plugin.py, plugins/python/pyhelpers.c, p lugins/python/regress/testdata/check_example_audit_plugin_receives_a ccept.stdout, plugins/python/regress/testdata/check_example_audit_pl ugin_receives_error.stdout, plugins/python/regress/testdata/check_ex ample_audit_plugin_receives_reject.stdout, plugins/python/regress/te stdata/check_example_audit_plugin_version_display.stdout, plugins/py thon/regress/testdata/check_example_audit_plugin_workflow_multiple.s tdout, plugins/python/regress/testdata/check_example_debugging_c_cal ls@diag.log, plugins/python/regress/testdata/check_example_debugging _c_calls@info.log, plugins/python/regress/testdata/check_example_gro up_plugin_is_able_to_debug.log, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log:
    Remove trailing whitespace from test output. [38f03683001d]
2023-07-19 Todd C. Miller
  • plugins/python/python_plugin_common.c:
    We can rely on Py_FinalizeEx() to free sub-interpreters. [0c84c411a6a0]
  • plugins/python/python_plugin_common.c:
    Call PyImport_AppendInittab after pre-initialization.

    Also remove redundant PyConfig settings. [e4f463e1094a]

2023-07-18 Todd C. Miller
  • plugins/python/python_plugin_common.c:
    Use Py_InitializeFromConfig() not Py_InitializeEx() for Python >= 3.8.

    Avoids deprecation warnings on Python 3.12. [56e4c7111744]

2023-07-18 Rose
  • lib/eventlog/regress/logwrap/check_wrap.c, lib/util/glob.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/glob/globtest.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/python/regress/check_python_examples.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/sudoreplay.c, plugins/sudoers/tsdump.c:
    Prefer fputs over fprintf where possible

    fprintf does extra work and meant for formatting strings. [c31cdbe6f23f]

2023-07-18 Todd C. Miller
  • NEWS:
    The sudoers option is “use_pty”, not “log_pty”

    GitHub issue #291 [31cf599c73d5]

2023-07-17 Todd C. Miller
  • lib/util/term.c:
    Quiet a warning false positive with older versions of gcc. [8556d6c1cd37]
  • plugins/sudoers/sudoers.c:
    sudoers_check_common: MODE_PRESERVE_ENV is not valid with MODE_CHECK.

    We should only check for MODE_PRESERVE_ENV when running a command. [8fc6f392cc43]

2023-07-15 Todd C. Miller
  • MANIFEST, plugins/sudoers/match.c, plugins/sudoers/regress/testsudoers/test28.out.ok, plugins/sudoers/regress/testsudoers/test28.sh:
    runas_userlist_matches: fix matching a Runas_Spec with an empty runas user.

    We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290 [ba9da369370e]

2023-07-14 Todd C. Miller
  • src/exec_pty.c:
    Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped.

    This fixes a problem with “stair-stepped” output when the sudo-run command’s output is piped to another program and the command reads input from the terminal. [faa06b1e8913]

  • src/exec_monitor.c, src/exec_pty.c:
    Simplify the exec_monitor() foreground flag.

    Add cmnd_foreground flag that is only true if sudo is the foreground process and the CD_EXEC_BG flag is not set and pass it to exec_monitor(). This means exec_monitor() no longer needs to check for CD_EXEC_BG. [65ac52524254]

  • include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c:
    sudo_term_raw: change the isig argument into a flags field

    There are current two flags: SUDO_TERM_ISIG (enable terminal signals) and SUDO_TERM_OFLAG (preserve output flags). [09eced2fb202]

2023-07-12 Todd C. Miller
  • src/exec_ptrace.c:
    Fix a crash in intercept mode running a command with NULL argv[0].

    Newer Linux kernels replace a NULL argv[0] with the empty string, we should as well. [d1cb1882d7e8]

  • src/conversation.c:
    sudo_conversation_printf: simplify \n -> \r\n handling [de2ddc08f262]
  • src/conversation.c:
    sudo_conversation: zero out reply even if no password is requested.

    This avoids a potential invalid free in the err label and provides more predictable behavior when mixing message types in a conversation. [79cc9efe3dbf]

2023-07-11 Todd C. Miller
  • plugins/sudoers/log_client.c:
    fmt_info_messages: don’t include ttyname if it is NULL

    The NULL check was commented out for testing but should have been restored. Fixes a potential protocol error message from sudo_logsrvd. [c983428b3ad8]

  • logsrvd/iolog_writer.c:
    evlog_new: store a new copy of peeraddr, not a pointer to a buffer.

    Starting in sudo 1.9.14, eventlog_free() will free the peeraddr member too so it needs to be dynamically allocated. [846cf82b8eab]

2023-07-10 Todd C. Miller
  • config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/realpath.c:
    realpath.c: include limits.h and use sysconf(_SC_SYMLOOP_MAX)

    This is more portable and eliminates the need to check for SYMLOOP_MAX (and provide it if missing) in configure. Also quiet some -Wconversion warnings. [beabc1e73e11]

  • plugins/sudoers/ldap_conf.c:
    sudo_krb5_ccname_path: avoid gcc false positive for ccname being NULL

    The callers all verify that they don’t pass a NULL ccname so I’m not sure how the compiler is getting confused (and why now?). [93043879e7f2]

  • include/sudo_debug.h:
    Work around unused variable warning when fuzzing in enabled. [ac4bd3bfeb71]
  • plugins/sudoers/check_util.c, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test26.sh:
    Only allow the user to specify -D or -R for the special “*” value.

    The sudoers file must now explicitly allow the user to specify a directory (sudo -D) or chroot (sudo -R) by setting cwd or chroot to “*”. If a specific cwd or chroot value is set in sudoers, the user may not use the -D or -R options, even if they match the value in sudoers. [790d60c6ed4b]

  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
    Add restrict keyword to sudo_printf_t in plugin docs. [46c15d2647cc]
  • include/sudo_debug.h, lib/util/sudo_debug.c:
    Convert sudo_debug_enter and sudo_debug_exit into macros.

    In most cases, these simply expand to a call to sudo_debug_printf2(). We need to keep the function versions around in libsudo_util for backwards compatibility. [b76b35e12afa]

  • lib/util/sudo_debug.c:
    Fix sudo_debug_exit_uint_v1 declaration for fuzzers. [d4edc2fb3299]
  • lib/util/sudo_debug.c:
    Add missing sudo_debug_exit_uint_v1 stub for fuzzers. [71a4a37fbc90]
  • src/conversation.c, src/edit_open.c, src/exec_common.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.h, src/sudo_exec.h, src/tgetpass.c:
    sudo frontend: make more bit flags unsigned. [f353bc889b26]
  • plugins/sudoers/auth/API, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    sudoers plugin: make more bit flags unsigned. [77a583ebe2e7]
  • include/sudo_debug.h, include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/sudo_debug.c, lib/util/util.exp.in:
    libsudo_util: make more bit flags unsigned. [005d0be694f5]
2023-07-08 Todd C. Miller
  • plugins/sudoers/timeout.c:
    parse_timeout: move overflow check to the correct location

    It was not covering all cases in its original location. Fixes oss- fuzz issue 60454 with fuzz_sudoers. [e40119f18e83]

2023-07-07 Todd C. Miller
  • Merge pull request #287 from AtariDreams/restrict

    Give every printf-like function restrict qualifiers [4945ab27d6c4]

  • src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    struct exec_closure: make rows and cols int, not short

    There’s no real space saved by using short and using int avoids a few casts. [8385add04ed2]

  • plugins/sudoers/testsudoers.c:
    testsudoers: avoid extern definitions where possible [ef4bed9a6a41]
  • include/sudo_json.h, include/sudo_lbuf.h, lib/util/closefrom.c, lib/util/digest.c, lib/util/event_poll.c, lib/util/fatal.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gidlist.c, lib/util/json.c, lib/util/lbuf.c, lib/util/mkdir_parents.c, lib/util/parseln.c, lib/util/regex.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sig2str.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/ttysize.c:
    libsudo_util: silence most -Wconversion warnings. [420705f9796a]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c, lib/eventlog/logwrap.c, lib/eventlog/parse_json.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c:
    libevent: silence -Wconversion warnings. [f00cb5679a19]
  • lib/fuzzstub/fuzzstub.c:
    libfuzzstub: silence -Wconversion warnings. [164d2412d209]
  • include/sudo_iolog.h, lib/iolog/hostcheck.c, lib/iolog/iolog_filter.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_read.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_write.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c:
    libiolog: silence -Wconversion warnings. [d8c1a0869ef4]
  • logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c:
    sudo_logsrvd: silence most -Wconversion warnings. [bf3f40ec4645]
  • plugins/sudoers/alias.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/b64_encode.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/display.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/filedigest.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c:
    sudoers plugin: silence most -Wconversion warnings. [074179cbc3a8]
  • plugins/python/pyhelpers.c, plugins/python/python_convmessage.c, plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c, plugins/python/sudo_python_module.c:
    python plugin: silence -Wconversion warnings. [a59d980f2793]
  • plugins/sample/sample_plugin.c, src/conversation.c, src/copy_file.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_preload.c, src/exec_ptrace.c, src/exec_pty.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c, src/tgetpass.c, src/ttyname.c:
    sudo frontend: silence most -Wconversion warnings. [0dbece7ccb47]
  • config.h.in, configure, configure.ac:
    Add configure check for restrict keyword. [f02ab280d8df]
  • plugins/sudoers/sudoers.c:
    sudoers_check_common: remove extraneous return statement. [0df4297873b9]
2023-07-07 Rose
  • include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_util.h, lib/eventlog/logwrap.c, lib/util/fatal.c, lib/util/inet_ntop.c, lib/util/lbuf.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/audit_json/audit_json.c, plugins/group_file/plugin_test.c, plugins/python/pyhelpers.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_preload.c, src/parse_args.c, src/sudo_plugin_int.h:
    Give every printf-like function restrict qualifiers

    The format value has to be a string literal, every time.

    Otherwise, you are not using these functions correctly. To reinforce this fact, I putrestrict over every non-contrib example of this I could find. [e0f8bc0d596a]

2023-07-06 Todd C. Miller
  • include/sudo_digest.h, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/regress/digest/digest_test.c:
    Make the remaining instances of digest_type unsigned. [409adc30cce2]
2023-07-05 Todd C. Miller
  • plugins/sudoers/iolog_path_escapes.c:
    Copy, don’t append group ID in fill_group() and fill_runas_group()

    This only affects the case where a group ID cannot be resolved. [74cc29b9f7f0]

  • lib/iolog/Makefile.in:
    Remove regress corpus directories correctly [406b862a7f2f]
  • include/sudo_debug.h, include/sudo_util.h, lib/util/strtomode.c, lib/util/sudo_debug.c, lib/util/util.exp.in:
    Change sudo_strtomode() to return mode_t. [5dc42fb5c2ad]
2023-07-04 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoreplay.c:
    Rename print_usage() to display_usage() [9e8390bb1ed0]
  • logsrvd/logsrvd.c, logsrvd/sendlog.c:
    Move display of usage text into display_usage() so usage() always exits. [ded72aceb6f4]
  • lib/util/parseln.c, logsrvd/logsrvd_journal.c:
    Fix some indentation. [bb84e5596d9c]
  • plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/testsudoers.c:
    Include testsudoers_pwutil.h for testsudoers_pwutil.c prototypes. [8f494aca5cd9]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pwutil_impl.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h:
    Fix wrapping of libc getpwnam/getpwuid/getgrnam/getgrgid on NetBSD. [be23d201add2]
  • MANIFEST, aclocal.m4, config.h.in, configure, configure.ac, lib/util/roundup.c, m4/ax_gcc_builtin.m4:
    Add configure tests for __builtin_clz/__builtin_clzl [d7b341700a0a]
  • lib/util/roundup.c:
    Add fallback for compilers without __builtin_clz/__builtin_clzl [d9f23c7a8fc0]
  • lib/util/roundup.c:
    sudo_pow2_roundup: fix 64-bit version when shifting 31 or more places

    Shift 1UL instead of 1 to avoid overflowing an int. [4d45af829af0]

  • Merge pull request #286 from AtariDreams/one-more

    Optimize sudo_pow2_roundup_v1 [5cff0594a45c]

2023-07-03 Rose
  • lib/util/roundup.c:
    Optimize sudo_pow2_roundup_v1

    No need to call sudo_pow2_roundup_v2. [0bcd411174c0]

2023-07-03 Todd C. Miller
  • lib/util/roundup.c:
    Merge pull request #285 from AtariDreams/bug

    Remove comment about algorithm being from bit-twiddling hacks [869552550451]

2023-07-03 Rose
  • lib/util/roundup.c:
    Remove comment about algorithm being from bit-twiddling hacks

    Said comment no longer applies. [e2fc0106c79f]

2023-07-03 Todd C. Miller
  • Merge pull request #284 from AtariDreams/fix

    Fix fuzzing errors [4abff6645036]

  • Merge pull request #283 from AtariDreams/bug

    Fixed even more signedness and conversion issues [bbf1887a5132]

2023-07-03 Rose
  • lib/util/parseln.c, lib/util/roundup.c, logsrvd/logsrvd_journal.c:
    Fix fuzzing errors

    We should be checking for integer overflow, rather than checking if size is 0.

    Additionally, we should set errno to ENOMEM when this overflow happens.

    Finally, the most efficient implementation of the round-up-to-2 algorithm involves the clz intrinsic. [db08a808004d]

2023-07-03 Todd C. Miller
  • lib/util/lbuf.c:
    sudo_lbuf_expand: limit allocation to UINT_MAX [1cb5a458baaa]
  • lib/util/parseln.c:
    sudo_parseln: use sudo_pow2_roundup() instead of hand-rolling it. [0582d18df65a]
  • logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
    Promote length/size/offset in struct connection_buffer to size_t. [5e5a2a39c8e5]
  • include/sudo_util.h, lib/util/lbuf.c, lib/util/roundup.c, lib/util/util.exp.in, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, plugins/sudoers/log_client.c:
    Make sudo_pow2_roundup() operate on size_t. [cbae7a651a94]
2023-07-03 Rose
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/timestamp.c, plugins/sudoers/tsgetgrpw.c, src/sudo.c:
    Fixed even more signedness and conversion issues

    This should be the last of them. [ccd65d72c6ac]

2023-07-01 Todd C. Miller
  • include/sudo_debug.h, lib/util/sudo_debug.c, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_loghandler.c, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h:
    Make the debug subsystem unsigned.

    It was already unsigned in sudoers but not in the front-end or the python plugin. Making this consistent resolves a lot of -Wconversion warnings. Also clean up some other -Wconversion warnings in sudo_debug.c. [c6d20404141c]

  • lib/eventlog/eventlog.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/sudo.c:
    Fix up indentation. [d4ed4eaf46bd]
  • Merge pull request #280 from AtariDreams/bug

    Mark functions not returning as sudo_noreturn [eaa69a6d85c6]

2023-07-01 Rose
  • lib/eventlog/eventlog.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, logsrvd/logsrvd.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sesh.c, src/sudo.c:
    Mark functions not returning as sudo_noreturn

    We also put NOTREACHED where it applies. [d688d55f3c4c]

2023-07-01 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l, src/limits.c:
    Avoid passing debug_return_size_t() a negative number. [7876d918030c]
  • Merge pull request #279 from AtariDreams/bison

    Regenerate toke.c using updated flex [3fc1517ec05d]

2023-06-30 Todd C. Miller
  • plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/testsudoers.c:
    Fix a few memory leaks in the tests. [c76134b329b3]
  • MANIFEST, plugins/sudoers/regress/testsudoers/group, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test27.out.ok, plugins/sudoers/regress/testsudoers/test27.sh, plugins/sudoers/testsudoers.c:
    Add test for runas_check_shell and check_user_shell() [8e220e34840d]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test26.sh, plugins/sudoers/testsudoers.c:
    testsudoers: add -D and -R options to set cwd and chroot like sudo [a34c5ca239ca]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Move check_user_* functions to check_util.c so testsudoers can use them. [109830a316ee]
2023-06-29 Todd C. Miller
  • plugins/sudoers/testsudoers.c:
    testsudoers: make lbuf private to dump_sudoers()

    It is no longer used directly in main. [c2c5e7b3db6b]

  • plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/testsudoers.c:
    testsudoers: display “Parse error” if there was a parse error.

    Previously, we just printed “Command unmatched” which makes it harder to see that an error occurred. [099360b56cc6]

  • plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/testsudoers.c:
    testsudoers: use allowed/denied/unmatched instead of just matched/unmatched

    This makes it possible to tell whether an entry was rejected due to a negative match (explicitly denied) as opposed to a non-match. Also fixes a bug where the runas status was only printed for positive matches. [3e9fc5fd7bb9]

  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/testsudoers.c:
    testsudoers: use sudoers_lookup() instead of a custom loop. [a0ca73d81fa4]
  • plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
    Add callbacks to sudoers_lookup() so we can use it in testsudoers.

    Also pass in the time to be used for NOTBEFORE/NOTAFTER checks. [bcd59528055a]

2023-06-29 Rose
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Regenerate toke.c using updated flex

    Use the current version of flex to generate toke.c [118d001d189c]

2023-06-29 Todd C. Miller
  • plugins/sudoers/testsudoers.c:
    Merge pull request #278 from AtariDreams/types

    Avoid compiler casting warnings Part 2 [894767f88afa]

  • plugins/sudoers/sudoers.c:
    check_user_runcwd: only allow sudo’s -D option if sudoers specifies a runcwd.

    Previously, the user could specify the runas user’s home dir for “sudo -i” or the user’s existing cwd when -i is not specified. This behavior was never documented and is inconsistent with how the -R option is handled. [e79eddc35325]

  • MANIFEST, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test24.sh, plugins/sudoers/testsudoers.c:
    testsudoers: add support for NOTBEFORE and NOTAFTER

    Also adds -T option to set the value of “now”. [b2d95b4a131d]

  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/lookup.c, plugins/sudoers/parse.c:
    Rename parse.c -> lookup.c now that it only contains sudoers_lookup. [141000ce5f24]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/display.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h:
    Split display_privs() and display_cmnd() out of parse.c into display.c [d654dd871e43]
  • lib/util/snprintf.c:
    No need to round up to page size with sudo_mmap_alloc(). [a57803434010]
  • logsrvd/logsrvd.c:
    Merge pull request #265 from AtariDreams/types

    Avoid compiler casting warnings by assigning to variables of the same type where possible [16d8e7383e3e]

  • Merge pull request #277 from AtariDreams/debug_return_int(1);

    We should be returning 0, not 1, when logservd finishes without errors [19289d607981]

2023-06-28 Rose
  • logsrvd/logsrvd.c:
    We should be returning 0, not 1, when logservd finishes without errors

    1 is for failure, 0 is for no failure, and this does not look like a failure. [7a0d2f4bf5d3]

2023-06-28 Todd C. Miller
  • config.h.in, configure, configure.ac, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Fix undefined symbol on macOS for intercept mode and log_subcmds.

    macOS does not support direct access to the environ pointer from a shared object. We need to redirect through _NSGetEnviron() instead. Fixes GitHub issue #276. [2cbebcb8082c]

  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    check_user_runcwd: allow -D option if it matches the cwd in sudoers

    Previously, check_user_runcwd() would return true if the runcwd matched the user’s cwd, even if sudoers specified a different one. The user-specified runcwd was ignored but it is better to error out in this case. It is now also possible to use “sudo -D” with the directory specified in sudoers. [d32e07966e0e]

2023-06-26 Todd C. Miller
  • Merge pull request #275 from AtariDreams/emergency

    Set command_info to NULL once it is freed [6d1e55f4e7b9]

2023-06-26 Rose
  • plugins/sudoers/policy.c:
    Set command_info to NULL once it is freed

    The lack of setting to NULL is a holdover from when command_info was a local variable and not a global one. However, we given how other global variables are set to NULL, it is best that we do the same here to avoid potential issues should sudoers_policy_store_result be called again after the first time failed, otherwise we could get a double-free. [a1a462a52a98]

2023-06-25 Todd C. Miller
  • Merge pull request #274 from bin-ly/main

    Modify the is_script function for match_command.c [05675d16bd52]

2023-06-25 binlingyu
  • plugins/sudoers/match_command.c:
    Modify the is_script function for match_command.c [ce944a838c33]
2023-06-21 Todd C. Miller
2023-06-20 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Reference SETENV-related settings in the command environment section.

    Based on GitHub PR #273 from Ilya Kulakov. [f8b5ef533800]

  • INSTALL.md:
    Sudo requires a C99 compiler due to the use of flexible array members. [bb80666c7382]
  • Merge pull request #266 from AtariDreams/c99

    Do variable length arrays the C99 way [690561b17683]

2023-06-19 Todd C. Miller
  • Merge pull request #269 from trackers-lover/main

    correct the return value type of function alias_find_used [30dc3eb4a59a]

2023-06-18 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Clarify that use_pty is on by default starting with 1.9.14. [984048215229]
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Sudo runs the command in a pty by default in 1.9.14 and above. [92ec41fdf7c9]
  • plugins/sudoers/sudoers.in:
    Add commented out example for disabling use_pty. [9a59b831f363]
2023-06-15 Todd C. Miller
  • .circleci/config.yml:
    Update Xcode version from 13.2.1 to 13.4.1. [10bbb25b415e]
2023-06-14 Todd C. Miller
  • MANIFEST:
    Add plugins/sudoers/regress/testsudoers/passwd to MANIFEST. [016644afd8ae]
  • plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, po/eo.mo, po/eo.po, po/pl.mo, po/pl.po:
    Updated translations from translationproject.org [97167b63ffbd]
  • MANIFEST, plugins/sudoers/regress/testsudoers/group, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test22.sh, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test23.sh:
    Add tests to exercise recent runas user and group bug fixes. [20f19831ed34]
  • MANIFEST, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test21.sh:
    Add test to exercise the bug that prevented the group specified via “sudo -g” from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec. [16c0668b5c4b]
2023-06-13 Todd C. Miller
  • plugins/sudoers/match.c:
    runaslist_matches: split out user_list and group_list matching.

    This makes it possible to call the appropriate runas user or group list match function when resolving aliases instead of calling runaslist_matches() itself. Fixes a bug that prevented the group specified via “sudo -g” from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec. [3e0885e96418]

  • plugins/sudoers/match.c:
    runaslist_matches: remove special case to handle “sudo -g group”

    Now that we are guaranteed to have a runas user list for all sudoers rules that contain a runas list, we can remove support for the special case where user_matched is set in the runas group matching conditional. This fixes a bug where “sudo -u myuser -g mygroup” was permitted by a rule like “myuser ALL = (root) ALL”. [d80e907efe77]

  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.out.ok:
    Populate runasusers even when only a grouplist is specified.

    When a sudoers rule permits the user to run commands as a group, not a user, we should set the runasusers to single member with the special MYSELF token. This guarantees that the only time runasusers will be NULL is when no runaslist is present. [25c293ae5053]

  • plugins/sudoers/match.c:
    runaslist_matches: fix bug when no runas list is specified in sudoers.

    If a sudoers rule has no runas list, a user-specified runas group should only be allowed if it matches a group that the default runas user belongs to. Instead, a missing group check allowed the user run commands as the default runas user with an arbitrary group.

    This means that a rule like “somebody host = ALL”, which should be equivalent to “somebody host = (root) ALL”, had the same effect as “somebody host = (root:ALL) ALL”. [eeb075b3b79c]

2023-06-11 Todd C. Miller
  • plugins/python/pyhelpers.h:
    Python may be built with 32-bit time_t support on 32-bit platforms. We need to undef the SIZEOF_TIME_T from pyconfig.h so it does not conflict with our own. [c8bf985eb777]
2023-06-10 Todd C. Miller
  • Merge pull request #272 from millert/main

    Avoid use of variable length arrays and add ctype(3) casts. [806b2266f6ab]

  • lib/util/lbuf.c:
    Avoid use of variable length arrays and add ctype(3) casts. [d8c80d4905b3]
  • Merge pull request #270 from moehanabi/main

    Add %n$s support for sudo_lbuf_append_v1 [53ad2cdaaabe]

2023-06-09 Brilliant Hanabi
  • lib/util/lbuf.c:
    Add %n$s support for sudo_lbuf_append_v1 [f48fa0250fdc]
2023-06-09 bianguangze
  • plugins/sudoers/alias.c:
    correct the return value type of function alias_find_used [f689f55fef3f]
2023-06-07 Todd C. Miller
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/ro.mo, po/ro.po, po/ru.mo, po/ru.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po:
    Updated translations from translationproject.org [966147718ed3]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.14 [b79b44520c46]
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
    Add NETGROUP_QUERY option for servers that can’t match nisNetgroupTriple. This can be used to support netgroup queries on systems that lack the innetgr() function and where the LDAP server cannot query the nisNetgroup by nisNetgroupTriple. [98b293bee424]
2023-06-06 Todd C. Miller
  • plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h:
    sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches() This allows us to use the LDAP-specific version of innetgr() when possible. Also enable “use_netgroups” by default even on systems without innetgr() since we can now query netgroups directly via LDAP. [a443919be48c]
2023-06-05 Todd C. Miller
  • src/exec_ptrace.c:
    Only call ptrace_verify_post_exec() for intercept, not log_subcmds. [9f55dcdd66cd]
2023-06-04 Todd C. Miller
  • plugins/sudoers/visudo.c:
    run_command: back out changes to run editor in its own process group. It unnecessarily complicates things to work around bugs in an OS almost no one runs. [8790d32a4f99]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/suspend_parent.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, src/Makefile.in, src/sudo_exec.h, src/suspend_parent.c:
    Make suspend_parent.c out of lib/util and into src. Nothing else uses it now. [69eda3d690e4]
2023-06-03 Todd C. Miller
  • plugins/sudoers/digestname.c, plugins/sudoers/filedigest.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Initialize digest_type to SUDO_DIGEST_INVALID, not -1 and make it unsigned. This makes the digest type consistently unsigned instead of a mix of signed (for the -1 value in the tokenizer) and unsigned. [49ef7c33450f]
2023-05-25 Todd C. Miller
  • docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, etc/codespell.exclude, etc/codespell.ignore, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/pivot.c, plugins/sudoers/visudo.c:
    Fix typos and update excluded/ignored codespell lists. [bdb70620b4e4]
2023-05-19 Todd C. Miller
  • plugins/sudoers/visudo.c:
    run_command: check that ttyfd is not -1 before using it [990cbd169a37]
2023-05-18 Rose
  • include/sudo_event.h, lib/util/event.c, lib/util/rcstr.c, plugins/sudoers/canon_path.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
    Do variable length arrays the C99 way

    Variable length arrays are supported by C99, but having it denoted as “1” confused the compiler and is not defined.

    Note that because we don’t get the inferred NULL terminator, we have to increase the malloc size by one. [4e33419e940e]

  • lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/iolog/hostcheck.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/event.c, lib/util/explicit_bzero.c, lib/util/fatal.c, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/hexchar.c, lib/util/inet_ntop.c, lib/util/json.c, lib/util/lbuf.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/multiarch.c, lib/util/progname.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/term.c, lib/util/uuid.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/editor.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/iolog.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_monitor.c, src/limits.c, src/parse_args.c, src/sesh.c, src/sudo.c, src/sudo.h:
    Avoid compiler casting warnings by assigning to the same type where possible

    This saves instructions that are related to casting as well as compiler warnings. [d47033551fca]

  • lib/util/mktemp.c, lib/util/regress/tailq/hltq_test.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, plugins/group_file/plugin_test.c, plugins/sudoers/editor.c, plugins/sudoers/filedigest.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_digest.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/limits.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c:
    Avoid compiler casting warnings Part 2

    This saves instructions that are related to casting as well as compiler warnings. [685a954b019f]

2023-05-11 Todd C. Miller
  • plugins/sudoers/visudo.c:
    Work around a macOS a kernel bug where tcsetpgrp() does not restart.

    I reported this bug to Apple over 12 years ago. [77871464e563]

  • plugins/sudoers/visudo.c:
    run_command: run editor in foreground if visudo is the foreground process

    The command is now always run in its own process group. If visudo is run in the foreground, the command is run in the foreground too. Otherwise, run the command in the background. There is a race between the tcsetpgrp() call in the parent and the execve() in the child. If we lose the race and the command needs the controlling terminal, it will be stopped with SIGTTOU or SIGTTIN, which the waitpid() loop will handle. [e8e14e0024da]

  • plugins/sudoers/visudo.c:
    Accept carriage return for EOL in addition to newline.

    Since visudo doesn’t alter the terminal settings it is possible for the terminal to have the ONLCR bit set in the output control flags. In that case, we will get a CR, not a NL when the user presses enter/return. One way this can happen is if visudo is run in the background from a shell that supports line editing and the editor restores the (cbreak-style) terminal mode when it finishes. [14538e74fd02]

2023-05-09 Todd C. Miller
  • plugins/sudoers/regress/parser/check_fill.c:
    check_fill: sudoers_strict() is now a function, not a global variable [8b8e72d283df]
  • plugins/sudoers/parse.h, plugins/sudoers/sudoers.h, plugins/sudoers/toke.h:
    Move parser prototypes / externs from sudoers.h to parse.h or toke.h. [79a52390c46b]
  • plugins/sudoers/file.c, plugins/sudoers/sudoers.c:
    parse.h is already included by sudoers.h. [f6faa3f782a2]
  • plugins/sudoers/policy.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Rename parser_conf -> sudoers_conf in all but the parser itself. [61614621341e]
2023-05-08 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Move sudoers search path to struct sudoers_parser_config.

    That way we can avoid passing it to init_parser() directly. We still need sudoers_search_path to be shared between the lexer and the parser. [5e6c6a08aded]

  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c:
    Add struct sudoers_parser_config and pass it to init_parser().

    This struct contains parser configuration such as the sudoers file uid/gid/mode and parse flags such as verbose, strict and recovery. [ed8042e7a49a]

  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    push_include_int: Avoid passing close(2) a negative value on error. Coverity CID 314108 [bbbdfa87543e]
  • plugins/sudoers/ldap.c:
    Eliminate dead store. Coverity CID 315032. [6b48998e4db1]
2023-05-05 Todd C. Miller
  • include/sudo_iolog.h, lib/iolog/iolog_gets.c:
    iolog_gets: change size parameter to int to match fgets/gzgets

    Return an error, setting errno to EINVAL, for negative sizes. [27534bcb58a7]

2023-05-05 Rose
  • plugins/sudoers/sudoers_hooks.c:
    Redundant cast removal in sudoers_hooks

    def_sudoers_locale is already a char* [2f79add9136d]

2023-05-04 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Rename force_umask to override_umask and make it private to sudoers.c.

    Add getter for policy.c. [1c8a56c767f3]

  • plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
    Make timestamp_uid and timestamp_gid private to timestamp.c.

    Add getter (for set_perms.c) and setter (for sudoers.c). [ad49d0ee7e6f]

  • plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h:
    Make login_style private to bsdauth.c

    Add a setter for policy.c to handle auth_type from the front-end. [962af1d3d0fd]

2023-05-03 Todd C. Miller
  • lib/util/sudo_debug.c:
    Back out last change, len must be int, not size_t, for %.*s. [a82bbd86fa29]
  • src/exec_pty.c:
    Use a “%s” format instead of using a translated string as the format. [1a73a1b4fa94]
  • Merge pull request #260 from AtariDreams/size_t

    Prefer size_t over int, as casting can take extra instructions [c0fd1027e105]

2023-05-03 Rose
  • lib/eventlog/parse_json.c, lib/util/sudo_debug.c, plugins/sudoers/fmtsudoers.c:
    Prefer size_t over int, as casting can take extra instructions [96fc138b2009]
2023-05-02 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Rename init_parser_ext() to init_parser() and remove old wrapper.

    There was only one consumer of the init_parser() wrapper now that reset_parser() has been introduced. [4be1b8965ce6]

  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
    Add reset_parser() and use in place of init_parser(NULL). [f85227ac1182]
  • plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
    Make path_ldap_conf and path_ldap_secret private to policy.c.

    Add getters for both so the ldap code can access them. [90a2107d6ec7]

  • plugins/sudoers/file.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Make sudoers_file private to policy.c and visudo.c.

    We just need a way for the policy (and visudo) to override the default sudoers path. This adds a getter to be used in file.c when sudoers is first opened. [657aa80f3af8]

  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Support adminconfdir for relative include paths in sudoers. [7ebdbd46b47b]
  • plugins/sudoers/visudo.c:
    Track the destination sudoers path for each parsed file.

    When adminconfdir is enabled, the destination pathh may be different from the path we opened. We always store an edited file in the adminconfdir (if enabled). This makes it possible to use visudo when /etc/sudoers is located on a read-only file system. [de896a012d81]

  • INSTALL.md, Makefile.in, configure, configure.ac, docs/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, m4/sudo.m4, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Add adminconfdir and –enable-adminconf to set it. Configuration paths in sudo are now a colon-separated list of files with the adminconfdir instance first (if enabled), followed by a sysconfdir instance. [be1f672878ae]
  • configure, configure.ac, include/sudo_util.h, lib/util/Makefile.in, lib/util/secure_path.c, lib/util/sudo_conf.c, lib/util/util.exp.in, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoers.c, src/Makefile.in:
    Convert config file paths to colon-separated path list. This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF, and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first file that exists is used. [902d9da6a941]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Support sudoers_file being a colon-separated path of files. The first file found is used. [bebe005e2d32]
2023-05-01 Todd C. Miller
  • config.h.in, configure:
    Regenerate with latest autoconf from git. [0996570205bf]
2023-04-28 Todd C. Miller
  • logsrvd/logsrvd_conf.c:
    No longer need to set AI_NUMERICSERV while fuzzing.

    Now that getaddrinfo() is stubbed out while fuzzing we can remove the hack that set AI_NUMERICSERV. [8e3deb584c1c]

2023-04-26 Todd C. Miller
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    getaddrinfo stub: set sin_port [019eb2da9944]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Avoid NULL deref in stub getaddrinfo() when nodename is NULL. Also add support for parsing servname. We only need to support a subset of getaddrinfo() functionality in the fuzzer. [a605cc43bbaf]
  • configure, m4/hardening.m4:
    Add missing stdio.h include for the _FORTIFY_SOURCE=2 check. Implementations of _FORTIFY_SOURCE require the header file to be included. Also remove the useless test of an empty program with _FORTIFY_SOURCE defined. Pointed out by Florian Weimer. [511b9bdddbdc]
  • configure, m4/ldap.m4:
    Use ldap_msgfree() instead of ldap_init() for the lber.h test. The ldap_init() function is marked as deprecated and not defined by default on some systems. This can cause an error for compilers that do not support implicit function declarations. From Florian Weimer. [1b1ce2072403]
2023-04-25 Todd C. Miller
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Include arpa/inet.h for inet_pton() prototype. [50d3b09376f7]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Add netdb.h for struct addrinfo and EAI_* error codes. [92d33c6f8a23]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Stub out getaddrinfo() and freeaddrinfo(). We may not be able have access to DNS in the fuzzing environment. [b3d2e6c04076]
  • lib/eventlog/regress/eventlog_store/store_sudo_test.c:
    Plug memory leaks in store_sudo_test found by LSAN. [5f1d68d01c0c]
2023-04-24 Todd C. Miller
  • src/limits.c:
    disable_coredump: only change the soft limit, leave the hard limit as-is This should avoid problems on Linux in cases where sudo does not have CAP_SYS_RESOURCE which may be the case in an unprivileged container. GitHub issue #42 [4e65c3923119]
2023-04-19 Todd C. Miller
  • scripts/build_pkgs:
    Add basic support for remote power on/off via net-snmp. [ca021941fd58]
  • src/exec.c:
    More accurate description of what happens for “sudo -b”. [a9158169fcac]
  • src/exec_pty.c:
    Better support for “sudo -b” when running the command in a pty.

    When a command is run via “sudo -b” it has no access to terminal input. In non-pty mode, the command runs in an orphaned process group and reads from the controlling terminal fail with EIO. We cannot do the same while running in a pty but if we set stdin to a half-closed pipe, reads from it will get EOF. That is close enough. [a284611a18fd]

2023-04-18 Todd C. Miller
  • src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.h, src/ttyname.c:
    Avoid calling isatty()/ttyname() on std{in,out,err} if not a char dev.

    The user controls these fds so we should avoid calling ioctl(2) on them unless they correspond to actual character device files. [745430b563db]

  • src/parse_args.c, src/sudo_usage.h.in:
    Hard-code usage() and help() for an 80-column terminal.

    Trying to tailor the help and usage output to the terminal width is simply not worth it and could be abused to mark a socket as “trusted” on Linux if there are additional kernel bugs like CVE-2023-2002. [d06fa6322ffb]

  • config.h.in, configure, configure.ac, src/sudo.c, src/sudo_usage.h.in:
    Move CONFIGURE_ARGS from sudo_usage.h.in to config.h.in. [e3149b6f4392]
2023-04-17 Todd C. Miller
  • lib/util/ttysize.c, src/sudo.c:
    get_user_info: call sudo_get_ttysize() even if no /dev/tty We still want to initialize rows and cols based on the environment if possible. [4f3801c2f264]
2023-04-16 Todd C. Miller
  • src/parse_args.c:
    Get the tty size using stdout, not stderr, when printing help output. While usage() prints to stderr, help() prints to stdout. [0bdf411ebc7f]
  • src/sudo.c:
    get_user_info: pass sudo_get_ttysize() the fd of /dev/tty, not stderr. Both the plugin API and the main event loop expect lines/cols to refer to the user’s terminal, so using /dev/tty is better here. [2e7ba199f4c7]
  • include/sudo_util.h, lib/util/ttysize.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c, src/parse_args.c, src/sudo.c:
    Add an fd argument to sudo_get_ttysize() instead of always using stderr.

    For sudoreplay we open /dev/tty, so use that instead of stderr when determining the terminal size. [4afc292d3cf4]

  • lib/util/ttysize.c:
    Check whether stderr is a tty before trying TIOCGWINSZ. [4a0d367e49c6]
2023-04-14 Todd C. Miller
  • configure, configure.ac:
    Use -no-undefined on macOS to avoid “-undefined dynamic_lookup” warnings.

    Starting with macOS 13, the linker warns when “-undefined dynamic_lookup” is used. This is added by libtool by default on macOS but we can suppress it by passing -no-undefined to libtool. [afeb9acd894c]

2023-04-08 Todd C. Miller
  • docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add make to Dockerfile and sort packages. [fa937cbf8a23]
2023-04-06 Todd C. Miller
  • docs/UPGRADE.md, docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c:
    Enable the use_pty option by default for sudo 1.9.14.

    GitHub issue #258 [86a1a6da1878]

2023-04-05 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Split up the monolithic sudoers_policy_main() function.

    This splits the code to find the command, perform a sudoers lookup, ask for a password as needed, and perform post-lokup checks out into sudoers_check_common(). The old sudoers_policy_main() has been replaced by sudoers_check_cmnd() (called by sudoers_policy_check()), sudoers_validate_user() (called by sudoers_policy_validate()) and sudoers_list() (called by sudoers_policy_list()). The list_user lookup is now performed in sudoers_list(). [59e0b245c776]

  • plugins/sudoers/sudoers.c:
    Move the root_sudo check until after we apply per-command Defaults.

    It is possible, though unlikely, for “root_sudo” to be used in a per-command Defaults statement. [ca1903576e0d]

2023-04-01 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    sudoers_policy_main: restore locale if sudoers_lookup() fails.

    Previously, if sudoers_lookup() set VALIDATE_ERROR, the sudoers locale would still be in effect instead of the original locale. [24df4eebbfc8]

  • plugins/sudoers/parse.c:
    sudoers_lookup_pseudo: remove validated function argument

    This was always set to FLAG_NO_USER|FLAG_NO_HOST which are cleared at the top of the fuction. Make validated a local variables, initialized to 0, instead. No change in behavior. [72e6207850fc]

2023-03-31 Todd C. Miller
  • plugins/sudoers/audit.c, plugins/sudoers/iolog.c:
    The I/O log file name is not just the basename of the full iolog_path. The audit plugin already has the correct value for iolog_file, don’t overwrite it with basename(iolog_path). In the future we may wish to pass in iolog_file and iolog_dir in addition to iolog_path. Fixes Bug #1046. [f272de885273]
2023-03-29 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Warn with “unknown user” not “unknown uid” if user cannot be resolved. Prior to sudo 1.8 this was after a getpwuid() but now we use getpwnam(). [9a523881df41]
  • plugins/sudoers/sudoers.c:
    Set timestamp_uid and timestamp_gid via a callback. This also makes it possible to include the location of the line in the sudoers file in the warning message (and mail). [5588cf3cb55b]
2023-03-28 Todd C. Miller
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Fix display of escape sequencees in ldapsearch example. [08dc98162160]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    White space is not allowed between Defaults and ‘@’, ‘:’, ‘!’, ‘>’. The EBNF made it appear that this is allowed when it really is not. [74bba755afaf]
2023-03-27 Todd C. Miller
  • src/edit_open.c, src/exec.c, src/exec_intercept.c, src/exec_intercept.h, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_edit.h, src/sudo_exec.h, src/tgetpass.c:
    Make struct {command,user}_details pointers const where possible. [dcfa95a24789]
  • src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c:
    Make user_details private to main. [43477263455b]
  • src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/tgetpass.c:
    Make user_details private to sudo.c. [fec5df7605dc]
  • configure, scripts/config.sub:
    Regenerate with the autoconf 2.72c snapshot. [6dda0f9323b1]
2023-03-25 Todd C. Miller
  • src/parse_args.c:
    Use sudo_get_ttysize() in help() and usage(). This eliminates a dependency on the user_details global. [ecbc8afc1630]
  • src/exec.c, src/sudo.c, src/sudo.h:
    Store submitcwd (from user_details) in struct command_details. This eliminates use of the user_details global from exec_setup(). [ed37b2a451f8]
2023-03-24 Todd C. Miller
  • src/utmp.c:
    utmp_fill: user is now always non-NULL, no need for user_details. [76bdecaaad07]
  • src/parse_args.c, src/sudo.c, src/sudo.h:
    Remove list_user global. [fd397db04688]
  • src/conversation.c:
    No need to declare tgetpass_flags, it is already in sudo.h. [c7e1b8ef75c8]
  • src/sudo.c:
    No need for sudo_mode to be global anymore. [f746eba12bd9]
  • src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    Make iobufs private to exec_iolog.c. [80861a209ddd]
  • src/sudo_exec.h:
    Remove ttymode and its associated values. [efb4e04097ab]
  • src/exec.c, src/exec_pty.c, src/get_pty.c, src/sudo.h, src/sudo_exec.h:
    Move ptyname to struct exec_closure [d4080a4262bd]
  • src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h:
    Move pty_make_controlling() to exec_monitor.c where it is called. We can use details->tty to access the pty follower path. [9875f0b136f4]
  • src/exec_pty.c, src/sudo.c:
    Eliminate utmp_user global, just use the value in struct command details. [95b28adcb0f3]
  • src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    Replace tty_mode global with term_raw flag in struct exec_closure.

    The pty_cleanup hook needs access to the closure so add pty_cleanup_init() to store a pointer to the closure for use by pty_cleanup_hook(). [cc01f0da46d9]

  • src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h:
    Register pty cleanup function in exec_pty(), not exec_cmnd_pty(). We want it to execute in the main sudo process, not the monitor. [279e370adc01]
  • src/exec_iolog.c:
    Make ttyblock private to exec_iolog.c [61243eba350d]
2023-03-23 Todd C. Miller
  • src/exec_pty.c, src/sudo_exec.h:
    exec_pty.c: move foreground flag to struct exec_closure. Also make pipeline flag private to exec_pty() and remove the unneeded check_foreground() prototype. [dd25f1d91008]
  • src/exec_pty.c:
    On resume, always sync the pty terminal settings with /dev/tty.

    Changes made to the terminal settings while the command is suspended are now reflected in the pty when the command is resumed. This is more consistent with the non-pty behavior and allows for the removal of the “tty_initialized” global. One downside to this change is that if a terminal-based program using the pty is stopped with SIGSTOP it may have the wrong terminal settings on resume. However, this is no different from the non-pty case. [3e59765dea31]

  • lib/util/suspend_parent.c, lib/util/term.c:
    Correct a comment. [393a4d472507]
2023-03-22 Todd C. Miller
  • config.h.in, configure, configure.ac:
    Use built-in tests for bit types instead of using AC_CHECK_TYPES. This should be more portable as it handles the quirks of some older systems. [7e471f2a914d]
  • plugins/sudoers/visudo.c, src/regress/intercept/test_ptrace.c:
    Quiet compiler warnings on systems where pid_t is not an int. Historically, pid_t was a long on some 32-bit systems like Solaris. [c31393da893d]
  • plugins/sudoers/visudo.c:
    Silence “used uninitialized” false positives with older gcc versions. [40f0ee142249]
  • src/exec_pty.c:
    exec_pty: always copy the terminal settings from /dev/tty the pty. Previously, we only did this when running in the foreground but this can cause problems when running a program that reads the terminal settings or window size in the background. If sudo is running in the background, the terminal settings will be updated if it transitions to the foreground process. Based on a suggestion from From Duncan Overbruck. [51a70eadc7fc]
  • src/exec_pty.c:
    check_foreground: use SFD_LEADER not SFD_FOLLOWER (which was closed). Also use SFD_LEADER for sudo_term_copy() in exec_pty() for consistency. From Duncan Overbruck. [172962b90aa6]
  • src/exec_pty.c:
    suspend_sudo_pty: fix cut & pasto in last commit to catch SIGCONT. Also set sa.sa_handler to SIG_DFL instead of SIG_IGN. There is no difference for SIGCONT but it means we can re-use sa as-is later. [e07725c8c939]
2023-03-21 Todd C. Miller
  • src/exec_pty.c:
    Catch SIGCONT and restore terminal settings on resume from SIGSTOP. While we cannot catch SIGSTOP, we can catch SIGCONT and set /dev/tty to raw mode when running in the foreground. Ignore SIGCONT in suspend_sudo_pty() so we don’t call resume_terminal() twice. [b5b2d739e44d]
  • src/exec_monitor.c, src/exec_pty.c:
    Only convert a signal number to a name if we are going to use it. It is mostly used for debug logging. [225c3630ffff]
  • src/exec_monitor.c, src/exec_pty.c, src/sudo.h:
    Move updating of the window size back to the main sudo process. We can use the leader file descriptor with TIOCGWINSZ to set the window size of the pty. Thanks to Duncan Overbruck for the hint. [6e3f7622038a]
  • plugins/sudoers/visudo.c:
    visudo: restore controlling terminal after running the editor. Otherwise, visudo will get SIGTTOU if it tries to write to the terminal after the editor finishes. Also avoid races by setting the process group ID in both the parent and child, and grant the controlling terminal in the parent, not the child. [c0f339a84be8]
2023-03-20 Todd C. Miller
  • docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
    Warn about ignored files in sudoers.d in visudo. [61f8def2d666]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Replace sudoers_warnings with sudoers_verbose. This is now an int, with values > 1 reserved for visudo. [d1d7b559b904]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
    Split push_include() into push_include() and push_includedir(). This moves the “isdir” function argument to the internal version. [d454beb6eebf]
2023-03-17 Todd C. Miller
  • plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h:
    Pass around const struct sudo_nss pointers where possible. [d13437078d19]
  • plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/match.c, plugins/sudoers/parse.h:
    Pass around const struct sudoers_parse_tree pointers where possible. [1aa8b9069b39]
  • plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_ldap_conf.h:
    Move non-config-related macros to from sudo_ldap_conf.h to sudo_ldap.h. [16e67a765a30]
2023-03-16 Todd C. Miller
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/getcwd.c, scripts/mkdep.pl:
    Remove portable getcwd.c, nothing uses it anymore. Any operating system supported by sudo already includes getcwd(3). [8f0584066f6f]
  • src/Makefile.in:
    Use LIBPROTOBUF_C and LIBUTIL variables and use them. [062142fa5ae8]
2023-03-15 Todd C. Miller
  • include/sudo_util.h:
    Remove now-unused sudo_timeval* macros. [3448dce21b9c]
  • lib/util/nanosleep.c:
    nanosleep: clear remainder on successful completion Also switch to doing everything in terms of struct timespec except for the actual select(2) call. [d67451eb618e]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in:
    Add lib dependencies for fuzzer and test targets. [60605bcc3905]
  • lib/eventlog/eventlog_free.c:
    eventlog_free: free peeraddr [42670e45e57f]
  • plugins/sudoers/ldap_innetgr.c:
    sudo_ldap_netgroup_match_str: “-” in a netgroup can never match. We already check for a NULL value above so “str == NULL” is always false. Found by PVS-Studio. [c9cfdd013e92]
2023-03-14 Todd C. Miller
  • lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c:
    Add support for parsing all fields of struct eventlog. [3828e55bdaff]
2023-03-13 Todd C. Miller
  • MANIFEST, lib/eventlog/Makefile.in, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/eventlog_store/test1.json.in, lib/eventlog/regress/eventlog_store/test1.json.out.ok, lib/eventlog/regress/eventlog_store/test1.sudo.out.ok, lib/eventlog/regress/eventlog_store/test2.json.in, lib/eventlog/regress/eventlog_store/test2.json.out.ok, lib/eventlog/regress/eventlog_store/test2.sudo.out.ok, lib/eventlog/regress/eventlog_store/test3.json.in, lib/eventlog/regress/eventlog_store/test3.json.out.ok, lib/eventlog/regress/eventlog_store/test3.sudo.out.ok, lib/eventlog/regress/eventlog_store/test4.json.in, lib/eventlog/regress/eventlog_store/test4.json.out.ok, lib/eventlog/regress/eventlog_store/test4.sudo.out.ok, lib/eventlog/regress/parse_json/check_parse_json.c:
    Add tests for JSON and sudo-style log output. [3a923f86fff2]
  • plugins/sudoers/match.c:
    Declare domain even if the system lacks innetgr(). Fixes a build error on musl-based systems like Alpine. [34cfa5ad4cdc]
  • lib/eventlog/Makefile.in:
    Add missing definition of $(SED). [9a614b90c852]
  • MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/parse_json.c, lib/eventlog/parse_json.h, lib/eventlog/regress/parse_json/check_parse_json.c, lib/eventlog/regress/parse_json/test1.in, lib/eventlog/regress/parse_json/test2.in, lib/eventlog/regress/parse_json/test2.out.ok, lib/eventlog/regress/parse_json/test3.in, lib/eventlog/regress/parse_json/test3.out.ok, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_json.h, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_json/test1.in, lib/iolog/regress/iolog_json/test2.in, lib/iolog/regress/iolog_json/test2.out.ok, lib/iolog/regress/iolog_json/test3.in, lib/iolog/regress/iolog_json/test3.out.ok:
    Move JSON log parsing from libsudo_iolog.la to libsudo_eventlog.la It will be used in the upcoming log output tests. [1a8dd741b666]
  • lib/eventlog/eventlog.c:
    Add missing " ; " separator between environment variables and command. This is a regression introduced in sudo 1.9.13. GitHub issue #254. [a3c09b724b7a]
2023-03-12 Todd C. Miller
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Add example to verify support for searching by nisNetgroupTriple. [090ffa785e56]
2023-03-11 Todd C. Miller
  • plugins/sudoers/gc.c:
    Remove unused sudoers_gc_init() function. [b2ee61f8f11d]
2023-03-10 Todd C. Miller
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Sudo now does its own netgroup lookups if NETGROUP_BASE is set. Previously, it only performed netgroup queries to determine the list of netgroups a user was a member of. [932613f6868a]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c:
    sudoers_cleanup: free cached environment before running g/c. Avoids a double free in fuzz_policy. [e616d4a038b6]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    sudoers_cleanup: run the garbage collector at the end [cbc28a012f8b]
  • plugins/sudoers/sudoers.c:
    Plugin a memory leak in intercept mode. [f63fb51ff972]
  • src/exec_intercept.c:
    Sync non-intercept version of intercept_cleanup() declaration. [712ff6c2f6bd]
  • plugins/sudoers/ldap_innetgr.c:
    Plug memory leak if ldap_get_option() fails with LDAP_NO_MEMORY. [0be36e3e9473]
  • src/exec.c, src/exec_intercept.c, src/sudo_exec.h:
    Plug a memory leak with ptrace-based intercept. [3b411be9fe37]
  • src/exec_intercept.c:
    Plug memory leak when log_subcmds is enabled. [1d5b21665ced]
  • lib/util/suspend_parent.c:
    Pass closure to callback, not the callback pointer itself. [a4e433840f16]
  • MANIFEST, configure, m4/ldap.m4, plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/sudo_ldap.h, scripts/mkdep.pl:
    Add LDAP-specific innetgr() implementation. Wheh netgroup_base is set we now do out own netgroup lookups using LDAP. Previously, LDAP was queried directly to get a list of the netgroups the user belongs to but other netgroups queries went through innetgr(3). This makes it possible to use netgroups in LDAP sudoers on systems that don’t have an innetgr() function. GitHub issue #251. [aa7304a533e0]
  • plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/sudo_ldap.h:
    Move some functions from ldap.c to ldap_util.c. These will be used by the LDAP innetgr() implementation. [70fd74041c5d]
2023-03-08 Todd C. Miller
  • Merge pull request #252 from bin-ly/main

    fix typo in uninstall target [4a1d3542345c]

2023-03-09 bin-ly
  • lib/util/Makefile.in:
    fix command error for lib/util/Makefile.in [7dd4e9e6d976]
2023-03-08 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h:
    Add per-source innetgr function pointer and use it in netgr_matches(). This will be used to implement LDAP-specific netgroup lookups when netgroup_base is set in ldap.conf. [f7c89d6e8d6b]
2023-03-07 Todd C. Miller
  • MANIFEST, lib/util/Makefile.in, lib/util/regress/digest/digest_test.c:
    Add tests for SHA2 digest support. This uses the NIST byte-oriented short message test vectors. [06e01abf7943]
2023-03-04 Todd C. Miller
2023-03-03 Todd C. Miller
  • plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h:
    A user with “list” privs for root may not list all users. A user with “sudo ALL” for root is allowed to list any user. [fe758ae9d0bb]
  • plugins/sudoers/policy.c:
    sudoers_policy_list: do not set runas_pw to list_pw when listing This change introduced in sudo 1.9.13 is not actually needed. The “list” pseudo-command checks are performed via runas_matches_pw() which does not use runas_pw. GitHub issue #248 [94c1f6d9bc6d]
  • plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c:
    Fix “sudo -l command args”, broken in sudo 1.9.13. The value of user_args should not contain the command to be run in “sudo -l command args”, only the arguments of the command being checked. This restores the pre-1.9.13 behavior. GitHub issue #249 [2773b6d91cf1]
2023-03-01 Todd C. Miller
  • logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
    Check for sudo_pow2_roundup() overflow. Calling sudo_pow2_roundup(INT_MAX+2) will return since there is no power of 2 larger than INT_MAX+1 that fits in an unsigned int. This is not an issue in practice since we restrict messages to 2Mib. [d76de48704d0]
  • src/exec_nopty.c, src/exec_pty.c:
    write_callback: only enable /dev/tty reader if the command is running This fixes a hang when there is /dev/tty data in a buffer to be flushed by the final call to del_io_events(). We do not want to re-enable the reader when flushing the buffers as part of pty_finish(). See PR #247 for analysis of the problem and how to reproduce it. [2cf041ccbd98]
2023-02-28 Todd C. Miller
  • plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test12.sh:
    Test non-fully qualified path name. [b653458b1758]
  • plugins/sudoers/Makefile.in:
    Fix removal of y.tab.[ch] when generating gram.[ch]. [9c5f5be26ad0]
  • MANIFEST, plugins/sudoers/regress/sudoers/test30.in, plugins/sudoers/regress/sudoers/test30.json.ok, plugins/sudoers/regress/sudoers/test30.ldif.ok, plugins/sudoers/regress/sudoers/test30.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test30.out.ok, plugins/sudoers/regress/sudoers/test30.sudo.ok, plugins/sudoers/regress/sudoers/test30.toke.ok:
    Add test for using “list” as user, runas and host. [712c96af942d]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Move handling of the “list” pseudo-command from lexer to parser. The special handling of “list” in the lexer meant it could not be used as a user, group or host, which was unintentional. GitHub issue #246. [d36f1d686343]
2023-02-27 Todd C. Miller
  • include/sudo_compat.h:
    Make the check for HAVE_DECL_NSIG consistent with other decl checks. [4e6e627062af]
  • plugins/sudoers/match_command.c:
    Plug memory leak with multiple matching CHROOT= entries. Found by oss-fuzz. [a4982b468985]
2023-02-25 Todd C. Miller
2023-02-23 Todd C. Miller
  • plugins/sudoers/logging.c:
    Include error string when formatting a SLOG_PARSE_ERROR message if present. [b4254bf84300]
  • lib/util/lbuf.c:
    sudo_lbuf_expand: check for overflow when rounding to the nearest power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [7d433e75c858]
  • src/load_plugins.c:
    Fix –enable-static-sudoers, broken in sudo 1.9.13. sudo_qualify_plugin() should not try to fully-qualify the path to a statically-compiled plugin. GitHub issue #245 [f323e3f0a5c0]
2023-02-22 Todd C. Miller
  • plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c:
    Add sudoers open errors to the list of parse errors sent via mail. Previously there would be one email for the open failure and a separate one describing the parse error. Now a single email message contains everything. [b81299ccdad8]
  • plugins/sudoers/visudo.c:
    visudo: quiet a compiler warning on Solaris 10. Also explicitly close /dev/tty fd instead of relying on closefrom() in case the fd ends up being a value 0-2. [d839cc458245]
  • Merge pull request #244 from ffontaine/main

    configure.ac: fix openssl static build [af40f67e9771]

  • configure, configure.ac, lib/util/Makefile.in:
    Replace LIBMD with LIBCRYPTO display crypto/tls libs in summary. We can only have one of either -lmd, -lgcrypt or -lcrypto so there is no need to have more than one variable. [da65125af8c6]
2023-02-22 Fabrice Fontaine
  • m4/openssl.m4:
    configure.ac: fix openssl static build

    Do not use AX_APPEND_FLAG as it will break static builds by removing duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto. This will fix the following build failure with sparc which needs -latomic:

    Checking for X509_STORE_CTX_get0_cert configure:21215:
    /home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot- linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DZLIB_CONST -static conftest.c -L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic -lcrypto >&5 /home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc- buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux- uclibc/bin/ld:
    /home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in function X509_CRL_up_ref': x509cset.c:(.text+0x108): undefined reference to __atomic_fetch_add_4’

    […]

    In file included from ./hostcheck.c:38:
    ../../include/sudo_compat.h:342:41: error: conflicting types for ‘ASN1_STRING_data’ 342 | # define ASN1_STRING_get0_data(x) ASN1_STRING_data(x) | ^~~~~~~~~~~~~~~~

    Fixes:

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@…> [487cfc17c742]

2023-02-21 Todd C. Miller
  • MANIFEST, plugins/sudoers/match_command.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
    Fix potential double free for rules that include a CHROOT= option. If a rule with a CHROOT= option matches the user, host and runas, the user_cmnd variable could be freed twice. [a988ae0045a2]
  • plugins/sudoers/visudo.c:
    Check tcsetpgrp() return value. [5d9bdb2fea15]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/suspend_parent.c, lib/util/util.exp.in, plugins/sudoers/visudo.c, src/Makefile.in, src/exec_iolog.c, src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo.h, src/sudo_exec.h, src/suspend_nopty.c, src/tcsetpgrp_nobg.c:
    Run the editor in its own process group. This fixes suspending the editor on GNU Hurd which doesn’t seem to have proper process group signal handling. [210e058101af]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c:
    Stub out pivot_root() and unpivot_root() for all but the sudoers module. [967f706e6bff]
  • plugins/sudoers/match_command.c:
    Fix build when SUDOERS_NAME_MATCH is defined. [79e4613fbd85]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pivot.c, plugins/sudoers/sudoers.h:
    Add pivot_root() and unpivot_root() to switch the root dir and restore it. This will be used to more accurately handling command resolution and path matching when a new root directory is specified. [77300a0e1537]
  • plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    set_cmnd_path: apply runchroot if set when finding the command path Previously we would prepend runchroot to the path we were checking but that does not properly handle symbolic links. [3fb7ca4631c0]
  • plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h:
    match_command: apply runchroot if set when matching the command Previously we would prepend runchroot to the path we were checking but that does not properly handle symbolic links. [41dc8f445f78]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/canon_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add canon_path(), a realpath() wrapper that performs caching. This also adds a new user_cmnd_dir variable that stores the canonicalized parent directory of the command to be run. [6065f5e76387]
  • plugins/sudoers/match_command.c:
    Match using canonicalized directories where possible. [020d4ad53d07]
  • src/exec_ptrace.c:
    ptrace_intercept_execve: preserve old argv[0] after policy check. We have to replace argv[0] with the pathname for the policy check but want to restore it afterwards if the policy has not changed the command’s path name to avoid a mismatch later on. [5dcd96a5c369]
  • configure, configure.ac:
    Move initial values into AC_SUBST() where possible. [3db7feb16577]
  • configure, configure.ac:
    No need to AC_SUBST() standard autoconf variables. [48ce145c9e40]
2023-02-19 Todd C. Miller
  • INSTALL.md:
    Document –disable-largefile and –disable-year2038. [424d17d1b83d]
  • configure, configure.ac:
    Fix indentation of intercept file in summary output. [3cf0104bd2e5]
  • plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/starttime.c:
    get_starttime: add support for GNU Hurd using the mach task_info call. This is currently Hurd-specific but could be made Mach-generic as long as the equivalent of pid2task() is available. [a81de7fb1f83]
2023-02-18 Todd C. Miller
  • plugins/sudoers/regress/starttime/check_starttime.c:
    Only test get_starttime() on platforms where we support it. Fixes a test failure on systems where we have no way to determine a process’s start time. [bf8dbe59b2c6]
2023-02-16 Todd C. Miller
  • configure.ac:
    Use m4_bmatch, m4_case does not support shell-style globbing. [b7a743baf22e]
  • configure, configure.ac:
    Allow configure.ac to be processed by autoconf 2.69. AC_PROG_CC_STDC is deprecated in autoconf 2.70 and above but it is necessary for autoconf 2.69. [324ba83acd63]
  • configure.ac:
    Only use AC_SYS_YEAR2038 if it is defined. Otherwise, use the method from 1.9.12. GitHub issue #242 [16fcec5264cc]
2023-02-15 Todd C. Miller
  • scripts/mkpkg:
    Sudo-specific executables moved to /usr/libexec/sudo starting in Debian 12 (Bookworm) and Ubuntu 22.04 (Jammy Jellyfish). Previously, they were stored in /usr/lib/sudo. [a2aa15b72312]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Handle “locale -a” returning both C.UTF-8 and C.utf8. It is possible to have mutiple matches from the output of “locale -a”. Just take the first one. Fixes GitHub issue #241. [aeba71610439]
  • lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Add some missing files to the clean and distclean targets. [5dedbe519db1]
  • Merge pull request #240 from thesamesam/c23

    sudo_fatal: Fix build where compiler recognises [[noreturn]] attribut… [22ae0d4402ac]

2023-02-15 Sam James
  • include/sudo_fatal.h:
    sudo_fatal: Fix build where compiler recognises [[noreturn]] attribute (C23)

    If the compiler supports [[noreturn]] as a attribute as in C23, then we define sudo_noreturn to be it. When that’s the case, we must place it at the beginning of the declaration, before any other extension attributes (__attribute(…)).

    A bug has been filed with GCC regarding rejecting/accepting mixed attribute styles.

    sudo_dso_public is always an extension attribute, while sudo_noreturn only might be, so put it first.

    This only shows up with GCC 13 so far (see the linked GCC bug for a bit more exploration). Clang 16 does support the attribute but doesn’t let you use it for earlier language versions (need to pass explicit -std=c2x, unlike with GCC here).

    This is essentially a followup to e707ffe58b3ccfe5c72f54c38eac1d7069d5021e.

    Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211, Clang 16.0.0_rc2, and Clang 15.0.7.

    Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796 Closes:
    https://github.com/sudo-project/sudo/issues/239 Fixes:
    e707ffe58b3ccfe5c72f54c38eac1d7069d5021e Fixes:
    16ae61dcd7d3cd8bf6eb10a22fa742d4505da4e9 [806b5f3a6485]

2023-02-14 Todd C. Miller
  • configure, configure.ac:
    Add missing ‘[’ to AS_IF() call. Fixes GitHub issue #238. [48372d73d4bb]
  • MANIFEST, plugins/sudoers/po/ka.mo:
    Add compiled version of the sudoers Georgian translation. [35007cc1c867]
  • .gitignore, .hgignore:
    Do not ignore .mo files. Otherwise we are likely to miss uncommitted changes in them. [d76a98baaf15]
  • plugins/sudoers/po/ru.mo, plugins/sudoers/po/zh_CN.mo, po/zh_CN.mo:
    Regenerate .mo files. [a7a708d8bf34]
2023-02-12 Todd C. Miller
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/realpath.c, scripts/mkdep.pl:
    Add checks for realpath(3) and a version from NetBSD for those without it. [121fb2ed88de]
2023-02-09 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    No longer need to define sudoers_recovery here. [11a365a8a218]
  • NEWS:
    Mention that a missing include file is no longer fatal. [ba0bd554435e]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/policy.c:
    Recover from missing include file unless error_recovery is disabled. It is still treated as an error from a logging perspective, and mail is still sent. [e1cac68917cc]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/logging.c:
    Add eventlog_mail() to send a log message via mail. This is used by mail_parse_errors() to send multi-line messages. Previously, the newlines would be escaped as control characters. [97e516576212]
  • lib/eventlog/eventlog.c:
    send_mail: pass a single string instead of using varargs These days we only ever pass in a const string. [700e72ca42c0]
2023-02-08 Todd C. Miller
  • configure, configure.ac, m4/sudo.m4, pathnames.h.in, plugins/sudoers/visudo.c:
    Substitute for _PATH_SUDO* variables in pathnames.h. Previously these were hard-coded with Makefile overrides. [53c8be4b6af3]
2023-02-05 Todd C. Miller
  • configure, configure.ac:
    Use AS_IF instead of if; then where possible. [56946f4ac23a]
2023-02-03 Todd C. Miller
  • plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/fur.mo, po/fur.po, po/ja.mo, po/ja.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [c3be19c34043]
  • src/exec_pty.c, src/tgetpass.c:
    Display error in error message if we can’t restore the terminal. [aa2c60802b33]
2023-02-02 Todd C. Miller
  • src/exec_pty.c, src/tgetpass.c:
    Display an error message if unable to restore terminal settings. [a1efb1dca169]
  • Makefile.in, etc/sudo.pp, plugins/sudoers/Makefile.in:
    Get rid of sudoersdir and just use sysconfdir. There is no need for sudoersdir when it is always just set to sysconfdir. [690b44edcec2]
  • src/exec_pty.c:
    pty_finish: only restore the terminal if sudo is the foreground process [357d90f11750]
  • src/exec_pty.c:
    Better background job detection when running a command in a pty. If sudo is not the process group leader and stdin is not a tty, we may be running as a background job via a shell script. Start the command in the background to avoid changing the terminal mode from a background process. GitHub issue #237 [6c74910ea869]
  • src/exec_pty.c:
    suspend_sudo_pty: stop the process group even if sudo is not the leader. When sudo is not the process group leader, we still need to stop sudo’s process group and not just the sudo process itself. If we only send the signal to sudo itself, the shell will not notice if it is not in monitor mode. This can happen when sudo is run from a shell script, for example. In this case we need to signal the shell itself. If the process group leader is no longer present, we must kill the command since there will be no one to resume us. [44bb3267a55e]
  • lib/util/term.c:
    Add debug tracing to tcsetattr_nobg(). [b7a17174f1cf]
2023-01-31 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Avoid compilation errors if getaddrinfo() or freeaddrinfo() are macros. If this is the case we probably can’t stub out the functions but at least the fuzzer will compile. [2482db79d3b9]
  • src/net_ifs.c:
    Initialize the integer result parameter passed to SIOCGIFANUM. It appears that passing in a non-zero value causes the ioctl() to fail. From Tim Rice. [071633f9929c]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, plugins/sudoers/log_client.c:
    Protect use of AF_INET6 with HAVE_STRUCT_IN6_ADDR guards. From Tim Rice. [661c26064544]
  • config.h.in, configure, configure.ac, include/sudo_compat.h:
    Add configure test for NSIG, _NSIG or __NSIG. This is better than just defining NSIG in sudo_compat.h if it is not defined since signal.h may not have been included. [f1c94c5f825b]
  • logsrvd/logsrvd_conf.c:
    Avoid DNS lookups when fuzzing. [384ffdead655]
2023-01-30 Todd C. Miller
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp:
    No longer need to treat Rocky or Alma Linux specially. We now treat them the same as RHEL. [190afa102ca6]
2023-01-29 Todd C. Miller
  • Merge pull request #230 from trackers-lover/main

    Return value does not match [1dc4317beaf7]

2023-01-29 bianguangze@…
2023-01-27 Todd C. Miller
  • scripts/build_pkgs:
    Store conf hash in vm_servers instead of vmid. Add a shutdown command fallback to the conf file. [2f7eeb5c3f04]
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.po, po/zh_TW.po:
    Updated translations from translationproject.org [fa9569203e16]
  • config.h.in, configure, scripts/config.guess, scripts/config.sub:
    Regen with latest autoconf git. [9a0bbbb682fc]
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp:
    Recognize Alma Linux and Rocky Linux (Open Source RHEL clones) [b1dbb7b75824]
  • scripts/mkpkg:
    Fix determination of the number of CPU cores on Linux. [6ac6a9b074bf]
2023-01-26 Todd C. Miller
  • MANIFEST, plugins/sudoers/po/ka.po:
    New Georgian translation from translationproject.org [17681b870666]
  • Merge pull request #235 from kernelmethod/apparmor_dependencies

    Replace the Debian libselinux1 dependency with libapparmor1 [ca29638c5c34]

2023-01-26 kernelmethod
  • etc/sudo.pp:
    Replace the Debian libselinux1 dependency with libapparmor1

    Debian >= 10 uses AppArmor by default instead of SELinux, so SELinux-related sudo features are typically going to be unusable in Debian installs. This changes the dependency on libselinux1 to be a dependency on libapparmor1 for .deb packages built with make package. [5779ce23a161]

2023-01-25 Todd C. Miller
  • src/exec_ptrace.c:
    get_execve_info: defer setting pathname until argbuf is finalized If we reallocate the buffer (via growbuf()) in ptrace_read_vec(), the address of argbuf may change. If so, the value stored in pathname will no longer be valid. GitHub issue #194. [f75aa1eb5d95]
  • src/exec_intercept.c, src/exec_ptrace.c:
    Correct error message when command doesn’t exist in intercept mode. Previously, we would always use EACCES, even when ENOENT was appropriate. This also affected log_subcmds. [5bc0ecd5d4e6]
2023-01-24 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.13 [c6a247e05a91]
2023-01-23 Todd C. Miller
  • src/exec_ptrace.h:
    Include elf.h, not linux/elf.h but define NT_ARM_SYSTEM_CALL if missing. Older kernel headers are missing the definition of EM_ARM in linux/elf.h. GitHub issue #232 [8bed5e7f8857]
  • lib/util/regress/regex/regex_test.c:
    Add tests for escaped digits. [7e5b7e5e2409]
  • lib/util/regex.c:
    check_pattern: handle escaped digits since GNU libc accepts them. [a20d5a047963]
2023-01-22 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/sudoreplay.c:
    Add eventlog_store_sudo() and use it in sudoreplay. This replaces the custom log formatting used by “sudoreplay -l”. [26dd2367fbdd]
2023-01-21 Todd C. Miller
  • scripts/build_pkgs, scripts/mkpkg:
    Add –build-only flag to skip building packages. [46c0213b2668]
2023-01-20 Todd C. Miller
  • scripts/mkpkg, scripts/pp:
    Suport building packages on DragonFly BSD. [65920923add2]
  • configure, configure.ac, m4/visibility.m4:
    Try to link a simple shared object with -Wl,–no-undefined. This only works for gcc-style compilers, which should not be a problem. The source uses environ (FreeBSD) and errno (OpenBSD). [1c2d9f90bc6d]
  • scripts/build_pkgs:
    Pass the name to the config.cache file to the build script. If –cache-file is not specified, no config.cache file will be used. Add an “omit_artifacts” setting for platforms where we don’t publish artifacts. [c87221f36bf4]
2023-01-19 Todd C. Miller
  • lib/util/regex.c:
    check_pattern: accept a backslash before the numeric bound like glibc. This helps avoid out-of-memory conditions when fuzzing on Linux. [07f14dba22ed]
  • configure, configure.ac:
    Don’t use -Wl,–no-undefined with the sanitizers/fuzzers. It breaks linking when using -fsanitize with clang at least. [a6331135bd73]
  • docs/SECURITY.md:
    Add a link to the sudo security advisories archive. [7137d1d214e5]
  • config.h.in, configure, configure.ac:
    Eliminate usage of obsolete 2-argument AC_CHECK_TYPE macro. [96b37c574fc2]
  • config.h.in, configure, configure.ac, plugins/sudoers/starttime.c, src/regress/ttyname/check_ttyname.c, src/ttyname.c:
    Add support for the struct kinfo_proc on Dragonfly BSD. [4c1a7d223d66]
  • configure, configure.ac:
    Need to link sudo and sudoers with -lutil on Dragonfly BSD. It is safer to just search for setusercontext() in libc and libutil instead of matching on the operating system. [b91a288c9968]
  • configure, configure.ac:
    Elminate the $OS variable, we can just use $host_os instead. [0293bf9d4dd4]
  • plugins/sudoers/editor.c:
    Restore the line that set errno to ENOENT when find_path() fails. This was inadvertently removed when the “goto bad” was added. [b957909a1a75]
  • configure, configure.ac, m4/ldap.m4:
    Add -Wl,–no-undefined to LDFLAGS if it is supported. This will find missing symbols at build-time instead of run-time. Don’t use it on FreeBSD where environ is filled in by the dynamic loader. We also need to pull in -llber with -lldap where possible (instead of relying on DT_NEEDED) to avoid undefined symbol errors when building with LDAP support. [c88bd9fd05c9]
  • plugins/sample/README:
    The sample plugin is now built by default to avoid bit rot. GitHub issue #234. [aac2a29136e1]
  • plugins/sample/sample_plugin.c:
    The change from sudo_printf -> sudo_plugin_printf was incomplete. Fixes GitHub issue #234. [4f8333e3f7b8]
2023-01-18 Todd C. Miller
  • configure, m4/pie.m4:
    Solaris: use lt_prog_compiler_pic instead of assuming -KPIC [36b94699ad63]
  • configure, m4/hardening.m4, m4/pie.m4:
    Solaris: the aslr, nxheap and nxstack link options are only for executables. Move them back to PIE_LDFLAGS, which is only used when linking a binary. [970d533cd9b2]
  • configure, m4/hardening.m4, m4/pie.m4:
    Solaris: move aslr linker option to hardening and try to build real PIEs These flags are specific to the Solaris linker. [c5439fec5cb3]
  • configure, m4/hardening.m4, m4/pie.m4:
    Enable non-executable heap and stack options for Solaris ld. [5be638b9bd79]
  • configure, configure.ac, m4/hardening.m4:
    Limit some of the hardening tests to compilers that define GNUC. This should avoid false positives on other compilers. [1b3b36a2ff2b]
  • plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout:
    Update expected plugin version. [19b2963008a2]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h, src/sudo_edit.c:
    Pass back the number of files to edit when using sudoedit. The sudo front-end can use this to determine where the list of files to edit begins. [c9c1e6e81438]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, include/sudo_lbuf.h, lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c:
    Escape control characters in log messages and “sudoreplay -l” output. The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped.

    Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces.

    Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com). [1cd37144190c]

2023-01-17 Todd C. Miller
  • configure, m4/hardening.m4:
    Add back the linker check for -fstack-clash-protection. This is expected to fix GitHub issue #231. [c08c0a7c8613]
2023-01-17 trackers-love
2023-01-16 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Stop using 8n width in tagged lists. Use either 4n, when the body is expected to wrap or the width of the longest tag when no wrapping is expected. [2b1bc5d31250]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Use -width Ds for the options list, not -width Fl. [598dbf3d2fea]
  • docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
    Reduce the offset of bullet lists to 1n. [893b6fd25564]
  • INSTALL.md:
    Shorten –with-passprompt and –with-mailsubject arguments to a single word. The script that generates the web version of this file doesn’t expect options to include whitespace. [063dc2c168aa]
2023-01-15 Todd C. Miller
  • INSTALL.md:
    Shorten –with-badpass-message argument to a single word. The fix_install script can’t deal with whitespace in options. [17761c19a4b8]
  • LICENSE.md:
    Make numbered lists more markdown-friendly. Also add line breaks when there are multiple authors. [d22146e06e27]
  • INSTALL.md:
    Make lists of directories more markdown-friendly. [b3295e422b33]
2023-01-12 Todd C. Miller
  • lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
    Check for errors when removing the temp directory. If we cannot remove the directory tree that may indicate a file or directory mode problem. [4a162644b61f]
  • lib/iolog/iolog_mkdtemp.c:
    iolog_mkdtemp: fix pasto in last commit Set mode to iolog_dirmode, not iolog_filemode [713773e23472]
  • plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c:
    sudoedit: do not permit editor arguments to include “–” (CVE-2023-22809) We use “–” to separate the editor and arguments from the files to edit. If the editor arguments include “–”, sudo can be tricked into allowing the user to edit a file not permitted by the security policy. Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) for finding this bug. [2ca90805f471]
2023-01-09 Todd C. Miller
  • lib/util/sha2.c:
    In SHA256Pad and SHA512Pad use 511 and 1023 respectively for bitwise AND. Previously we were using 504 and 1016 which still produces the correct result since padding is done in 8-bit bytes. However, using size-1 for the bitwise AND makes the intent clearer and likely would have prevented the previous bug in SHA512Pad. From Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) [4b6a50800ecd]
  • plugins/sudoers/env.c:
    env_file_next_local: change the order of the val_len check. It makes more sense to verify that val_len > 1 before using it. This is not a problem in practice because val[val_len - 1] is guaranteed not to underflow but it can confuse reviewers and static analyzers. [9d6bed4e3fd0]
  • plugins/sudoers/env.c:
    Fix typo in check for environment variables that start with ‘=’. [6dc466c8bf82]
  • lib/util/lbuf.c:
    sudo_lbuf_print: no longer need to check for lbuf->len > 0. Now that lbuf length is unsigned the earlier check for len == 0 is sufficient. [bdfc863f5b5c]
  • lib/util/lbuf.c:
    Increase minimum allocation size from 256 to 1024 bytes. [0f49c8728151]
  • plugins/sudoers/sudoreplay.c:
    Fix IS_IDLOG macro, it was testing the wrong byte for the NUL. This causes the macro to evaluate to false even for valid TSIDs. [77686e4508d3]
2023-01-04 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    sudoers_trace_print: this is a no-op if not debugging [df34de2e60f4]
  • lib/util/lbuf.c:
    sudo_lbuf_expand: don’t allocate less than 256 bytes at a time. [a747682156e6]
2023-01-03 Todd C. Miller
  • lib/util/lbuf.c:
    sudo_lbuf_expand: round nearest power of two instead of multiple of 256. [840855b501de]
  • include/sudo_lbuf.h, lib/util/lbuf.c:
    sudo_lbuf_expand: check for possible integer overflow The numeric fields in struct sudo_lbuf are now unsigned so that wraparound is defined, this make the overflow checks simpler. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [6dc670d15276]
  • MANIFEST, lib/iolog/iolog_json.c, lib/iolog/regress/iolog_json/test3.in, lib/iolog/regress/iolog_json/test3.out.ok:
    Decode \u00XX in a JSON string now that we escape control chars. We don’t write Unicode to the log.json file, only 8-bit ASCII. [83dcacb35309]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/hexchar.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/toke_util.c:
    Move hexchar() from the sudoers plugin to lib/util. [4a6c57c1b66a]
  • lib/util/mkdir_parents.c:
    sudo_open_parent_dir: adjust loop terminating condition Checking for ep < pathend should be a bit clearer than ep != ‘\0’ and has the advantage of working when pathend doesn’t point to a NUL byte. No intended change in behavior. [cee4e0c71070]
  • lib/iolog/iolog_mkdtemp.c:
    iolog_mkdtemp: fix failure when the specified path contains subdirectories. This fixes a bug introduced in sudo 1.9.12. [3a1d5b01b446]
  • lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
    check_iolog_mkpath: fix exit value [9ac13d6657f6]
2023-01-02 Todd C. Miller
  • Merge pull request #227 from sohomdatta1/integer_underflow

    Prevent integer underflow due to environment variable [c6c716352077]

2023-01-02 Sohom
  • plugins/sudoers/env.c:
    Prevent integer underflow due to environment variable

    Gaurd against replacing quotes when the environment variable val_len is 1. [1b926824dcf8]

2023-01-01 Todd C. Miller
  • lib/util/regex.c:
    glibc allows the ‘,’ in {low,high} to be escaped with a backslash. Adjust bound parsing to match this. [b2bbac2bab6a]
2022-12-31 Todd C. Miller
  • configure, configure.ac:
    Fix logic goof in 05781ba6f1f3, disable replacements when fuzzing. Not the other way around. [abcf2deb9d0e]
2022-12-30 Todd C. Miller
  • configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Substitute python plugin file name in sudo_plugin_python documentation. Also use prefix for group plugin fallback path section in sudoers manual. [e245808fbe74]
  • lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
    Use correct dictionary file format. Also use the new dictionaries in the Makefile fuzz target. [c39e699cb9b6]
  • MANIFEST, lib/iolog/regress/corpus/seed/log_legacy/less.log, lib/iolog/regress/corpus/seed/log_legacy/smtpctl.log, lib/iolog/regress/corpus/seed/log_legacy/vi.log, lib/iolog/regress/corpus/seed/timing/timing.5, lib/iolog/regress/corpus/seed/timing/timing.6, lib/iolog/regress/corpus/seed/timing/timing.7, lib/iolog/regress/corpus/seed/timing/timing.8, lib/iolog/regress/corpus/seed/timing/timing.9:
    Add some addition entries for the I/O log fuzzer seed corpus. [51d4bf5f014c]
  • MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
    Add dictionaries for fuzz_iolog_legacy and fuzz_iolog_timing. [84d1e53ea8eb]
  • include/sudo_fatal.h:
    Don’t send warn/fatal output to the debug file when fuzzing. [968fedf79f23]
  • lib/util/getentropy.c:
    Back out the genentropy.c portion of c648cfe9ff0f We don’t need to special-case FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION now that we use the glibc arc4random() where available. [7d69e44e3e9b]
2022-12-29 Todd C. Miller
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Use initprogname(), not setprogname() in the fuzzers. This results in better coverage for progname.c. [dede53f4b0db]
  • lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok:
    Add probe_interfaces and intercept_path. [f00ecf67a5e1]
  • lib/util/regress/fuzz/fuzz_sudo_conf.c:
    Exercise getter functions. [3208a9508724]
  • configure, configure.ac:
    Avoid using our function replacements when fuzzing (where possible). We don’t want to fuzz the function replacements themselves as this can skew the coverage reports. [05781ba6f1f3]
  • plugins/python/regress/check_python_examples.c:
    Disable sudo_debug tests when fuzzing. The debug code is disable when fuzzing is enabled to avoid coverage issues. [2c90549a0918]
  • lib/util/fatal.c, lib/util/getentropy.c, lib/util/sudo_conf.c:
    Avoid compiling some code paths that are unreachable when fuzzing. [c648cfe9ff0f]
  • plugins/sudoers/regress/serialize_list/check_serialize_list.c:
    Plug memory leak. [6189ff1db193]
2022-12-28 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_policy.dict:
    Update fuzz_policy keywords to match current policy settings. [0db960f83cf1]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
    Add example users and groups to the dictionary. [6fd8ad758aed]
  • plugins/sudoers/env.c, plugins/sudoers/sudoers.c, src/parse_args.c:
    parse_args: an environment variable may not start with ‘=’. Also check VAR=val format in validate_env_vars() and add an error message if insert_env_vars() fails. [b9b9acae1671]
  • plugins/sudoers/env.c:
    rebuild_env: avoid a potential NULL dereference in fuzz_policy [90f5d579dd69]
  • plugins/sudoers/sudoers.c:
    sudoers_policy_main: plug memory leak of iolog_path on error. [99cbe3d513e6]
  • plugins/sudoers/env.c:
    rebuild_env: avoid a potential NULL dereference in fuzz_policy [de05b4f00f35]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    The contents of the env_add array should not include the leading “env=” prefix. The previous fix for this was incomplete. [849fee26133a]
  • plugins/sudoers/env.c:
    validate_env_vars: more efficient errbuf handling Also avoid appending to errbuf if it is already full. [1ffd174fa0ea]
2022-12-27 Todd C. Miller
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Document that -k does not interfere with sudo on other terminals. This should help clarify the difference between “sudo -k” and “sudo -K”. [589d750faf30]
  • lib/util/regex.c, lib/util/regress/regex/regex_test.c:
    Check for bound values larger than 255 and reject them. This is to prevent the fuzzers from running out of memory. [f172a6d64a34]
  • scripts/pp:
    Use the POSIX shell “command -v” instead of “which” to find programs. Fix false detection of init.d/service status. [aee53eddfc18]
  • etc/sudo.pp:
    Use sed instead of ed to modify the packaged sudoers file. Some Linux distros do not include /bin/ed by default. [217ef1afaacb]
2022-12-26 Todd C. Miller
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in:
    Use @intercept_file@ and @noexec_file@ like the example file. [726e060da20e]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    There is a @pam_login_service@ substitution but no @pam_service@. Just use sudo instead of @pam_service@. [b16f28ccc847]
  • examples/sudo.conf.in:
    Use @sudoers_plugin@ instead of @sudoers_module@. [4c92b9ef93b5]
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Use @sudoers_plugin@ instead of @sudoers_module@. [3c50a97c1bbd]
  • INSTALL.md, NEWS, config.h.in, configure, configure.ac, docs/UPGRADE.md, scripts/config.guess, scripts/config.sub:
    sudo 1.9.13 Document the changes to AIX plugins in docs/UPGRADE.md and regenerate configure using the latest autoconf from git. [b897ca965a0f]
  • scripts/build_pkgs:
    Remove anything after whitespace in MANIFEST when building tarball. This is consistent with how sudo’s Makefile builds the tarball. [db48ecf91964]
  • configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, pathnames.h.in, src/load_plugins.c, src/preload.c:
    Use AIX-style shared libraries on AIX by default instead of SVR4-style. This removes the need to use the -brtl linker flag which can cause problems when there are both a .so and .a version of the same library but with different versions. This was particularly problematic when using the AIX freeware version of OpenSSL. The –with-aix-soname=svr4 option can be used to build SVR4-style shared libs instead. [268bd3bc7717]
  • lib/util/sudo_dso.c, src/load_plugins.c:
    sudo_dso_load: add AIX fallback path from shlib.so to shlib.a(shlib.so). If the .so file is missing but the .a file exists, try to dlopen() the AIX .a file using the .so name as the member. We need to avoid breaking existing configurations if the type of AIX shared library changes when sudo is upgraded. [f64cf05bb2c2]
  • plugins/sudoers/group_plugin.c, src/load_plugins.c:
    Remove the owner and mode checks when loading a sudo plugin. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. The checks complicate loading of shared objects since we need to perform fallback processing twice. [60a811d58138]
  • MANIFEST, plugins/python/Makefile.in, plugins/python/python_importblocker.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/testdata/sudo.conf.developer_mode, plugins/python/regress/testdata/sudo.conf.normal_mode, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_module.h:
    Remove the Python plugin import blocker code. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. [1d261d802b82]
  • MANIFEST, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, examples/sudo.conf.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.dict, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok, lib/util/regress/sudo_conf/test8.err.ok, lib/util/regress/sudo_conf/test8.in, lib/util/regress/sudo_conf/test8.out.ok, lib/util/sudo_conf.c:
    Remove developer mode from sudo.conf, it is no longer used. [2b350bfe4d7c]
  • plugins/sudoers/sudoers_version.h:
    Bump SUDOERS_GRAMMAR_VERSION to 50 for the new list pseudo-command. [60e6e3b59b1e]
2022-12-25 Todd C. Miller
  • docs/Makefile.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in:
    Use “.Sy root” instead of “.Em root” when talking about the root user. Replace MANDOCPROG with “mandoc” now that MANDOCPROG has been removed. [a0b80a88eb7c]
2022-12-22 Todd C. Miller
  • Merge pull request #226 from rtczza/main

    debug_return_int use error [7743f67838ae]

2022-12-23 wanglujun
2022-12-22 Todd C. Miller
  • lib/util/sudo_dso.c, src/load_plugins.c:
    Fix support for AIX-style path(module) syntax in sudo.conf Plugin lines. [b8666283d2f2]
2022-12-20 Todd C. Miller
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Mention the “list” privilege in the description of the -U option. [f5416004ef2e]
  • docs/sudo.man.in, docs/sudo.mdoc.in, src/parse_args.c, src/sudo_usage.h.in:
    Add [arg …] after command in SYNOPSIS and usage output. Use Ar markup when referring to the command and args. [40fca0824680]
2022-12-17 Todd C. Miller
  • src/exec_preload.c:
    fmtstr: call va_arg() for %c when computing length. Even though we don’t need to read the actual char to know its length, we do need to consume it to get the correct value for the next format. [fadd0047868b]
  • configure, m4/sanitizer.m4:
    SUDO_CHECK_SANITIZER: quote “$3” in awk script so m4 doesn’t eat it. [fcf1661bfebd]
  • lib/util/regress/json/json_test.c:
    Add missing sudo_json_free(). [fa5e5af55927]
  • MANIFEST, lib/util/Makefile.in, lib/util/regex.c, lib/util/regress/regex/regex_test.c:
    check_pattern: check bounds as a repetition operator too. Add regess to verify check_pattern() via sudo_regex_compile(). [48cbddf476a5]
  • lib/util/regex.c:
    Instead of collapsing duplicate repetition characters, reject them. This is implementation-specific behavior–some regcomp(3) will reject duplicate repetition characters (BSD), others will try to support them (Glibc) but may allocate excessive amounts of memory. [a0cb75d9b5e5]
  • MANIFEST, docs/CONTRIBUTORS.md, po/sq.mo, po/sq.po:
    New Albanian translation from translationproject.org [4a8dedc6500d]
2022-12-15 Todd C. Miller
  • MANIFEST, include/sudo_json.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/Makefile.in, lib/util/json.c, lib/util/regress/json/json_test.c, lib/util/util.exp.in, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c:
    Add basic regress for JSON functions. Fix a bug in escaped control character handling. Roll back changes to buffer if sudo_json_add_value() fails. [8b61266511fe]
  • plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c:
    Add missing memory allocation failure checks. Inspired by GitHub PR #221 [9f09479191e9]
2022-12-14 Todd C. Miller
  • lib/util/json.c:
    Escape control characters in strings. [9668cd68daee]
2022-12-12 Todd C. Miller
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Mention the audit plugin in the “Process model” section. Remove extraneous information describing how sudo may exec the command directly, this is already included in the non-pty section. [9d01a9682ed2]
2022-12-11 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
    Plug a memory leak of list_cmnd in the fuzzers. [b413becfb8db]
  • plugins/sudoers/cvtsudoers.c:
    Suppress PVS Studio watning about reassigning a variable the same value. Working around the warning would result in more fragile code. [b4227e531fb7]
  • lib/util/regress/multiarch/multiarch_test.c:
    Fix memory leak in multiarch_test to quiet leak sanitizer. [1491ce67725c]
  • plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
    Fix some dead stores noted by PVS Studio. Since rc is initialized to SUDO_RC_ERROR there is no need to set it to SUDO_RC_ERROR again on failure if rc has not been changed since initialization. [f6c075dedfe3]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/logging.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Add “list” pseudo-command to allow a user to list another user’s privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For “sudo -l [-U otheruser] command”, NewArgv[0] is now set to “list” (just like “sudo -l”) and the actual command to be checked starts with NewArgv[1]. [225eac96d11f]
2022-12-09 Todd C. Miller
  • etc/codespell.exclude:
    Adjust a line to quiet codespell warning. [f920076a902d]
2022-12-08 Todd C. Miller
  • Makefile.in:
    Only build ChangeLog from a repo checkout, not a release tarball. The CODEOWNERS file is not present in the release tarball so we can use that when determining what is (or is not) a repo checkout. [290ce43f0f66]
  • docs/CODEOWNERS:
    Add CODEOWNERS file, currently all owned by @millert. [3becb02b5cd6]
  • .gitignore, .hgignore, Makefile.in:
    Only regenerate ChangeLog if there have been changes. Also check that “hg –version” or “git –version” works before using hg or git. Bug #1043. [d9a28bb02621]
2022-12-07 Todd C. Miller
  • plugins/sudoers/parse.c:
    Fix potential crash introduced in the fix for GitHub issue #134. If a user’s sudoers entry did not have any RunAs user’s set, running “sudo -U otheruser -l” would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219. [3d12dfeef26b]
  • scripts/build_pkgs:
    Defer installing the SIGCHLD handler until after non-job commands run. Lock the socket dir to avoid races in open_persistent_connection(). Also avoid using “ssh -f” since that may return before the socket is created. Strip carriage returns from log when running in a pty. [d0da1a261fbc]
2022-12-06 Todd C. Miller
  • configure, m4/sudo.m4:
    Fix a typo in SUDO_CHECK_NET_FUNC. [08cb2ba84897]
  • configure, m4/sudo.m4:
    Initialize “found” in SUDO_CHECK_NET_FUNC. [a5daeb77e6bb]
  • configure, m4/sudo.m4:
    Fix pasto introduced in last commit. [7e1b09977be3]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Fix failure in check targets when there is no UTF-8 C locale. [721c8bdff28f]
  • configure, configure.ac, m4/sudo.m4:
    Add SUDO_CHECK_NET_FUNC to check functions in the network libraries. If a function is not found, check again with “-lsocket”, “-linet”, “-lsocket -lnsl”, or “-lresolv”. Also display network libs in final summary as well as the different linker flags. [a0ce3347cd8d]
  • configure, m4/sudo.m4:
    Make sure HAVE_MAILLOCK_H is defined on Solaris 10. [bb9f3a1beff5]
  • configure, configure.ac:
    Remove extraneous “(cached)” line when the -C option is used. We do not need to call AC_CACHE_VAL() to ensure that a variable is cached, its name just needs to match the pattern cv. [b8ffa09d0cd7]
  • configure, m4/sudo.m4:
    Make path checks in sudo.m4 cachable. [0bcfa73702d3]
  • configure, configure.ac:
    Use AC_PATH_PROGS_FEATURE_CHECK to find mandoc/nroff. We don’t use the NROFFPROG or MANDOCPROG any longer so no need to set those. [7d96680046a6]
  • configure, configure.ac:
    Don’t check for _sys_siglist if sys_siglist is found. [2c70aba3935c]
  • configure, configure.ac:
    Fix check for sys_sigabbrev. [b8537a76815f]
2022-12-05 Todd C. Miller
  • configure, configure.ac:
    Skip test for func on C99 and above, avoid extra _sys_signame test. [71f3497a6a3a]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/gettext.m4:
    Move gettext checks to m4/gettext.m4 [693029542e06]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/ldap.m4:
    Move LDAP library checks to m4/ldap.m4 and make more tests cacheable. [85fa1f49298a]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/openssl.m4:
    Move OpenSSL/wolfSSL checks to m4/openssl.m4 [08b90f3cef52]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/pie.m4:
    Move PIE executable checks to m4/pie.m4 [6b5cac6cecd5]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/sanitizer.m4:
    Move address sanitizer and fuzzer checks to m4/sanitizer.m4 [a6372917d53b]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/visibility.m4:
    Move symbol visibility checks to m4/visibility.m4 [4684049c2d2c]
  • MANIFEST, aclocal.m4, configure, configure.ac, m4/hardening.m4:
    Move hardening checks to m4/hardening.m4 [c03abb3c9f55]
  • configure, configure.ac, m4/sudo.m4:
    Make cpp variadic arguments check into a macro and move to sudo.m4. Also move the PVS-Studio.cfg generation to sudo.m4. [c1a8d3b46be1]
2022-12-03 Todd C. Miller
  • Merge pull request #218 from sohomdatta1/snprintf

    [snprintf] Check for ‘\0’ to prevent undef memory read [050882923c98]

2022-12-03 Sohom
  • lib/util/snprintf.c:
    [snprintf] Check for ‘\0’ to prevent undef memory read [aff60c479c10]
2022-12-01 Todd C. Miller
  • lib/eventlog/eventlog.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c:
    Place C23 attributes before keywords in function declarations. In practice this means we must use “sudo_noreturn static foo(void)” instead of “static sudo_noreturn foo(void)”. [6c1836dcb2d6]
2022-11-30 Todd C. Miller
  • scripts/build_pkgs:
    Convert from using IPC::Open3 to IPC::Run. Run tests in a pty so check_ttyname works as expected. Explicitly set short command line options letters in GetOptions(). Add a debug flag to help see what is going on internally. Add hook for die() to kill running jobs when we are dying. SSH_AGENT_PID will not be present if the agent is forwarded. In close_persistent_connections() only close active connections. [d49e1ac7e2f2]
2022-11-29 Todd C. Miller
  • config.h.in, configure.ac, include/sudo_compat.h:
    Use C23 [[fallthrough]] and [[noreturn]] attributes if supported. If the C23 attributes are not supported, use gcc-style attributes where possible. [57676068e9a9]
  • configure, configure.ac:
    Move the check for the fallthrough attribute outside the warnings block. Use AX_APPEND_FLAG instead of addind to CFLAGS directly. [dc22d8238827]
2022-11-28 Todd C. Miller
  • scripts/build_pkgs:
    The distributed package build script I use to build all sudo packages. This is not included in the release tarball because it is of limited use to other people. [94c58cc272c8]
2022-11-25 Todd C. Miller
  • Makefile.in:
    Pass the list of files to include in the tarball on stdin. This avoids any limit on the size of argv. [0af8578c89fe]
2022-11-23 Todd C. Miller
  • Merge pull request #214 from BornThisWay/1124_repeated_invocation

    check_syntax(): Remove duplicate calls to init_defaults() [3383fb0a6f5f]

2022-11-24 modric
  • plugins/sudoers/visudo.c:
    check_syntax(): Remove duplicate calls to init_defaults() [048ccd968df9]
2022-11-22 Todd C. Miller
  • plugins/sample/sample_plugin.c:
    build_command_info: free command_info on failure. Once upon a time, command_info was a stack variable, now it is dynamically allocated. Coverity CID 299987. [a80110e49952]
  • plugins/sample/sample_plugin.c:
    Better handling of out-of-memory conditions. [ee3e47c4d272]
  • plugins/group_file/group_file.c:
    Keep group file open until the call to myendgrent(). This restores the previous behavior. [79751f7308d7]
  • lib/util/json.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/match_command.c, plugins/sudoers/strvec_join.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/sudo.c:
    Eliminate a few harmless dead stores. Quiets warnings from Infer. [8bed7579b75d]
  • plugins/sudoers/ldap_util.c:
    sudo_ldap_parse_option: add explicit NULL check for strchr(). This should not be needed since we only use the returned pointer if it is larger than the string passed to strchr(). Quiets a warning from Infer. [852aec3e0450]
  • logsrvd/logsrvd_journal.c:
    journal_fdopen: free journal_path and close journal before setting Fixes a potential resource leak that currently cannot happen. Quiets a warning from Infer. [bfe41e247c35]
  • plugins/sudoers/ldap.c:
    sudo_ldap_result_add_entry: check sudo_ldap_get_values_len() return value. Previously, we just compared the error code with LDAP_NO_MEMORY when checking for sudoOrder since this is the only error we care about. We now return NULL for LDAP_NO_MEMORY and ignore other errors. Quiets a warning from Infer. [6e5a490b735c]
  • plugins/group_file/getgrent.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h:
    Refactor code to open passwd/group file and add setpassent/setgroupent. This makes the “stayopen” semantics match the system passwd/group functions. The getpwent/getgrent functions now open the database if it is not already open. [27bfa97ad47c]
  • plugins/sudoers/Makefile.in, plugins/sudoers/gram.h:
    gram.h: #line directives should reference gram.h not y.tab.h. [7a2d4a24d839]
  • scripts/mkpkg:
    Use clang, not /usr/bin/cc on FreeBSD and macOS. While /usr/bin/cc is clang on those platforms, some static analyzers get confused if we don’t run it as clang. [d0c1f5940789]
2022-11-21 Todd C. Miller
  • Merge pull request #212 from BornThisWay/1122_null_deref

    sudo_rcstr_dup: Fix potential NULL pointer deref [58fcefa888fa]

2022-11-22 modric
  • lib/util/rcstr.c:
    sudo_rcstr_dup: Fix potential NULL pointer deref [f45acaded1e5]
2022-11-21 Todd C. Miller
  • plugins/sudoers/check.c:
    Add a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. [7bc25043c760]
  • Merge pull request #210 from BornThisWay/1121_typo

    Fix some typos [9d1e9278effb]

2022-11-21 modric
  • plugins/python/regress/testhelpers.h, plugins/sudoers/parse.c:
    Fix some typos [d7d1c3ade748]
2022-11-20 Todd C. Miller
  • Merge pull request #208 from BornThisWay/1121_return

    intercept_read: Print and then return. [615c2d5fca36]

2022-11-21 modric
  • src/exec_intercept.c:
    intercept_read: Print and then return. [049547eb7ac0]
2022-11-20 Todd C. Miller
  • Merge pull request #205 from BornThisWay/1119_access_null_pointer

    sudo_mmap_strdup_v1: Fix potential NULL pointer deref [bad55afc72bb]

2022-11-19 modric
  • lib/util/mmap_alloc.c:
    sudo_mmap_strdup_v1: Fix potential NULL pointer deref [f8da23aff2ec]
2022-11-18 Todd C. Miller
  • src/sudo_intercept.c:
    copy_vector: plug memory leak in error path Only the array was being freed, not the contents. GitHub issue #202. [cd1407dbe65f]
2022-11-17 Todd C. Miller
  • scripts/mkpkg:
    Better matching of macOS version to SDK path. [db7f2cbdb023]
  • Merge pull request #200 from BornThisWay/fix_mem_leak_converse

    Fix memory leak of pass in converse(). [b411801abdf7]

  • plugins/sudoers/auth/passwd.c:
    sudo_passwd_cleanup: Set auth->data to NULL after freeing. GitHub issue #201 [e558188bd99d]
2022-11-17 modric
  • plugins/sudoers/auth/pam.c:
    Fix memory leak of pass in converse(). [052c99eaad8f]
2022-11-16 Todd C. Miller
  • config.h.in, configure, configure.ac:
    Use AC_SYS_YEAR2038 instead of setting _TIME_BITS by hand. [049113d798e9]
  • configure, m4/ax_append_flag.m4, m4/ax_check_compile_flag.m4, m4/ax_func_snprintf.m4, m4/ax_prog_cc_for_build.m4:
    Update macros from autoconf-archive. [48b960c883df]
  • plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/visudo/test3.sh:
    Fix typo; excerise -> exercise [42cdb396b72b]
  • config.h.in, configure, scripts/config.guess, scripts/config.sub:
    Regenerate with the autoconf 2.72a pre-release. [51d043878181]
  • configure.ac:
    Fix insufficient quoting in AC_CHECK_LIB() calls. [78d37b60a912]
  • autogen.sh:
    If AUTOCONF_VERSION is unset, use version 2.71 not 2.69. [108faf700aa7]
  • configure.ac, m4/ax_func_getaddrinfo.m4, m4/sudo.m4:
    Replace foo in descriptions with ‘foo’ [ba63cef7bbe8]
2022-11-15 Todd C. Miller
  • configure, configure.ac:
    Add -Wvla and -Walloca to –enable-warnings [7b9b59e35905]
2022-11-11 Todd C. Miller
  • plugins/sudoers/pwutil.c:
    sudo_debug_group_list: short-circuit if groups is NULL [0f8f11ef82b6]
  • configure, configure.ac:
    configure: only check for getauxval() if getentropy() is missing. [c056c2fc3898]
  • config.h.in, configure, configure.ac:
    Remove checks for random() and lrand48(), they are no longer used. Also remove duplicate checks for arc4random() and getentropy(). [e3433874211d]
  • configure, configure.ac:
    Skip check for cpp variadic macro support if the compiler supports C99. [42efc9934ef5]
  • configure, configure.ac:
    HI-UX/MPP is based on OSF-1, not HP-UX Completely untested. [c55ba59cd24d]
  • configure, configure.ac:
    Only check for utmps.h on HP-UX. [682bb16545cf]
  • configure, configure.ac:
    Only check for sys/syscall.h on Linux. We only use it in the Linux- specific getentropy() emulation code. [eac313bfc142]
  • config.h.in, configure, configure.ac:
    configure: avoid running unnecessary tests on modern systems. Remove AC_SYS_POSIX_TERMIOS, AC_TYPE_MODE_T, AC_TYPE_UID_T. Add missing checks for int16_t, uint16_t, int32_t, and int64_t. Only check for intmax_t, uintmax_t and bit-width types if missing both inttypes.h and stdint.h. Remove unused clockid_t replacement. [9f1f9d365f60]
  • MANIFEST, plugins/sudoers/regress/cvtsudoers/test40.out.ok, plugins/sudoers/regress/cvtsudoers/test40.sh:
    Add a regress check for the cvtsudoers filter crash. GitHub issue #198. [f0abea1f10d0]
  • Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    The name of the C locale w/ UTF-8 support is not always C.UTF-8. Use a pattern to find it (if present) and use that value instead of hard-coding C.UTF-8. This works around a leak sanitizer crash on certain inputs. [99aeb5a875f7]
2022-11-10 Todd C. Miller
  • plugins/sudoers/parse_ldif.c:
    Fix a potential use-after-free bug with cvtsudoers filtering. In role_to_sudoers() when merging a privilege to the previous one where the runas lists are the same we need to re-use the runas lists of the last command in the previous privilege, not the first. Otherwise, the check in free_cmndspec() will not notice the re-used runas lists. Reported/analyzed by Sohom Datta. GitHub issue #198. [29d1380d2fe0]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/seed/ldif/invalid_b64.ldif, plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/corpus/seed/ldif/sample.ldif, plugins/sudoers/regress/corpus/seed/ldif/valid_b64.ldif, plugins/sudoers/regress/cvtsudoers/test39.sh:
    Copy some LDIF test data from the cvtsudoers tests to the seed corpus. This includes a test to exercise the fix in PR #196. [f74d65cf34d1]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Set LDAP base for sudoers_parse_ldif(). Without this set the fuzzer will not exercise the dn parsing. [c154b1a5d287]
  • src/exec_ptrace.h:
    Include linux/elf.h, not elf.h to make sure we get NT_ARM_SYSTEM_CALL. The NT_PRSTATUS define is present in both files. [4a4e3142381a]
2022-11-09 Todd C. Miller
  • include/sudo_compat.h:
    Remove CMSG_* compatibility macros, they are no longer used. [5914434ecb5c]
  • lib/util/multiarch.c, lib/util/sudo_dso.c:
    Add missing include of sys/stat.h [d3b0f701c75f]
  • include/sudo_util.h:
    Move forward declaration of struct stat before its first use. [f3cc645d197c]
  • plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test39.sh:
    Use a consistent base when testing cvtsudoers conversion from ldif. [a22cb486b2a3]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test39.out.ok, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/harness.in:
    Test parsing LDIF when a backslash is the last char of the file. If run with address sanitizer, this test will crash when the fix in ceaf706ab74b is reverted. [f50c78b7ed32]
  • Merge pull request #196 from sohomdatta1/main

    Prevent cvtsudoers from reading into undefined memory [f21c417bbbb3]

2022-11-09 Sohom
  • plugins/sudoers/parse_ldif.c:
    [cvtsudoers]: Prevent sudo from reading into undefined memory [ceaf706ab74b]
2022-11-08 Todd C. Miller
  • plugins/sudoers/auth/passwd.c:
    sudo_passwd_verify: zero out des_pass before returning. [c809232fdb7d]
2022-11-07 Todd C. Miller
  • src/exec_pty.c:
    Don’t kill the parent process group on suspend if it is not sudo’s pid. If sudo is not the process group leader we must only send the suspend signal to sudo itself. When sudo is run via a shell script, it usually has the same process group as the shell script interpreter. We do not want to suspend the script itself when the command run by sudo is suspended. [e6715ec62335]
  • src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
    Pass sudo’s process ID to suspend_sudo_nopty() since we already know it. Saves an unnecessary getpid(2) call. [1e12d9b0ce53]
  • src/exec_nopty.c:
    Call terminate_command() with use_pgrp = false when not running in a pty. When sudo runs a command in the user’s existing terminal the command is run in the same process group as sudo itself. The proper way to terminate it is to use kill(2), not killpg(3) [3d9862963e92]
  • src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    Fix handling of signal forwarding when running commands in a script. We need to forward signals from a process in the same pgrp if the pgrp leader is not either sudo or the command itself. [d1bf60eac57f]
  • src/regress/intercept/test_ptrace.c:
    Make test_ptrace compile again after recent changes. [e766db5aa9d4]
  • src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c:
    Update the cwd for log_subcmds too. Fixes a problem for intercept_method=trace when running a relative command from a different directory than what sudo ws started from. GitHub issue #194 [b831f2397d9f]
2022-11-04 Todd C. Miller
  • NEWS, aclocal.m4, configure, configure.ac:
    sudo 1.9.12p1 [6268fbabdb16]
2022-11-03 Todd C. Miller
  • lib/iolog/host_port.c:
    Include time.h for struct timespec used by sudo_iolog.h. [369c8e799652]
  • src/sudo.c:
    Display sudo_mode in hex in debug log. This makes it easier to match against the MODE_ defines. [971e8f88bc12]
2022-11-01 Todd C. Miller
  • plugins/sudoers/auth/bsdauth.c:
    bsdauth_verify: do not write to prompt, it is now const [1969a562cf14]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Store raw sudoers lines in the debug log. Also add a “sudoerslex” prefix to the token debug info in sudoers_trace_print(). [be03aef496cb]
2022-10-31 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    The line numbers in sudoers_trace_print() were off by one. The line counter is incremented when a newline is seen so the output actually refers to the previous line. [a97182a63419]
  • plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.h:
    Make the second arg to the sudo auth verify function const. This may be either a plaintext password or a password prompt. Either way it should not be modified by the verify function. [11aefc2bc3da]
2022-10-29 Todd C. Miller
  • plugins/sudoers/match.c:
    Move debugging info from hostname_matches() to host_matches(). [2a53d2dcd1f5]
2022-10-28 Todd C. Miller
  • plugins/sudoers/pwutil.c:
    Add debugging to sudo_set_grlist() and sudo_set_gidlist(). [620d6f7fb4f8]
  • plugins/sudoers/auth/passwd.c:
    Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with sudo 1.8.0 the plaintext password buffer is dynamically sized so it is not safe to assume that it is at least 9 bytes in size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. [a6229aa26fbf]
2022-10-27 Todd C. Miller
  • configure, configure.ac:
    configure: better test for -fstack-clash-protection The gcc front- end may accept -fstack-clash-protection even if the machine-specific code does not support it. We use a test program with a large stack allocation to try to cause the compiler to insert the stack clash protection code, or fail if not supported. GitHub issue #191 [bbfbe758258c]
  • configure, configure.ac:
    Check that compiler accepts -fstack-clash-protection and -fcf- protection. Previously, we only checked that linker accepted them. GitHub issue #191 [7d36b89b6e4d]
2022-10-26 Todd C. Miller
  • src/exec_ptrace.c:
    Fix compilation error on Linux/mips. [ae4c28d8a050]
2022-10-21 Todd C. Miller
  • src/Makefile.in:
    Regenerate dependencies for src/sesh.c. [ada8f04afc6d]
  • plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in:
    Sync clean target with other Makefile.in files. [8048628a554e]
  • Makefile.in, plugins/sample/Makefile.in:
    Build the sample plugin but do not install it by default. We no longer install the sample approval plugin. [a8644924b6a1]
  • plugins/sample/sample_plugin.c:
    Adapt to current plugin API and fix warnings. [d822f1a10361]
2022-10-20 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Disable admin_flag by setting to NULL, not false. Found by cppcheck. [6e32481e0555]
  • include/sudo_util.h, lib/util/fatal.c, lib/util/term.c, lib/util/util.exp.in, src/conversation.c:
    Only add trailing carriage return to messages if output is a raw tty. If output is being written to a terminal in “raw” mode, we need to add a carriage return after the newline to avoid “stair-step” output. However, we should not write the carriage return if the terminal is in “cooked” mode, output to a pipe, or output redirected to a file. Bug #1042. [14f5bf04245f]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Make it clear that runas_default sets the default user for Runas_Spec. Also use mention runas_default in other parts of the manual, use @runas_default@ instead of root and add markup around user names. GitHub issue #186. [73f0b82a2b22]
  • lib/util/multiarch.c, lib/util/sudo_dso.c:
    Fix a typo, muti-arch -> multi-arch GitHub issue #185 [d88270b9e98f]
2022-10-19 Todd C. Miller
  • plugins/sudoers/policy.c:
    Don’t NULL out the plugin close function when logging to a log server. If sudo calls execve(2) directly the accept info will not be sent. We also need the sudo front-end to wait until the command finishes to send the exit status. [11976aa84040]
2022-10-17 Todd C. Miller
  • INSTALL.md:
    Fix numbering in “Simple sudo installation” [695bec2a6223]
2022-10-14 Todd C. Miller
  • plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/ja.mo, po/ja.po, po/ka.mo, po/ka.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po:
    Updated translations from translationproject.org [b1f28405c58d]
  • lib/zlib/zconf.h.in:
    Don’t define _LARGEFILE64_SOURCE or _LFS64_LARGEFILE. We don’t need them and the missing prototype for crc32_combine_gen64() issue has been fixed upstream. [39eb41f1dba4]
2022-10-13 Todd C. Miller
  • lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
    Update embedded copy of zlib to version 1.2.13. Fixes CVE-2022-37434. [737d6de5253c]
  • lib/util/fchownat.c:
    Add fchownat() for systems without it. [7c4aeda51522]
2022-10-10 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.12 [179fba83936d]
  • src/selinux.c, src/sesh.c, src/sudo_edit.c:
    Use getopt() and getopt_long() for sesh command line options. [fbaa6c75e2ef]
  • plugins/sudoers/def_data.c, plugins/sudoers/def_data.in:
    Update the description of intercept_verify [63f80a7cd4a6]
2022-10-07 Todd C. Miller
  • src/load_plugins.c:
    Silence a warning from the Solaris Studio compiler. [49a3c72cb539]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_eventlog.h, include/sudo_json.h, include/sudo_plugin.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/json.c, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/sudoers.h, src/env_hooks.c, src/exec_intercept.c, src/net_ifs.c, src/sudo_intercept_common.c, src/sudo_plugin_int.h:
    Avoid a -Wshadow warning on Solaris 9. [e6bc419fa976]
  • lib/util/mmap_alloc.c:
    Fix a build error on Solaris 9. [679b60caf5a3]
2022-10-06 Todd C. Miller
  • plugins/sudoers/parse.c:
    Fix display of command tags and options in “sudo -l” when RunAs changes. A new line is started when RunAs changes which means we need to display the command tags and options again. GitHub issue #184 [3180777986de]
  • plugins/sudoers/fmtsudoers.c:
    Fix printing of MYSELF when listing another user’s privileges. We need to use list_pw if it is set instead of user_name. GitHub issue #183 [268044635b44]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/multiarch.c, lib/util/regress/multiarch/multiarch_test.c, lib/util/sudo_dso.c, lib/util/util.exp.in, src/load_plugins.c:
    Apply multiarch rules when loading plugins too. [f53fe06fce06]
2022-10-05 Todd C. Miller
  • lib/util/sudo_dso.c:
    sudo_dso_load: try multi-arch on Linux if we can’t load the path. For example, if loading /usr/lib/libsss_sudo.so fails, try again with /usr/lib/x86_64-linux-gnu/libsss_sudo.so. [4eabffa486b5]
  • MANIFEST, lib/util/Makefile.in, lib/util/regress/open_parent_dir/open_parent_dir_test.c:
    Add test for sudo open_parent_dir() [2d6b1be616c9]
  • MANIFEST, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test19.sh:
    Add test for matching a literal "" command line argument as "" in sudoers. GitHub issue #182. [ccb5dc8b23ee]
2022-10-04 Todd C. Miller
  • docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/visudo.c:
    Add -I flag to disable editing include files unless there is an error. This can be used when you only want to edit a single sudoers file unless there is a pre-existing syntax error. [18fbf720fdbf]
  • plugins/sudoers/match_command.c:
    Do not match a literal "" command line argument as "" in sudoers. If the empty string is specified in sudoers, no user args are allowed. GitHub issue #182. [5de0370eddcb]
  • lib/util/sudo_conf.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c:
    sudo_secure_open_{file,dir}: always check thatreturn value is not -1. Avoids false positives from static analyzers that can’t figure out that the fd is always valid when error is SUDO_PATH_SECURE. [f0ebb2b836b9]
  • lib/iolog/iolog_mkdtemp.c:
    Correct return value when mkdtempat() fails. [5a491fac8f49]
  • lib/util/mkdir_parents.c:
    sudo_open_parent_dir: stop before creating the last path component Fix a regression introduced in sudo 1.9.9 where the entire directory path was created instead of just the parent directory. [fdaa5aeb744b]
2022-10-01 Todd C. Miller
  • Makefile.in, scripts/log2cl.pl:
    Use “hg log –template” instead of “hg log –style”. [63f020404fbb]
2022-09-29 Todd C. Miller
  • plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, src/parse_args.c:
    Mark code that escapes/unescapes “sudo -s cmd args…” for removal. A future version of the plugin API will defer any such escaping to the policy plugin so it can be configurable. [658d1bba4319]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
    Improve the description of JSON output. [258b57ce22ab]
2022-09-28 Todd C. Miller
  • INSTALL.md, etc/codespell.ignore, lib/eventlog/eventlog.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h, src/exec_nopty.c:
    Fix typos found by codespell 2.2.1. [3beaf856c861]
  • logsrvd/iolog_writer.c:
    Change max user-ID and group-ID from INT_MAX to UINT_MAX. [0971e5f9f398]
  • logsrvd/logsrvd_local.c:
    Add support for NumberList stored in an InfoMessage. [a762fe45e5cc]
  • logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c, plugins/sudoers/log_client.c:
    Add missing NULL checks for mandatory fields in protobuf messages. Also no longer reject an InfoMessage with an unknown value_case, just log and ignore it. [41c38e7f075b]
2022-09-27 Todd C. Miller
  • plugins/sudoers/log_client.c:
    Don’t send ttyname to log server if it is NULL. Otherwise the log server will reject the AcceptMessage because a NULL string is not allowed. [df7fea4bef26]
  • src/exec_nopty.c:
    HP-UX has struct winsize in termios.h. [5827a1f234fe]
  • plugins/python/Makefile.in, src/Makefile.in:
    Regen dependencies [817623addc62]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
    Add support for logging stdin/stdout/stderr in the non-pty exec path. If we are logging I/O but not terminal input/output (either because no terminal is present or because that is what the plugin requested), the non-pty exec path is now taken. [205c68d452df]
  • MANIFEST, src/Makefile.in, src/exec.c, src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/regress/noexec/check_noexec.c, src/sudo_exec.h, src/sudo_intercept_common.c:
    Move exec code to call into I/O log plugin to exec_iolog.c. This will be shared with exec_nopty.c in the future to log stdin/stdout/stderr without running the command in a pty. Both exec_pty.c and exec_nopty.c now use the same closure. [45a19e8e3721]
  • plugins/python/python_importblocker.c:
    Implement find_spec, not the deprecated find_module. Fixes a test failure due to find_module having removed from setuptools. [cc1e68c0ee1e]
2022-09-23 Todd C. Miller
  • plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
    copy_arg: fix copying an escaped backslash GitHub issue #179 [d21d95ec5cb0]
2022-09-22 Todd C. Miller
  • config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c:
    Use mkdtempat_np() and mkostempsat_np() on macOS [ad0cd430347e]
2022-09-21 Todd C. Miller
  • include/sudo_iolog.h, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/util/mkdir_parents.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c:
    Convert remaining uses of sudo_mkdir_parents() to sudo_open_parent_dir(). [62fd9644a605]
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl:
    Add fchownat() systems without it. [d51316f1026d]
  • config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c, plugins/python/regress/iohelpers.h:
    Add mkdtempat() and mkostempsat() for systems without them. [099468742d16]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/util/secure_path.c, lib/util/sudo_conf.c, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c:
    Use sudo_secure_open_file() instead of sudo_secure_file() where possible. Both sudo_secure_open_file() and sudo_secure_open_dir() are now passed a struct stat pointer like sudo_secure_file() and sudo_secure_dir(). [c4e4c3f74ea4]
  • include/sudo_util.h, lib/util/mkdir_parents.c, lib/util/secure_path.c, lib/util/util.exp.in, plugins/sudoers/timestamp.c:
    Fix potential TOCTOU when creating time stamp directory and file. [d36591f966c5]
  • lib/util/mkdir_parents.c:
    sudo_mkdir_parents: just use memcpy() to copy the path component. Using snprintf() for this is overkill, we need to do the same length check either way. [8ea754871a54]
2022-09-20 Todd C. Miller
  • lib/util/digest_gcrypt.c:
    Quiet libgcrypt run-time warning about not being initialized. Fixes Debian bug #1019428 and Ubuntu bug #1397663. [ebf9a6477d5d]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/audit.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.h, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Split log_{input,output} into log_{stdin,ttyin} and log_{ttyout,stdout,stderr} If log_input is set, log_{stdin,ttyin} will be set as well. If log_output is set, log_{stdout,stderr,ttyout} will be set as well. This provides more fine-grained control over I/O logging and makes it possible to disable logging piped or redirected intput or output. [5b7ea42ac63b]
  • LICENSE.md, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c:
    Update to protobuf-c 1.4.1 We already had all the relevant fixes so this is just cosmetic. [aa51e48afe49]
  • src/load_plugins.c:
    new_container: no need to initialize container pointer in declaration. From Li zeming. [729a8a417d88]
2022-09-15 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Use tcpgid if passed from sudo front-end and use it in tty_present(). This can be used as another indicator that a terminal is present without having to open /dev/tty. [b804b8b7fc03]
2022-09-13 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Remove most uses of the deprecated Li macro which has no effect. Also fix some other incorrect markup. [8f94cc555092]
2022-09-12 Todd C. Miller
  • Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Use $(GREP) and $(EGREP) variables in Makefile.in files. [cf8d7fb45169]
  • Merge pull request #177 from a1346054/fixes

    Makefile.in: replace egrep and fix target name [751aa03eb470]

2022-09-12 a1346054
2022-09-11 Todd C. Miller
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
    Document apparmor_profile, intercept_verify, and update_ticket. [d55caa1af788]
  • docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
    Fix some of the markup to be more consistent with sudo_plugin.mdoc.in. Also reword a few awkward phrases. [8682c067c38b]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
    Use correct markup of function arguments and struct members. Also remove most uses of the deprecated Li macro which has no effect. [59b01b9ff183]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
    Move the init_session() errstr description to where it belongs. [8c1e7cb23d1f]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Fix a typo [591b75013070]
2022-09-07 Todd C. Miller
  • plugins/sudoers/logging.c:
    log_parse_error: make errstr const to quiet a -Wwrite-strings warning [9827a2a01316]
  • config.h.in, configure.ac, include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_util.h, lib/eventlog/eventlog.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/defaults.c, plugins/sudoers/logging.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.h, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/sudo.h:
    Move gcc-style attribute macros to config.h.in Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike, __printf0like -> sudo_printf0like. Add sudo_noreturn instead of attribute((noreturn)). We do not use stdnoreturn.h since it has been deprecated in C23 in favor of the [[noreturn]] attribute. [ad3c04a1bbb0]
  • plugins/sudoers/visudo.c:
    Add __printf0like to visudo_track_error(). [7a118c40d360]
2022-09-06 Todd C. Miller
  • plugins/sudoers/gram.y:
    Back out unintended change in last commit. [5d52c966212d]
  • plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    It is possibble for sudoerserrorf() to be called with a NULL format. So log_parse_error() needs to check fmt for NULL before using it. [5b779a6888c9]
2022-09-03 Todd C. Miller
  • docs/UPGRADE.md:
    Mention how to restore the historic core resource limit behavior. [bfd792bd9d07]
  • plugins/sudoers/audit.c:
    Set MODE_POLICY_INTERCEPTED for log_subcmds too. This fixes a problem where sub-commands were not being logged to the remote log server, if configured. Since we don’t go through sudoers_policy_main() again for log_subcmds, we set the flag in sudoers_audit_accept() instead. The reason this is complicated is that when I/O logging is enabled the initial accept message gets sent as part of the remote logging handshake. GitHub issue #174 [297fa6bbd769]
2022-09-02 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Only check the admin flag file once in intercept mode. [c439914e08e1]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
    Document cvtsudoers CSV output format [c5164466cae2]
2022-08-31 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
    Document cvtsudoers JSON output format [9fce227c2c61]
2022-08-30 Todd C. Miller
  • src/exec_ptrace.c:
    Zero out register struct before calling ptrace_getregs(). Quiets a spurious valgrind warning. [32f19e2e508f]
2022-08-29 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    intercept_verify is fast, but the policy check is (relatively) slow. [0a120a78bd37]
  • src/exec_ptrace.c:
    Realloc the buffer used to store argv and envp as needed. We now store the vector immediately after the string table. It is possible for argv and its contents to be invalidated by realloc() when reading envp so we store the pointers as offsets until we are done allocating. [7620f3dceac4]
2022-08-28 Todd C. Miller
  • src/exec_ptrace.c, src/exec_ptrace.h:
    ptrace_verify_post_exec: use /proc/PID/cmdline and /proc/PID/environ There is no reason to read these directly from the tracee when we rely on /proc being mounted to access /proc/PID/exe. [5da938210647]
  • src/exec_ptrace.c:
    Protect ptrace_readv_string() with #ifdef HAVE_PROCESS_VM_READV [cc8e71c4c529]
2022-08-25 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Rework the intercept section in “Preventing shell escapes”. [5e5b1ea90ce1]
  • .github/workflows/codeql-analysis.yml:
    Update CodeQL Action to v2 using current example config. [d0aa8b4dda28]
  • lib/util/arc4random.c:
    Suppress PVS-Studio false positive. [32fd02734378]
  • src/exec_intercept.c:
    intercept_check_policy_req: an empty argv[] is now supported [a668708cc0a9]
  • config.h.in, configure, configure.ac, src/exec_ptrace.c:
    Use process_vm_readv(2) and process_vm_writev(2) if available. This is faster than reading/writing from/to the remote process one word at a time using PTRACE_PEEKDATA and PTRACE_POKEDATA. [d0c5ed82738c]
  • plugins/sudoers/check.c:
    Skip all of check_user() for intercept unless intercept_authenticate set. Previously we were calling the PAM approval modules even in intercept mode which can take a lot of time. We may wish to make PAM approval configurable in intercept mode in the future. [e06fbc7e4ca6]
  • plugins/sudoers/sudoers.c:
    Only set MODE_POLICY_INTERCEPTED on subsequent policy checks. This fixes a bug where MODE_POLICY_INTERCEPTED was set too early if the intercept option was set globally in sudoers. It should only be set after the original command has executed. [8f5d47c2635a]
2022-08-23 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    intercept_verify also compares the environment. Also mention the overhead involved in checking things. [44da04558285]
2022-08-22 Todd C. Miller
  • src/exec_ptrace.c:
    ptrace_getregs: make compat check more generic No need to use different checks for mips and non-mips, the compiler will optimize away the superfluous check. [0f2ff0f3f388]
  • src/preload.c:
    Correct type of sudoers_audit. GitHub issue #61 [17a7806ad3ba]
2022-08-20 Todd C. Miller
2022-08-19 Todd C. Miller
  • src/exec_ptrace.h:
    Fix shadowed variable warning on aarch64. [84169692bd1c]
  • src/regress/intercept/test_ptrace.c:
    Quiet another -Wwrite-strings warning. [ff2860056976]
  • src/exec_ptrace.c:
    ptrace_getregs: try to determine compat mode if caller doesn’t know. In ptrace_verify_post_exec(), we don’t know whether the executable that is now running is a native or compat binary. In most cases ptrace_getregs() will be able to figure it out for us. [fb0fa29ff554]
  • src/exec_ptrace.c:
    ptrace_intercept_execve: fail syscall rather than killing process on error. If the execve(2) args are bogus pointers, we should just return an error instead of killing the process. For consistency with the kernel, convert EIO from ptrace(2) to EFAULT. Also convert some ptrace(2) warnings to debug printfs so sudo is less chatty. [3d30c6d28005]
2022-08-18 Todd C. Miller
  • src/exec_ptrace.c:
    Treat argv and closure->run_argv of different sizes as a mismatch. If argv and closure->run_argv match up to the point where we hit a NULL but one of them has additional entries, we still need to rewrite argv. [91d522d9c3b6]
  • src/exec_ptrace.c:
    Handle the case where argc is 0 when allocating space for argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [953f92c9e7a5]
  • src/sudo_intercept.c:
    copy_vector: treat a NULL pointer as an empty vector. Linux execve(2) allows argv to be NULL so we must allocate an empty vector in this case and not return an error. [cf30608ed6cb]
  • src/exec_preload.c:
    Update debug_decl name for sudo_preload_dso -> sudo_preload_dso_alloc change. [b0db53a62c7a]
  • src/exec_intercept.c:
    Handle the case where argc is 0 when rebuilding argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [10358fc408a1]
  • src/exec_ptrace.c:
    Handle sysconf(_SC_ARG_MAX) failure, Coverity CID 276504. [ddb88da56bd7]
  • plugins/sudoers/match_digest.c:
    Avoid a Coverity false positive. [dd9fd747bd7f]
  • plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
    Remove cast from time_t to int to avoid a Coverity false positive. The cast should not be required. [a305b10eb17e]
2022-08-11 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/group_plugin.c:
    Use multilib rules to look for a 64-bit group plugin on failure. If sudo_dso_load() fails on a 64-bit system, try to load a 64-bit native version of the file using system-dependent multilib rules. If we don’t support multilib on the platform, check for a version of the file that ends in “64” before the .so suffix. [d36bcc89ee34]
2022-08-08 Todd C. Miller
  • plugins/sudoers/env.c, src/env_hooks.c:
    In putenv(3) replacement reject a string with no ‘=’ or that starts with one. [59c6e6e5232b]
2022-08-05 Todd C. Miller
2022-08-04 Todd C. Miller
  • configure, configure.ac:
    Use our own arc4random() in preference to the glibc version. The glibc arc4random() may fail in chroot on older kernels and exit. [9b4a62c9f468]
  • lib/util/sudo_dso.c:
    sudo_dso_load: restore original error for AIX on failure. For AIX, if dlopen() fails we try again with RTLD_MEMBER set and a default member (shr.o or shr_64.o). However, if that also fails, the user will receive a useless error message that doesn’t correspond to the actual problem. We now retry the original dlopen() if the fallback to RTLD_MEMBER fails, which has the effect of restoring the original error message. [ec539996a4aa]
2022-08-02 Todd C. Miller
  • Merge pull request #165 from bdrung/xdg-current-desktop

    Add XDG_CURRENT_DESKTOP to initial_keepenv_table [3d2e82e32ea8]

  • docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regr ess/testdata/check_multiple_approval_plugin_and_arguments.stdout, src/exec.c:
    Bump the sudo plugin minor version. The “update_ticket” entry was added to the settings list and the “intercept_verify” entry was added to the command_info list. [3259f3199798]
  • docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_usage.h.in:
    Add a way to run a command without updating the cached credentials. This can also be used to test for whether or not the user’s credentials are currently cached. [f5825a6f881b]
  • Merge pull request #168 from likunyur/lky

    Remove unnecessary initialization and casts. [fcb251c895ce]

  • Merge pull request #169 from kempstonjoystick/main

    Fix incorrect SHA384/512 digest calculation. [f016c3a37255]

2022-08-02 Tim Shearer
  • lib/util/sha2.c:
    Fix incorrect SHA384/512 digest calculation.

    Resolves an issue where certain message sizes result in an incorrect checksum. Specifically, when: (n*8) mod 1024 == 896 where n is the file size in bytes. [e9f235a8d432]

2022-08-01 Todd C. Miller
  • src/exec.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h:
    Defer chdir(2) until sesh when running with SELinux. We need to be running with the correct security context or the chdir(2) may fail. GitHub issue #160. [a8713dd21be9]
2022-08-01 Li zeming
  • lib/util/arc4random.c:
    util/arc4random: (void*) type pointer passing address could remove cast

    Signed-off-by: Li zeming <zeming@…> [aa4e8c73f131]

  • lib/iolog/hostcheck.c:
    iolog/hostcheck: These two parameters do not need to be initialized and assigned, the following code is directly assigned

    Signed-off-by: Li zeming <zeming@…> [dd657435f277]

2022-07-31 Todd C. Miller
  • Merge pull request #166 from c4rlo/patch-1

    visudo.c: add nvim (Neovim) to lineno_editor list [97e0a7b00daa]

2022-07-31 Carlo Teubner
2022-07-29 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Document the TOCTOU issue with intercept mode. Describe how intercept_verify attempts to reduce the risk. [b118de8d4c66]
  • etc/codespell.exclude, etc/codespell.ignore:
    Update a codespell exclude pattern. [3193ffb4c938]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, src/exec_ptrace.c, src/sudo.c, src/sudo.h:
    Add intercept_verify sudoers option to control execve(2) argument checking. [79131cfb0125]
  • src/exec_ptrace.c:
    Use PTRACE_EVENT_EXEC to stop execution before return from execve(2). We can now verify that the arguments match what we accepted before the command actually runs. If there is a mismatch, the process is killed. Shell scripts must be handled specially since the path executed will be the interpreter, not the script name. Linux allows interpreters to be nested up to 4 deep. [5e7b1828dbb0]
  • plugins/sudoers/sudoers.c:
    Only set MODE_POLICY_INTERCEPTED if we are running a command. Fixes an error with “sudo -l” when intercept is enabled globally. [7a1d0ff5a498]
2022-07-29 Benjamin Drung
  • plugins/sudoers/env.c:
    Add XDG_CURRENT_DESKTOP to initial_keepenv_table

    Qt needs XDG_CURRENT_DESKTOP to be set to determine the correct theme.

    Since DISPLAY and XAUTHORITY are already in the default table of variables to preserve in the environment, just add XDG_CURRENT_DESKTOP to it.

    Bug: https://launchpad.net/bugs/1958055 Signed-off-by: Benjamin Drung <bdrung@…> [aa5132684c89]

2022-07-27 Todd C. Miller
  • src/exec_ptrace.c:
    The length returned by ptrace_read_string() include the NUL. We were wasting a extra byte in the string table for each entry. [b1220aae7141]
2022-07-26 Todd C. Miller
  • include/sudo_compat.h, include/sudo_util.h:
    Use gcc’s malloc attribute for malloc-like allocation functions. [bff3b0ab89c5]
  • src/exec_preload.c:
    fmtstr: add missing va_end() for the overflow case Coverity CID 275335 [42a4f4467ca5]
  • lib/util/sudo_debug.c:
    Fix potential NULL pointer deference found by clang-analyzer. [5b0a9c0f2e71]
  • src/sudo.c, src/sudo_intercept_common.c:
    Quiet some harmless PVS-Studio warnings. [9b9cc92f0585]
  • src/exec_intercept.c:
    Reject relative command paths if runcwd is not set. This is now treated as a policy rejection. [bf35a6818c77]
  • src/exec_intercept.c:
    intercept_check_policy: close saved_dir before returning [04adba5e85fa]
  • src/exec_intercept.c:
    Change to runcwd during the policy check where possible. Otherwise, attempts to run “./command” from a shell with intercept set will fail if the current working directory is different from the main sudo process. [cd218f081cf2]
2022-07-25 Todd C. Miller
  • include/sudo_util.h, lib/util/mmap_alloc.c, lib/util/util.exp.in, src/sudo_intercept.c:
    For preload DSO make copies of cmnd, argv, envp and map them read- only. [56a160c55e4c]
  • src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Use sudo_mmap_alloc functions in DSO-based intercept code. [806dacd141ad]
  • lib/util/snprintf.c:
    Use sudo_mmap_alloc functions instead of private versions. We no longer need to keep track of the allocation size. [6f375ed7a927]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/mmap_alloc.c, lib/util/util.exp.in:
    Add sudo_mmap_{alloc,allocarrary,strdup,free} functions. These allocate memory via mmap anonymous regions and store the mapped size immediately before the returned pointer as an unsigned long. They are intended to be used in cases where malloc(3) and free(3) are unsuitable due to concerns about corrupting global state in multi- threaded programs or signal handlers. [803b4a82bedd]
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Sync with schema.OpenLDAP for user/group utf8 support. [14705b52a4f9]
  • Merge pull request #163 from Firstyear/20220725-sudo-ldap-schema

    Update sudoUser to be utf8 in ldap schemas [91354fc2ed23]

  • src/sudo_intercept.c:
    resolve_path: skip non-regular files [2ed5efdb48ea]
2022-07-25 William Brown
  • docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo:
    Update sudoUser to be utf8 in ldap schemas

    In most unix-style LDAP servers, uid is a utf8 string defined by OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant that sudoUser could only represent a subset of possible values.

    In some cases when using sudoers.ldap, the uid from the machine which was utf8 was fed back into sudo which would then issue a search for sudoUsers. If this uid contained utf8 characters, the ldap server would refuse to match into sudoUsers because these were limited to IA5.

    This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning that this change will not impact existing deployments and their rules. [7a47e711ca88]

2022-07-14 Todd C. Miller
  • src/exec_intercept.c, src/sudo.c:
    Make sure the plugin provides a command, argv and envp. [7e4e93118622]
  • lib/util/sudo_debug.c, src/exec_intercept.c, src/exec_preload.c, src/exec_ptrace.c, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Linux execve(2) allows argv or envp to be NULL. Add checks to make sure we don’t deference a NULL pointer. [be380b71df62]
2022-07-13 Todd C. Miller
  • src/exec_intercept.c:
    intercept_check_policy: add oom label and fix approval failure case. If the approval plugin fails we need to set the state to POLICY_REJECT just like we do if the policy rejected the command. [e7ba37e32af7]
2022-07-09 Todd C. Miller
  • plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, src/apparmor.c:
    Fix a few whitespace issues. [deb6391a3ba0]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Increase the realloc increment from 128 to 1024. The contents of the env_add array should not include the leading “env=” prefix. [d8c0067fc3fd]
  • plugins/sudoers/env.c:
    sudo_putenv_nodebug: require that the environment string include a ‘=’ [fb200f301070]
2022-07-08 Todd C. Miller
  • plugins/sudoers/visudo.c:
    If update_defaults() fails, treat it as a parse error. [d9860eb2257a]
  • plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Add additional PVS-studio suppression comments for generated code. [dfb89944dcce]
2022-07-07 Todd C. Miller
  • plugins/sudoers/match_command.c:
    Fix compilation error when SUDOERS_NAME_MATCH is defined. [3b76707bc5fa]
  • plugins/sudoers/match_command.c:
    Fix a NOPASSWD issue with a non-existent command when fdexec=always In command_matches_all(), if the command is fully-qualified and open_cmnd() return false, only treat it as an error if we are able to stat(2) the command. For “sudo ALL” a non-existent command is not an error. [e2d756137ce9]
  • plugins/sudoers/regress/testsudoers/test18.sh:
    Quote ^foo$ on command line to protect it from the shell. [0f1274e0be93]
2022-07-05 Todd C. Miller
  • lib/eventlog/regress/logwrap/check_wrap.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, plugins/python/regress/check_python_examples.c, src/exec_ptrace.c:
    Add explicit include of unistd.h for getopt(3) and related variables. [e1c369cd5ae8]
2022-07-04 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, src/sudo_intercept_common.c:
    Merge pull request #161 from likunyur/lky

    sudoers/cvtsudoers: Remove the repeated ‘;’ from code [9b961a3b9c86]

2022-07-04 Li kunyu
  • src/sudo_intercept_common.c:
    src/send: Remove the repeated ‘;’ from code

    Signed-off-by: Li kunyu <kunyu@…> [6fc809eac0b1]

  • plugins/sudoers/cvtsudoers.c:
    sudoers/cvtsudoers: Remove the repeated ‘;’ from code

    Signed-off-by: Li kunyu <kunyu@…> [75582c880c30]

2022-07-01 Todd C. Miller
  • lib/util/timegm.c:
    In timegm() initialize tm_isdst to 0 like tzcode does. [d3f2d10c3559]
2022-06-30 Todd C. Miller
  • include/intercept.pb-c.h, include/sudo_event.h, src/exec_intercept.c, src/exec_intercept.h, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
    Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds. There’s no real reason for the command to wait for sudo send back a response that will always be a PolicyAcceptMessage. [d2fe28a652d0]
  • plugins/sudoers/sudoers.c:
    sudoers_main: defer setting return value until the end when running a command Otherwise, we could return success when there was an error from a system call or memory allocation failure. [bd993a2948ce]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Save the initial command run via sudo and use it when logging exit status. Otherwise, if we are in intercept mode or logging sub- commands the exit status will be logged with the wrong command. [54e3494473ac]
2022-06-29 Todd C. Miller
  • lib/zlib/zconf.h.in:
    Define _LARGEFILE64_SOURCE if _FILE_OFFSET_BITS == 64. Fixes a -Wwrite-strings warning on 32-bit systems. [61eff691496f]
  • lib/util/strsignal.c:
    Quiet another -Wwrite-strings warning. [a03bb85d581d]
  • lib/protobuf-c/protobuf-c.c:
    Fix a clang analyzer 14 warning about a possible NULL deref. [4c0db4ac3e1d]
  • lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Regenerate dependencies [ff7de2b59097]
  • scripts/mkdep.pl:
    Do not check files generated by protbuf-c with PVS-Studio [86f56c21339f]
  • logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c, logsrvd/sendlog.c, logsrvd/tls_client.c, plugins/sudoers/log_client.c, src/sudo_intercept_common.c:
    Quiet some harmless PVS Studio warnings. [476fbef7a0c4]
  • logsrvd/logsrvd_conf.c, logsrvd/sendlog.c:
    Use “unable to allocate memory” warning on malloc failure. This is consistent with the rest of the sudo source code. [5954fc067647]
  • lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/iolog/host_port.c, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/util/getentropy.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c, src/Makefile.in, src/apparmor.c:
    Add missing PVS Studio Open Source comments. Also avoid checking protobuf-c source and protobuf-c generated files. [e1277c1f6585]
  • lib/iolog/host_port.c, lib/iolog/hostcheck.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/python/pyhelpers.h, plugins/python/regress/iohelpers.h, plugins/sudoers/log_client.c:
    Use #include <config.h> not #include “config.h” for consistency. Otherwise, some compilers may do the wrong thing in a build dir if there is a config.h file in the source dir too. [79aaab18dc6d]
2022-06-28 Todd C. Miller
  • plugins/sudoers/group_plugin.c:
    Update group_plugin_load() stub to match its prototype. [9ea7126e6d5c]
  • configure, configure.ac, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/iolog/host_port.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/util/aix.c, lib/util/getgrouplist.c, lib/util/getopt_long.c, lib/util/lbuf.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/regress/progname/progname_test.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/exptilde.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/insults.h, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/edit_open.c, src/exec_common.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/selinux.c, src/sudo.c, src/sudo_edit.c, src/sudo_intercept.c:
    Make sudo pass -Wwrite-strings [7ac3dd7b1634]
  • configure, configure.ac:
    A typo prevented -Wno-deprecated-declarations from being used on macOS. [4d6d4b9e7191]
2022-06-27 Todd C. Miller
  • lib/zlib/zconf.h.in:
    Define _LFS64_LARGEFILE, _LARGEFILE64_SOURCE if 64-bit or _LARGE_FILES set. autoconf does not define _LARGEFILE64_SOURCE by default but zlib expects it (its own configure script will define it). Fixes a missing prototype for crc32_combine_gen64() on AIX and HP-UX. [c5b314bebbcb]
  • configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/host_port.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, plugins/python/pyhelpers.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_common.c, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc, plugins/python/python_plugin_policy.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/audit.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/stubs.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.h, plugins/sudoers/unesc_str.c, src/copy_file.c, src/exec_ptrace.c, src/load_plugins.c, src/net_ifs.c, src/sudo.h, src/sudo_intercept.c, src/sudo_intercept_common.c, src/sudo_noexec.c:
    Make sudo pass -Wmissing-prototypes [195b024b9f54]
  • src/exec_ptrace.c:
    Include inttypes.h if stdint.h is not present. Bug #1035 [da6185c4c418]
2022-06-21 Todd C. Miller
  • src/exec_ptrace.c:
    readlink(2) does NUL-terminate the buffer, do it manually. Fixes a bug where the current working directory could include garbage in intercept mode using ptrace(2). [dc7c547f518f]
  • src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept_common.c:
    sudo_preload_dso: make the envp function argument const This lets us fix an inappropriate cast in sudo_intercept_common.c. [c2fa860b684e]
  • src/exec_intercept.c:
    intercept_write: remove unused CD_USE_PTRACE code. It is not possible to end up in intercept_write when CD_USE_PTRACE is set. [f8bdc5e37294]
2022-06-20 Todd C. Miller
  • src/exec_intercept.c, src/sudo_intercept_common.c:
    Set TCP_NODELAY on the socket used for intercept IPC to reduce latency. On some systems, Nagle’s algorithm was delaying receipt of the data, causing commands with intercept or log_subcmds to run slowly. Related to Bug #1034. [11b129850ac1]
  • src/sudo_intercept_common.c:
    Use blocking I/O when talking to the sudo process. Also check for EAGAIN/EINTR when reading the message size. Fixes a problem seen on AIX where recv_intercept_response() could fail unexpectedly. Bug #1034. [8554618665a2]
  • src/exec_intercept.c:
    Add debug printfs when send/recv return EAGAIN or EINTR. These are not actually errors but can help gain insight into what is going on and, in the case of EAGAIN, whether or not there may be a kernel resource starvation problem. [fd2dee906d2f]
2022-06-14 Todd C. Miller
  • plugins/sudoers/logging.c:
    log_exit_status: make local variables match struct evlog members. [f93d5141e818]
2022-06-13 Todd C. Miller
  • lib/util/getgrouplist.c:
    Quiet a compiler warning on macOS. The getgrouplist() groups array on macOS is int * instead of gid_t *. [c64bf72a1416]
2022-06-12 Todd C. Miller
2022-06-11 Todd C. Miller
  • src/exec_ptrace.h:
    Fix compilation on Linux/x32; GitHub issue #158 [8cebfdd49205]
2022-06-10 Todd C. Miller
  • plugins/sudoers/policy.c:
    Fix pasto in comment after HAVE_PRIV_SET #endif [2275ab3b016d]
  • include/sudo_compat.h:
    Fix typo, we should define SSIZE_MAX if it is not defined. [51c68f801479]
2022-06-09 Todd C. Miller
  • plugins/sudoers/env.c:
    Change black list -> blocklist This was missed in the previous conversion. [da610ebb5cb1]
  • plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.h:
    Save a pointer to the event_alloc parameter in the plugin open function. That way we don’t need to pass event_alloc around to the log client functions. [a8a47f3770b3]
  • lib/protobuf-c/protobuf-c.c:
    Fix regression with zero-length messages introduced in protobuf-c PR 500. [42062b9f75d5]
2022-06-08 Todd C. Miller
2022-06-07 Todd C. Miller
  • src/exec_pty.c:
    Make read and write events persistent and disable as needed. For the read callback, disable reader when the buffer is full. For the write callback, disable writer when the buffer is consumed. [2b6953dc4224]
  • config.h.in, configure, configure.ac, src/sudo_exec.h, src/sudo_noexec.c:
    Check for SECCOMP_MODE_FILTER not SECCOMP_SET_MODE_FILTER. This matches the actual prctl() call we use. [4222768293d1]
  • Merge pull request #157 from 0x2b3bfa0/improve-tag-spec-ebnf-docs

    Improve Tag_Spec EBNF documentation [f528335aded5]

  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
    Treat EINTR in a callback like we do EAGAIN. We shouldn’t get EINTR in practice since we set SA_RESTART when registering signal handlers but it doesn’t hurt to be consistent. [acf3394e2df2]
  • Merge pull request #156 from delroth/aarch64-build

    exec_ptrace: fix missing sudo_pt_regs on aarch64 [a7062c609a96]

2022-06-07 Pierre Bourdon
  • src/exec_ptrace.h:
    exec_ptrace: fix missing sudo_pt_regs on aarch64

    AArch64 already had an existing “user_pt_regs” struct and didn’t need a struct alias before the renaming to “sudo_pt_regs”. Make the code build again by adding the now missing alias.

    Fixes: 2eb8ff17 [3b55f40e9b83]

2022-06-07 Helio Machado
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Improve Tag_Spec EBNF documentation [7e23ec31d124]
2022-06-07 Todd C. Miller
  • Merge pull request #154 from 0x2b3bfa0/fix-tag-spec-docs

    Add missing colon in Tag_Spec documentation [ec8f4610b677]

  • Merge pull request #152 from particleflux/fix-sudoers-typo

    Fix typo in sudoers comment [bbbcff4c14ba]

2022-06-07 Helio Machado
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Add missing colon in Tag_Spec documentation [e6f4c612e22a]
2022-06-07 Stefan Linke
  • plugins/sudoers/sudoers.in:
    Fix typo in sudoers comment

    Fix a typo in the sudoers comment about maxseq param.

    Introduced by 906eb19ece47023c659b4b3db2e7a6bb57dff0d9 in 1.9.11. [b38fae41b3eb]

2022-06-06 Todd C. Miller
  • lib/protobuf-c/protobuf-c.c:
    Only shift unsigned values to avoid implementation-specific behavior. This converts the arithmetic shifts to logical shifts. [e25aa8e9891a]
  • lib/protobuf-c/protobuf-c.c:
    Fix issue protobuf-c#499: unsigned integer overflow Signed-off-by:
    10054172 <hui.zhang@…> [f3637be4df4f]
  • include/sudo_event.h, lib/util/event_select.c:
    Fix building with select (not poll) when fd_set is not defined in sys/types.h. We can use a void * for the fd_set arrays and just add a cast when using the FD_SET macros. [5c636cbc11f0]
  • src/exec_pty.c:
    Reinstall the event handler if we get EAGAIN from read/write callback. The read and write events do not set SUDO_EV_PERSIST so we need to explicitly re-enable the event if there is still data to be read. Bug #963. [0006cb6531f4]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
    If write(2) returns EAGAIN just re-enter the event loop. This is consistent with how we handle EAGAIN for read(2). [e6478d917a0f]
  • docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
    Document how setting ModulePath affects the Python search path. Also advise the user to use a unique prefix to avoid name space collisions with installed Python modules. Bug #1031. [68a9d50d7806]
  • configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
    Add EXAMPLES variables for use in the man pages for the examples directory. [148272d9a6d3]
2022-06-04 Todd C. Miller
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po:
    Updated translations from translationproject.org [985902730e5b]
  • plugins/sudoers/po/hr.mo, po/hr.mo:
    Rebuild Croatian message catalog. [438136f65c13]
2022-06-03 Todd C. Miller
  • .gitignore, .hgignore:
    Add new test binaries to the ignore files. [ea9de2ded48d]
  • po/cs.mo, po/cs.po:
    Updated translations from translationproject.org [eac0aba546ed]
  • lib/protobuf-c/protobuf-c.c:
    Define WORDS_BIGENDIAN on big endian systems. Instead of a configure check, we use endian.h (or a fallback). [4d5603a9528c]
  • include/intercept.pb-c.h, include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c, scripts/unanon:
    Update to protobuf-c 1.4.0 [47ff9b8bab21]
  • logsrvd/logsrvd.c, plugins/sudoers/cvtsudoers_csv.c:
    Quiet two clang analyzer false positives. [2c878f7853cc]
  • src/exec_intercept.c:
    Move a comment to the correct location. [caacb3fae078]
  • logsrvd/logsrvd.c:
    union sockaddr_union: pass in sockaddr_union * instead of sockaddr *. This eliminates the need for a few casts and is consistent with how create_listener() is written. [4def05f8d895]
  • src/exec_ptrace.c:
    Eliminate some dead stores that clang-analyzer complains about. [3aac29fe0101]
  • src/exec_ptrace.c:
    ptrace_read_vec: don’t try to free memory on the error path This is leftover from when ptrace_read_string() allocated its own memory. [7f5b5d21bce9]
  • config.h.in, configure, configure.ac, src/sudo_intercept.c:
    Avoid using vfork(2) in the DSO system(3) wrapper. Traditional vfork(2) semantics make it unsafe for use for more than just vfork(2) + execve(2). [9a8ce7aef55d]
2022-06-02 Todd C. Miller
  • po/vi.mo, po/vi.po:
    Updated translations from translationproject.org [e3197ef8a98d]
  • NEWS:
    Mention sudo_logsrvd.conf “log_server” parsing fix. [575a31b83bfd]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in:
    For logsrvd_conf_test include both tls and non-tls configs. [ec1815793aab]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/cacert.pem, logsrvd/regress/logsrvd_conf/logsrvd_cert.pem, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/regress/logsrvd_conf/logsrvd_dhparams.pem, logsrvd/regress/logsrvd_conf/logsrvd_key.pem, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in:
    Add a simple regression test for logsrvd.conf parser. Unlike the parser fuzzer, this includes sample certs and keys. This test would have detected the BIO_new_file() bug in set_dhparams(). [7ddabb9d022f]
  • logsrvd/logsrvd_conf.c:
    Fix inverted logic when setting server_log. A value that starts with a ‘/’ should be treated as a path. [8941fd924fbf]
  • plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in:
    Use abs_top_builddir instead of pwd/$(top_builddir). [0f4e20a7aeed]
2022-06-01 Todd C. Miller
  • lib/util/regress/parse_gids/parse_gids_test.c:
    Plug a memory leak. [8a9eb498ed55]
  • plugins/sudoers/parse_ldif.c:
    Fix bug in last commit, need to reinitialize role to NULL. [1e454b967993]
  • plugins/sudoers/parse_ldif.c:
    Simplify the check for when we can reuse the previous user and host specs. This makes the code easier to read and quiets a cppcheck false positive. [037c4943f1ac]
  • docs/Makefile.in:
    Install the plugin man pages in section 5 (or 4 for System V). The manual had the correct section in the text but was installed in the wrong directory. [5df7d3f9a010]
  • plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/uk.mo, po/uk.po:
    Updated translations from translationproject.org [9ac84e5c9250]
2022-05-31 Todd C. Miller
  • plugins/sudoers/log_client.c:
    Only display “unable to connect to log server” warning once. Previously, in intercept mode, if the log server is unreachable the message would be printed for each sub-command. [df4c53518bb7]
  • src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/sudo_exec.h:
    When using ptrace(2), push the point where we suspend into exec_cmnd(). This should reduce the amount of time the child has to wait for the parent to use PTRACE_SEIZE to seize control and then PTRACE_CONT to continue the child. [f9caab4bf18b]
  • config.h.in, configure, configure.ac, src/sudo_intercept.c:
    Add configure check for vfork(2) and fall back to fork(2) if missing. [ddfaba8d2a09]
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, src/intercept.exp.in, src/sudo_intercept.c:
    Add support for intercepting the system(3) function. This also means we can log system(3) with log_subcmds. [aca241d96c0b]
  • include/compat/endian.h:
    Newer compilers define BYTE_ORDER and ORDER{BIG,LITTLE}ENDIAN Also add riscv the little endian list. [55731e5517fc]
2022-05-29 Todd C. Miller
2022-05-27 Todd C. Miller
  • plugins/sudoers/defaults.c:
    Fix potential signed integer overflow on 32-bit CPUs. Converting fractional minutes to nanoseconds could overflow a 32-bit integer, use long long instead. [b1d2afc0cc4d]
  • plugins/sudoers/Makefile.in:
    Fix path to example sudoers file, it is now in the build dir. [899850a04adf]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    init_options: initialize apparmor_profile to NULL [ad0de9e0474f]
  • logsrvd/tls_init.c:
    Fix uninitialized use of ca_store when building with wolfSSL. [e7cc6d8d9f7e]
  • docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Newer Debian/Ubuntu uses libsepol-dev not libsepol1-dev. [b2c1326bfb0d]
  • configure, configure.ac, plugins/sudoers/def_data.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/toke.c, src/Makefile.in:
    Regenerate files after merging AppArmor integration. [d24fcec2cb87]
  • Merge pull request #148 from kernelmethod/apparmor_support

    Add AppArmor support to sudo [fcbfb2410afd]

  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h:
    Merge branch ‘main’ into apparmor_support [7832ecc5eb7f]
2022-05-26 Todd C. Miller
  • src/sudo_intercept.c:
    Pass envp, not environ, to real execve() from exec_wrapper() if possible. The replacement execve() function was passing the global environ to exec_wrapper() instead of the envp parameter. This caused the command to be run with the wrong environment on AIX systems, and possibly others, when intercept or log_subcmds was enabled. Bug #1030. [dc0187c68c1b]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.11 [b4c8ec57842f]
  • src/exec_ptrace.c:
    Consolidate some translatable strings. [05dae7c3c8da]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c, src/exec_intercept.c:
    Standardize protobuf “unable to unpack” warning messages. [6f4e026c7a02]
  • docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c:
    Bump plugin minor version and document new intercept-related settings. There should have been a minor version bump for sudo 1.9.8 when intercept was originally implemented. [2b7591704df4]
2022-05-25 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Reset intercept_allow_setid if intercept_type changes from trace to dso. But only reset intercept_allow_setid if the user didn’t explicitly set it. [e398111d824e]
2022-05-24 Todd C. Miller
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    CentOS Stream only uses a major version number, no minor version. This prevents the packages from being created as foo.el.arch.rpm since we were assuming that the version number was two digits. [a3caed91ea8c]
  • src/exec_ptrace.c, src/exec_ptrace.h:
    Add support for running o32 and n32 binaries on mips64. [887ab363f2a4]
  • src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
    Enable ptrace support for MIPS but only for log_subcmds. It is not possible to change the syscall return value on MIPS so we cannot support full intercept mode. Another complication on MIPS is that if a system call is invoked via syscall(_NR###), v0 holds __NR_O32_Linux and the real syscall is in the first arg (a0) and other args are shifted by one. [0345a4137047]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_ptrace.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
    Add intercept_type sudoers option to set intercept/log_subcmds mechanism. [b97e461f7da1]
2022-05-23 kernelmethod
  • MANIFEST, include/sudo_debug.h, src/Makefile.in, src/apparmor.c, src/parse_args.c, src/sudo.c, src/sudo.h:
    Add an apparmor_profile sudo setting

    Define a new sudo setting, apparmor_profile, that can be used to pass in an AppArmor profile that should be used to confine commands. If apparmor_profile is specified, sudo will execute the command using the new apparmor_execve function, which confines the command under the provided profile before exec’ing it. [a54897efe031]

  • plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.l:
    Add an APPARMOR_PROFILE user spec option to sudoers

    sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g.

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL

    The line above says “user alice can run any command as any user/group, under confinement by the AppArmor profile ‘foo’.” Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL

    allows alice to run any command unconfined (i.e., without an AppArmor profile), while

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL

    tells sudoers that alice can run any command under the stacked AppArmor profiles ‘foo’ and ‘bar’.

    The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying ‘APPARMOR_PROFILE=unconfined’ for a privileged subset of users. [2afe8c910959]

  • config.h.in, configure.ac, scripts/mkdep.pl, scripts/mkpkg:
    Add a –with-apparmor build flag

    Add a new build flag, –with-apparmor, that builds sudo with AppArmor support. Modify the build script for Debian and Ubuntu to enable this flag by default. [596b4e6dce4d]

  • INSTALL.md, docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Add documentation for AppArmor support

    • Document the AppArmor userspec option in the sudoers man pages.
    • Add information about the –with-apparmor build configuration option to INSTALL.md. [524dde965b94]
2022-05-22 kernelmethod
  • docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add libapparmor-dev to the Debian and Ubuntu Dockerfiles

    Install libapparmor-dev on Debian- and Ubuntu-based Docker images so that they can build sudo with AppArmor support. [8491c8b6d240]

2022-05-19 Todd C. Miller
  • src/exec_nopty.c, src/exec_pty.c:
    Pass the WUNTRACED flag to waitpid() even if __WALL is present. Otherwise, we won’t get the wait status of a suspended command that is not being traced. [7c2b46ec73be]
  • configure, configure.ac, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    Use explicit library dependencies instead of implicit. We now include all the dependent libraries when linking. Fixes a linking problem on CentOS Stream 9. [6f06cdbb1552]
  • plugins/sudoers/logging.c:
    mail_parse_errors: allocate the correct amount of space for mail body. Use strlen(), not sizeof(), on “problem parsing sudoers” since it is a tranlated string and not a constant. This was caught by the existing overflow checks. [5aa53136cd9d]
2022-05-18 Todd C. Miller
  • MANIFEST, src/Makefile.in, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
    Move code to suspend sudo when no pty is in use to separate file. Use this in test_ptrace.c to be able to suspend just like sudo does. [ddef421918b7]
2022-05-17 Todd C. Miller
  • src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
    Fix suspending a sudo-run shell in ptrace intercept mode with no pty. When ptracing a process, we receive the signal-delivery-stop signal before the group-stop signal. If sudo is running the command in the same terminal, we need to wait until the stop signal is actually delivered to the command before we can suspend sudo itself. If we suspend sudo before receiving the group-stop, the command will be restarted with PTRACE_LISTEN too late and will miss the SIGCONT from sudo. [bf9a482ecddd]
  • docs/TROUBLESHOOTING.md, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in:
    OpenSSL 3.x requires the key usage extension be present in CA and certs. Certificates generated with a CA that doesn’t set the key usage extension will fail to validate if “tls_verify” is enabled. [3ae4ef1ecf57]
  • logsrvd/tls_init.c:
    Include the cert or ca file in error messages where applicable. [3e0558886a3d]
  • logsrvd/tls_init.c:
    Add missing include of string.h for strerror(3). [253a5634d441]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c:
    If ERR_reason_error_string() returns NULL, fall back on strerror(errno). That way we get reasonable error messages for missing files, etc. [d2423ef0e284]
  • logsrvd/tls_init.c:
    set_dhparams: pass BIO_new_file() “r” for the file mode, not O_RDONLY. Unlike BIO_new_fp(), BIO_new_file() takes an fopen-style mode string. [7a67aec88cb4]
  • src/exec_ptrace.c:
    The set_sc_arg3, get_sc_arg3 and set_sc_arg4 functions are not used. Use ifdef notyet to disable for now since they may be used in the future. [99d2f2a42da5]
2022-05-16 Todd C. Miller
  • src/exec_ptrace.h, src/sudo_exec.h:
    Use x86_64 preprocessor symbol, not amd64 Also clarify a comment about MIPS ptrace. [b02ad513eb64]
  • src/exec_ptrace.h, src/sudo_exec.h:
    ptrace support has been tested on Debian/s390x. It should also work on s390 but this has not been tested. I have not added a compat mode to trace 31-bit binaries on s390x due to the lack of a test system. [3176433e7456]
  • src/exec_ptrace.h:
    Define sudo_pt_regs instead of user_pt_regs and include the struct keyword. On s390, the struct is typedef’d without a name. [b2b74f378eef]
  • src/exec_ptrace.h, src/sudo_exec.h:
    ptrace support has been tested on Debian/riscv64. [e1011074d984]
2022-05-15 Todd C. Miller
  • plugins/sudoers/sudoers.in:
    Add maxseq setting to log_output example. This should make it more obvious that you need to adjust maxseq unless you have (virtually) unlimited disk space. [5203240a248b]
  • scripts/mkpkg:
    Fix dependency check for libssl on Debian/Ubuntu with OpenSSL 3. Also add check for python 3.10 and 3.11 and remove versions < 3.4. Fixes building on Ubuntu 22.04. [c9114582911c]
2022-05-14 Todd C. Miller
  • src/exec_ptrace.h:
    Tracing 32-bit arm binaries from a 64-bit sudo works. [c1e1602874ed]
  • src/exec_ptrace.c:
    ptrace_write_string: the terminating NUL fix was reverted by mistake. [587dd11b2783]
  • src/exec_ptrace.h, src/sudo_exec.h:
    ptrace-based intercept has now been tested on 32-bit arm [493b17a89e63]
2022-05-13 Todd C. Miller
  • src/exec_ptrace.h:
    Don’t use PTRACE_SET_SYSCALL for 32-bit arm binaries running on aarch64. Use PTRACE_SETREGSET with NT_ARM_SYSTEM_CALL instead just like we would for a 64-bit binary. Newer Linux headers don’t define PTRACE_SET_SYSCALL for aarch64. [5930846e9c9e]
  • src/regress/intercept/test_ptrace.c:
    Replace verbose flag with debug flag. This is more accurate since it actually uses the debug subsystem. [dda8b8af8bd2]
  • src/exec_ptrace.h:
    Initial cut at MIPS support, untested. Mips is a bit different in that most Linux distros appear to use the n32 ABI on 64-bit CPUs. We don’t currently support tracing a 64-bit binary from a 32-bit sudo. We could suport tracing o32 ABI binaries in compat mode, though. [05e5e246463a]
2022-05-12 Todd C. Miller
  • src/regress/intercept/test_ptrace.c:
    Add have_seccomp_action(“trap”) call to check for SECCOMP_MODE_FILTER. [250c6b72c4f4]
  • src/exec_ptrace.c, src/exec_ptrace.h:
    Add arm-specific code to set the system call number. Fixes rejection of commands due to policy on arm when in intercept mode. [74c5bd26713b]
  • scripts/mkpkg:
    Fix OS major version detection on CentOS Stream [cd4d5aaf59a7]
  • src/exec_ptrace.c:
    Repair ptrace_write_vec() for compat binaries. [77ee302b0631]
  • src/regress/intercept/test_ptrace.c:
    Fix a crash when not run in verbose mode. [adf481623228]
  • src/exec_ptrace.c:
    ptrace_intercept_execve: read back the updated syscall args in test mode. This makes it easier to detect problems with the syscall rewrite code when testing with test_ptrace. [4eb9e09d90d9]
2022-05-11 Todd C. Miller
  • src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
    Enable ptrace intercept on powerpc. Tested on ppc64 and ppc64le. [fbd12baa1a02]
  • src/exec_ptrace.c:
    Fix tracing compat binaries on big endian systems. We need to swap the order of the two 32-bit addresses for big-endian. [375004a3ef09]
  • src/exec_ptrace.c:
    Move code to write a string vector to ptrace_write_vec(). [8401e0397f11]
  • src/exec_ptrace.c:
    Fix compilation error on systems with no compat arch. Currently only affects i386. [b95c707298c5]
  • MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
    Add test_ptrace program to test ptrace-based intercept support. [5f7162bcdbfd]
  • src/exec_ptrace.c:
    Use unsigned long for addresses so we don’t have to worry about sign extension. [7a0d4ea2fa70]
2022-05-10 Todd C. Miller
  • src/exec_ptrace.c:
    ptrace_write_string: make sure we always write the terminating NUL. We can’t check *str for NUL since it may not have been written yet. [9d95217981ac]
  • src/exec_ptrace.c:
    Fix compilation error when SECCOMP_AUDIT_ARCH_COMPAT is not defined. [3162054bac24]
2022-05-09 Todd C. Miller
  • src/exec_ptrace.c, src/exec_ptrace.h:
    It is now safe to make WORDALIGN use compat (not native) aligment. We allocate space for an extra pointer between argv and the string table for compat binaries so there is no need to align address to sizeof(long). [898626f1cdf6]
  • src/exec_ptrace.c, src/exec_ptrace.h:
    Use the entire word in ptrace_get_vec_len() and ptrace_read_vec(). For compat binaries, use the upper 32-bits as the next word instead of calling ptrace(2) to get it. This reduces the number of ptrace(2) calls when reading argv and envp for compat binaries. [cf5d1ae47dbe]
2022-05-07 Todd C. Miller
  • src/exec_ptrace.c:
    We don’t need to align strings in the string table. We align the start of the string table to a word boundary to help prevent overlap when writing the pointers. However, the actual strings themselves don’t need to be aligned. [219a1a07fc2e]
2022-05-06 Todd C. Miller
  • src/exec_ptrace.c:
    Avoid potentially overwriting string table when writing argv. In compat mode, if argc is odd, writing the last pointer of argv will overlap with the address of argv[0], so leave an extra word in between. Also remove incorrect comments about PTRACE_PEEKDATA unaligned access. [13f7e63a31bd]
  • src/exec_ptrace.c, src/exec_ptrace.h:
    Use native word size for padding and when reading/writing strings. If we try to use the compat word size we can end up in a situation where a subsequent PTRACE_POKEDATA overwrites part of what we’ve already written since it always writes in sizeof(long) units. [e0d7fdc3f8e2]
2022-05-05 Todd C. Miller
  • src/exec_ptrace.c:
    ptrace_intercept_execve: rewrite path to exec if changed by the policy [089f0e32cf2a]
  • src/exec_ptrace.c:
    ptrace_intercept_execve: plug memory leak of get_execve_info() buffer [5ce2cf252c80]
  • MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/exec_ptrace.h:
    Move register definitions to exec_ptrace.h [59cc9bec6925]
  • src/exec_ptrace.c:
    Add support for intercepting 32-bit binaries on 64-bit systems. We need to define the ptrace register struct ourselves for the 32-bit system since there is no good way to get it from the system headers. Currently only implemented for x86_64 and aarch64. [a0407bb1fee0]
  • src/exec_ptrace.c:
    Add setters and getters for ptrace(2) register access. This will be used when running 32-bit binaries from a 64-bit sudo. [f7da9453d9fa]
  • src/exec_ptrace.c:
    exec_ptrace_handled: don’t return early if ptrace_intercept_execve() fails. We need to continue the traced process even if there is a fatal error. Otherwise, sudo will appear to hang as the running process is left in PTRACE_EVENT stop. [5b3bd75c4486]
  • src/exec_ptrace.c:
    Don’t use PTRACE_GETREGS, it is too complicated when runing compat binaries. Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we manually map registers from 64-bit to 32-bit layouts when running, e.g. a 32-bit binary from a 64-bit sudo process. [bb3476230373]
2022-05-04 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
    Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2). [57e58c0ada44]
2022-05-03 Todd C. Miller
  • src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h:
    If the process is already being traced, just resume it and clear flags. This makes it possible to run sudo in ptrace intercept mode from within a shell (or other process) that is already being traced by sudo. [db4d7cd5f673]
  • src/exec_ptrace.c:
    exec_ptrace_handled: fix delivery of non-stop signals. We need to deliver signals to the tracee as long as it is not a group stop. Fixes a hang while tracing another sudo process. [4ede8b4cfbd9]
  • src/exec_nopty.c:
    Make SIGCHLD handler more consistent with the pty version. No real change other than a few debug statements. [bd52284b1e2a]
  • plugins/sudoers/parse.c:
    sudoers_lookup_check: preserve intercepted flag when reinitializing cmnd_info Otherwise we may not reject an attempt to run a set-user- ID command. [43d72d1537b2]
  • src/exec_nopty.c, src/exec_pty.c:
    Kill the command if intercept_setup() or ptrace_seize() fail. [1037f81b327b]
2022-05-02 Todd C. Miller
  • plugins/sudoers/match_command.c:
    Move intercept setid check out of do_stat() and into its own function. For command_matches_all() we should only perform the setid check if the file exists and intercept is enabled. Otherwise, we can end up returning an error if the fully-qualified command does not exist. Fixes a regression introduced in sudo 1.9.0 with the support for digests in conjunction with “sudo ALL”. [1b5f9ed2160a]
  • src/exec_ptrace.c:
    Add support for intercepting x32 binaries on Linux x64_64. [c5fc89f38c43]
2022-04-29 Todd C. Miller
  • plugins/sudoers/auth/kerb5.c, src/exec_ptrace.c:
    Fix typos [8ef3e84fc62e]
  • MANIFEST, docs/CONTRIBUTORS.md, po/ka.mo, po/ka.po:
    New Georgian translation from translationproject.org [f6b9c7d2192c]
  • src/exec_ptrace.c:
    Short-circuit the policy check if the command doesn’t exist. Otherwise, both sudo and the shell will report the error. [f16f1b6705d9]
  • src/exec_ptrace.c:
    Add support for replacing argv in ptrace intecept mode. The new argv is written below the tracee’s stack and the system call argument is replaced with the new argv address. [3974c784be8b]
  • src/exec_ptrace.c:
    Check architecture in the seccomp filter. Currently only supports the native architecture. [13f88e436ae0]
  • src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_ptrace.c:
    Suspend the child process and wait for SIGUSR when using ptrace. This fixes a race condition in ptrace-based intercept mode when running the command in a pty. It was possible for the monitor to receive SIGCHLD when the command sent itself SIGSTOP before the main sudo process did. [cf1f0bea9931]
  • plugins/sudoers/parse.c, src/exec.c, src/selinux.c, src/sudo.h:
    Enable intercept and log_subcmds for SELinux using ptrace and seccomp. [5d7a3df4457e]
  • src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c, src/sudo.c, src/sudo.h:
    For ptrace intercept mode, do not do a policy check for the initial command. We can skip the policy check for the execve(2) of the initial command since it has already been check. Otherwise, we would log the command twice. When using fexecve(2) due to a digest check, there should be no need to skip the initial command since it will be executed via execveat(2) not execve(2). However, on older kernels without execveat(2), glibc will emulate fexecve(2) using /proc which will result in the extra log entry. [e411d6bc3855]
  • docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Update intercept documentation. [f44f1cb2a5d2]
  • src/exec_intercept.c, src/exec_ptrace.c:
    In ptrace(2) intercept mode, add execveat to the seccomp(2) filter. This allows us to avoid logging the initial command twice regardless of whether the kernel supports execveat(2) or not. [d39bd5adac13]
  • src/exec_ptrace.c:
    Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it. This has a better chance of working on things like user-mode Linux. [c53475bd4020]
  • MANIFEST, src/Makefile.in, src/exec_intercept.c, src/exec_intercept.h, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h:
    Check the policy for ptrace-based intercept mode. [6eadd667ca6d]
  • src/exec_ptrace.c:
    Add support for getting the execve(2) arguments via ptrace(2). This will be used to perform a policy check in intercept mode. [84b23ae53e2f]
  • MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h:
    Add scaffolding for ptrace-based intercept mode. [34a6269ac4eb]
  • include/sudo_compat.h, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c:
    Stop using the WCONTINUED flag with waitpid(2). We don’t use it for anything other than a debug message and it will cause problems when intercept mode starts using ptrace(2). [1f55993d68eb]
  • src/exec_nopty.c, src/exec_pty.c:
    Handle multiple child processes in the SIGCHLD handler. This is required by the uncoming ptrace intercept code. [6dd72fb8f53f]
2022-04-24 Todd C. Miller
  • logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/sudoers/log_client.c:
    sudo_logsrvd: update elapsed time for winsize and suspend in journal mode Fixes a bug in store-first relay mode where the commit point messages sent by the server were incorrect. [5607e8c7b559]
2022-04-23 Todd C. Miller
  • docs/visudo.man.in, docs/visudo.mdoc.in:
    Fix typo; GitHub issue #144 [fb1a539569b4]
2022-04-20 Todd C. Miller
  • docs/TROUBLESHOOTING.md:
    Expand section about expired accounts to include /etc/shadow info. GitHub issue #143 [78368dadddfb]
  • src/exec_monitor.c:
    Add struct command details * to struct monitor_closure. This will be used in the future by the ptrace intercept code. [0603acf1ff96]
  • src/exec.c:
    Translate “unable to set limit privileges” strings. [a8426e224497]
  • ABOUT-NLS, MANIFEST, docs/CONTRIBUTING.md:
    Remove ABOUT-NLS file, it is no longer maintained as part of GNU gettext. Expand the Translations section in CONTRIBUTING.md. [b4f0269a8f13]
  • src/exec.c, src/exec_intercept.c:
    Don’t require a pty for intercept or log_subcmmds. The code to take back control of the tty before a policy check doesn’t appear to be needed. If the command is run in its own pty, sudo has control over the user’s tty. If the command is run in the user’s tty, sudo should be in the foreground process group. [bddcc0d9fee6]
2022-04-19 Todd C. Miller
  • config.h.in, configure, configure.ac:
    Define _TIME_BITS=64 on systems that define __TIMESIZE, like GNU libc. This should be replaced by a specialized autoconf macro when one becomes available. [f63b7f9ea5c2]
2022-04-11 Todd C. Miller
  • plugins/python/regress/testdata/check_example_group_plugin_is_able_t o_debug.log, plugins/python/regress/testhelpers.c:
    clean_output: prune lines that consisting of ‘^’ characters and whitespace. Starting with Python 3.11, backtraces may contain a line with ‘^’ characters to bring attention to the important part of the line. Also replace “REJECT” with “0” in backtrace output for Python 3.11. [f6a5d1c05b2b]
2022-04-04 Todd C. Miller
  • configure, configure.ac:
    Fix check for EVP_MD_CTX_new() when -pthread is in Libs.private. [4f3fd0d1fd34]
2022-04-01 Todd C. Miller
  • configure, configure.ac, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS [92aa57606481]
  • INSTALL.md:
    Mention other hardening compilation and linker options. [7da9cf428e39]
2022-03-31 Todd C. Miller
  • configure, configure.ac:
    Fix check for EVP_MD_CTX_new using static libcrypto with dependencies. [c02d6b6e474c]
  • configure, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4, scripts/ltmain.sh:
    Update to libtool 2.4.7. [b8824f6b792c]
2022-03-30 Todd C. Miller
  • configure, configure.ac:
    –enable-openssl: don’t add non-existent directories to PKG_CONFIG_LIBDIR [daa9cab172da]
2022-03-29 Todd C. Miller
2022-03-28 Todd C. Miller
  • lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/zlib.exp, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
    Update embedded copy of zlib to version 1.2.12. Fixes CVE-2018-25032 [3e2517079d86]
2022-03-16 Todd C. Miller
  • Merge pull request #138 from dfskoll/main

    If we’re using Kerberos, don’t overwrite a custom prompt [266b04c9ee0a]

2022-03-16 Dianne Skoll
  • plugins/sudoers/auth/kerb5.c:
    If we’re using Kerberos, don’t overwrite a custom prompt if one was given with -p

    Thanks to @thend20 for testing this patch. [e62136f88c3e]

2022-03-15 Todd C. Miller
  • src/conversation.c:
    Write the \r\n pair to ttyfp if possible, falling back on fp. This is consistent with the vfprintf() call and fixes a problem introduced by the last commit where the newline could be written before the message instead of after. [3aaebbec4ee5]
  • include/sudo_util.h, plugins/sudoers/regress/starttime/check_starttime.c:
    Adjust starttime test when run under Debian faketime. Bug #1026 [b8ac7dec6e11]
2022-03-14 Todd C. Miller
  • src/conversation.c:
    sudo_conversation_printf: convert trailing nl to cr + nl combo. This fixes output when the terminal is in raw mode and is consistent with how sudo_conversation() behaves. [e377f2a71021]
  • lib/eventlog/eventlog.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/tgetpass.c:
    Block SIGCHLD when forking the mailer. Otherwise, it may be picked up by the signal handler instead of our waitpid(2) call. Don’t warn if waitpid() returns 0 in a SIGCHLD handler. [e34a3f90de5b]
  • plugins/sudoers/sudoers.c:
    Do not warn, log or send mail for errors when reinitializing defaults. If there is a problem, we would have already warned, logged or mailed it. The one exception is the initial defaults, which should never fail. [0d273f4d307d]
  • plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
    If there are multiple parse errors, send them in a single mail message. [5de37ad1101f]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    Unset LANGUAGE when running tests, otherwise it may override LC_ALL. Bug #1025. [87573102f25b]
2022-03-11 Todd C. Miller
  • plugins/sudoers/visudo.c:
    Looser owner/permission checks for an uninstalled sudoers file. We don’t check the owner or permissions on a sudoers file that is specified as an argument to visudo by default. However, the owner and mode of files included via @includedir were still checked. This commit makes the owner and permissions checks for filed included via @includedir follow the same as for the original sudoers file. [db78857306d4]
  • lib/util/regress/getdelim/getdelim_test.c:
    getdelim_test: increase longstr to check end pointer after realloc This would have caught the recent bug in our getdelim replacement when run under address-sanitizer or valgrind. [6559a42a3205]
  • plugins/sudoers/check_aliases.c:
    Add missing va_start/va_end around call to sudoers_error_hook(). Coverity CID 250885 [49d026ba67b2]
  • lib/util/getdelim.c:
    Correctly update the end pointer when we expand the buffer. From Robert Manner. [99617ae8332d]
2022-03-10 Todd C. Miller
  • lib/util/secure_path.c:
    sudo_secure_path: pass the struct stat * argument directly to stat(2) Set the pointer to a struct stat on the stack if st is NULL. Avoids a needless memcpy() at the end. [11636745ce29]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Fix off-by-one when storing line number in userspec. We store the line number after parsing the newline so we need to subtract one. [40d6521a966e]
  • lib/eventlog/eventlog.c:
    For alert messages, the command or runuser may not be set. This fixes the logging of parse errors when JSON logging is enabled. [cfde228ef422]
  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Pass file, line and column to sudoers defaults callbacks. [04a26b1a224c]
  • plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
    Add a hook for sudoers parse errors (including defaults and aliases). The hook can be used to log parser errors (sudoers module) or keep track of which files have an error (visudo). Previously, we only kept track of a single parse error. [601915bb6265]
2022-03-09 Todd C. Miller
  • plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Add a source to struct sudo_nss and use it if getdefs() fails. Also remove useless “Problem with defaults entries” warning in testsudoers. [f9ba65e975a0]
2022-03-08 Todd C. Miller
  • lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/getgrouplist/getgrouplist_test.c:
    Plug a few test memory leaks now that they return from main(). [dc4db97a1d57]
2022-03-06 Todd C. Miller
  • lib/eventlog/regress/logwrap/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c:
    Remove extra newline in sudo_warnx() calls. [3366401671fc]
  • plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
    Preserve the column and error message when there is a syntax error. This information is now included in the error mail sent to root. [a224b006bfb3]
  • plugins/python/python_plugin_common.c:
    Deinit python subinterpreters in reverse order (last to first). This appears to work around a crash on OpenBSD with Python 3.9.10. [ad4d7b33da9b]
2022-03-03 Todd C. Miller
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    For ‘make check-verbose’ run fuzzers with -verbose=1 This is the default for libFuzzer but not for the stub fuzzer lib. [7f2551a87c08]
2022-03-02 Todd C. Miller
  • INSTALL.md:
    INSTALL.md: Mention “make check” and “make check-verbose” [17a30e329ba7]
  • scripts/generate_test_coverage.sh:
    Repair generate_test_coverage.sh after move to scripts directory. [ffef93da0436]
  • Makefile.in, docs/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Add check-verbose Makefile target that runs tests in verbose mode. [929d079dbfc7]
  • lib/eventlog/regress/logwrap/check_wrap.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgids.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c:
    Add -v option parsing to regress tests, currently a no-op. This will be used by a “check-verbose” target in the future. [9cdcc23e6a70]
2022-03-01 Todd C. Miller
  • plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.h:
    Less verbose output unless the -v option is used. Also display a test summary at the end. [b18a8f6526e9]
  • src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c:
    verbose flag is boolean, not int [8663ac48be27]
  • plugins/sudoers/Makefile.in, src/Makefile.in:
    Regenerate dependencies. [f007ec225986]
  • MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/regress/closefrom/closefrom_test.c:
    Add sudo_closefrom() regression test. [14f4439a8437]
  • NEWS, config.h.in, configure, configure.ac, lib/util/closefrom.c:
    Use close_range(2) in closefrom() emulation if available. On Linux, prefer our own closefrom() emulation since the glibc version may fail if /proc is not present and close_range() is not supported. On FreeBSD, closefrom(3) will either call the closefrom or close_range system call, depending on which is available. [d84eff07783f]
  • configure, configure.ac:
    Repair –enable-pvs-studio on Linux. [add3c7fff7f5]
  • configure, configure.ac:
    Mention apple radar 3710161 in the comment about broken macOS poll(2). [ffb6c8c070dc]
2022-02-28 Todd C. Miller
  • src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c:
    Only display test totals unless run in verbose mode. [f543b41f226e]
  • lib/util/regress/harness.in, plugins/sudoers/regress/harness.in:
    Allow test harness to be run from any directory. Also add missing copyright notice. [5e60bc5beb52]
  • lib/util/regress/harness.in:
    Adapt test harness for lib/util and move to regress directory. [f415d958bca7]
  • .gitignore, .hgignore, MANIFEST, configure, configure.ac, lib/util/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in, plugins/sudoers/regress/harness.in:
    Adapt test harness for lib/util and move to regress directory. [5f488712f797]
  • lib/fuzzstub/fuzzstub.c:
    Make fuzzer stub main() quiet by default. LLVM LibFuzzer displays the input and running time by default but we don’t care about that for the stub fuzzer library. [728005c2de78]
  • .gitignore, .hgignore, MANIFEST, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in:
    Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script. It is easier to maintain these tests in script form. The output now more closely matches that of the other tests. The harness script can be invoked directly and supports running specific tests. [fbad6e93201e]
2022-02-27 Todd C. Miller
  • plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po:
    Updated translations from translationproject.org [b2622a56fcbc]
2022-02-25 Todd C. Miller
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    sudo_regex_compile_v1 stub: set errstr on error [2da61535e60d]
  • logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    fuzz_logsrvd_conf: add stub version of sudo_regex_compile_v1(). We want to fuzz our parser, not the libc regular expression code. [2662a181acc8]
  • plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh:
    testsudoers/test18: don’t rely on /usr/bin/w being present Fixes a test failure on Alpine Linux. [5b3915cef32b]
2022-02-24 Todd C. Miller
  • configure, configure.ac:
    Add configure check for gzclearerr() when using system zlib. [388dd60cd577]
  • configure, configure.ac:
    Fix PVS-Studio platform check for macOS. [cc46ae5d60a3]
  • plugins/sudoers/ldap.c:
    sudo_ldap_parse_options: fix memory leak of sudoRole cn string. Coverity CID 249976 [bcf86c362e05]
  • src/sudo_intercept_common.c:
    command_allowed: plug memory leak on strdup() failure. Coverity CID 249972 [f15a58ed68d6]
2022-02-23 Todd C. Miller
  • plugins/sudoers/check.c:
    display_lecture: just return if callback is NULL [3e7352fbc28b]
  • lib/eventlog/eventlog.c:
    For alert messages it is possible for evlog to be NULL. Coverity CID 238641 [3e89523699fd]
  • logsrvd/logsrv_util.c:
    iolog_seekto: initialize struct timing_closure before using. Coverity CID 249977 [ea53680a2367]
  • logsrvd/iolog_writer.c:
    iolog_rewrite: initialize struct timing_closure before using. Coverity CID 249971 [d214237f3ce8]
  • scripts/mkpkg:
    Allow ARCH_FLAGS to be overridden and handle macOS 12. [f04f3405fa50]
  • scripts/mkpkg:
    Prefer if [ … ]; then over if test …; then. [4ba3e6ed7280]
  • .circleci/config.yml:
    Do not build with -Werror on macOS. Some macOS warnings are bogus, for instance it has an incorrect getgrouplist(3) definition. [7e5f469cb0ec]
  • .circleci/config.yml:
    Build and test macos with circleci. [fc62dc986646]
2022-02-22 Todd C. Miller
  • lib/iolog/regress/iolog_filter/check_iolog_filter.c:
    Fix compilation on systems without a real openat(2). [25067ad6772b]
  • plugins/sudoers/match_digest.c:
    Better warning message when the digest in sudoers is the wrong length. [c2043906f356]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set. [fd3d5706ffda]
2022-02-21 Todd C. Miller
  • plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/timestamp.c:
    Display the lecture immediately before prompting for a password. This means we no longer display the lecture unless the user is going to enter a password. Authentication methods that don’t interact with the user via the terminal don’t trigger the lecture. [17ef981664c3]
  • NEWS, plugins/sudoers/logging.c:
    Add back warning when a user is not allowed to run a command. Previously, the warning was displayed when a user was not in the sudoers file, or was present but not listed for the local host. The new behavior is to display the warning if a command is denied and mail is sent to the administrator. Whether or not mail is sent is controlled by the “mail_*” flags in sudoers. The warning text is now “This incident has been reported to the administrator.” which is hopefully less confusing. The message will not be printed if either the “mailto” or “mailerpath” sudoers settings are disabled. [dcaeadb7e558]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Document that negating mailto or mailerpath disables sending mail. [02d8aabd9af3]
2022-02-20 Todd C. Miller
  • plugins/sudoers/logging.c:
    Don’t try to send mail if mailto not set or the mailer is not present. [37166e692a9c]
2022-02-18 Todd C. Miller
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [194b42011062]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_filter/test1/log, lib/iolog/regress/iolog_filter/test1/timing, lib/iolog/regress/iolog_filter/test1/ttyin, lib/iolog/regress/iolog_filter/test1/ttyin.filtered, lib/iolog/regress/iolog_filter/test1/ttyout, lib/iolog/regress/iolog_filter/test2/log, lib/iolog/regress/iolog_filter/test2/timing, lib/iolog/regress/iolog_filter/test2/ttyin, lib/iolog/regress/iolog_filter/test2/ttyin.filtered, lib/iolog/regress/iolog_filter/test2/ttyout, lib/iolog/regress/iolog_filter/test3/log, lib/iolog/regress/iolog_filter/test3/timing, lib/iolog/regress/iolog_filter/test3/ttyin, lib/iolog/regress/iolog_filter/test3/ttyin.filtered, lib/iolog/regress/iolog_filter/test3/ttyout:
    Add tests for iolog filtering. This is the functionality used by the log_passwords and passprompt_regex options. [07e587dfd765]
  • lib/iolog/iolog_filter.c:
    iolog_pwfilt_run: apply regex on ttyout even if we disabled filtering. The heuristic used to decide when to disable filtering is when we see another ttyout buffer or find a cr or nl in the ttyin buffer. However, we should also check the buffer that caused us to disable filtering for a matching regex that would re-enable filtering. Programs that prompt for a password twice might otherwise not have the second password filtered. [f34bf167c3b4]
2022-02-16 Todd C. Miller
  • INSTALL.md, README.LDAP.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo_logsrvd.conf.in:
    Avoid using “note that” and “note: " in documentation. [d75995c86fe0]
  • INSTALL.md, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS.md, docs/SECURITY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Remove “please” from the documentation, it is considered bad style. [9c4a7bc1b48c]
  • docs/UPGRADE.md:
    Mention regular expressions and “sudo -l -U user” behavior change. [9bf947ed3e30]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    Add security notes about regular expressions in sudoers rules. [1748e3a05906]
2022-02-15 Todd C. Miller
  • lib/eventlog/eventlog.c:
    do_logfile_sudo: plug memory leak of full_line Coverity CID 249329 [d1d2bc51077a]
  • plugins/sudoers/logging.c:
    log_server_alert: plug potential memory leak Coverity CID 249328 [4d01a8e7dffb]
  • plugins/sudoers/logging.c:
    fmt_authfail_message: compute the exact amount of space needed. Instead of truncating on overflow, warn and return NULL. [96542ddc9674]
  • plugins/sudoers/parse.c:
    Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326 [23249273cd01]
2022-02-14 Todd C. Miller
  • docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/parse.c, plugins/sudoers/policy.c:
    Restrict “sudo -U other -l” to users with sudo ALL for root or “other”. Having “sudo ALL” permissions in no longer sufficient to be able to list another user’s privileges. The invoking user must now have “sudo ALL” for root or the target user. GitHub issue #134 [e2b4f8400599]
2022-02-13 Todd C. Miller
2022-02-12 Todd C. Miller
  • docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, lib/util/regex.c, po/sudo.pot:
    Limit regular expressions to 1024 characters each. Avoids a problem with the fuzzer creating large regular expressions that blow up the glibc regcomp(). [83b1cac11c79]
2022-02-11 Todd C. Miller
  • .gitignore, .hgignore, MANIFEST, configure, configure.ac, examples/Makefile.in, examples/sudo.conf.in, examples/syslog.conf, examples/syslog.conf.in:
    Substitute values in the example syslog.conf too. Also update ignore files for example changes [b13a7e6a630c]
  • MANIFEST, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/Makefile.in, examples/sudo_logsrvd.conf, examples/sudo_logsrvd.conf.in, examples/sudoers, examples/sudoers.in:
    Substitute paths set by configure in examples. Bug #1023 [f528fe7a8f88]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update Project-Id-Version to 1.9.10. [0ad7934baa9f]
  • plugins/sudoers/po/sudoers.pot:
    Update .pot files for 1.9.10 [c7a477455e2e]
  • MANIFEST, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/iolog/iolog_filter.c, lib/util/Makefile.in, lib/util/regex.c, lib/util/util.exp.in, plugins/sudoers/defaults.c, plugins/sudoers/match_command.c, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
    Add helper function to compile a regex that supports (?i). [d680d423d2df]
2022-02-10 Todd C. Miller
  • MANIFEST, configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/sudoers, plugins/sudoers/fmtsudoers.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/regress/sudoers/test29.in, plugins/sudoers/regress/sudoers/test29.json.ok, plugins/sudoers/regress/sudoers/test29.ldif.ok, plugins/sudoers/regress/sudoers/test29.out.ok, plugins/sudoers/regress/sudoers/test29.toke.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
    Add support for matching command and args using regular expressions. Either the command, its arguments or both may be (separate) regular expressions. [bef0b1a14771]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Clear sudoers_errstr after it is used. This way we avoid printing the same error message more than once if there are multiple ERROR tokens returned from the lexer. [8a7509cd1c46]
  • logsrvd/logsrvd_local.c:
    store_iobuf_local: fix potential double free on the error path. [f9a0e3cb3c7f]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Update links to sudo web site and reference markdown docs. [da9a9eb04f04]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Use a 4n indent for code blocks instead of the default 6n. [7322dd26a3d4]
  • plugins/sudoers/testsudoers.c:
    testsudoers: disable argument permutation in GNU getopt This makes it easier to test commands with arguments. [fb005b03a75e]
  • lib/iolog/iolog_filter.c:
    iolog_pwfilt_run: fix types in error return [663deea257d0]
  • lib/iolog/iolog_filter.c, plugins/sudoers/iolog.c:
    Free potential leaks of passprompt_regex_handle. Coverity CID 249057 [d562ea42ab66]
2022-02-09 Todd C. Miller
  • Merge pull request #133 from Dzejrou/main

    Do not unset user timeout when no default timeout is set. [58504381014e]

2022-02-09 Jaroslav Jindrak
  • plugins/sudoers/policy.c:
    Do not unset user timeout when no default timeout is set. [25f32be7d18d]
2022-02-08 Todd C. Miller
  • plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test2.in, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test2.toke.ok:
    Don’t escape double quotes (”) in a command when printing it. Previously, cvtsudoers and “sudo -l” would escape double quotes in a command or command line argument, which is not valid sudoers syntax. [3bd0505b03e2]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in:
    A few minor (mostly cosmetic) fixes. Add missing ALL to Runas_Member and Host. Replace some tabs with spaces. Fix the syntax of a sudoedit example. [a943116eb35b]
2022-02-04 Todd C. Miller
  • Merge pull request #132 from ninedotnine/patch-1

    Sync example sudoers with default sudoers [8c903452e624]

2022-02-04 dan soucy
  • examples/sudoers:
    Sync example sudoers with default sudoers

    sudoers.in was changed by 1d13533 [f34657ff9345]

2022-02-04 Todd C. Miller
  • ABOUT-NLS, INSTALL.md, NEWS, README.LDAP.md, docs/CONTRIBUTING.md, plugins/sudoers/po/README, po/README:
    Upgrade http links to https where possible and fix some broken links. [e33d61fdafdb]
2022-02-03 Todd C. Miller
  • plugins/sudoers/logging.c:
    Remove “This incident will be reported.” from user warnings. This used to indicate that email had been sent to the administrator telling them that someone tried to run sudo. Whether or not sudo sends email is now configurable, so the warning may not be accurate. It is also confusing to the user since they will not know who the incident is being reported to. See also https://xkcd.com/838/ [b2860bb51393]
  • plugins/sudoers/sssd.c:
    Log fn_get_values() return code in the debug log on error. Also move a nested switch() statement out of ‘case 0’ for improved readability. [ad609804a70c]
  • plugins/sudoers/sssd.c:
    Do not return an error if we cannot connect to the SSSD connector. This may simply mean that nsswitch.conf lists sss as a sudoers source but SSSD is not configured for sudo. Otherwise, the user will receive a useless “problem with defaults entries” when the sssd backend tries to fetch the global defaults. Bug #1022. [60bb147ed3e6]
  • plugins/sudoers/log_client.c, plugins/sudoers/logging.c:
    Set client_closure to NULL after freeing it. [20da8f0c9226]
  • plugins/sudoers/log_client.c:
    client_closure_alloc: init write_bufs/free_bufs before other allocations. We must initialize the tail queues before any possible call to client_closure_free(), such as due to malloc() failure. [5dd7d1ba2b76]
  • logsrvd/logsrvd_journal.c:
    Add missing default return in last commit. [e17820ba6ff8]
  • logsrvd/logsrvd_journal.c:
    sudo_logsrvd: make sure journal exists before writing the alert message. Fixes a potential NULL dereference when journaling an alert message. [19d109fb1420]
  • include/sudo_compat.h:
    Fix compilation on Debian kFreeBSD. The configure script correctly detects that utimensat() and futimens() are missing but the headers define stub versions of the functions. Including sys/stat.h pulls in the system definitions so we can override them safely. Bug #1021. [10775e14164a]
2022-02-02 Todd C. Miller
  • src/ttyname.c:
    Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid. If the /proc file indicates no terminal is present there is no fallback. Bug #1020 [c32620c9f115]
2022-02-01 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c:
    Add sudoers option to perform authentication even in non-interative mode. If noninteractive_auth is set, authentication methods that do not require input from the user’s terminal may proceed. It is off by default, which restores the pre-1.9.9 behavior of “sudo -n”. [f06dcd0957d0]
  • MANIFEST, lib/iolog/iolog_filter.c, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.7:
    Work around a glibc regcomp() bug with repeated ‘+’ operators. Glibc regcomp() has a bug where it uses excessive memory for repeated ‘+’ ops. Collapse them to avoid running the fuzzer out of memory. [db423326311f]
  • logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6:
    Rebase seed corpus on updated sudo_logsrvd.conf example. [1f30b95c6ce6]
  • logsrvd/logsrvd_conf.c:
    Fix parsing of “retry_interval” in the relay section. The setting was present but the callback was missing so it could not be parsed in the conf file. [09666425a392]
  • logsrvd/logsrvd_conf.c:
    Use TIME_T_MAX as the upper limit when parsing timeouts. [989eaa812d4e]
  • plugins/sudoers/auth/pam.c:
    converse: don’t set response pointer on error Linux pam_conv(3) says not to set the pointer on PAM_CONV_ERR. [79934c8631c0]
2022-01-31 Todd C. Miller
  • MANIFEST, plugins/sudoers/regress/cvtsudoers/sudoers4:
    Add missing sudoers4 test file for new cvtsudoers test. [5b9f3084d9e9]
  • MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test38.out.ok, plugins/sudoers/regress/cvtsudoers/test38.sh:
    defaults_check_conflict: it is only really a conflict if the binding match If the Defaults name matched but the binding does not, we can simply leave it be. Fixes a problem where given two sudoers sources that have a host specified, if they contain conflicting Defaults entries we would drop one of the Defaults instead of keeping both after making them host-specific. [9b8ad3d1e163]
  • MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test37.out.ok, plugins/sudoers/regress/cvtsudoers/test37.sh:
    Make it possible to merge a host-based Defaults with a global one. We convert the global Defaults to a host-based one with a single “ALL” member. Later, when we simplify the host list, we’ll convert this back to a global Defaults. [152c16a608c1]
2022-01-29 Todd C. Miller
  • logsrvd/logsrvd_conf.c:
    Check for garbage after [section] in sudo_logsrvd.conf. [46a222b60747]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
    Sync fuzzing dictionary with current configuration keyword list. [9af3929a2f6a]
2022-01-28 Todd C. Miller
  • docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
    Add new log_passwords and passprompt_regex settings. When logging terminal input, if log_passwords is false and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with ‘*’ characters until a newline or carriage return is found in the input or an output character is received. [1d07eaada99c]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/serialize_list.c, plugins/sudoers/sudoers.h, plugins/sudoers/unesc_str.c:
    Escape/unescape commas when serializing/deserializing a stringlist. [17c422c0b236]
  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Pass the operator to the Defaults callback too. That way we can tell what to do in callbacks for lists. [d541809b62bf]
  • MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_filter.c:
    lib/iolog: add support for filtering password out of tty input If a password regex is found in the tty output, tty input will be replaced with ‘*’ chars until a newline or another tty output character is received. [19c3a58dfe29]
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    Add a new sudoers settings log_passwords and passprompt_regex. When logging terminal input, if log_passwords is disabled and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with ‘*’ characters until a newline or carriage return is found in the input or an output character is received. [5fa969cfdef4]
  • plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
    Add a flag to avoid splitting list entries on white space. [32ac4cd5eae7]
2022-01-27 Todd C. Miller
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    “plain text” -> “plaintext” for consistency. [6cbefac27286]
2022-01-25 Todd C. Miller
  • po/ro.mo, po/ro.po:
    Updated translations from translationproject.org [c264de490846]
  • scripts/mkdep.pl:
    Fix potential infinite loop when trying to format long lines. [e17a3b7b657b]
2022-01-20 Todd C. Miller
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Document how commands are passed to the shell for the -i and -s options. The concatenation of command and arguments and escaping of special characters was not documented. Text adapted from GitHub issue #121 from Kris Rinzwind [852f803234af]
  • docs/TROUBLESHOOTING.md:
    Also mention no_new_privs error in the troubleshooting guide. [70cc0679098f]
  • INSTALL.md, docs/TROUBLESHOOTING.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
    Replace uid and gid with user-ID and group-ID in more places. [2b6bc95509fd]
2022-01-19 Todd C. Miller
  • INSTALL.md, README.LDAP.md, docs/HISTORY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
    Use the Oxford comma consistently, it is helpful in technical documents. [3df4b26d035e]
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    Document the error message when no_new_privs is set. [492a154dec10]
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
    Sudo now recovers from sudoers syntax errors. [77d457c4e722]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, examples/sudo_logsrvd.conf:
    Use the Oxford comma consistently, it is helpful in technical documents. [e8d29c772963]
  • plugins/sudoers/ldap_util.c:
    Quiet a cppcheck false positive. [023468af3269]
  • plugins/sudoers/sssd.c:
    Fix logic inversion when setting negated flag. [3e4051bc9f30]
  • src/sudo.c:
    Quiet a PVS-Studio format string warning. [77e953f3c46f]
2022-01-18 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Regen .pot files. [b999972bc90d]
  • plugins/sudoers/defaults.c:
    Don’t set/run early Defaults if a custom defaults_list is specified. Defaults settings passed in by the front end are already “early” so there is no need to treat any of them as special.

    Otherwise, we end up running the early defaults callbacks before sudoers has been parsed. This means that, for instance, it is not possible to disable the fqdn flag before its callback is run if sudo is build with the –with-fqdn option. Bug #1016. [8c6eaa503793]

  • plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
    Mark is_early_default(), run_early_defaults(), set_early_default() static. They are not used outside of defaults.c. [1045e8c7a92e]
  • plugins/sudoers/sssd.c:
    Add support in SSSD for negated users. [bca3d02cdd8b]
  • docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c:
    Add support in the LDAP filter for negated users. Based on a diff from Simon Lees [e1d48d44229e]
2022-01-12 Todd C. Miller
  • lib/util/mkdir_parents.c:
    Use PATH_MAX, not NAME_MAX+1 for the directory entry length. On some systems, such as Solaris, the max length of a directory entry is filesystem-dependent. We could use fpathconf() and dynamically allocate the name but it is simpler to just use PATH_MAX here. [d1a097783717]
  • plugins/python/python_plugin_common.c:
    Only emulate Py_FinalizeEx for Python 3.[0-5]. [b314942c0f2f]
  • lib/util/getcwd.c, lib/util/mkdir_parents.c:
    Use POSIX NAME_MAX, not the obsolete MAXNAMLEN define. Fixes compilation with musl libc. [a1609b2d968f]
2022-01-11 Todd C. Miller
  • src/limits.c:
    When applying fallback limits, make sure we don’t reduce rlim_max. Fixes a problem where sudo could reduce the max stack size on some systems if the original limit was higher than the fallback limit, but not unlimited/infinity. [1fef77204f17]
  • src/limits.c:
    Don’t modify the stack limit if it is >= SUDO_STACK_MIN. [b9e473780083]
  • plugins/sudoers/Makefile.in:
    The pre-install target requires visudo, add an explicit dependency. [b5b073d2fc9b]
2022-01-09 Todd C. Miller
  • src/sudo.c:
    If sudo is not set-user-ID root, check for the no_new_privs flag on Linux. This flag disables set-user-ID at execve(2) time and may be set by default for some containers. GitHub issue #129. [462249058274]
2022-01-08 Todd C. Miller
  • docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c:
    Add pam_askpass_service sudoers setting for “sudo -A”. This makes it possible to use a different PAM configuration for when “sudo -A” is used. The main use case is to only use PAM modules that can interact with the askpass program. GitHub issue #112. [5f59bc3f9d81]
2022-01-07 Todd C. Miller
  • lib/iolog/iolog_loginfo.c:
    Improve debugging info when fdopen() fails. [0d9711d8564a]
2022-01-06 Todd C. Miller
  • plugins/sudoers/sssd.c:
    sss_sudo_free_values() checks for NULL, no need to do it manually. [ccf012907a01]
  • plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
    Quiet a clang analyzer false positive. [90b6791616b0]
2022-01-05 Todd C. Miller
  • plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
    Quiet a clang analyzer false positive. [3c66e9be5f24]
  • plugins/sudoers/auth/sudo_auth.c:
    Fix return value for non-interactive mode for non-standalone auth methods. AUTH_NONINTERACTIVE was being stored in the wrong variable. [199a180e7fab]
  • plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, po/fi.mo, po/fi.po, po/ko.mo, po/ko.po, po/tr.mo, po/tr.po:
    Updated translations from translationproject.org [032877650fe6]
  • plugins/sudoers/cvtsudoers_merge.c:
    defaults_var_matches() should return bool, not enum match_result. Remove enum match_result as it is no longer used. [6559769ddcd1]
  • plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c:
    Quiet two PVS-studio warnings. [3a7c89cff3d6]
  • plugins/sudoers/auth/pam.c:
    Remove PAM_TTY workaround for old, buggy PAM modules. In the past, some PAM modules assumed that PAM_TTY was set and would misbehave (or crash) if not. This was primarily obsolete versions of Linux- PAM, so it should now be safe to remove this. Setting PAM_TTY to an empty string can cause its own set of issues. GitHub issue #74 [491cb67ea43b]
2022-01-04 Todd C. Miller
  • plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.h:
    Push non-interactive mode checking down into the auth methods. For “sudo -n” we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83 [bc9653ffe82f]
2022-01-03 Todd C. Miller
  • plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok:
    userspec_overridden: fix checks when there is more than one userspec [199996d29f50]
  • MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh:
    Fix merging of global/ALL entries when each input file has a host. If a host is specified for the input file, cvtsudoers will bind global Defaults to that host and change host “ALL” in a userspec to the host name. However, if all the input files have matching hosts we can simplify the merged file by converting back to ALL after resolving conflicts. [bfdb2edfca71]
  • docs/Makefile.in:
    LICENSE.md moved to the top-level src dir. [b1c2687eef9d]
2021-12-22 Todd C. Miller
2021-12-22 Tyler887
2021-12-22 Todd C. Miller
  • NEWS, docs/UPGRADE.md, plugins/sudoers/policy.c, src/selinux.c, src/sudo.c:
    Back out changes to enable SELinux by default. This may return in a future release in a different form. [73e46fbe5c27]
  • LICENSE.md, MANIFEST, README.md, docs/LICENSE.md:
    Move LICENSE.md out of docs and back to the top-level. GitHub expects it to be in the top-level directory. [3c62dd396aff]
2021-12-20 Todd C. Miller
  • MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh:
    cvtsudoers: fix a regression when merging matching Defaults. If a host is specified with a sudoers file, we have to treat Defaults as Defaults@host checking for duplicates. [9db413953938]
2021-12-18 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    add_defaults: add defs == NULL check to quiet coverity false positive [a534eee04069]
2021-12-17 Todd C. Miller
  • plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh:
    When merging Defaults, allow a subsequent global Defaults (no binding) to override a prior Defaults setting with a binding. [0be52fa6d4d8]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    add_defaults: defs can never be NULL [9ba97823b757]
  • plugins/sudoers/cvtsudoers_merge.c:
    Plug memory leak when making a default host-specific. We don’t need to allocate new space for the binding list, just the members of the list. [5667d09136f2]
2021-12-16 Todd C. Miller
  • MANIFEST, examples/Makefile.in, examples/cvtsudoers.conf:
    Add an example cvtsudoers.conf file. [aa738148e712]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h:
    Add group_file, match_local, and passwd_file to cvtsudoers.conf. Previously, these were only settable via command line options. [a7a8b0af3c42]
2021-12-12 Todd C. Miller
  • docs/TROUBLESHOOTING.md:
    Remove question about running Solaris 11 binaries on Solaris 10. Current versions of sudo use many APIs that are not present on Solaris 10. If you want a sudo Solaris 10 binary, build it on Solaris 10, not 11. [0346a46cf595]
  • MANIFEST, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh:
    Add simple test for cvtsudoers merge functionality. [fda86b17249a]
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [edfdaac9b1e7]
  • MANIFEST, plugins/sudoers/po/es.mo, plugins/sudoers/po/es.po:
    Add sudoers Spanish translation from translationproject.org [502d45c0af5f]
2021-12-11 Todd C. Miller
  • lib/util/mkdir_parents.c:
    sudo_mkdir_parents: make sure the path we created is a directory For extra paranoia, verify that the directory we created is still a directory before we fchown() it. [75c23aaa9fca]
  • docs/sudo.man.in, docs/sudo.mdoc.in:
    In SECURITY NOTES, clarify that PATH may be overridden by the policy. Bug #1014 [4f7035d6b921]
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/mkdir_parents.c, lib/util/mkdirat.c, logsrvd/logsrvd.c, plugins/sudoers/timestamp.c, scripts/mkdep.pl:
    Avoid TOCTOU in sudo_mkdir_parents() using openat(2) and mkdirat(2). This also allows us to make path const as it should be. [46db77e4afb8]
  • plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
    Sudo parsed “deref” and “tls_reqcert” in ldap.conf but didn’t set the options. The switch() in the sudo_ldap_set_options_table() function needed to be updated to treat CONF_DEREF_VAL and CONF_REQCERT_VAL data types as int. Fix from Dennis Filder. Bug #1013. [5f5bdf9010d7]
2021-12-10 Todd C. Miller
  • docs/SECURITY.md:
    Minor formatting tweak so we can import into the sudo web site. [220c647b6635]
  • plugins/sudoers/defaults.c, plugins/sudoers/pwutil_impl.c:
    Fix CodeQL “Multiplication result converted to larger type” warnings. [a17db0b94018]
2021-12-09 Todd C. Miller
  • docs/SECURITY.md:
    Surround email addresses with angle brackets, not square backets. [b9514c0165f2]
2021-12-08 Todd C. Miller
  • plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/fa.mo, po/fa.po, po/fi.mo, po/fi.po, po/ja.mo, po/ja.po, po/sr.mo, po/sr.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [b2815226875b]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.9 [e4e903808160]
2021-12-06 Todd C. Miller
  • README.LDAP.md, docs/CONTRIBUTING.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
    Minor formatting tweaks. [eee91b1fc68c]
2021-12-05 Todd C. Miller
  • INSTALL, INSTALL.md, MANIFEST, README, README.LDAP, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS, docs/CONTRIBUTORS.md, docs/HISTORY, docs/HISTORY.md, docs/LICENSE, docs/LICENSE.md, docs/Makefile.in, docs/TROUBLESHOOTING, docs/TROUBLESHOOTING.md, docs/UPGRADE, docs/UPGRADE.md, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Convert README and docs files to markdown. This makes things look better on GitHub and we can use the markdown version directly in the new sudo web site. [1cdcbce74a73]
2021-12-04 Todd C. Miller
  • Merge pull request #124 from juspence/main

    Allow sudo -g anyone and sudo -u anyone -g anytwo [1a000f5aaba1]

2021-12-04 juspence
  • plugins/sudoers/sudoers.in:
    Allow sudo -g anyone and sudo -u anyone -g anytwo

    When only the user (ALL) is specified explicitly, and the group is implied, only sudo -u works. Specifying both the user and group, like (ALL:ALL), is required to:

    1. Use sudo -g by itself (with no -u user) 2) Use sudo -u and -g together, with a -g group that is different from the -u user’s primary group [ca31aaa0b074]
2021-12-02 Todd C. Miller
  • lib/util/Makefile.in:
    Add build dir to include search path for mksiglist.h and mksigname.h Fixes out of tree builds on systems without sys_siglist[] or sys_signame[]. GitHub issue #123. [fccd76813052]
2021-11-29 Todd C. Miller
  • MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3:
    cvtsudoers: better merging of lists that are not exact duplicates When merging rules, if one list would be overridden by another, remove the overridden rule and continue merging. [19dc52bd9c6f]
2021-11-28 Todd C. Miller
2021-11-27 Todd C. Miller
  • src/edit_open.c:
    dir_is_writable: don’t treat EPERM from faccessat() as a fatal error. We can get EPERM on Linux with SELinux. GitHub issue #122. [25bbc56b2f6d]
2021-11-24 Todd C. Miller
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c:
    cvtsudoers: add -l option to log merge actions The “-l logfile” option can be used to store a log of what actions cvtsudoers took when merging multiple files. For example, which aliases were renamed, which entries were overriden or removed as duplicated. [fa96976882aa]
2021-11-21 Todd C. Miller
  • MANIFEST, docs/CONTRIBUTORS, po/fa.mo, po/fa.po:
    New Persian (Farsi) translation from translationproject.org [3665533a7219]
2021-11-20 Todd C. Miller
  • plugins/sudoers/cvtsudoers_csv.c:
    Quiet a PVS Studio warning. The warning that need_comma is always false is correct but in this case it is better to use a consistent construct so that if the code is re-ordered no bugs are introduced. [5109a34444f5]
  • lib/util/getentropy.c:
    Pass correct size to free_zero(). Coverity CID 241233 [2ba51f57deb5]
  • plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/defaults.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c:
    Add reference counting to Defaults bindings. Previously, we checked that the previous entry’s binding pointer was not the same while freeing. However, to be able to merge Defaults records we cannot rely on Defaults entries with the same binding being immediately adjacent. This removes the prev_binding checks in favor of a reference count which allows us to plug the memory leak in cvtsudoers when merging Defaults. [0a789516622b]
2021-11-19 Todd C. Miller
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/parse.h:
    cvtsudoers: merge aliases when multiple sudoers files are specified Duplicate aliases are remove. If there are conflicting alias names, the conflicts are renamed by appending a numerical suffix. For example, if there are two SERVERS Host_Aliases, the second one will be renamed to SERVERS_1. [d9b602626b8c]
  • plugins/sudoers/cvtsudoers_merge.c:
    cvtsudoers: merge Defaults when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the Defaults setting host-specific, if possible. Duplicate Defaults settings are removed and conflicts are warned about. It is not possible to resolve all conflicts automatically. [756b05304ccb]
  • plugins/sudoers/cvtsudoers_merge.c:
    cvtsudoers: merge userspecs when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the userspec host-specific, if possible. Duplicate userspecs are removed but conflicting entries are not currently pruned. [643b533bb4f4]
  • docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
    Document how to merge sudoers files with cvtsudoers. [241c3786f5a8]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c:
    init_parse_tree() now takes ownership of lhost and shost, if any. This means that lhost and shost in struct sudoers_parse_tree are no longer const and that free_parse_tree() will free lhost/shost. The only consumer that passed in lho.st/shost was the SSSD back-end which has been updated to avoid a double-free. [650bb75666fb]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_merge.c:
    cvtsudoers: use init_parse_tree() to initialize a parse tree. Also free the parse tree before exit. [9d8f8bb88192]
  • MANIFEST, Makefile.in, etc/macos-background.png, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Add a background image for the macOS installer. [39889307b278]
2021-11-18 Todd C. Miller
  • scripts/mkpkg:
    mkpkg: handle a macOS SDK that just uses the major version. For example, MacOSX11.sdk instead of MacOSX11.3.sdk. [ce41fc5aa672]
  • lib/util/Makefile.in:
    Add missing dependencies for timegm. [b20c4936504b]
2021-11-16 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c:
    Add support for specifying the hostname as a prefix to the sudoers file. If present, the host name is copied into the struct sudoers_parse_tree. [e87e11cccb6e]
2021-11-11 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c:
    cvtsudoers: parse multiple sudoers files and store them in a tail queue In the future the parsed files will be merged before they are output. [89c77b3f4157]
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
    Add sudoers_parse_tree_list, a tail queue of struct sudoers_parse_tree. This will be used to store multiple parse trees and merge them into a single sudoers_parse_tree. [073ada18f18b]
  • MANIFEST, docs/CONTRIBUTING.md:
    Add contributing guide. [a99f3a0757f6]
  • .github/workflows/codeql-analysis.yml:
    Create codeql-analysis.yml [efab25dab29c]
2021-11-10 Todd C. Miller
  • MANIFEST, docs/SECURITY.md:
    Add security doc, inspired by the Microsoft template. [0a8012f8ee35]
  • .gitignore, .hgignore, INSTALL, MANIFEST, Makefile.in, README, configure, configure.ac, doc/CONTRIBUTORS, doc/HISTORY, doc/LICENSE, doc/Makefile.in, doc/TROUBLESHOOTING, doc/UPGRADE, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/fixman.sh, doc/fixmdoc.sed, doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/schema.olcSudo, doc/sudo.conf.man.in, doc/sudo.conf.man.in.sed, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.man.in.sed, doc/sudo.mdoc.in, doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, docs/CONTRIBUTORS, docs/HISTORY, docs/LICENSE, docs/Makefile.in, docs/TROUBLESHOOTING, docs/UPGRADE, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/fixman.sh, docs/fixmdoc.sed, docs/schema.ActiveDirectory, docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo, docs/sudo.conf.man.in, docs/sudo.conf.man.in.sed, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.man.in.sed, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.man.in.sed, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, etc/codespell.skip:
    Rename “doc” directory to “docs” for better GitHub compatibility. [1268c3ae0916]
  • lib/util/Makefile.in:
    Use $(SED), not sed, when generating mksiglist.h/mksigname.h [7a7b636a3f32]
  • configure, configure.ac, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    Add configure check for sha1sum and use “openssh dgst -sha1” if missing. Only needed when building the seed corpus zip files. [3c74ceba0446]
  • include/sudo_compat.h:
    sudo_compat.h: include unistd.h regardless of OS type This helps to avoid issues with mismatched headers and libraries. [4a22435a2832]
2021-11-09 Todd C. Miller
  • plugins/sudoers/visudo.c:
    install_sudoers: fix return value when there is no temp file to install This can happen when no changes were made. Also preserve the edited temp file on error if we are unable to move it into place. [01c1052ac874]
  • plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout:
    Bump plugin version in test data to 1.18. [138b9f6a6143]
  • plugins/sudoers/defaults.c:
    free_defs_val: free rlimits like strings (which they are). [ade32de829cb]
  • plugins/sudoers/visudo.c:
    Rename {check,set}_perms variable to {check,set}_mode. Avoids a name clash with the set_perms() function. [a2dfa0d36690]
  • src/edit_open.c:
    Avoid symbol name clash with is_writable() function variable. Rename “is_writable” variable to “writable”. [a52bd106933b]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Document new resource limit settings. [022e51bff860]
  • doc/UPGRADE:
    Mention that the core dump size resource limit now defaults to 0. [22997e8008c9]
  • doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec.c:
    Document resource limit support in command_info[] and Bump plugin API minor. This is supported beginning with sudo 1.9.9 and plugin API 1.17. [2004a71a11b3]
2021-11-08 Todd C. Miller
  • config.h.in, configure, configure.ac, plugins/sudoers/defaults.c, src/limits.c:
    Use strtoul() on systems without strtoull(). We can assume that systems without strtoull() have 32-bit resource limits. [59c1be5a0387]
  • src/exec.c, src/limits.c, src/sudo.c, src/sudo.h:
    Add front-end support for setting resouce limits. The special value “user” means preserve the invoking user’s limit. The value “default” means don’t override the default limit for the user as assigned by the system (PAM, loging.conf, userdb, etc). [7ad6961d5d72]
  • plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c:
    Add basic support for setting resource limits in sudoers. The default for rlimit_core is “0,0” Resource limits are passed back to the front-end in command_info[] when set. [298d5e228635]
  • src/edit_open.c:
    switch_user_nonfatal: only define if using faccessat() [1a6b2c0240f5]
2021-11-06 Todd C. Miller
  • doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c:
    visudo: add -O and -P options to check/set owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007 [1f20721148b0]
2021-11-05 Todd C. Miller
  • doc/UPGRADE:
    UPGRADE: mention SELinux behavior change. [0b8cef633225]
  • src/selinux.c, src/sudo.h, src/sudo_edit.c:
    Rename selinux_setcon -> selinux_setexeccon [50bde2e4d922]
  • src/selinux.c:
    In the SELinux role is “unconfined_r”, disable SELinux support. We only want to apply SELinux to confined users. This is a bit of a hack as unconfined_r is specific to the targeted policy. [aaa8ee97f31e]
  • src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c:
    Separate out the code to compute the context from selinux_setup(). This makes it possible to determine whether we really need to execute the command via the sesh helper. What was left of selinux_setup() is now selinux_relabel_tty() and selinux_audit_role_change(). [687a81e59fdd]
  • plugins/sudoers/policy.c, src/selinux.c, src/sudo.c:
    Pass status of selinux sudoers setting to front-end as selinux-rbac. The front-end uses this to decide whether or not to enable SELinux. If selinux-rbac is true or if it is not present and selinux_role or selinux_type are set, SELinux support is enabled. Previously, SELinux support was only enabled if a role was specified. [2f21ae08ebbd]
  • src/edit_open.c:
    dir_is_writable: add fallback if changing UIDs fails The SELinux policy may not allow uid/gid changes which will break the writability checks and cause sudoedit to fail. [5c5928a0c314]
2021-11-04 Todd C. Miller
2021-11-01 Todd C. Miller
  • src/selinux.c:
    Make get_exec_context static, it is unused outside selinux.c. [be59f91e53dd]
  • doc/sudo.conf.mdoc.in:
    Fix lint warning: skipping paragraph macro: Pp before Bd [f84297a652d8]
2021-10-31 Todd C. Miller
  • doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
    Escape some minus signs (’-’) as required by newer groff. [4a1a2d6d5c19]
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/timegm.c, plugins/sudoers/Makefile.in, plugins/sudoers/gentime.c, plugins/sudoers/gmtoff.c, plugins/sudoers/parse.h, scripts/mkdep.pl:
    parse_gentime: use timegm() to generate time since the epoch The timegm() function is non-standard but widely available. Provide an implementation for those systems that lack it. Bug #1006 [3ca20dfdb44c]
  • include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl:
    Fix pasto in gmtime_r and localtime_r macros. Also add missing Makefile targets for them. [2310e188fdd4]
  • plugins/sudoers/gmtoff.c:
    Take daylight saving time into consideration when computing offset. Otherwise, the resulting time may be off by and hour, depending on whether DST is currently active compared to the target time. [20c60fe8e8fc]
2021-10-29 Todd C. Miller
  • scripts/mkpkg:
    Back out f2d82771e7dd, arm64e on macOS is still in preview state. Until arm64e on macOS is finalized, continue to build arm64 packages. [6c3bbd6ffc3a]
2021-10-27 Todd C. Miller
  • scripts/mkpkg:
    Build arm64e ABI binaries on macOS 11 and above. We originally used arm64 here but the correct ABI is arm64e. The arm64 arch will be removed in a future release. [f2d82771e7dd]
  • logsrvd/logsrvd_local.c:
    Use iolog_openat() when opening the log.json file in the I/O log dir. [9041b20b8d01]
2021-10-26 Todd C. Miller
  • logsrvd/tls_init.c:
    Use BIO_new_file() not BIO_new_fd() to read dhparams file. Older versions of OpenSSL and wolfSSL lack BIO_new_fd(). Also explicitly include openssl/bio.h and openssl/dh.h for wolfSSL. [8338f58d5ba0]
  • INSTALL, config.h.in, configure, configure.ac:
    wolfSSL not WolfSSL [4ee7f96ef87c]
  • .circleci/config.yml:
    Add wolfSSL variant to continuous integration tests. [dbbab23e069c]
  • docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add libwolfssl-dev to Debian and Ubuntu Dockerfiles Fedora does not appear to have an official wolfssl package. [12c0feaa0ebb]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    White space in an include file path supported by sudo 1.9.1 or higher. [9a22034de181]
2021-10-25 Todd C. Miller
  • INSTALL, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/iolog/hostcheck.c, lib/util/digest_openssl.c, lib/util/getentropy.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
    Add support for WolfSSL’s OpenSSL compatibility layer. Based on changes from Hayden Roche [568557ecb77b]
  • lib/util/Makefile.in, plugins/sudoers/Makefile.in:
    regenerate dependencies [d36bf7724e49]
  • logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h:
    Move include of log_server.pb-c.h into logsrvd.h and sendlog.h This way there is no include file order issue with the PROTOBUF_C_VERSION_NUMBER check. [23678487ffaf]
  • docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add pkg-config to all Dockerfile [63457bb84c4d]
2021-10-24 Todd C. Miller
  • logsrvd/tls_init.c:
    Use SSL_FILETYPE_PEM with SSL_CTX_use_PrivateKey_file, not X509_FILETYPE_PEM While they are defined to the same value in OpenSSL one should not rely on this. [1a1557931dbf]
2021-10-23 Todd C. Miller
  • configure, configure.ac:
    Fix setting _PATH_ASAN_LIB, need to double up the square brackets. [98143164620a]
  • logsrvd/sendlog.c:
    sudo_sendlog: send runenv, rungid and runuid from log.json too With this change, sudo_sendlog can now round-trip sudo-style I/O logs that use the newer log.json format without losing any information. [d9d3dad6cca3]
2021-10-22 Todd C. Miller
  • config.h.in, configure, configure.ac, lib/util/arc4random.c:
    arc4random: need to include sys/random.h on Solaris too. This was removed when Linux genentropy() was disabled. [18ea9b386950]
2021-10-21 Todd C. Miller
  • lib/iolog/hostcheck.c, lib/util/inet_ntop.c, logsrvd/logsrv_util.h, plugins/sudoers/log_client.h:
    Make sure INET_ADDRSTRLEN and INET6_ADDRSTRLEN are defined. [e347465e0a05]
  • plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Only include log_client.h if SUDOERS_LOG_CLIENT is defined. [c318f74cf2a8]
  • Merge pull request #118 from larb0b/main

    Define MAP_FAILED where relevant if undefined [74f3e9f1a1f4]

2021-10-21 Larkin Nickle
  • lib/util/getentropy.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/snprintf.c:
    Define MAP_FAILED where relevant if undefined

    On systems such as HP-UX 10.20, MAP_FAILED is not defined. [9f4976caa567]

2021-10-20 Todd C. Miller
  • configure, m4/libtool.m4:
    Improve macOS version detection to support macOS 11 and simplify legacy logic From Jeremy Huddleston Sequoia [f09b45ab460a]
  • logsrvd/sendlog.c:
    sudo_sendlog: send multiple I/O log records together if possible Try to fill the write buffer and then send to the server instead of sending records one at a time. [0b084cd75d64]
  • logsrvd/sendlog.c, logsrvd/sendlog.h:
    sudo_sendlog: support multiple write buffers like sudo_logsrvd [a46b88eff200]
  • configure, configure.ac, lib/util/Makefile.in:
    Always link libsudo_util.so with libcrypto.so if using OpenSSL. We may need to use RAND_bytes() in the getentropy() emulation. [9c805a008d76]
  • config.h.in, configure, configure.ac, lib/util/getentropy.c, plugins/sudoers/boottime.c:
    Add an explicit check for sys/sysctl.h. This test needs to be done after AC_LANG_WERROR to avoid including sys/sysctl.h on systems where it is marked as deprecated via a #warning directive. [d9f1f97b0f37]
  • config.h.in, configure, configure.ac, lib/util/arc4random.c:
    Use our own getentropy() by default on Linux. The glibc getentropy() emulation will fail on older kernels that don’t support getrandom(). Also use sudo_fatal() instead of sending SIGKILL on getentropy() failure. GitHub issue #117. [1ca9d10ff780]
  • lib/util/getentropy.c:
    Use the OpenSSL RAND_bytes() function if getrandom() fails. [5f82f6d2ea36]
  • lib/util/Makefile.in, lib/util/arc4random_buf.c, scripts/mkdep.pl:
    Fix compilation of standalone arc4random_buf(). Apparently this code was never compiled anywhere. [a66c68c3a976]
  • lib/util/uuid.c:
    sudo_uuid_create: no longer need a union for the uuid. [a9277bf0078c]
2021-10-19 Todd C. Miller
  • lib/eventlog/eventlog_free.c:
    eventlog_free: free signal_name too [1da686483f2a]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.dict:
    Add new log.json keywords [f4a30fc6c4ed]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c:
    fuzz_iolog_json: initialize exit_value to -1 [bac9826b95a1]
  • logsrvd/logsrvd.c:
    Fix potential use-after-free when calling iolog_flush_all(). We need to call iolog_flush_all() before scheduling the commit point. If we fail to schedule to commit point, the closure will be freed. Coverity CID 220557 [364736f15a06]
  • logsrvd/sendlog.c:
    sendlog: use runargv from log.json if available [88a0f4d7bb94]
  • logsrvd/sendlog.c:
    sudo_sendlog: send exit data in eventlog if present [fdacc0f68c56]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
    No longer need to pass exit params to eventlog_exit(), use struct eventlog. Now that struct eventlog includes the exit parameters we can simplify how eventlog_exit() is called. [8580c0e8334d]
  • include/sudo_eventlog.h, lib/iolog/iolog_json.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c:
    Read command run_time, signal and exit_value from I/O log log.json file. [05223c4cca0c]
  • logsrvd/logsrvd_local.c:
    Log the command run-time and exit status in the I/O log. [8b02b373f79b]
  • lib/eventlog/eventlog.c:
    format_json: fix pasto when setting dumped_core boolean [ca11285c088a]
2021-10-18 Todd C. Miller
  • lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c:
    Handle a missing run_time in an ExitMessage. It is now possible to pass a NULL run_time to eventlog_exit(). [f3e989682931]
2021-10-16 Todd C. Miller
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c:
    No need to flush logs before commit point if we flush after each write. Also document that logs are flushed before sending a commit point even when flushing is disabled. [50323241569d]
2021-10-15 Todd C. Miller
  • MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_flush.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
    Flush I/O logs before we send a commit point. The commit point message means we have written the data to disk so we should not be buffering it any longer. We do not currently fsync(2) the data after flushing, perhaps we should. [5233172b7531]
  • logsrvd/logsrv_util.c:
    Do not treat a resume point of [0, 0] as an error. If the connecton is interrupted before sudo sends back a commit_point message, resuming at [0, 0] is correct. Also add a warning on unexpected EOF parsing the timing file. [105f29878ad7]
2021-10-11 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Display a more helpful message if the user tries to run “sudo cd”. Since “cd” is a shell built-in command it cannot be run directly via sudo. The user either needs to spawn a shell via “sudo -s” or use the -D option to run a command in a specific directory. [4d45797dfb11]
  • configure, configure.ac:
    Don’t install sudoers.a when configured with –enable-static- sudoers. We already avoid installing it when –disable-shared-util is specified. [0d2022bc07cb]
2021-10-10 Todd C. Miller
  • scripts/mkpkg:
    mkpkg: preserve make exit value on exit Fixes a problem where the exit value from mkpkg was 0 even on error. [0d0f15bf10cf]
  • plugins/sudoers/cvtsudoers_csv.c:
    Fix typos in SELinux and Solaris priv support. [16b9a1459f1d]
  • MANIFEST, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c:
    cvtsudoers: initial support for CSV output For CSV output we double quotes strings that contain commas. For each literal double quote character present inside the string, two double quotes are output. [8f7763b74563]
  • lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    regenerate dependencies [09d11b5c7d41]
  • docker/README, etc/codespell.ignore:
    Fix typo and avoid a codespell false positive. [81a365b29c3c]
2021-10-08 Todd C. Miller
  • .circleci/config.yml:
    Add build-nointercept and test-nointercept [d39877327ccc]
2021-10-07 Todd C. Miller
  • .circleci/config.yml:
    circleci: test multiple build options We now do separate builds with LDAP/SSSD enabled, logsrv client/server disabled, and static-sudoers enabled. [4d8a9b45156c]
  • configure, configure.ac, plugins/sudoers/Makefile.in:
    Fix fuzzer build with when –enable-static-sudoers is used. This introduces a sudoers-specific version of LT_STATIC instead of appending the –tag=disable-shared to SUDOERS_LDFLAGS. I’ve also removed the -static flag as it should not be needed. [864a2fd4e3f7]
2021-10-05 Todd C. Miller
  • docker/README:
    Mention –security-opt=seccomp=unconfined workaround for bleeding edge. May be needed for Fedora rawhide and Ubuntu testing, among others. [a465fdb0a7de]
  • configure, configure.ac:
    Try to handle the case where libasan.so is a linker script. Fixes check_noexec with ASAN on Fedora where libasan.so just includes the actual library file. [f96d1d0cea53]
  • .circleci/config.yml, docker/README, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile:
    Enable address and undefined behavior sanitizers in CI builds. We need to disable leak sanitizer during “make check” because it uses ptrace which is not allowed for unprivileged containers. [9378e3856a60]
2021-10-04 Todd C. Miller
  • .circleci/config.yml:
    Switch to Ubuntu latest for circleci build. [1270ca1ba47d]
  • .circleci/config.yml, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Add build user for circleci instead of running as root. [27dcb5218cb2]
  • .circleci/config.yml, MANIFEST, docker/README, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
    Use circleci for continuous integegration. Build container descriptions are in the new docker directory. [d5b5b16b0624]
2021-10-03 Todd C. Miller
2021-10-01 Todd C. Miller
  • plugins/sudoers/sudoreplay.c:
    Sync “sudo -l” output with normal sudo log format. It now prints runchroot and runcwd (falling back on cwd). As a result, submithost is now printed first, matching sudo. Also avoid printing NULL pointers and skip entries that don’t have at least command, submituser and runuser set. [0d6b96ec88a1]
  • lib/iolog/iolog_json.c:
    iolog_parse_json_object: optimize for large argv [5fa1929189a3]
2021-09-29 Todd C. Miller
  • configure, configure.ac:
    Add “-fcf-protection” to SSP_CFLAGS and SSP_LDFLAGS if supported. Can be disabled via –disable-hardening. [589507ecadf4]
  • configure, configure.ac:
    Add “-z now” to hardened link options if supported. Can be disabled via –disable-hardening. [11ff1d86440b]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
    find_editor: remove the env_error argument There is no case where we should fail to find an editor just because the values of EDITOR, VISUAL and SUDO_EDITOR are unavailable. Both sudoedit and the “env_editor” sudoers setting are documented as falling back on the hard-coded list of editors in the “editors” sudoers setting. Bug #1000 [caa529a0cab6]
  • plugins/sudoers/check_aliases.c:
    Use sudo_printf(SUDO_CONV_ERROR_MSG) instead of fprintf(stderr). Avoids extraneous output in the fuzzer. [981d3abd96c7]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Stub out sudo_printf() and avoid other use of stderr in fuzzers. This makes it possible to parse sudoers without using quiet mode, resulting in better coverage. [3215cad4174f]
2021-09-28 Todd C. Miller
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Use a consistent version of fuzz_conversation() with all fuzzers. Also undo a change to fuzz_sudoers.c that snuck in to the last commit. [8a94b06302b7]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Fuzzers should not produce output. Excessive output makes the fuzzer runs much less efficient. [b9c485009c0f]
  • logsrvd/logsrv_util.c:
    expand_buf: fix conditional for when we need to preserve existing data It is possible for the buffer offset to be zero when the length is non-zero. The proper value to use is the same as is used for the memcpy/memmove size. Fixes buffer corruption caused by a very long command line that usually results in a dropped connection. [59a4319b3463]
2021-09-27 Todd C. Miller
  • config.h.in, configure, configure.ac, lib/util/closefrom.c:
    Emulate closefrom() on macOS using proc_pidinfo(). This avoids relying on /dev/fd which may not exist in a chroot jail. Adapted from a change in OpenSSH by likan_999.student AT sina.com [2e86d4150ce5]
2021-09-26 Todd C. Miller
  • src/edit_open.c:
    Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure. FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP. This is only used to present the user with a more appropriate error message. [ca5499c8c40f]
2021-09-24 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c:
    Fix typo in last commit, use boolean AND not bitwise. [685bd5d9ce6f]
  • doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
    Add the ability to filter/match by command via the -m option. For example “cvtsudoers -m cmd=/bin/ls” would only display entries that would allow /bin/ls to be allowed or denied. [3534a0170c59]
2021-09-23 Todd C. Miller
  • doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/pwutil.c:
    Add –group-file and –passwd-file options to cvtsudoers. These are based on the code in testsudoers. [3286dd5dd0bf]
2021-09-22 Todd C. Miller
  • lib/util/mkdir_parents.c:
    Move cppcheck suppression annotation to where it needs to be. [17d601bc91f3]
  • lib/util/mksigname.c:
    format string fix: print signal number as unsigned. Quiets a cppcheck warning; mksiglist.c already has this fixed. [a28b72dceec4]
  • plugins/sudoers/ldap_util.c:
    Fix memory leak on error path if snprintf() overflows. Coverity CID 188804 [73872d2e2cd0]
2021-09-21 Todd C. Miller
  • plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c:
    Avoid reinitializing other auth methods. [af0495460943]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    expand_include: add bounds checking when expanding %h escape. [3c0ca1f0d4e5]
  • plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Check snprintf() return values even if we preallocated the correct amount. There are no remaining unchecked snprintf() that can actually overflow. [0eaf1d4daa84]
  • include/sudo_iolog.h, lib/iolog/iolog_nextid.c:
    iolog_nextid(): make iolog_dir argument const. We make a copy of the directory so there’s no real reason that parameter can’t be const. [f278847ca9aa]
  • plugins/sudoers/ldap_util.c:
    Amend truncation fix, the real problem was the size passed to snprintf(). sudo_rcstr_alloc() takes a length (not a size) parameter so when calling snprintf() we need to add one to the length. [92f8a8b86d20]
  • plugins/sudoers/ldap_util.c:
    Fix truncation of the last char of the sudoRole cn passed to append_default(). This string is primarily used for warning messages. Also check the snprintf() return value to avoid silent truncation. GitHub issue #115 [22b8d7bc62f8]
2021-09-20 Todd C. Miller
  • etc/codespell.exclude:
    Standardize on “front-end” not “front end” in the man pages. [b0ad634852e7]
  • logsrvd/logsrvd_journal.c:
    Reuse existing journal file for an accepted/rejected sub-command. Otherwise we end up with zero-length files in the incoming queue dir and may end up relaying one of those instead of the actual journal file. [545897a2761c]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Re-enable error output for the sudoers parser. It is only the alias and defaults warnings we need to suppress. [114bd7756a7c]
  • src/exec_intercept.c:
    Add intercept_cleanup() stub for when building w/o intercept support. [bd6f32a90787]
  • src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
    Add intercept_cleanup() to free the closure used by intercept_accept_cb(). [55f6aea8b517]
  • plugins/sudoers/auth/pam.c:
    Don’t re-initialize PAM for sub-commands. [faa7aec4d145]
  • logsrvd/logsrvd_local.c:
    sudo_logsrvd: only send log ID for first command of a session There is no need to send the log ID for each sub-command. [625b18c5f821]
  • plugins/sudoers/log_client.c:
    Only store the first log id received from the server. Plugs a small memory leak in intercept mode if the log server sends the log ID again for sub-commands. [ca2ad5b219cd]
2021-09-19 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    fuzz_sudoers: don’t warn about unknown defaults entries Some fuzzing inputs cause a huge number of warnings and displaying them all can result in the fuzz run timing out. If we disable the warnings we can avoid the timeout. [4823ee305937]
  • plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/policy.c:
    Limit paths for command, cwd and chroot to PATH_MAX bytes. This helps prevent the fuzzer from going off the rails. [9550fa76a645]
  • plugins/sudoers/sudoers.c:
    sudo -i: missing NULL terminator when moving argv to make room for –login Fixes a potential crash for “sudo -i” when the target user has bash as the shell (which needs the –login option). Bug #998. [4b297f2ead15]
  • lib/eventlog/eventlog.c:
    Only append argv[] to the log line if argv[0] is not NULL. It should not be possible to reach this point with a command defined but argv[] empty but it doesn’t hurt to check. [61f9cf744673]
2021-09-18 Todd C. Miller
  • plugins/sudoers/check_aliases.c:
    Only warn about an undefined alias or a cycle a single time. There’s no point in warning about the same problem multiple times. This implementation assumes a small number of warnings and so just uses a simple listed link. [4461f65d1bad]
  • configure, configure.ac:
    Remove now-unused CHECK_INTERCEPT variable. [447dbf8bea48]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Quiet pvs-studio false positive: V557 Array overrun is possible. Make the zero length check explicit so as not to confuse static (or human) analyzers. [512ab29a9f28]
2021-09-17 Todd C. Miller
  • MANIFEST, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test17.sh:
    Test that digest matching works with LDAP sudoCommand: ALL [f7ec49401d4f]
  • plugins/sudoers/ldap_util.c:
    Allow a digest to be specified with the “ALL” command for ldap/sssd back-ends. This has been possible with sudoers file entries since sudo 1.9.0 but no corresponding change was made for ldap/sssd. [89a30bbd7dac]
  • lib/eventlog/eventlog.c:
    Use localtime_r() not gmtime_r() when formatting the local time. This is consistent with how sudo formatted time stamps prior to the logging code being split off into libeventlog. We only need to use gmtime_r() for ISO 8601 time. [aee6e29ba9d6]
  • lib/eventlog/eventlog.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c:
    Check strftime(3) return value in all cases. Old versions of strftime(3) didn’t guarantee to NUL-terminate the buffer so we explicitly clear the last byte of the buffer and check it. [bc402e4bd4d2]
  • config.h.in, configure, configure.ac, logsrvd/tls_init.c:
    tls_init.c: use SSL_CTX_set0_tmp_dh_pkey if present. Fixes a warning on OpenSSL 3.0 and plugs a memory leak of dhparams on config reload. [02027ea86d3b]
  • configure, configure.ac, lib/util/digest_openssl.c:
    Use the EVP digest routines instead of calling SHA2 functions directly. Avoids compiler warnings with OpenSSL 3.0. EVP_MD_CTX_new() is only available for OpenSSL 1.1 and higher–we will fall back to sudo’s SHA2 code if necessary. [6fbac28175f9]
  • configure, configure.ac:
    When using pkg-config, don’t assume the names of the ssl and crypto libs. On the HP-UX build machines these are named libssl_pic.a and libcrypto_pic.a to avoid conflicting with the system libs. [a8eb772b3a4d]
  • lib/util/sudo_debug.c:
    Store milliseconds in the debug file timestamp. Sometime second granularity is not enough. [1df3e75f1133]
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/gmtime_r.c, lib/util/localtime_r.c:
    Add gmtime_r and localtime_r tests and compat if missing. [709671c493a3]
  • lib/eventlog/eventlog.c, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c:
    Use gmtime_r() and localtime_r() instead of gmtime() and localtime(). [5758514b25cb]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
    Plugin lines are for approval and audit plugins too. [67bb7c0687f2]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in:
    Standardize on “front-end” not “front end” in the man pages. [68748f8cc8a6]
  • MANIFEST, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test16.sh:
    Add a test to exercise Bug #994 [eef2ece0e8d4]
  • scripts/mkpkg:
    mkpkg: limit the number of cores used to 16 [5b8f2aa834b8]
2021-09-16 Todd C. Miller
  • plugins/sudoers/ldap_util.c:
    Always allocate a struct sudo_command for the command, even for ALL. This was missed in the previous set of changes, resulting in a crash for LDAP and SSSD rules that give sudo “ALL” privileges. Bug #994. [91d0379b068a]
  • plugins/sudoers/Makefile.in:
    Add SUDOERS_LDFLAGS to FUZZ_LDFLAGS Fixes a fuzzer link error when building with ldap if the ldap libs are not in the default library search path. [a450881f9763]
  • configure, configure.ac:
    Fix the OpenSSL link order for the non-pkg-config case. Since -lssl depends on -lcrypto, -lcrypto must be listed after -lssl. Fixes linking of non-dynamic OpenSSL libs. [787724ab6e87]
2021-09-15 Todd C. Miller
  • src/sudo_intercept_common.c:
    sudo_interposer_init: verify message type from sudo We should only get a HelloResponse from sudo at this point. [a021319260b3]
  • include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
    Avoid symbol name clash to fix –enable-static-sudoers linking. [5cc5e415844f]
2021-09-14 Todd C. Miller
  • plugins/sudoers/defaults.c, plugins/sudoers/policy.c:
    append_defaults() should not be passed a value for boolean flags. The operation should simply be set to true/false. Also treat a NULL file as coming from the front-end. Bug #993. [86e69d358916]
2021-09-13 Todd C. Miller
  • configure, configure.ac, plugins/python/Makefile.in, scripts/mkdep.pl, src/Makefile.in:
    Teach mkdep.pl about –tag=disable-static in LTFLAGS. If static objs are disabled we need to add explicit dependencies for .o files. The OpenBSD libtool doesn’t use a pic object file when linking executables so we need to build the non-pic objects too. [cdefeeb41a64]
  • configure, configure.ac:
    Use SUDO_APPEND_LIBPATH when appending to LIBTLS and LIBMD. The OpenSSL pkgconfig files only include -L paths, not -R paths. Using SUDO_APPEND_LIBPATH ensures the rpath is set correctly so the binaries will run (not just link). [29d051972287]
  • INSTALL, configure, configure.ac:
    Add –enable-openssl-pkgconfig-template option. This can be used to find the correct openssl pkg-config file if it is not named “openssl” (also libcrypto). [77cd3463cefa]
  • plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
    Some POSIX yacc fixes for bison 3.8 yyerror() must be extern void declare tokens with type instead of using separate %type lines [c4e57f9e7df5]
2021-09-09 Todd C. Miller
  • .gitignore, .hgignore:
    Add src/intercept.exp to ignore files. [4eaa182a8808]
2021-09-08 Todd C. Miller
  • configure, configure.ac:
    Fix typo introduced in 1.9.7 that set SUDO_LDFLAGS to SUDOERS_LDFLAGS. Copy pasta is not always the best kind of pasta. [08188442f77b]
  • MANIFEST, configure, configure.ac, m4/sudo.m4, src/Makefile.in, src/intercept.exp, src/intercept.exp.in, src/sudo_intercept.c:
    sudo_intercept.so: only replace execvpe() if it is present. execvpe() is a GNU extension also found on *BSD (but not macOS). [26153ad9c6ca]
2021-09-07 Todd C. Miller
  • src/sudo_intercept.c:
    Implement simple PATH resolution for execvp(). We want to use PATH from the current value of the environment, not the initial value of PATH when the policy was opened. This is a little different from how real execvp() works since we use stat() instead of just execve(). [fae58e1962cc]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
    Add support for execl, execle, execlp, execvp, and execvpe. Currently, PATH traversal is handled by sudoers which uses the original PATH, not the one updated by the shell. [59dfbbd39bf6]
2021-09-03 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y:
    Remove conditional include of alloca.h, we don’t define HAVE_ALLOCA_H. The configure check for alloca() was removed long ago but this got missed. [4c64529df149]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Define RBAC and mention incompatibility with intercept/log_subcmds. [a44d8f96cad6]
2021-09-02 Todd C. Miller
  • src/exec_intercept.c:
    Fix computation of the token address when handling a partial read. We want to treat it as an array of bytes, not an array of tokens. Coverity CID 240011 [0bb3fb3315ce]
  • plugins/sudoers/parse.c:
    Quiet a PVS-Studio format string warning. [4e445c646dc8]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Regen .pot files. [4cec17bc24da]
  • plugins/sudoers/po/cs.po:
    Updated translations from translationproject.org [62fdbab57411]
2021-09-01 Todd C. Miller
  • configure, configure.ac, lib/util/sudo_conf.c, scripts/mkdep.pl, src/Makefile.in, src/exec_common.c, src/exec_intercept.c:
    Do not compile intercept code if –disable-intercept is specified. [9d31e2822c24]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
    We now intercept execv() too. [f0eac891cb5c]
  • INSTALL:
    INSTALL: –disable-intercept will also disable “log_subcmds” [55ddfdae455d]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/parse.c:
    Can’t use intercept or log_subcmds with SELinux RBAC. SELinux policy will prevent the inherited socket from sudo from being used and may also restrict the ability to connect back to the sudo process. [b73409172859]
  • po/cs.mo, po/cs.po:
    Updated translations from translationproject.org [7543d0d50ee2]
  • include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
    Switch to a 128-bit token instead of a 64-bit secret. Protobuf doesn’t have a 128-bit type so use two u64s. We now support partial reads of the token. [e39ece25fb3b]
2021-08-31 Todd C. Miller
  • MANIFEST, lib/util/Makefile.in, lib/util/regress/uuid/uuid_test.c, lib/util/uuid.c:
    Fix random uuid generation, no need to convert between byte order. Also add regression test. [fd2940acffc2]
  • include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
    sudo_intercept.so: send the secret immediately after connecting. Sending the secret out of band, before the message size is read, should make it harder to mount a DoS attack. [4c8b6577bd8c]
  • src/sudo_intercept_common.c:
    Handle reading large messages that don’t fit in a single recv(). We know the length of what we are receiving so just loop until we have it all, get EOF or an error. [1b8aa927ea83]
  • configure, configure.ac:
    Add checks for -fstack-clash-protection and -Wl,-z,noexecstack We use -Wc,-fstack-clash-protection as the linker flag to prevent libtool from removing it from the link line. [7cd701b5039e]
  • src/exec_intercept.c:
    Make the sudo side of the intercept socket non-blocking. [3fe7129ea1f2]
  • src/exec_intercept.c:
    Handle partial read/write by dropping back into the event loop. [fa216d963e18]
  • src/exec_intercept.c:
    intercept_check_policy: Fix double free introduced in last commit If the command is not accepted we don’t rebuild command_info[] and must not free it. It will be freed by the policy instead. [8bbd2af0924b]
2021-08-27 Todd C. Miller
  • include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
    Update runcwd in command_info[] before passing it to the audit plugin. Since sudoers does rejected commands itself the runcwd will still not be correct for those. [5462a5e1d760]
  • src/exec_preload.c:
    Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var. [04d8d7750ff6]
2021-08-26 Todd C. Miller
  • src/exec_intercept.c:
    intercept_check_policy: fix potential NUL dereference on the error path. [4d1b3f39ccb1]
  • NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/sudo.h:
    Rename log_children -> log_subcmds [abd73fc939c3]
  • plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [f948528780fb]
  • lib/util/sudo_debug.c:
    Add sudo_debug_register_v2() stub for fuzzing build. [ba522c0c2075]
  • src/exec_intercept.c:
    Fix use-after-free on error. Also remove useless free of a ptr that is always NULL on the error path. [75200535be80]
  • src/exec_common.c:
    No longer need to remap intercept fd but we do need to remap debug fd. The intercept fd is closed in the ctor but the debug fd will still be open. [b48125b884f3]
  • include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, src/sesh.c, src/sudo.c, src/sudo_intercept_common.c:
    sudo_debug_register: add minfd argument to specify lowest fd number Use this in sudo_intercept.so to avoid allocating a low-numbered fd which the shell reserves for use by scripts. [50b23c4d0531]
  • src/exec_intercept.c:
    Fix command name of sub-command in logs when log_children is set. [c1b35686d8b4]
2021-08-25 Todd C. Miller
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    log_allowed: pass struct eventlog * instead of argv[] and envp[]. This lets us log based on the command_info[] list passed in from the front-end. Previously, much of the struct eventlog was constructed from internal sudoers state instead. [4c4a7ddfeba3]
  • include/sudo_compat.h:
    sudo_compat.h: include unistd.h on HP-UX to safely redefine pread/pwrite HP-UX 11.31 defines static functions for pread() and pwrite() which will conflict with our macros. [2dd64cdc261f]
  • config.h.in, configure, configure.ac, include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
    Change intercept IPC to use a localhost socket instead of inherited fd. This allows intercept mode to work with shells that close all open fds upon startup. The ctor in sudo_intercept.so requests the port number and secret over the socket inherited from the parent then closes it. For each policy request, a TCP connection is made to the sudo parent process to perform the policy check. Child processes re-use the TCP socket to request the port number and secret just like the initial process started by sudo does. [7e7e4a389f11]
  • src/exec_intercept.c:
    Add a state variable to intercept_closure, replaces policy_result. [60fae103a4cd]
  • plugins/sudoers/match_command.c:
    command_matches: avoid printf("%s") of NULL in debug for sudo ALL. [5c81c2c32b4c]
  • Merge pull request #111 from commodo/fix-cflags

    lib/util/Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list} [ee86d28da792]

2021-08-25 Alexandru Ardelean
  • lib/util/Makefile.in:
    lib: util: Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list}

    When cross-build support was added for mkig{name,list} was added, the CFLAGS and CPPFLAGS should have been updated to the HOSTCFLAGS/HOSTCPPFLAGS vars.

    In a cross-build scenario, some of these flags don’t match what the compiler can understand (because they may be architecture specific) and may fail the build.

    Using the HOSTCFLAGS/HOSTCPPFLAGS works and builds successfully. Also the output binary works on the target.

    This is in continuation of

    Signed-off-by: Alexandru Ardelean <ardeleanalex@…> [f76870e1a6c5]

2021-08-24 Todd C. Miller
  • src/exec_intercept.c:
    Fold intercept_closure_reset() into intercept_close(). [ff00ab240672]
  • src/exec_preload.c:
    Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD. [e4cd1043c7bb]
  • src/exec_preload.c:
    Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD vars. [9044d0dff708]
  • src/sudo_intercept.c:
    Fix typo in macOS execv change. [1c637d909382]
2021-08-21 Todd C. Miller
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
    Add execv(3) support to sudo_intercept.so. This allows intercept to work with csh which uses execv(3) not execve(2). [690ebf72b6f8]
2021-08-20 Todd C. Miller
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Sync the list of functions trapped by sudo_noexec.so. [b1f7799209ff]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
    Add a Debug example for sudo_intercept.so Don’t try to enumerate all the sudo programs that support debugging since all of them do. [9c1201eaaca2]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Update sudoers Debug example to match the debug changes from sudo 1.8.12. [7c831aa9b6d5]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
    sudo_intercept.so only intercepts execve(2) for now. [7314abc72fb9]
  • plugins/sudoers/parse.c:
    Fix formatting for bound defaults with multiple entries in the binding. The entries in the binding were separated with " ," instead of “, “. [14442701f793]
  • MANIFEST, src/Makefile.in, src/intercept.exp:
    Add exports file for sudo_intercept.so that only exports execve() [ac97417435ab]
  • src/Makefile.in, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Add some debugging to the sudo_intercept.so. [2dee003b5cc7]
  • config.h.in, configure, configure.ac:
    Use AC_FUNC_FSEEKO instead of AC_CHECK_FUNCS_ONCE([fseeko]). This will define _LARGEFILE_SOURCE, if needed, to make the prototype visible on older systems. [3f4314f6a795]
2021-08-19 Todd C. Miller
  • config.h.in, configure, configure.ac, include/sudo_compat.h:
    We still need the pread/pwrite hack for HP-UX 11.11 at least. This time around, avoid defining _LARGEFILE64_SOURCE and just declare pread64/pwrite64 ourselves. [66e01b14a10f]
  • include/sudo_compat.h:
    Fix prototypes for sudo_pread() and sudo_pwrite(). [15acfc576a71]
  • src/exec_intercept.c:
    intercept_fd_cb: store the passed fd in newfd, not fd only affects the old BSD-style fd passing code, not POSIX-style. [4b13aa4593ba]
  • lib/util/Makefile.in:
    Fix mksiglist and mksigname dependencies. [31519cc5ec2b]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    set-user-ID and set-group-ID not set user-ID and set group-ID. [0ddf5fedc896]
  • NEWS:
    The fix for bug #989 will make sudo 1.9.8. Also mention intercept_authenticate and intercept_allow_setid. [fa8b7444486b]
  • .gitignore, .hgignore, MANIFEST, aclocal.m4, configure, configure.ac, lib/util/Makefile.in, lib/util/mksiglist.c, lib/util/mksiglist.h, lib/util/mksigname.c, lib/util/mksigname.h, lib/util/sys_siglist.h, lib/util/sys_signame.h, m4/ax_prog_cc_for_build.m4:
    Cross-build support for mksigname and mksiglist We must build these with the host C compiler but use the target preprocessor to generate the output. [bf2919b63fb9]
2021-08-19 a1346054
  • .clang-format, INSTALL, MANIFEST, autogen.sh, doc/LICENSE, etc/sudo.pp, examples/Makefile.in:
    Minor cleanup (#110)
  • fix trivial shell script issues
2021-08-19 Todd C. Miller
  • logsrvd/logsrvd_conf.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/exptilde.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c:
    Replace messages like “unknown foo: %s” with “unknown foo %s”. The colon really doesn’t belong there; we generally use a colon to separate a message from the warning detail. [a1b99c8821ae]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    log_server_peer_cert and log_server_peer_key are not required by default. They are only required if sudo_logsrvd has tls_checkpeer enabled. [0d9099ce5d74]
  • logsrvd/logsrvd_conf.c:
    Sync warning messages with sudoers/logging.c Avoids 3 translation strings that were effectively duplicated. [eb058a820998]
2021-08-18 Todd C. Miller
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Add intercept_allow_setid sudoers option, disabled by default. With this change, a shell in intercept mode cannot run a setuid or setgid binary by default. On most systems, the dynamic loader will ignore LD_PRELOAD for setuid/setgid binaries such as sudo which would effectively disable intercept mode. [cdb876f62882]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c:
    Always allocate a struct sudo_command for the command, even for ALL. Previously we special-cased handling of ALL but this complicates some upcoming changes. [d552109d739c]
2021-08-16 Todd C. Miller
  • etc/codespell.exclude:
    Update TAGS_CHANGED macro based on parse.h [261e4bad3f55]
  • doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Better document the limitations of intercept mode. Also mention log_children under “Preventing shell escapes” [0dfca8d0672d]
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.8. [ed2582c37765]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Try to clarify log_server_peer_key and log_server_peer_cert. These are client-side not server-side. [ffa4ee3e2557]
  • logsrvd/logsrvd_conf.c:
    Print the section when warning about an illegal key in the conf file. This should make it easier to tell when a setting is present in the wrong section. [8150a7775155]
2021-08-14 Todd C. Miller
  • lib/eventlog/eventlog.c:
    new_logline: limit offset to two significant digits after the decimal Now instead of TSID=0001L3@5.168230749 we would log TSID=0001L3@5.16. [089f7a1285cb]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c:
    Set umask to be less restrictive before creating parent directories. Otherwise we could end up creating them with a more restrictive mode than indended. Coverity CID 221592 [1bbb3621106a]
  • lib/eventlog/eventlog.c:
    new_logline: handle case where evlog is NULL [e14ded2179e8]
  • logsrvd/logsrvd_local.c:
    store_alert_local: fix memory leak on error path Coverity CID 238642 [2a3c7fb50c38]
  • plugins/sudoers/audit.c:
    log_server_accept: fix memory leak of evlog when logging a sub- command. Coverity CID 238643 [36a7325b3dc2]
  • src/exec_intercept.c:
    Fix memory leak when client requests secret. Move closure allocation closer to where it is used. [773ffe0cb216]
  • logsrvd/logsrvd_local.c:
    store_accept_local: fix return value on error [de0d06a1ade2]
2021-08-13 Todd C. Miller
  • lib/eventlog/eventlog.c:
    Cast iolog_offset.tv_sec to long long for %lld printf format. Quiets a compiler warning on systems where tv_sec in struct timeval is not long long. [54d757357a00]
  • doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, lib/iolog/iolog_timing.c, plugins/sudoers/sudoreplay.c:
    Add support for an optional offset when parsing the ID to replay. The offset is a suffix in the form of @sec[.nanosec] [f8cda41ea0ae]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
    For intercepted commands, log an offset into the current I/O log. This can be used with sudoreplay to jump to when a specific command was executed within a session log. [fd9431d7c878]
  • logsrvd/logsrvd_local.c:
    Don’t overwrite closure->evlog for sub-commands. [925c97582b1d]
  • config.h.in, configure, configure.ac, include/sudo_compat.h:
    Older Solaris has getusershell() et al but does not declare it. [df4cd6a5e07f]
  • src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_intercept_common.c:
    Add missing stdint.h and sudo_rand.h includes. Needed for arc4random() and uin64_t. [47fd965524fe]
  • include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
    Pass a secret value to sudo_intercept.so and verify after policy check. The goal is to make it harder for someone to have a fake policy checker. This will not stop a determined adversary since the secret is present in the address space of the running process. [7938c63384df]
2021-08-11 Todd C. Miller
  • MANIFEST, src/Makefile.in, src/exec.c, src/exec_intercept.c:
    Split off intercept code into exec_intercept.c. [2c05715c4885]
  • scripts/mkpkg:
    Add trivial support for FreeBSD packages. The actual FreeBSD port supports multiple options but this is sufficient for testing purposes. [6bb8a1cdf26c]
  • scripts/pp:
    FreeBSD: Set default directory and file mode if not specified in %files Otherwise, a mode of 0 will be used, potentially rendering the system unusable. [a3be86a5f85f]
  • plugins/sudoers/logging.c:
    Use same check for intercepted commands as log_server_accept(). Previously, log_server_reject() and log_server_alert() just checked whether client_closure has been set. [41177f7c32f4]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
    Call shutdown() on sockets before closing() if they are connected. This should ensure that the other side sees any queued data before the connection is dropped. [beaafc6c17cf]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
    If SSL_shutdown() returns 0 it needs to be called one more time. [52bb0acfb659]
  • plugins/sudoers/editor.c:
    resolve_editor: sudoers_gc_remove(editor) before freeing it. [534cc939264f]
2021-08-10 Todd C. Miller
  • lib/util/mksigname.h, lib/util/siglist.in:
    Sync siglist.in with the generated files. The change to prefer SIGSYS over SIGUNUSED wasn’t made to siglist.in. Also, mksigname.c doesn’t need to explicitly set sudo_sys_signame[0]. [c331b05f8fc5]
  • plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/gc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add garbage collection to resolve_editor(). Fixes a leak when evaluating the policy multiple times if sudoedit is set. [ab011d864e87]
2021-08-09 Todd C. Miller
  • src/exec_common.c:
    Fix compilation when configure option –disable-shared is specified. [98687e01c8e4]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add intercept_authenticate sudoers option, defaults to false. By default, sudoers will not require authentication of commands run via an intercepted session. To require authenticaton of subsequent commands, enable intercept_authenticate in sudoers. [b428c75da1ad]
  • config.h.in, configure, configure.ac, src/exec.c, src/sudo_intercept_common.c:
    If msg_control is not present in struct msghdr use msg_accrights instead. Fixes building on Solaris and probably others. It is possible to expose msg_control on Solaris but this requires a specific set of feature flag defines which can cause other complications. [6ee77b869a8c]
  • configure, configure.ac, src/exec_preload.c:
    Require that our dso be first in the list to make sure it takes effect. Otherwise, another dso could take precedence and ours would not be run. [58ba4086357c]
  • configure, configure.ac, pathnames.h.in, src/Makefile.in, src/exec_preload.c:
    If building with address sanitizer make sure its DSO is first. Address sanitizer requires that it be preloaded before any other DSO in LD_PRELOAD. This should not be required for clang, which links in asan statically by default. [a812062f42a8]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    Plug some memory leaks when sudoers_policy_main is called multiple times. These would get cleaned up a policy close time but we don’t want to bloat sudo’s memory footprint when running a shell with multiple commands. [7fee001ffeae]
  • plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c:
    Fix logging intercepted commands to a log server in sudoers. Only available when the server supports the subcommands capability. [5975770561de]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Use a separate uuid for intercepted commands. We use the uuid to match the command with its exit status. [467f0db6e2c6]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    Avoid some double frees in the fuzzer Now that sudoers free old values of NewArgv and command_info the fuzzer needs to reset those values. Otherwise we end up with stashed values that have already been garbage collected. [2a1b5808d272]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Add “intercept” Defaults setting to allow interception of sub- commands. This causes “intercept” to be set to true in command_info[] which the sudo front-end will use to determine whether or not to intercept attempts to run further commands, such as from a shell. Also add “log_children” which will use the same mechanism but only log (audit) further commands. [f42e11c0fde9]
  • INSTALL, configure, configure.ac, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in, include/sudo_conf.h, lib/util/sudo_conf.c, lib/util/util.exp.in, pathnames.h.in, src/Makefile.in, src/exec.c, src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
    Add support for loading the sudo_intercept.so DSO. [47d84cc8a8ed]
  • include/sudo_compat.h, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sesh.c, src/sudo_exec.h:
    Allocate a socketpair to communicate with sudo_intercept.so over. This is used for the intercept and log_children options. [b40091760952]
  • plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Make it possible to call the sudoers policy check function multiple times. We need to reset the Defaults values to their original state. [3187e87d7fb6]
  • plugins/sudoers/set_perms.c:
    Allow set_perms(PERM_INITIAL) to be called more than once. If the perm stack depth is non-zero when set_perms(PERM_INITIAL) is called, rewind it first and re-initialize the stack depth to 0. Fixes a user-after-free bug if set_perms(PERM_INITIAL) is called multiple times. [fdf9a2e07eb1]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Use run_argv and run_envp passed into the audit plugin for event logging. Previously we used NewArgv[] and env_get() but now that logging is performed via an audit plugin we should use the values passed in. [d8e031fc2389]
  • doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c:
    Allow multiple accept/reject messages during a logsrv conversation. The log server now advertises a subcommands flag if it supports logging subcommands (e.g. commands run from a sudo-spawned program like a shell). The client should only log additional commands during a session if this flag is set in the ServerHello message. [5b88982604e8]
  • MANIFEST, Makefile.in, configure, configure.ac, lib/logsrv/Makefile.in, lib/logsrv/protobuf-c.c, lib/protobuf-c/Makefile.in, lib/protobuf-c/protobuf-c.c:
    Add separate convenience lib for protobuf-c We need to use it for sudo <-> sudo_intercept.so communication. [9529d7f9db18]
  • MANIFEST, include/intercept.pb-c.h, src/Makefile.in, src/intercept.pb-c.c, src/intercept.proto:
    Define protocol for sudo <-> sudo_intercept.so communication. Uses google protocol buffers. [139ba292e226]
  • src/exec.c, src/sudo.c, src/sudo.h:
    Implement the sudo side of the sudo_intercept.so communication. [4a7face9ed17]
  • MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Implement sudo_intercept.so. Uses protobuf to talk to main sudo process over a socketpair. [fc21ae0f663e]
  • src/sudo.c, src/sudo.h:
    Add return values for most of the plugin function wrappers that returned void. Previously, they would just exit if there was an error. Now the error is passed back up the stack so we can use them in sudo_intercept.so. [87cb4b0e7dff]
  • src/sudo.c:
    Reduce the number of function args passed to plugin wrappers. This makes sudo_settings, user_info, submit_argv, submit_envp and submit_optind global. This will be required for calling the wrapper from outside of sudo.c where we may not have access to those variables. [525bffcf911c]
  • src/exec.c, src/sudo.c, src/sudo.h:
    Call the approval plugin after the policy plugin accepts a command. Previously, for intercepted commands we only called the policy plugin. [4df18aaa8708]
  • src/exec.c:
    Take control of the tty and save its settings before doing a policy check. Otherwise the policy plugin won’t be able to read the password. [6a422974d472]
  • MANIFEST, src/Makefile.in, src/exec_common.c, src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
    Move preload_dso() to its own file and rename to sudo_preload_dso(). It now takes an intercept fd as an optional argument instead of a list of extra variables to add. This lets us check whether it is already set to the expected value (and add it if not). sudo_intercept.so now uses sudo_preload_dso() to make sure that LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing. [447e96378d01]
  • src/exec_preload.c, src/sudo_intercept_common.c:
    Add debug support to sudo_intercept.so [586ea125cebb]
  • src/exec.c, src/exec_nopty.c, src/exec_pty.c:
    Make the log_children option only log and not check policy. [0524c7e87174]
  • plugins/sudoers/prompt.c:
    expand_prompt: use correct strlcpy() size parameter The available size passed to strlcpy() was computed incorrectly. Switch to updating the length after writing to the new prompt instead of computing it each time. The actual buffer size is computed and allocated correctly so there is no real consequence to this bug. Found by Qualys. [c03f1c2f8f35]
2021-08-03 Todd C. Miller
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
    The tls_verify setting only affects server behavior, not the client. Originally, there was a flag in the ServerHello message to indicate that the client should verify the server cert, but this was removed TLS was moved to a separate port. Client validation of the server certificate is now configured in the sudoers file instead. [344b51f3eee3]
2021-08-02 Todd C. Miller
  • scripts/mkpkg:
    On macOS, don’t disable tty tickets and set password timeout to 0. This more closely matches the options used by the macOS version of sudo. [bd21c492921c]
  • plugins/sudoers/find_path.c:
    Add some debugging info to find_path() [dd7aebb432d6]
2021-07-30 Todd C. Miller
  • lib/iolog/iolog_mkdtemp.c:
    iolog_mkdtemp: umask must not be more restrictive than the file modes. We need this even though we will be calling mkdtemp() since the umask affects the mode of any parent directories. [c545b3369eae]
2021-07-29 Todd C. Miller
  • plugins/sudoers/visudo.c:
    Plug memory leak in error path when sudoers cannot be opened. [3df6b32149b8]
  • plugins/sudoers/defaults.c:
    Trying to use “+=” or “-=” operators on a non-list is an error. Previously, they were simply treated as “=” for non-lists. [3e0d47d0b4ea]
  • src/regress/net_ifs/check_net_ifs.c:
    Plug a memory leak in check_net_ifs found by address sanitizer. [bff1ad993476]
  • configure, configure.ac:
    Prefix sanitizer and fuzzer options with -XCClinker in ASAN_LDFLAGS. Otherwise libtool may ignore the options when linking. [ed1120f3813d]
2021-07-27 Todd C. Miller
  • logsrvd/tls_init.c:
    Display the correct error message if X509_verify_cert() fails. We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string() instead of the generic OpenSSL error functions. [778bbbe68e28]
  • lib/eventlog/eventlog.c:
    In new_logline check for NULL args->reason for EVLOG_RAW. This can’t happen in practice since we never set EVLOG_RAW without passing in a reason. Coverity CID 237142 237143 [83f9038151db]
  • lib/eventlog/eventlog.c:
    format_json: don’t dereference evlog if it is NULL. Also silence a PVS Studio false positive. [150039f65d26]
2021-07-26 Todd C. Miller
  • config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c:
    Use TLS_method() instead of TLS_client_method() throughout. OpenSSL returns an error for SSL_accept() if TLS_client_method() was used to generate the context (LibreSSL doesn’t care).

    Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method() were used in the TLS client and server initialization code respectively. This was refactored in sudo 1.9.7 to allow the code to be shared. Bug #988 [1ca00726b4d6]

  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Only replace getaddrinfo for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. This works around an issue on SCO which uses inline functions in the header files which call the actual, versioned, library function. [64cbf884b7f9]
2021-07-26 MertsA
  • src/utmp.c:
    Rewind utmp file pointer after searching for entry (#108)

    getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries. [142555f7a47e]

2021-07-25 Todd C. Miller
  • configure, configure.ac, m4/sudo.m4:
    Use AC_CACHE_CHECK in place of AC_MSG_CHECKING + AC_CACHE_VAL where possible. [7b0fb8de8276]
  • config.h.in, configure, configure.ac, include/sudo_compat.h:
    Add configure check for va_copy instead of using #ifdef This prevents the va_copy compat #define from being used if sudo_compat.h is somehow included before stdarg.h. [fcfd53b859ac]
2021-07-23 Todd C. Miller
  • src/limits.c:
    Avoid using RLIM_INFINITY for the nofile soft limit to prevent closefrom_fallback() from closing too many file descriptors. [e807ca9bfb6a]
  • plugins/sudoers/logging.c:
    Include signal.h for SIG2STR_MAX and sig2str(). [ad17a1be07e2]
2021-07-15 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
    Create a UUID and log it in the JSON version of the event log. [8a1ad98fac51]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
    Remove unused info_cb and info arguments from eventlog_exit() [c614ef1afa12]
2021-07-09 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c:
    Add support for logging exit status events. For sudo-formatted logs, this is a record with “EXIT=number” and potentially “SIGNAL=name” after the command. For JSON-format logs, a new “exit” record is logged which contains an “exit_value” and potentially “signal” and “core_dumped”. JSON-format logs now incude a UUID to associate the “exit” record with the “accept” record. [52e40ae4b79a]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Add log_exit_status sudoers option to log when a command exits. This option defaults to off. [cac3ca7ad193]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
    Add log_exit setting in the sudo_logsrvd.conf eventlog stanza This causes sudo_logsrvd to log a record with the exit status or terminating signal in response to an ExitMessage. [1a15f676974a]
2021-07-08 Todd C. Miller
  • plugins/python/python_plugin_common.c:
    Check that the python module we actually loaded is what we intended. This is intended to provide a more useful error message if the user defines a module which conflicts with a system python module. For example, a module called test.py would conflicts with the system python test module. [0676191e4741]
2021-07-02 Todd C. Miller
  • doc/CONTRIBUTORS:
    Mention that xkcd inspired the sandwich logo. [c7839328e21f]
  • doc/HISTORY:
    Mention log server and fuzzers under Quest contributions. [f4a081f75cd0]
2021-06-26 Todd C. Miller
  • src/sesh.c, src/sudo.c, src/sudo_edit.c:
    Don’t assume that the number of groups returned by getgroups() is static. On systems where getgroups() returns results based on more than just the per-process group vector in the kernel it is possible for the number of groups to change in between invocations. Based on GitHub PR #106 from Pierre-Olivier Martel. [dbc7a173a7b8]
  • doc/Makefile.in:
    Use “mandoc -Tlint -Wwarning” instead of -Wstyle. The style checks now include “referenced manual not found” warnings which is not helpful. [251757f22498]
2021-06-22 Todd C. Miller
2021-06-21 Todd C. Miller
  • lib/fuzzstub/fuzzstub.c:
    Change ms from size_t to long. Avoids a spurious test failure on Solaris 9 [c26f8d233ea9]
  • plugins/sudoers/interfaces.c, src/net_ifs.c:
    Move definition of INADDR_NONE from interfaces.c to net_ifs.c. Fixes compilation on Solaris 9. [9da2276cf944]
2021-06-19 Todd C. Miller
  • logsrvd/logsrvd.c:
    Fix dead store found by clang analyzer. [5c85aeef651e]
  • logsrvd/logsrvd_conf.c:
    Fix prefix skipping when the prefix is embedded and not separate. This doesn’t currently matter since the progname and the “: " are stored in separate messages. Found by clang analyzer. [321e90e1b347]
  • logsrvd/logsrvd_relay.c:
    Remove dead store found by clang analyzer. [5fd56f26e1ba]
2021-06-16 Todd C. Miller
  • plugins/audit_json/audit_json.c:
    Make sure we store an octal number (like umask) as a string. JSON doesn’t (portably) support octal numbers with a leading zero. [3ac37bb42f1e]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Replace logsrvd_is_early() with logsrvd_warn_stderr(). This is now defined in logsrvd_conf.c which removes a dependency on another compilation unit for the fuzzer. [3594cf3ec397]
2021-06-15 Todd C. Miller
  • logsrvd/logsrvd_local.c:
    Silence a compiler warning on Solaris. [fd9ba461b601]
  • logsrvd/logsrvd.c:
    Reduce scope of errstr variable so it is only declared for OpenSSL. [eebe09a17f4b]
  • logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_init.c:
    Use sudo_warnx?() instead of sudo_debug_printf for errors. We now hook the warn functions so the messages are logged. The messages still show up in the debug log too. [9e25dc71b4cc]
2021-06-14 Todd C. Miller
  • MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/vsyslog.c, scripts/mkdep.pl:
    Remove vsyslog(3) emulation, it is no longer used. [7d1b78c2037a]
2021-06-13 Todd C. Miller
  • logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    If logsrvd_config not set fall back to using stderr for warnings. Also fix fuzz_logsrvd_conf link error. [eeaafe1b3e09]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
    Add support for logging server warning/error messages. We can use sudo_warn_set_conversation() to set a conversation function that either writes to a log file or calls syslog(). [5d8e13f053d0]
2021-06-11 Todd C. Miller
2021-06-09 Todd C. Miller
  • plugins/audit_json/audit_json.c:
    Check arrays that are passed in for NULL before using them. [925ba5b0f2cb]
  • configure, configure.ac:
    Disable nss_search()-based group lookups on HP-UX for now. There is a crash when “group: compat” is used in /etc/nsswitch.conf that I haven’t been able to debug. Since HP-UX doesn’t ship the appropriate headers it is likely that there is a mismatch between include/compat/nss_dbdefs.h and what HP actually uses. [28b00005c785]
2021-06-08 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h:
    Remove logsrvd closure ERROR state and use a boolean flag instead. Fixes a bug where we would not insert a journal file that failed to relay into the queue because its state was changed from CONNECTING to ERROR after failing to connect. [638285a4bedb]
  • include/compat/nss_dbdefs.h, lib/util/getgrouplist.c:
    Add NSS_TRYAGAIN and correct buflen in struct nss_XbyY_buf_t. Add some function argument names. Also use struct nss_db_state * instead of void * in nss_db_root_t. We don’t define struct nss_db_state but since it is a pointer all we need is a forward declaration. [bc848fb97671]
2021-06-07 Todd C. Miller
  • lib/fuzzstub/fuzzstub.c, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in:
    Make sure we link with libsudo_util after libfuzzstub. This only affects builds with a static libsudo_util. Also fix a warning on HP- UX about main not being public. [18ff1f108c4e]
  • MANIFEST, lib/util/Makefile.in, lib/util/regress/getgrouplist/getgids.c:
    Add getgids utility to simular “id -G” using sudo_getgrouplist2() [aed11065818d]
  • lib/util/getgrouplist.c:
    Make sure we don’t read or write past the end of the group buffer. We need to leave room for the terminating NULL in gr_mem. It is possible for gbm->numgids > gbm->maxgids if we ran out of room. [25a3ee849fd4]
2021-06-04 Todd C. Miller
  • lib/util/getgrouplist.c:
    Add some debugging to sudo_getgrouplist2(). [4d79e92c8ee8]
2021-06-02 Todd C. Miller
  • src/load_plugins.c:
    Fix some debug_decl typos and remove an unneeded cast. [fafa91ac3def]
  • plugins/sudoers/defaults.h:
    T_TIMEOUT is not a bitwise flag so doesn’t need to be a power of 2. [66019af6d642]
2021-05-28 Todd C. Miller
  • src/load_plugins.c:
    sudo_stat_plugin(): set errno but do not warn if plugin path too long. The caller will display the warning (using errno) so there is no need to do it twice. [c8614b374a35]
2021-05-26 Todd C. Miller
  • doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in:
    sudoreplay does not parse sudoers to find the value of iolog_dir. The default value for the I/O log directory is set at build time. [3cf72612e992]
  • plugins/sudoers/policy.c:
    Fix group list ref leak in sudoers_policy_store_result() on error path. [34785448a275]
2021-05-24 Todd C. Miller
  • plugins/sudoers/policy.c:
    Update comment to match reality. [ec3e0a40d1ec]
2021-05-13 Todd C. Miller
  • configure, configure.ac, scripts/ltmain.sh, src/Makefile.in:
    Build sudo_noexec.so as a module on systems other then Darwin. On Darwin, shared modules and shared libraries are not interchangable and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it must be a library, not a module. We must relax the requirement that libraries begin with a “lib” prefix to work around this difference. This does mean you must use sudo’s libtool on Darwin (macOS) but that is already a requirement on other systems (notably HP-UX and SCO) due to a number of libtool patches we require that haven’t be accepted upstream. This is a different fix for PR #102. [2e5454c56d3c]
  • configure, configure.ac:
    Use -Wno-deprecated-declarations on macOS This quiets warnings about LDAP and audit libraries being deprecated. We will use them until they are removed in a future version of macOS. [6fbdf644865c]
2021-05-12 Todd C. Miller
  • plugins/sudoers/log_client.c:
    Don’t include errno in “unable to connect to log server” message. There should be a more specific message, usually with an error string, displayed earlier. [e599f9b0fd1c]
  • lib/iolog/hostcheck.c:
    Explicitly include netinet/in.h for struct sockaddr_in and sockaddr+_in6. Fixes a compilation problem on FreeBSD. [2277c8f37c34]
2021-05-10 Todd C. Miller
  • plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po:
    Updated translations from translationproject.org [3d6d49097b98]
  • plugins/sudoers/log_client.c:
    Better warning when close function is passed a non-terminal signal. [8b8628249e4d]
  • logsrvd/logsrvd_local.c:
    Remove line causing store_suspend_local() to return false on success. This is something that should have been removed as part of the local I/O logging refactor. [e8ae1e61b8b2]
  • src/exec_pty.c:
    Don’t set the command status in the closure when the command is suspended. This should only be set for signals that terminate the process. Fixes a bug where the sudo front-end could call the plugin close function with a non-terminal signal argument. [a95024bfb6e8]
2021-05-07 Todd C. Miller
  • plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c:
    Quiet -Wshadow warnings from gcc. [7ff2985ba650]
  • NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in:
    The -g option may also be used with any group the target user belongs to. The description in the Runas_Spec section incorrectly stated that the -g option could not be used if no runas group was set. Bug #975. [67d1948d1aa8]
  • configure, configure.ac:
    Remove redundant “configuring Sudo version X.YY” line. We now display this along with the summary info at the end. [0d7c908f8d4c]
  • configure, configure.ac:
    Don’t check for -Wl,-z,relro twice. [a30dce71fb26]
2021-05-06 Todd C. Miller
  • plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po:
    Updated translations from translationproject.org [9303a20fe480]
  • scripts/mkpkg:
    Build python plugin for RHEL 6 as well. [edaa6ec0e255]
  • configure, configure.ac:
    Remove shell-style quotes in configure warning/error/notice messages. Square bracket quotes are used, no need for shell-style double quotes. [e6de284df511]
  • NEWS, configure, configure.ac:
    Summarize configure settings after all tests have run. This makes it a lot easier to see what features have been enabled. [12ea96affed5]
2021-05-04 Todd C. Miller
  • INSTALL, configure, configure.ac:
    Remove –with-efence option, there are better options available. [78fd5ceb2c52]
  • NEWS:
    Move misplaced changes into the 1.9.7 section where they belong. [1519f7a4669b]
  • lib/util/regress/sudo_conf/conf_test.c:
    Awful hack to pass on macOS where group_source=dynamic by default. [b038bfab8c34]
  • plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/ca.mo, po/ca.po, po/it.mo, po/it.po, po/sr.mo, po/sr.po:
    Updated translations from translationproject.org [7b156da85d13]
  • doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h:
    sudo_sendlog: rename -m (max-time) to -s (stop-after). [4f016111b242]
  • logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c:
    Update closure->elapsed_time in journal_seek(). Otherwise the commit point messages won’t be accurate when restarting. [6cd4db44b8ee]
  • doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h:
    Add “-m elapsed” option to specify the max elapsed time of records to send. Useful for testing the ability of the server to handle restarted log transfers. [cd9c9235e320]
2021-05-03 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
    Disable reading from client or relay when sending error to client. We treat an error from the relay as fatal and must stop processing data from both client and relay to make sure we don’t get out of sync. [258f9691b3d9]
  • logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c:
    Fix I/O log restart of locally-store logs. This got broken a while ago when evlog in struct connection_closure was changed to a pointer. [8b59122891f9]
  • scripts/pp:
    Fix detection of the volatile flag when other flags are present. Otherwise flags fields like “volatile,ignore-other” will be ignored by the Debian and BSD back ends. [0d120b9eab71]
  • src/limits.c:
    Fix debug message when prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) fails. GitHub issue #101 [7d266c174457]
  • logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_common.h, plugins/sudoers/log_client.c:
    Don’t hard-code the TLS connect timeout, use normal connect timeout. For sudo_logsrvd, this is the relay connect_timeout setting. For sudoers, this is the log_server_timeout setting. [49e29f187f5a]
2021-05-02 Todd C. Miller
  • logsrvd/logsrvd_queue.c:
    Add missing closedir(3) in logsrvd_queue_scan(). Coverity CID 221591 [e9745c64a721]
  • configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, m4/sudo.m4, pathnames.h.in:
    Rename logsrvd log dir to /var/log/sudo_logsrvd. [fb979be9927e]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c:
    Make the failed relay retry interval configurable. This is the amount of time to wait before trying to resend a journal to the relay server after a connection error. [cbc04201a63e]
2021-05-01 Todd C. Miller
  • MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c:
    Send outgoing messages to the relay server on startup. Also attempt to retry messages that could not be relayed periodically. [7ed12983af85]
  • lib/util/fatal.c:
    Avoid clobbering errno in warning(). [3282a7db7f51]
  • logsrvd/logsrvd_relay.c:
    Set relay name string to NULL after dropping the reference. Otherwise it is possible to decrement the reference more than once. [245d4e60ea21]
2021-04-30 Todd C. Miller
  • plugins/sudoers/iolog.c:
    Fix cut & pasto that prevented the verify_server option from being set. The “log_server_verify” setting passed from the policy plugin was applied to the “keepalive” option instead of “verify_server”. From Krisztian Kovacs. [06f716981ad0]
2021-04-29 Todd C. Miller
  • doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.c:
    Write client and server information to debug file on SIGUSR1 This can be used to debug client problems such as a connection not being closed as expected. [e6e3a4ba02f4]
  • doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in:
    Document journal file directories in store_first mode. [a08de0c20127]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c:
    Create journal files in an incoming directory, move to outgoing when complete. This will make it possible to process completed journal files periodically if the relay server is down. [5ced00c6eb7e]
  • logsrvd/logsrvd_relay.c:
    Add missing connection_close() call for relay-only connections. For an immediate relay we will close the connection when the client disconnects (or there is a timeout). However, for store-and-forward mode the client has already disconnected at the time we are relaying. [e51e98489c6d]
2021-04-27 Todd C. Miller
  • logsrvd/logsrvd_conf.c:
    Replace non-ascii characters in warning string. [5e99ac170a15]
  • lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/tailq/hltq_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c:
    Quiet clang analyzer false positive in regress tests. [190ad1f287d8]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_local.c:
    Move local iolog log functions to logsrvd_local.c [e16e2a1d8209]
  • logsrvd/logsrvd_relay.c:
    Better client error reporting on relay server connection error. More detailed error messages may be found in the debug log. [d0807790327d]
  • logsrvd/logsrvd.c:
    Update debug pid string when sudo_logsrvd becomes a daemon. [33069e2da7d5]
2021-04-26 Todd C. Miller
  • logsrvd/logsrvd.c:
    Must call SSL_shutdown() before closing the underlying socket. This got broken by some code rearrangement when relay mode was added. [a3a8c4d10565]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
    Recover if the client or relay server closes the TLS connection uncleanly. The other end of the connection should perform a proper TLS shutdown but as long as we are in the correct state there is no need to treat this as a user-visible error. [90887bc2235f]
  • NEWS, aclocal.m4, configure, configure.ac:
    Sudo 1.9.7 [c1ea457eca11]
  • MANIFEST, plugins/python/Makefile.in, plugins/python/lsan_suppr.txt:
    Add a suppression file for the libpython leaks. This is a big hammer but it seems like the best we can do for now. Allows “make check” to succeed when address sanitizer is used. [4500cd1e835e]
2021-04-25 Todd C. Miller
  • plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
    When spliting EDITOR check for escaped quote characters. Also add check_editor to sudoers “make check”. [0d8001299358]
2021-04-24 Todd C. Miller
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
    Treat a lone backslash at the end of a string as a literal backslash. GitHub issue #99 [40a53e523003]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in:
    Fix typo. [614379733a17]
2021-04-23 Todd C. Miller
  • plugins/python/pyhelpers.c:
    Avoid a potential NULL dereference when mutating args_str. Coverit CID 221401 [69f3c7f8e524]
  • logsrvd/logsrvd_journal.c:
    Avoid calling fread() with a NUL buffer if msg_len is 0. Coverity CID 221399 [ed605b7a3186]
  • logsrvd/logsrvd.c:
    Set a restrictive umask so new files are only read/write by owner. Coverity CID 221402 [595465e4baa2]
  • logsrvd/logsrvd.c:
    In connection_closure_free() only close sock if it is not -1. When relaying from a journal there will be no socket. Coverity CID 221403 [fd4f27067c3f]
  • logsrvd/logsrvd.c:
    Avoid potential NULL dereference in get_free_buf(). Coverity CID 221400 [6cb5491bf812]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
    Remove some now-dead code in the error path. Coverity CID 221397 and 221398 [edc860f72f98]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
    Use function pointers for each client message type instead of conditionals. This separats out the message handler from the functions that store or relay the message contents. [f596480880fa]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
    Add enqueue_error_message() helper function. Formats and enqueues an error message and enables the write event. [122bd89fe5e3]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
    Forward the journaled entry after it has been stored locally. [a187d5a7ea28]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c:
    Stash the value of the store_first config setting in connection_closure. If the configuration changes it should not affect a connection that is already in progress. [6617c2b7ece5]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
    Journal messages to disk when store_first is set in the relay section. Instead of forwarding messages immediately, they are journaled locally in wire format. This will be used to implement relay store-and-forward mode. [aa0c537258e7]
  • INSTALL, configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, m4/sudo.m4, pathnames.h.in:
    Add configuration for sudo_logsrvd store-and-forward mode. Adds “relay_dir” and “store_first” settings to sudo_logsrvd.conf in the [relay] section. Also adds a –with-relaydir configure argument to change the default value (usually /var/log/logsrvd-relay. [6f064ed6d20e]
  • src/signal.c:
    Make sure SIGCHLD is not ignored when sudo is executed. If SIGCHLD is ignored there is a race condition between when the process is executed and when the SIGCHLD handler is installed. This fixes the bug described by GitHub PR #98 [b4c91a0f72e7]
2021-04-20 Todd C. Miller
  • config.h.in, configure, configure.ac:
    Remove the HP-UX 11.0 pread64() hack, it causes problems on modern HP-UX. [fea8ebd0b88d]
  • src/limits.c:
    Add minimum value to consider when overriding resource limits. Currently only used for RLIMIT_DATA and RLIMIT_AS.

    This works around a problem on HP-UX where setting RLIMIT_DATA changes the resource limits for both 32-bit and 64-bit processes. HP-UX processes start out with RLIMIT_DATA set based on the values of the maxdsiz and maxdsiz_64bit kernel tunables, depending on whether they are 32-bit or 64-bit. By default this limit is 1GB for 32-bit processes and 4GB for 64-bit. However, once RLIMIT_DATA is changed, it does not appear to be possible to restore the old values. This can result in a 64-bit process that is executed by a 32-bit shell getting the 32-bit RLIMIT_DATA instead of the 64-bit one. Bug #973 [8778a27abfaf]

2021-04-19 Todd C. Miller
  • logsrvd/logsrvd_relay.c:
    Don’t use msg_len as a length after converting it to network byte order. [3f2496be1130]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
    Use the packed message buffer when relaying if possible. There’s no need to rebuild the message buffer for anything but RestartMessage and ClientHello. [903fa50f48c9]
2021-04-18 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
    Allocate the data buffer in get_free_buf() too. We always know the size of the data buffer we need at allocation time. [c02dc245aa40]
2021-04-17 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
    Relay ChangeWindowSize and CommandSuspend events too. [cb20a1de47e3]
2021-04-16 Todd C. Miller
  • plugins/python/pyhelpers.c, plugins/python/regress/testdata/check_ex ample_debugging_c_calls@diag.log, plugins/python/regress/testdata/ch eck_example_debugging_c_calls@info.log, plugins/python/regress/testd ata/check_example_group_plugin_is_able_to_debug.log:
    Regenerate test output with python 3.10a7 Also adjust debug tests so they pass on older python versions [03aeda971872]
  • configure, m4/python.m4:
    determine Python (3.10) version number correctly. from upstream automake [1f4136509aca]
  • MANIFEST, aclocal.m4, m4/python.m4, m4/runlog.m4:
    Move python.m4 and runlog.m4 to the m4 directory. Previously they were inline in aclocal.m4. [6ec4c92539a7]
2021-04-15 Todd C. Miller
  • configure, configure.ac:
    Add hiuxmpp where we have hpux for special cases. Also move the HP- UX 11.00 pread(2) workaround into the section where pread(2) is tested for, not before it. [f6cc1820e0fb]
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp:
    Only replace the last instance of “sudo” in example and doc dir. Otherwise we end up with weird paths for a prefix like /opt/sudo. [113bdf79f00f]
2021-04-13 Todd C. Miller
  • doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in:
    Mention relay mode and update TLS example. [a50a23542c05]
  • etc/sudo-logsrvd.pp, etc/sudo.pp:
    If libssl_dep was not passed in, use ldd to determine its value. Normally, mkpkg will figure this out, but if the user does “make package” outside of the mkpkg script, libssl_dep will not be set. [87329797daca]
2021-04-12 Todd C. Miller
  • INSTALL, configure, configure.ac, doc/UPGRADE:
    Enable the use of OpenSSL if log client/server not disabled. This adds a dependency on OpenSSL unless it is explicitly disabled (–disable-openssl) or the sudo log client and server are disabled (–disable-log-client and –disable-log-server). [618f504240d2]
2021-04-09 Todd C. Miller
  • etc/codespell.skip:
    configure aux scripts moved to the scripts directory [1cfcbfd128ed]
  • logsrvd/Makefile.in, logsrvd/logsrvd_conf.c:
    Set logsrvd_config to NULL in logsrvd_conf_cleanup() after freeing it. Fixes a double free in fuzz_logsrvd_conf (but not sudo_logsrvd itself). Also fix linking fuzz_logsrvd_conf with OpenSSL. [ad78729467d4]
  • logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict:
    Update sudo_logsrvd.conf fuzzer to match configuration changes. [85ae32ce6f44]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
    Document relay configuration changes. [d66eb842a6ef]
2021-04-08 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    Move relay configuration into its own section and add TLS options. TLS options in the relay section will be used if specified, otherwise the TLS options from the server section are used. [0695e9b9b067]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    Add “server” and “relay” to getters/callbacks specific to server and relay. [618b4fa5325c]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    Remove struct logsrvd_tls_config. Now that the SSL context is initialized in logsrvd_conf.c there’s no need to export TLS configuration other than tls_check_peer. [4fb0fdc417e1]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. [61e0bdf1499d]
  • logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
    Move allocation of the TLS context to logsrvd_conf_apply(). This way we get certificate errors at configuration time, not after. It also means that a change to the config file that renders the TLS settings invalid will no longer cause the server to exit. The new config will just be ignored as if there was a syntax error. [352ecb58618f]
  • logsrvd/tls_init.c:
    Only initialize the SSL library once. [e17215eec1d6]
2021-04-07 Todd C. Miller
  • plugins/sudoers/timestamp.c:
    Sanity check struct timespec in timestamp file. Coverity CID 220564 [68dfceeb105e]
  • plugins/sudoers/timestamp.c:
    Check lseek(fd, 0, SEEK_CUR) for -1 return value. Not actually possible in practice. Coverity CID 220568. [27105922d3be]
  • src/net_ifs.c:
    Check for NULL ifa->ifa_addr and ifa->ifa_netmask in both loops. [373961966099]
2021-04-07 Radovan Sroka
  • src/sudo_edit.c:
    Fixed bad condition for sesh args

    In selinux_edit_copy_tfiles() when there is only one file and the open() fails then number of arguments is lower than expected. Sudo should return error with or without “Defaults !sudoedit_checkdir” set.

    This was found with regression testing of CVE-2021-23240.

    Signed-off-by: Radovan Sroka <rsroka@…> [947ce862c0bf]

2021-04-06 Todd C. Miller
  • src/net_ifs.c:
    Plug memory leak on overflow; Coverity CID 220556 [86b71e5dec5c]
  • logsrvd/logsrvd.c:
    In schedule_commit_point() do not free the closure on error. It is the caller’s responsibility to free resources on error. Coverity CID 220557 [e6629496ab03]
  • plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Cast NULL terminator argument to char * when calling sudo_mkgrent(). Avoids a portability issue on systems where NULL is not a pointer. [cdb9cf0ad2ea]
  • logsrvd/tls_init.c:
    Rename LOGSRVD_DEFAULT_CIPHER_LST13 to DEFAULT_CIPHER_LST13 [a5d7da05cf09]
  • logsrvd/tls_client.c:
    Include string.h for strerror(3) prototype. [57f5cfe43a89]
  • logsrvd/logsrvd_relay.c:
    Move connect_relay_tls() so we don’t need a prototype for it. Fixes a warning when sudo is not configured to use OpenSSL. [0c73cfebf32b]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
    Document relay and connect_timeout server settings. [a101d54b451e]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/logsrv_util.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h:
    Move common TLS client code to tls_client.c and use it in sendlog.c. [5334b6c4bef8]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
    Rename listen_address -> server_address and add reference counting. This will be used by the upcoming relay mode. [f8ef9c83c3c8]
  • logsrvd/logsrvd.c:
    Try to send an error message to client for some client_msg_cb() failures. [0805636e8114]
  • logsrvd/logsrvd.c:
    Split most of server_commit_cb() out into schedule_commit_point(). This allows it to be used by the relay code too. [c985c2f9e5d5]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    Add a relay mode to sudo_logsrvd where it forwards instead of stores. Relay hosts are be specified in the server section of sudo_logsrvd.conf. [071c231e76a9]
  • logsrvd/Makefile.in, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_common.h:
    Add support for relaying to another sudo_logsrvd via TLS. [c47397ce4098]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/rcstr.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/rcstr.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
    Move reference-counted string code from sudoers to libsudo_util. It will be used by sudo_logsrvd too. [d228aaf9b6fa]
  • logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
    Add sa_host to struct server_address as a ref counted string. Also convert sa_str to ref counted string. [4e8abb84c11d]
  • logsrvd/logsrvd_conf.c:
    Don’t allow a wildcard address for the relay parameter. [4a80d18d025b]
  • logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
    Add logsrvd_conf_cleanup() to free the conf data structures on exit. There is no longer a need to do anything in shutdown_cb() other than break out of the event loop. [9e4d7456fb7a]
  • src/tgetpass.c:
    Set user group list when executing the askpass helper. Under normal circumstances the existing group list will match the list fetched by sudo. However, if sudo is executed by a process that has changed the group list via setgroups(2) and “group_source” in sudo.conf is set to “dynamic” it is possible for them to be different.

    If group_source in sudo.conf is set to “dynamic” it is possible for the group list [2b1d4ffb9cf6]

  • logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
    Use a tailq of write buffers instead of a single one per connection. This allows us to queue up multiple messages for writing like the sudoers client supports. Currently, each connection has its own free list. In the future we may want a single free list with low and high water marks. [b5df1b4d79c7]
  • configure.ac:
    Increase autoconf minimum version to 2.70. Some of the macros deprecated in 2.70 are required by older versions. For example, AC_PROG_CC now does the work of AC_PROG_CC_STDC. Bug #972 [223a584b6241]
  • MANIFEST, Makefile.in, config.guess, config.sub, configure, configure.ac, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, install-sh, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, ltmain.sh, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, scripts/config.guess, scripts/config.sub, scripts/install-sh, scripts/ltmain.sh, src/Makefile.in:
    Move autoconf auxiliary files to the scripts directory. [5ea8182c11d9]
2021-04-05 Todd C. Miller
  • doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
    Document SUCCESS=return support in sudoers nsswitch.conf entries. Based on a patch from Dennis Filder. Bug #971. [1d631d1b6244]
2021-04-01 Todd C. Miller
  • plugins/sudoers/audit.c:
    Move log_server_accept() out from under the #ifdef SUDOERS_LOG_CLIENT Fixes a link error when sudo is configured with –disable-log-client. [1bb7efdbddd5]
2021-04-01 Radovan Sroka
  • src/selinux.c:
    Removed depricated security_context_t

    Signed-off-by: Radovan Sroka <rsroka@…> [14aba55909fc]

2021-03-31 Todd C. Miller
  • logsrvd/sendlog.c:
    Return NULL if init_tls_client_context() fails. Otherwise, we will call SSL_new with a freed SSL context. Bug #970 [5fbadce88524]
2021-03-30 Todd C. Miller
  • src/parse_args.c:
    Use separate getopt config for sudoedit. Avoids a problem where the user gets an exclusive usage error message when using a sudo- specific option. GitHub issue #95 [b6207568e50a]
  • src/parse_args.c, src/sudo_usage.h.in:
    Add -h and -V to sudoedit usage and customize help output for sudoedit. Also add missing -B option to usage strings. [0d8fa214f8c3]
  • src/parse_args.c:
    Don’t report a usage error for “sudo -V”. GitHub issue #95 [a18573251751]
  • etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Do not include parent directories in rpm and deb files. Fixes a directory conflict with the AIX sudo rpm package. Other deb/rpm packages were not affected because parent dirs are omitted for a prefix of /usr. [f7d8db9670bb]
2021-03-29 Todd C. Miller
  • src/net_ifs.c:
    SCO OpenServer uses SIOCGIFANUM, not SIOCGIFNUM. On OpenServer, SIOCGIFNUM is the number of network interfaces, not the number of ifreq structs. [a992ea37b071]
2021-03-27 Todd C. Miller
  • src/net_ifs.c:
    Add support for HP-UX SIOCGLIFNUM and SIOCGLIFCONF ioctls. We need to use both SIOCGIFCONF and SIOCGLIFCONF since SIOCGLIFCONF only returns IPv6 addresses. [7a53304872b9]
2021-03-24 Todd C. Miller
  • src/net_ifs.c:
    Move get_net_ifs stub to the top and remove unused INET_ADDRSTRLEN def. [15bb7bc0ecb8]
  • src/net_ifs.c:
    No longer need ifr_tmp variable, just reuse ifr. Now that we store the string version of the address before fetching the netmask we can just re-use ifr. This simplifies things and is safer since if there is space for the address there must also be space for the mask. [89ade84d0a6d]
  • src/net_ifs.c:
    SCO OpenServer 5 returns a bogus value for SIOCGIFNUM. Gleaned from sendmail. [0616f2103f0b]
  • src/net_ifs.c:
    Use SIOCGSIZIFCONF or SIOCGIFNUM where available. Still falls back to a loop if not but now maxes out at 2048 interfaces instead of potentially looping forever. [f19cd2f827d5]
  • configure, configure.ac, src/net_ifs.c:
    Remove support for obsolete ISC UNIX and MIPS RISC/OS systems. They were getting in the way of net_its.c simplification. [4e2b7ce2fb7b]
2021-03-22 Todd C. Miller
  • src/net_ifs.c:
    Use SIOCGLIFCONF to get interface list where supported (Solaris). HP-UX has a SIOCGLIFCONF but it is incompatible (and appears to only return IPv6 addresses). Also add IPv6 support using SIOCGIFCONF (probably AIX only) and make sure ifr_tmpbuf[] is properly aligned. [d2eebba41618]
  • MANIFEST, src/Makefile.in, src/regress/net_ifs/check_net_ifs.c:
    Add simple regress check to display the network interfaces found. [6c1a5a50056e]
2021-03-19 Todd C. Miller
  • INSTALL:
    Suggest clang 11 or higher, some fuzzers may hang when used with clang 10. [abcf94949ca2]
2021-03-18 Todd C. Miller
  • MANIFEST, logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict:
    Add dictionary file for fuzz_logsrvd_conf. [f9e154751a5f]
  • Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Add a new “fuzz” target that executes the fuzzers for 8192 runs each. To run indefinately, set FUZZ_RUNS=-1, e.g. “make FUZZ_RUNS=-1 fuzz” [5fd3d7e9430f]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/log_json/id.json, lib/iolog/regress/corpus/seed/log_json/ls.json, lib/iolog/regress/corpus/seed/log_json/mailq.json, lib/iolog/regress/corpus/seed/log_json/make.json, lib/iolog/regress/corpus/seed/log_json/pkg_add.json, lib/iolog/regress/corpus/seed/log_json/pkg_delete.json, lib/iolog/regress/corpus/seed/log_json/printenv.json, lib/iolog/regress/corpus/seed/log_legacy/id.log, lib/iolog/regress/corpus/seed/log_legacy/ls.log, lib/iolog/regress/corpus/seed/log_legacy/mailq.log, lib/iolog/regress/corpus/seed/log_legacy/make.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_add.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/seed/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/timing/timing.1, lib/iolog/regress/corpus/seed/timing/timing.2, lib/iolog/regress/corpus/seed/timing/timing.3, lib/iolog/regress/corpus/seed/timing/timing.4, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4, lib/util/Makefile.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/corpus/seed/policy/policy.1, plugins/sudoers/regress/corpus/seed/policy/policy.2, plugins/sudoers/regress/corpus/seed/policy/policy.3, plugins/sudoers/regress/corpus/seed/policy/policy.4, plugins/sudoers/regress/corpus/seed/policy/policy.5:
    Move corpus files to a seed subdirectory. [ba6dd7f30d22]
  • lib/fuzzstub/fuzzstub.c:
    We can now rely on LLVMFuzzerTestOneInput to flush stdout. [f20f353eeb87]
  • plugins/sudoers/Makefile.in:
    Fix fuzz_sudoers output comparison when fuzzing is enabled. libFuzzer outputs additional info to stderr that our stub doesn’t. [49434e4eceaa]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Flush stdout before successful return from LLVMFuzzerTestOneInput(). Fixes a problem with diag lines from libFuzzer being interspersed with test output. [f0b701120128]
  • configure, configure.ac:
    Use –allow-multiple-definition to work around an issue with ld.lld. For fuzz_policy we redefine getaddrinfo/freeaddrinfo to work around a DNS timeout problem with name resolution and CIfuzz. However, this causes a link failure when sanitizers are enabled on systems that use ld.lld as their linker. Use a big hammer to avoid the link error. [2b9df5329c0e]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h:
    Do not redefine system group and passwd functions for testsudoers. Instead, prefix the replacements with “testsudoers_” and use a custom pwutil backend so they get used. [6bfd2f8d01c0]
  • Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Rename “fuzz” makefile target to “check-fuzzer”. It’s purpose is to run the fuzzers are part of a normal “make check” to avoid bit rot, not to perform a fuzzer run. The fuzz_logsrvd_conf fuzzer was not wired up to “make check” previously. [01c03ccfd3f0]
2021-03-15 Todd C. Miller
2021-03-15 Alexandru Ardelean
  • plugins/sudoers/policy.c:
    plugins: sudoers: policy: add MODE_IMPLIED_SHELL to RUN_VALID_FLAGS

    Since this flag isn’t set, the sudo_mode variable gets invalidated and running the ‘sudo’ command seems to error out with message ‘sudoers_policy_check: invalid mode flags from sudo front end:
    0x80001”’ [b98b418f1997]

2021-03-13 Todd C. Miller
2021-03-10 Todd C. Miller
  • MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_common.h, logsrvd/tls_init.c:
    Move common TLS initialization code to tls_init.c. [118c7d41ad48]
  • plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, po/tr.mo, po/tr.po:
    Updated translations from translationproject.org [cbc05710d6ba]
  • plugins/sudoers/Makefile.in, plugins/sudoers/gram.c:
    Use HAVE_STDINT_H instead of trying to guess based on STDC_VERSION. Fixes compilation with pre-C99 headers when the compiler supports C99. [05ebf79d02c7]
  • include/sudo_compat.h, lib/util/secure_path.c:
    Remove compatibility defines for POSIX sys/stat.h macros. Modern systems have them and we no longer support pre-POSIX systems. This fixes potential redefinition of the macros if sys/stat.h is included after sudo_compat.h. Bug #968. [d10d0b9b60e1]
  • lib/eventlog/logwrap.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_io_multi.inc, src/get_pty.c:
    Quiet a few Solaris Studio compiler warnings. [1d82509f2e44]
  • configure, configure.ac:
    Add -Wno-unknown-pragmas along with -Wall. We don’t want warnings about unknown pragmas in system headers. [ac15fa0e3d95]
  • scripts/pp:
    Solaris 11.4 removed /usr/bin/optisa, use /usr/bin/isainfo instead. [97d8bb91cf02]
2021-03-08 Todd C. Miller
  • configure, configure.ac:
    Compare OS name against freebsd* and netbsd* not freebsd and netbsd. Fixes an issue on NetBSD where host_os starts with netbsdelf. [2e813d52a7d6]
  • plugins/sudoers/Makefile.in:
    Add @SUDOERS_LIBS@ to FUZZ_LIBS for -lutil on FreeBSD and NetBSD [38a7b3a9eb90]
  • lib/util/Makefile.in, plugins/python/Makefile.in, src/Makefile.in:
    Set locale for all “make check” targets. [1a80048486d4]
2021-03-07 Todd C. Miller
  • configure, configure.ac:
    AIX 6.1 may have a broken fmemopen(). We only use it for the fuzzers so ignore it for AIX < 7.1. [ad909c1479ff]
2021-03-06 Todd C. Miller
  • scripts/pp:
    Only put specific directories in the ROOT section of the AIX package. Previously, /usr and /opt were placed in USR and everything else went in ROOT. Now, only /dev, /etc, /sbin and /var go in ROOT. [6f1fbe8fea31]
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [53c17c8d56e9]
2021-03-05 Todd C. Miller
  • logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
    Remove unused tls parameter, we now use a per-address tls flag. [2be727a37b9c]
2021-03-03 Todd C. Miller
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Document double escaping of backslashes. Bug #961. [ae51e4899555]
  • NEWS, configure, configure.ac:
    No longer need to define _DARWIN_UNLIMITED_GETGROUPS on macOS. We now define _DARWIN_C_SOURCE which accomplishes the same thing. [c233df4c1ae4]
  • plugins/sudoers/auth/pam.c:
    Fix a potential use-after-free in conversation function. The prompt passed in to sudo_pam_verify() will be freed later by check_user_interactive() so we need to reset the stashed value. From Pavel Heimlich. Bug #967. [86bc6ee3c493]
  • plugins/sudoers/pwutil.c:
    No need to update cp after storing gr->gr_name, it is not used, Coverity CID 219314 [27bace364dc9]
2021-03-02 Todd C. Miller
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
    Log peer address in sudo_logsrvd JSON-format logs. The peer that connected to us might not be the same host where the log entry originated. [4e2488efaf97]
  • NEWS, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c:
    Make “group_source=dynamic” the default on macOS. Recent versions of macOS do not reliably return all of a user’s non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946. [491720b06a68]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    For regess/fuzz set LC_ALL to C.UTF-8 if possible, falling back on C. Works around a crash in leak sanitizer when the locale is set to C and TLS support is enabled. [4345912b9bd8]
2021-03-01 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Initialize the lbuf used by sudoers_trace_print() in init_lexer(). Free the old buffer if there is one, otherwise it would never be freed. [1893ecc06718]
  • lib/util/lbuf.c:
    In sudo_lbuf_destroy(), reset error, len and size. [7a6f980c2215]
  • NEWS:
    Mention the integer overflow check in store_timespec(). [f41519e1dae9]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    In find_path() stub only make a copy in outfile if returning FOUND. Fixed a recently-introduced memory leak in the fuzzer. [2045b1afc0b5]
2021-02-28 Todd C. Miller
  • lib/util/sudo_debug.c:
    Disable debug code for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION It will not be used and just confuses the coverage stats. [3307c855b77d]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Expand stub getaddrinfo() to resolve “localhost”. [e1035616ad99]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Improve fuzz_policy coverage and set defaults in setdefs not parse. Now exercises session open/close and set additional defaults to exercise more code paths. [2843a0b930fd]
  • plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c:
    Improve SUDOERS_NAME_MATCH support. Now supports digests and performs better directory matching. [2f2d63596256]
  • plugins/sudoers/policy.c:
    Add MODE_CHECK to LIST_VALID_FLAGS, fixes “sudo -l command”. [eff4cbe95d75]
2021-02-26 Todd C. Miller
  • MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_clearerr.c, lib/iolog/iolog_close.c, lib/iolog/iolog_eof.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_gets.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_mkpath.c, lib/iolog/iolog_nextid.c, lib/iolog/iolog_open.c, lib/iolog/iolog_openat.c, lib/iolog/iolog_read.c, lib/iolog/iolog_seek.c, lib/iolog/iolog_swapids.c, lib/iolog/iolog_util.c, lib/iolog/iolog_write.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, logsrvd/iolog_writer.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Split iolog_fileio.c into multiple files. [9b7c4f1b781f]
  • plugins/sudoers/defaults.c:
    Correct the integer overflow check in store_timespec(). Fixes oss- fuzz issue #31463 [3765d5c4ecd3]
  • plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok:
    Update file that was missed in test27 changes. [5824f54afa88]
  • MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c:
    Break out I/O log config handling into iolog_conf.c. [546f503f9bb4]
  • lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    regen Makefile.in [43c54f94e9c8]
  • examples/Makefile.in, lib/eventlog/Makefile.in, plugins/sudoers/Makefile.in:
    Add some missing files to the clean target [20754fec5ff1]
  • plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok:
    Add netgroup check to sudoers test27 [1b45a6794b2d]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
    Sync with fuzz_sudoers changes. [1481cef048ad]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Fuzz with runuser and rungroup specified too. [2d8ceb465cea]
  • MANIFEST, plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok:
    Add test to exercise RunasSpec without a RunasUser. [ee22ac488aca]
  • MANIFEST, plugins/sudoers/regress/sudoers/test22.sudo.ok, plugins/sudoers/regress/sudoers/test23.sudo.ok, plugins/sudoers/regress/sudoers/test24.sudo.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok:
    Remove unused regress files. [71d943734bb8]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Don’t try to run getters if we failed to parse the config file. [734bb56c24ed]
2021-02-25 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Add a stub getaddrinfo(3) to avoid a DNS timeout in CIfuzz. [5f725de1e3ad]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Fix runchroot, runcwd, tty_tickets. Add timestampowner. [d8a945bea98d]
  • plugins/sudoers/policy.c:
    Only add command_info to garbage collector on successful return. Otherwise it will be freed on failure. [c3d0461efaa1]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Add user millert to group sudo, which is often the exempt group. [fac833a2cf3b]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Add some defaults settings in sudo_file_parse(). We don’t have a real policy file but we still want to exercise callbacks in sudoers.c. [9f3d3f668973]
  • plugins/sudoers/sudoers.c:
    Do not free sudo_user.iolog_{file,path} in sudo_user_free(). They are not dynamically allocated. [59c102ba67cf]
  • lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
    Remove unnecessary warnings, we want to fail silently. [4b1ee5dd2cb4]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    No longer need to stub out eventlog config functions. [08c40b6a63c9]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Call public getters in logsrvd.conf fuzzer and add to corpus. Now exercises the syslog config erorr path. [0b314e4e0696]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Add more passes to policy fuzzer Now execises list, list other user and show_version. [21a1cc9665ec]
  • plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Implement sudoers_policy_deregister_hooks() Register/deregister hooks in fuzz_policy and also call show_version(). [8849644a75de]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Add sudoers debug register/deregister. [5fba9b19c6fa]
  • plugins/sudoers/defaults.c:
    Remove unnecessary break statement. [aa18c2957f82]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok:
    Include a sha384 digest in the test corpus. [6c405febff10]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Parse sudoers file in the C locale. [82d6afbe499b]
  • MANIFEST, plugins/sudoers/regress/sudoers/test26.in, plugins/sudoers/regress/sudoers/test26.json.ok, plugins/sudoers/regress/sudoers/test26.ldif.ok, plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test26.out.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok, plugins/sudoers/regress/sudoers/test26.toke.ok:
    Add regress test with all current Defaults settings. Currently skips SELinux and Solaris privilege settings. [79e82a58ccde]
2021-02-24 Todd C. Miller
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c:
    Move env hooks into sudoers_hooks.c. [7296d05b9206]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    No need to call check_defaults() and check_aliases() in quiet mode. [0d0f93849388]
  • plugins/sudoers/gc.c:
    sudoers_gc_init() is not currently used [e74d2870ae25]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c:
    Split fmtsudoers.c into the parts used by sudoers plugin and cvtsudoers. Only testsudoers and cvtsudoers use the full set of formatting functions. [8c57e80ae655]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Check defaults settings too. [7dc7d66f47e7]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Add fuzzer-specific stubs source file. [815c28958d42]
  • Makefile.in:
    Do not overwrite existing ChangeLog file if there is no hg/git dir. We don’t want “make install” from a source tarball to nuke the ChangeLog. [f7aba6a01d85]
  • lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    Remove fuzzer targets in “make clean” [25b068bc254b]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Set program name in fuzzers so we get consisten warnings. [1ee4b5478d1c]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Use real eventlog config fuctions instead of stubs. [eed6fc4df1f6]
  • include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c:
    Move iolog info log writing to iolog_loginfo.c [292915dae440]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_loginfo.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/iolog/regress/iolog_util/check_iolog_util.c:
    Split iolog_util.c into iolog_loginfo.c and iolog_timing.c. Also rename check_iolog_util -> check_iolog_timing. [5b5249e4aa96]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_legacy.c, lib/iolog/iolog_util.c:
    Move legacy I/O log info file parsing to iolog_legacy.c [94b767bb56c7]
  • MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c:
    Move eventlog config code into eventlog_conf.c [656d65215e50]
  • MANIFEST, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c:
    Move eventlog_free() into its own file. [a5ff36ac0ebb]
  • logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Stub out eventlog and iolog configuration setters. [cc32ba7436cd]
  • MANIFEST, plugins/sudoers/defaults.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
    Update Defaults settings after parsing sudoers. Also stub out dump_defaults when fuzzing as it is not used. [fa1e7c7b42c2]
  • plugins/sudoers/Makefile.in, plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/base64.c:
    Split base64 encode/decode functions into separate source files. They are independent functions. [ab0904c5122c]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    fuzz_printf and fuzz_conversation can be stubs. [9b11c9a3f3c3]
2021-02-23 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Exercise tilde expansion if used in runcwd or runchroot. [a6f0995c6a55]
  • plugins/sudoers/check_aliases.c:
    Move alias checking code out of visudo.c and into check_aliases.c. [5c0a91978441]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Check aliases in fuzz_sudoers if the policy parsed correctly. [b272e634f204]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/sudoers/visudo.c:
    Move alias checking code out of visudo.c and into check_aliases.c. [b9c23c958935]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    We don’t need to link fuzz_sudoers with file.c. [4fcd15e8cdcf]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict:
    Strings in dictionary files need to be quoted. [8a95ea335d2d]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/Makefile.in, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict:
    Add dictionary files for fuzzers where possible. [4d9147fd50fd]
2021-02-22 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Also free safe_cmnd so it doesn’t leak. [5071a1ffa5d0]
  • plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c:
    Return NOT_FOUND from the set_cmnd_path() stub since we don’t set user_cmnd. The purpose of set_cmnd_path() is to reset user_cmnd based on a new runchroot. For the stub version we don’t modify user_cmnd and so must not return a status of FOUND. Fixes oss-fuzz issue #31250 which only affected the fuzzer and not sudo. [36fe416668df]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
    Fix fuzz_sudoers output matching. [6cec1e5aa799]
  • lib/fuzzstub/fuzzstub.c:
    Print “running” and “executed” lines to stderr like libfuzzer does. [b76b7a4a6ff3]
  • plugins/sudoers/pwutil_impl.c:
    Support passing sudo_make_gidlist_item() an array of gids. The gids are formatted as strings, not gid_t. [d1608f63ae91]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
    Prime user/group cached and set the interface list. Also match parsed policy against multiple users. [ec19b5658a2a]
  • plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.h:
    Add sudo_mkgrent(), to be used to prime the group cache in tests/fuzzers. [333f0887abbc]
2021-02-21 Todd C. Miller
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Perform matching in fuzz_sudoers for inputs that parse correctly. The fuzzer now exercised the normal match code as well as the pseudo-command (list, validate, etc) match code. Privileges are also listed for well-formed sudoers file. [8caf505d7341]
  • plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h:
    Add back SUDOERS_NAME_MATCH and enable it when fuzzing. This avoids the test environment from influencing sudoers matching. [496b3a7184a8]
  • plugins/sudoers/match_command.c:
    Add missing globfree(3) in command_matches_glob() when matching a directory. [1d6d28d6eb61]
2021-02-19 Todd C. Miller
  • lib/util/sudo_dso.c:
    Add support on AIX for loading plugins that are .a (not .so) files. It is possible to specify the member name in parens after the path, e.g. sudoers.a(shr.o) for 32-bit or sudoers.a(shr_64.o) for 64-bit. If no member is specified in the path and dlopen() fails with ENOEXEC, try again with an explicit member, either shr.o or shr_64.o. [90d975989148]
  • Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Add clean rules to .PHONY target. [dea3468f3f7b]
2021-02-18 Todd C. Miller
  • Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Add install-fuzz Makefile target to install the fuzzers and seed corpus. The FUZZ_DESTDIR make variable needs to be set in the environment or on the command line. [89c4dc1e8cb0]
  • plugins/sudoers/Makefile.in:
    Only display fuzz_policy output if the fuzzer exits with an error. [c6927227be4a]
  • plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Call list, validate and invalidate entry points too. We need a separate open/close for each one. [fbbc5bdb4541]
  • INSTALL, configure, configure.ac:
    Add –disable-ssp configure option. This allows for disabling -fstack-protector without turning off the other hardening options. [1d9ca18e4fa9]
  • lib/util/regress/getdelim/getdelim_test.c:
    Test the error case by closing the underlying fd. Note that we don’t use ferror() here since our getdelim() has no way to set the error flag if there is a memory allocation error. [df0464968e2c]
  • lib/util/regress/getdelim/getdelim_test.c:
    Test the case where getdelim() must reallocate the buffer. Reproduces Bug #960. [df4dbc0830be]
  • lib/eventlog/eventlog.c:
    When logging JSON to syslog, wrap the contents in a “sudo” object. This makes it easier for log parsers to identify what is a sudo log entry. [2c96aeaabc8e]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Restore the check for sudoers_policy.close == NULL. The fuzzers run as part of “make check” too in which case NO_LEAKS won’t be defined and the close function will be set to NULL. [8418ff5f6dfb]
  • lib/iolog/iolog_json.c:
    Use %td when printing the difference of two pointers. [608de9ab3902]
  • plugins/sudoers/parse.c:
    Don’t print a NULL as a string if role/type/privs/limitprivs is not set. We can’t rely on printf("%s”, NULL) not crashing. [4a04efbcbff9]
  • plugins/sudoers/sudoers.c:
    Fix compilation error on Solaris introduced with sudo_user_free(). [0ce4e0ac807e]
2021-02-17 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Distinguish between EOF and error using feof(3), not ferror(3). Our getdelim(3) emulation won’t set the error flag if the error is due to an allocation failure. This explains the premature EOF without error seen in Bug #960. [5a70875f92fa]
  • lib/util/getdelim.c:
    Reset end pointer when reallocing the line buffer in getdelim(). Fixes excessive memory allocations for long lines. Bug #960. [d6dd6893b38a]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
    Remove duplicated MALLOC_OPTIONS and MALLOC_CONF env variables. [2f7695aadad9]
  • lib/iolog/iolog_json.c:
    On parse error, display line and column instead of the offending line. [bbda04a5b05d]
  • logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    regen [20e093fd76f0]
2021-02-16 Todd C. Miller
  • lib/iolog/iolog_json.c, lib/iolog/iolog_util.c:
    Pass I/O log memory allocation errors up to the caller. [4777add71679]
  • INSTALL, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, pathnames.h.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/timestamp.c:
    Add admin_flag sudoers option and make –enable-admin-flag take a path. It is now possible to disable the Ubuntu admin flag in sudoers or change its location. GitHub issue #56 [d77c3876fa95]
  • plugins/sudoers/exptilde.c, plugins/sudoers/regress/exptilde/check_exptilde.c:
    Fix tilde expansion of paths with no user like ~/foo. The ‘/’ separator was missing in the resulting path. [dbba61f76d6c]
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c, plugins/sudoers/policy.c:
    Limit max_groups in sudo.conf to 1024. The max_groups setting should no longer be needed anyway. [aee7843e0c7d]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    In sudoers_policy_close() call sudoers_cleanup() instead of sudo_user_free(). If we didn’t call sudoers_policy_main() due to an early error there may be more things to clean up. [683d69d84aa6]
  • plugins/sudoers/policy.c:
    Check for invalid flag combinations from front-end for all cases. The checks are now performed in the check_policy, list, validate and invalidate functions instead of as part of the open function. We can’t perform the checks in open because we don’t yet know what operation is going to be performed. [b09105b3bb42]
  • plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c:
    Always dynamically allocate user_cmnd, it is freed in sudo_user_free(). Instead of setting user_cmnd in the policy functions, always set argv. Calling sudoers_policy_main() with argc of 0 is no longer allowed. [820f1f4e5c44]
  • plugins/sudoers/policy.c:
    No need for sudoers_cleanup() in sudoers_policy_invalidate(). The sudoers close() function is now called even for “sudo -k”. Also no need to set user_cmnd, it is not used in this code path. [c2c9832c32f4]
2021-02-15 Todd C. Miller
  • MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd_conf.c, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
    Add simple fuzzer for sudo_logsrvd.conf parser. [8b5cd9e24656]
  • lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
    Fix unlinking of timing temp file. [8b0ce6d777c8]
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in:
    Set MALLOC_OPTIONS and MALLOC_CONF for all regress targets. [47e8b85d1d9a]
  • MANIFEST, lib/util/Makefile.in, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.c:
    Add simple fuzzer for sudo.conf parser. [8a530402f936]
  • plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Free struct sudo_user in sudoers_policy_close() and sudoers_cleanup(). Also, do not NULL out the close function if NO_LEAKS is defined. [f3fbf78e6e41]
  • MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/log_legacy/printenv.log, plugins/sudoers/Makefile.in:
    For “make fuzz” only fuzz the seed corpus. This way we avoid files generated by the fuzzer itself. [42ace1dec313]
2021-02-14 Todd C. Miller
  • plugins/sudoers/env.c, plugins/sudoers/gc.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Fix sudoers garbage collection and run it in policy fuzzer. [c0d572fd9921]
  • plugins/sudoers/policy.c:
    Do not include errno string for invalid params from front-end. [2d0b55b3041f]
  • plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
    Always dynamically allocate user_role, user_type, user_privs, user_limitprivs [f5992824219d]
  • plugins/sudoers/policy.c:
    Remove dead code, front-end does not set runas_privs or runas_limitprivs [6ce3da323452]
  • plugins/sudoers/iolog.c:
    Plug memory leak if there are duplicate user_info or command_info entries. [21865246a4dc]
2021-02-13 Todd C. Miller
  • plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c:
    Move create_admin_success_flag() to timestamp.c. [0675f230288c]
  • configure, configure.ac:
    Error out if fuzzer/sanitizer enabled but not supported by the compiler. [289afba93f79]
  • plugins/sudoers/regress/fuzz/fuzz_policy.c:
    The push() function was not updating the size after reallocating. [e089aaeee3b2]
  • plugins/sudoers/pwutil_impl.c, src/sudo.c:
    If sudo_getgrouplist2() returns -1, clamp ngroups based on max_groups. The ngroups parameter is an out parameter that is filled in with the actual number of groups, which may be less than the static number allocated when max_groups is set in sudo.conf. Fixes a potential out of bounds read found by LLVM libFuzzer. [a26461ccf891]
2021-02-12 Todd C. Miller
  • plugins/sudoers/policy.c:
    Reset sudoers path, owner and mode before parsing plugin arguments. This is only needed when calling sudoers_policy_deserialize_info() more than once, which is true for the policy fuzzer. [a25a6210f48c]
  • plugins/sudoers/sudoers.c:
    Cleanup sudoers sources on denial and error too. [454b7adcfa21]
  • plugins/sudoers/pwutil.c:
    Fix sudo_getgrgid reference count bug when gid doesn’t exist. This one was missed when the other user/group lookup functions were fixed. [20e3fad6768b]
  • plugins/sudoers/policy.c:
    Plug memory leak if there are duplicate user_info entries. [b8ddcfa0a051]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c:
    Fuzz sudoers policy module API. Includes a test case to reproduce CVE-2021-3156. [576d065759cf]
  • lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
    Make fuzz targets depend on fuzzer stub library. We really want a dependency on $(LIB_FUZZING_ENGINE) but that could be a flag like “-fsanitize=fuzzer” instead of a path. [0963418f1cf9]
  • MANIFEST, plugins/sudoers/Makefile.in:
    Move audit.c from libparsesudoers to the sudoers module itself. Now that audit.c contains the audit module it doesn’t belong in libparsesudoers. [3df4f6e10f54]
  • configure, configure.ac:
    Do not pass AX_APPEND_FLAG more than a single flag. GitHub issue #92 [ed9ccdd41231]
2021-02-10 Todd C. Miller
  • lib/eventlog/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
    Fix up some .la file library dependencies. libsudo_iolog.la already depends on libsudo_util.la and libsudo_eventlog.la so we don’t need to list those explicitly when libsudo_iolog.la is listed. [d8b55cf698b5]
  • lib/eventlog/eventlog.c, lib/util/Makefile.in, lib/util/progname.c, lib/util/regress/progname/progname_test.c, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/audit.c, plugins/sudoers/find_path.c, plugins/sudoers/iolog.c, plugins/sudoers/match_command.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sudo_edit.c, src/sudo_noexec.c:
    Use sudo_basename() instead of doing the equivalent manually. [67e2b5d68a73]
  • MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/basename.c, lib/util/util.exp.in:
    Add a GNU-compatible version of basename(3). Unlike POSIX basename(3), the GNU variant does not modify its argument. Note that basename of a path ending in “/” returns an empty string. [693e1d39718a]
2021-02-09 Todd C. Miller
  • lib/iolog/iolog_fileio.c:
    feof(3) returns non-zero at EOF, not necessarily 1. On Illumos at least it returns a value other than 1. [fc2242fe7c6e]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Portable workaround for getdelim(3) implementations modify buf on EOF. We should assume that the contents of buf are undefined when getdelim(3) returns -1. We now peek ahead one char and skip the getdelim(3) call if EOF is detected. This will preserve the original value of the last line. [1e353f05a0fa]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Some getdelim(3) implementations write a NUL to the buffer on EOF. AIX and Illumos appear to have this behavior. We now preserve the first character of the buffer on EOF to work around this. Fixes reporting of syntax errors on the last line of a file. [22611c14c1d1]
  • plugins/sudoers/Makefile.in:
    Fuzz the example sudoers file, not the default one. The default sudoers uses @includedir which can result in different output, depending on the permissions of /etc/sudoers.d. [1b325a1d0e0a]
  • configure, configure.ac:
    illumos has a broken fmemopen(3), don’t use it. [d297ee0339e6]
2021-02-08 Todd C. Miller
  • config.h.in, configure, configure.ac, include/sudo_compat.h:
    Add configure check for SSIZE_MAX [ca7699154705]
  • lib/iolog/iolog_json.c:
    Suppress PVS Studio false positives. [6d8fcec047e5]
  • plugins/sudoers/toke_util.c:
    Silence a clang analyzer false positive. [2489166fc372]
  • lib/fuzzstub/fuzzstub.c:
    Fix CID 217123, size check always false on 64-bit systems. [3c018b5d43a8]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Make open_sudoers() always return NULL like fuzz_sudoers.c [042de90307ae]
  • plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test5.toke.ok, plugins/sudoers/regress/sudoers/test7.toke.ok, plugins/sudoers/regress/sudoers/test8.toke.ok:
    Update *.toke.ok now that lexer doesn’t call sudoerserror() itself. [d60c0d33b5b4]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
    The lexer now sets an error string before returning ERROR. The parser will use that when reporting on an ERROR state. This prevents the lexer from reporting errors about tokens that are not actually consumed by the parser and we don’t have to worry about both the lexer and the parser reporting errors. It also means we only get one error per sudoers line. [7ffb0d28862f]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Go back to storing the last error file/line in sudoerserrorf(). This is still the best way to avoid displaying more than one error per line. [21da59d69c5f]
  • configure, configure.ac:
    Add -fsanitize=fuzzer-no-link to ASAN_LDFLAGS too, not just ASAN_CFLAGS. [d3c719c72d79]
  • MANIFEST, Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/system_group/Makefile.in, src/Makefile.in:
    Add fuzz Makefile target and run fuzzer corpus in make check. [a66085f05dea]
2021-02-07 Todd C. Miller
  • MANIFEST, Makefile.in, configure, configure.ac, lib/fuzzstub/Makefile.in, lib/fuzzstub/fuzzstub.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Add stub library that just feeds files to the fuzzing target. This will allow the fuzzers to be run as part of “make check”. [aa8fda20c3f8]
  • scripts/mkpkg:
    Append to CFLAGS and LDFLAGS instead of overriding them when adding -m64. [d02cf3c28198]
  • config.h.in, configure, configure.ac, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Fall back to a temp file if fmemopen() is not available(). [87f804b98c18]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Add missing return statement when NO_LEAKS is not defined. [25b8e1041b62]
  • lib/eventlog/Makefile.in:
    Remove remnants of liblogsrv. [5030114bb12f]
  • INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
    Add –enable-fuzzer-linker and –enable-fuzzer-engine options. These will allow the fuzzers to be built as part of oss-fuzz. [c3176bd8b95b]
2021-02-06 Todd C. Miller
  • plugins/sudoers/Makefile.in:
    Fix linking of sudoers fuzzers with static libsudo_util. [86d07a5a671d]
  • INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
    Add –enable-fuzzer option to use when building fuzzers [01e31362c2b0]
  • INSTALL, configure, configure.ac:
    Replace –enable-asan with –enable-sanitizer It is not possible to set the sanitizer flags at configure time. [115d869e1d55]
2021-02-06 Anton Bershanskiy
2021-02-06 Todd C. Miller
  • lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Build (but don’t run) fuzzers as part of “make check”. Uses a stub to make it possible to link w/o libfuzzer. The goal is to ensure the fuzzers are always buildable and avoid bit rot. [9186e252b8bf]
  • lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
    Add libsudo_eventlog.la as a dependency of libsudo_iolog.la No longer need to link against libsudo_eventlog.la in sudoers. [508097f86035]
2021-02-05 Todd C. Miller
  • MANIFEST, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4:
    Add more test files for fuzzers. [22256acfbe23]
2021-02-05 Daniel Milnes
2021-02-04 Todd C. Miller
  • MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
    fuzzer for I/O log timing files [7b32f8eecfd6]
  • lib/iolog/iolog_json.c:
    In JSON, name/value pairs must be separated by a comma. Previously we didn’t require the comma to be there. [bb70cecf6360]
  • lib/iolog/iolog_json.c:
    Detect integer overflow when converting JSON_ARRAY to string vector. Extremely unlikely to happen but better safe than sorry. [60a7a4d3a1d8]
2021-02-03 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Only strip double quotes from an include path if len >= 2. Found locally using libfuzzer/oss-fuzz. [274d0a05081b]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Don’t allow the sudoers fuzzer to open include files. If we allow the fuzzer to choose include paths it will include random files in the file system. This leads to bug reports that cannot be reproduced. [b8ffce94f30a]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    If getdelim() returns a string with embedded NULs, truncate on first one. This should avoid some issues with the fuzzer. [e90e61d4bb0e]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Reallocate the buffer correctly when appending a newline. Fixes a potential buffer overflow introduced in the last commit. [50b0f77aed5f]
  • plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Don’t free the alias name in alias_add() if the alias already exists. We need to be able to display it using alias_error(). Only free what we actually allocated in alias_add() on error and let the caller handle cleanup. Note that we cannot completely fill in the alias until it is inserted. Otherwise, we will have modified the file and members parameters even if there was an error. As a result, we have to remove those from the leak list after alias_add(), not before. [6a920646d7d1]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Fix NUL termination when parsing a sudoers file with no ending newline. oss-fuzz issue #30252 [5c75d8e15966]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    sudoersrestart() does not reset state to INITIAL, do it in init_lexer(). Fixes spurious errors from fuzz_sudoers, which calls the parser multiple times. [bf2c1c3b82e6]
  • plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
    Push lexer leak tracking down into check_fill.c. This lets us track things correctly when buffers are realloc()d. Rewrote fill() and append() to be more readable. [a1e61a4a7aad]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
    Use sudoersrestart() in fuzz_sudoers.c Since we run the parser multiple times we need to restart it each time. [64792d363f62]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Parser needs user_shost for the %h escape in @include expansion. Fixes oss-fuzz issue #30238 [b043e413be31]
  • INSTALL:
    The –disable-leaks option is not recommended for production use. [cb37a56f4e99]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Remove options from the leak list before freeing them. Should fix oss-fuzz issue #30236 [1ee6dac8c027]
  • MANIFEST, include/sudo_iolog.h, lib/iolog/iolog_util.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c:
    Add fuzzer for legacy I/O log info file. [3f4ed83660ca]
  • doc/Makefile.in, plugins/sudoers/Makefile.in:
    Fix uninstall target; there were missing line continuation chars. GitHub issue #87 [02cffb51c15c]
2021-02-02 Todd C. Miller
  • plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse_ldif.c:
    Don’t close fp in sudoers_parse_ldif() The caller should be the one to handle this. [e8d830851379]
  • plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Got back to calling alias_free() on alias_add() failure. We now need to remove the name and members from the leak list before calling alias_add() since alias_add() will consume them for both success and failure. [65c95a84f8ca]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    close sudoersin, not fp, and reset it to be safe [f616d1c7c09a]
  • lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Add missing fclose(3) of fmemopen(3) stream; it does not modify the data. [9207901dcccd]
  • lib/iolog/iolog_json.c:
    Check for unexpected value after checking the name, not before. [6f973cc4378d]
  • lib/util/progname.c:
    Allow getprogname() to succeed as long as __progname is present. Also simplify the progname code so we only need a single implementation. [300a29bd117e]
  • lib/iolog/iolog_json.c:
    Fix potential leak of evlog->runuser. Also warn if we find an unexpected JSON type. [0ec615b3d4e0]
2021-02-01 Todd C. Miller
  • plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Parse into a local parse_tree and add missing cleanup. Since parsed_policy is for the sudoers parser we should declare our own. [c418d65e7bb4]
  • plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
    Call init_parser() after parsing to clean up completely. [2063d26ab401]
  • MANIFEST, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test25.in, plugins/sudoers/regress/sudoers/test25.json.ok, plugins/sudoers/regress/sudoers/test25.ldif.ok, plugins/sudoers/regress/sudoers/test25.out.ok, plugins/sudoers/regress/sudoers/test25.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
    Plug a few more parser leaks. [c9478efdd65d]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Make parser_leak_remove(type, NULL) a no-op. [7699e99a028a]
  • MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
    Add initial fuzzers to be used by oss-fuzz. These are not yet hooked up to the sudo build. [5593a755f359]
  • plugins/sudoers/gc.c, plugins/sudoers/sudoers.h:
    Garbage collect unused gc_remove() function. [ff561edd846e]
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh:
    The parser should be leak free, re-enable leak detection in ASAN. [a89599540a5a]
  • plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
    Add garbage collection to the sudoers parser to clean up on error. This makes it possible to avoid memory leaks when there is a parse error. [ef739da324bb]
2021-01-31 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h:
    Move new_member_all to ldap_util.c, it is only used by ldap/sssd. [9df2efb6956a]
2021-01-30 Todd C. Miller
  • lib/iolog/iolog_json.c:
    Fix crashes trying to parse invalid JSON. Found locally using libfuzzer/oss-fuzz. [b74c8c260d60]
  • lib/iolog/iolog_json.c:
    Plug memory leak if a key is listed more than once in the log.json file. [764ef247f13e]
  • lib/iolog/regress/iolog_json/check_iolog_json.c:
    Fix crash when file does not exist. [55a46b75e6ed]
  • plugins/sudoers/gentime.c:
    Strict tz offset parsing. Fixes an out of bounds read found locally using libfuzzer/oss-fuzz. [72266f1af75d]
  • plugins/sudoers/ldap_util.c:
    Don’t leak memory for duplicate command options. The last option wins but we also now warn about the duplicate. Found locally using libfuzzer/oss-fuzz. [f1cd342e62f7]
  • plugins/sudoers/ldap_util.c:
    Copy command options when converting a sudoRole with multiple sudoCommands. A sudoRole with multiple sudoCommands is converted to a privilege with multiple cmndspecs. However, we were not copying some of the command options to subsequent cmndspecs in the list. [d8309574a756]
  • plugins/sudoers/parse_ldif.c:
    Fix memory leak if the last line is folded. Fixes issue 30080 by ClusterFuzz-External [404f38aa19a6]
  • INSTALL, configure, configure.ac:
    Add –disable-leaks configure option. This enables the extra freeing of memory before exit also enabled by –enable-asan. To be used by oss-fuzz. [faddd42273a4]
  • plugins/sudoers/gentime.c:
    Stricter parsing of generalized time. Fixes potential out of bounds read found by libfuzzer/oss-fuzz. [4548e29ea5e0]
2021-01-29 Todd C. Miller
  • plugins/sudoers/parse_ldif.c:
    Don’t bother calling ldif_to_sudoers() if there are no roles to convert. [242394d46fb1]
  • lib/iolog/iolog_json.c:
    In json_stack_push() treat stack exhaustion like memory allocation failure. Return NULL instead of treating as a fatal error. This should make life a little easier for oss-fuzz. [84c7c3b7971a]
  • plugins/sudoers/sudoers.c:
    Update comment about return values for resolve_host(). [0e92fe582db1]
  • plugins/sudoers/logging.c, plugins/sudoers/policy.c:
    Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4. init_eventlog_config() is called immediately after initializing the Defaults settings, which is before struct sudo_user is setup. This adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the invoking user is determined. Reported by Roman Fiedler. [e0d4f196ba02]
2021-01-28 Todd C. Miller
  • plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c:
    Fix compilation on systems without a native strlcpy() function. [7b28feb4350a]
  • logsrvd/logsrvd.c, logsrvd/sendlog.c:
    Break up the long help string into multiple printf() statements. AIX xlc compiler doesn’t like cpp directives in between strings. Also fixes a complaint from cppcheck and makes translation easier. [e55b4061f598]
  • plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.h:
    strvec_join: free result on error and actually use separator char [801546807a8a]
2021-01-27 Todd C. Miller
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c:
    Test strvec_join() using strlcpy_unesc(). Emulates an overflow like:
    sudoedit -s ‘' perl -e 'print "A" x 65536' [8d9a063adde5]
  • plugins/sudoers/Makefile.in, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Refactor code to flatten an argument vector into a string. This is used when building up the user_args string. [a6ae655d91a1]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Add strlcpy_unescape() function to undo escaping from front-end. Includes unit test. [abfaa390d275]
  • plugins/sudoers/parse_ldif.c:
    Add missing check for reallocarray() failure. Found by OSS-Fuzz. [fcda06966ed7]
2021-01-26 Todd C. Miller
  • plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_convmessage.c, plugins/python/sudo_python_module.c:
    Remove Py_SSIZE2SIZE to quiet cppcheck warnings. Tuple size cannot be negative and we already handle the case where it is zero. [d6ec5e558a0e]
  • src/parse_args.c:
    The program name may now only be “sudo” or “sudoedit”. We no longer need to check for any string that ends in “edit”. [caed524c6ba0]
2021-01-23 Todd C. Miller
  • plugins/sudoers/timestamp.c:
    Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL. We want to zero the struct starting at flags, not type (which was just set). Found by Qualys. [09f98816fc89]
  • src/parse_args.c:
    Don’t assume that argv is allocated as a single flat buffer. While this is how the kernel behaves it is not a portable assumption. The assumption may also be violated if getopt_long(3) permutes arguments. Found by Qualys. [c125fbe68783]
  • src/parse_args.c:
    Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. This is consistent with how the -e option is handled. Also reject -H and -P flags for sudoedit as was done in sudo 1.7. Found by Qualys, this is part of the fix for CVE-2021-3156. [9b97f1787804]
  • plugins/sudoers/policy.c:
    Add sudoedit flag checks in plugin that are consistent with front- end. Don’t assume the sudo front-end is sending reasonable mode flags. These checks need to be kept consistent between the sudo front-end and the sudoers plugin. [a97dc92eae6b]
  • plugins/sudoers/sudoers.c:
    Fix potential buffer overflow when unescaping backslashes in user_args. Also, do not try to unescaping backslashes unless in run mode and we are running the command via a shell. Found by Qualys, this fixes CVE-2021-3156. [049ad90590be]
2021-01-22 Fabrice Fontaine
  • lib/eventlog/Makefile.in:
    lib/eventlog/Makefile.in: fix static build without closefrom

    Since version 1.9.4 and https://github.com/sudo- project/sudo/commit/bd1ca79cca827a92e904f022e49df121931d4ff5, when closefrom is not available, libsudo_eventlog.a depends on libsudo_util.a. So reflect this dependency in the libtool file to avoid the following static build failure of logsrvd:

    /bin/bash ../libtool –tag=disable-static –mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,–enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la /bin/bash ../libtool –tag=disable-static –mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_sendlog logsrv_util.o sendlog.o -static -Wl,– enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la libtool: link:
    /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,–enable-new-dtags -Wl,-z -Wl,relro ../lib/iolog/.libs/libsudo_iolog.a /home/buildroot/autobuild/instanc e-1/output-1/build/sudo-1.9.5p1/lib/util/.libs/libsudo_util.a -lpthread -lz ../lib/eventlog/.libs/libsudo_eventlog.a ../lib/logsrv/.libs/liblogsrv.a /home/buildroot/autobuild/instance-1/output-1/host/opt/ext- toolchain/bin/../lib/gcc/powerpc-buildroot-linux- uclibc/8.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld:
    ../lib/eventlog/.libs/libsudo_eventlog.a(eventlog.o): in function send_mail.constprop.1': eventlog.c:(.text+0x149c): undefined reference to sudo_closefrom’ collect2: error: ld returned 1 exit status

    Fixes:

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@…> [4e42d276c336]

2021-01-21 Todd C. Miller
  • plugins/sudoers/log_client.c:
    Do not add an unfinished write buffer to the queue if it is already present. In client_msg_cb() we only remove a buffer from the queue when it is finished. Inserting the buf again can cause a cycle in the queue. [b398dcc0933d]
2021-01-20 Todd C. Miller
  • plugins/sudoers/log_client.c:
    Fix problem when SSL_read() returns SSL_ERROR_WANT_WRITE. This can happen when the socket cannot be written to immediately. We need to set the read_instead_of_write flag in that case, not write_instead_of_read. Also sync comments with sendlog.c. Bug #954 [e4239bb932aa]
2021-01-18 Pavel Březina
  • plugins/sudoers/auth/pam.c:
    pam: pass KRB5CCNAME to pam_authenticate environment if available

    If a PAM module wants to authenticate user using GSSAPI, the authentication is broken if non-default ccache name is used in KRB5CCNAME environment variable.

    One way to mitigate this would be to add this to env_keep, but this also makes the variable available in the executed command which may not be always desirable.

    This patch sets KRB5CCNAME for pam_authenticate only, if it is available and not yet set. [90aba6ba6e03]

2021-01-15 Todd C. Miller
  • lib/util/progname.c:
    Fix setprogname() emulation on systems without it. For fully- qualified paths, store the string starting after the last slash, not at the slash itself. [111fde52d116]
2021-01-11 Todd C. Miller
  • src/sudo_edit.c:
    Run the editor with the user’s real and effective uid and gid. Fixes a bug introduced in sudo 1.9.5 where the editor was run setuid root unless SELinux RBAC was in use. [30fe53c07aa7]
  • src/copy_file.c, src/edit_open.c:
    Add casts to quiet two warnings on Solaris. [f76126f6d68d]
2021-01-09 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.5. [49dae07bda23]
2021-01-08 Todd C. Miller
  • NEWS, configure, configure.ac, doc/LICENSE, etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
    Sudo 1.9.5 [3a0e500981a8]
  • doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c:
    Allow SELinux support to be disabled via the sudoers file. Defaults to true if sudo is built with SELinux support and SELinux is not disabled on the system. [c457eaae8692]
2021-01-06 Todd C. Miller
  • plugins/python/python_importblocker.c:
    Add a comment to verify_import() to clarify its purpose. [30ef680f4104]
  • lib/eventlog/eventlog.c, lib/util/arc4random.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/sudoers/auth/pam.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/exec_common.c, src/sesh.c, src/sudo.c, src/sudo_edit.c:
    Suppress PVS Studio false positives. [077f46549351]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y:
    Plug a memory leak in sudoerserrorf(). [a3c14cf0283e]
  • plugins/sudoers/editor.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/starttime.c, plugins/sudoers/tsgetgrpw.c, src/ttyname.c:
    Quiet a few harmless cppcheck warnings. [ab123790b3fd]
  • src/copy_file.c, src/sudo_edit.c:
    In sudoedit, use sudo_check_temp_file() for non-SELinux too. [b5d5bd506487]
  • MANIFEST, src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h, src/sudo_exec.h:
    Move safe open code out of sudo_edit.c and into edit_open.c. [108fcca05798]
  • src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h:
    Add directory writability checks for SELinux RBAC sudoedit. These were never added to the SELinux RBAC path. [0d4f28b5a8e2]
  • src/edit_open.c, src/exec.c, src/exec_pty.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_edit.h, src/tgetpass.c:
    Add struct sudo_cred to hold the invoking or runas user credentials. We can use this when we need to pass around credential info instead of the user_details and command_details structs. [20594f3f00c1]
  • src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h:
    Rename run_cred -> cur_cred and stash existing creds in set_tmpdir(). For sudo_edit_open() et al what we need is a copy of the current cred to restore after dir_is_writable() changes to the user cred. [dcfce8a11282]
  • configure, configure.ac, include/sudo_compat.h, lib/util/progname.c:
    Add setprogname(3) for those without it. [e2f1d1ecedb0]
  • src/sesh.c, src/sudo_edit.c:
    Split up sesh_sudoedit() so it is organized more like sudo_edit.c. The new sesh_edit_create_tfiles() and sesh_edit_copy_tfiles() functions are analogous to sudo_edit_create_tfiles() and sudo_edit_copy_tfiles(). Also use “sudoedit” in the warning/error messages from sesh_sudoedit(). Otherwise, the user gets a mix of messages from sudoedit and sesh. [5510be4b2129]
  • Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
    Remove the –force option from the cppcheck args, it causes errors. [57f2ad72e874]
  • include/sudo_util.h, lib/util/progname.c, lib/util/util.exp.in, src/sudo.c:
    For sudo, only allow “sudo” or “sudoedit” as the program name. The program name is also used when matching Debug lines in sudo.conf. We don’t want the user to be able to influence sudo.conf Debug matching. The string “sudoedit” is treated the same as “sudo” in sudo.conf. Problem reported by Matthias Gerstner of SUSE. [1d32c53859f9]
  • lib/iolog/iolog_fileio.c, lib/util/sudo_debug.c, plugins/group_file/getgrent.c, plugins/sudoers/linux_audit.c, plugins/sudoers/tsgetgrpw.c:
    Check the return value of fcntl() when setting FD_CLOEXEC. This should never fail unless the fd is invalid. Problem reported by Matthias Gerstner of SUSE. [f1ca39a0d870]
  • src/sudo_edit.c:
    Fix potential directory existing info leak in sudoedit. When creating a new file, sudoedit checks to make sure the parent directory exists so it can provide the user with a sensible error message. However, this could be used to test for the existence of directories not normally accessible to the user by pointing to them with a symbolic link when the parent directory is controlled by the user. Problem reported by Matthias Gerstner of SUSE. [ea19d0073c02]
  • src/copy_file.c, src/sesh.c, src/sudo_edit.c, src/sudo_exec.h:
    Add security checks before using temp files for SELinux RBAC sudoedit. Otherwise, it may be possible for the user running sudoedit to replace the newly-created temporary files with a symbolic link and have sudoedit set the owner of an arbitrary file. Problem reported by Matthias Gerstner of SUSE. [8fcb36ef422a]
  • plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ko.mo, po/ko.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po:
    Updated translations from translationproject.org [e68c92c767f1]
2021-01-04 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Use debug_return_int() not debug_return_bool() to return -1. Found by PVS Studio. [f1f67ca51aeb]
  • plugins/sudoers/logging.c:
    Fix a crash introduced in 1.9.4 when running “sudo -i” as an unknown user. [d1a3f0f4d0f9]
2021-01-03 Todd C. Miller
  • plugins/sudoers/check.c:
    Make sure lecture file is a regular file before reading it. [c9c68eff1e45]
2021-01-02 Todd C. Miller
  • Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/group_file/plugin_test.c, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/system_group/Makefile.in, src/Makefile.in:
    Minor fixes pointed out by cppcheck. Also add compareBoolExpressionWithInt to suppression list. [52316819700e]
  • logsrvd/logsrvd.c:
    Avoid potential use after free with eventlog-only connections. Coverity CID 215884. [cca5cffabe42]
  • src/exec.c:
    Cannot do direct exec of a command when SELinux RBAC is enabled. [2706b0fc1451]
  • MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/pread.c, lib/util/pwrite.c, scripts/mkdep.pl:
    Add emulation of pread(3) and pwrite(3) for systems without them. This makes it possible to remove some ugly #ifdefs and only affects very old systems. [1c2a31bda598]
  • lib/iolog/iolog_fileio.c, plugins/sudoers/match_command.c, plugins/sudoers/timestamp.c:
    Remove #ifdefs around code using pread(3) and pwrite(3). [3830fdf650df]
  • plugins/sudoers/Makefile.in:
    Regen now that ldap.c and sssd.c no longer need gram.h [5cc4e107f301]
2020-12-30 Todd C. Miller
  • lib/util/fatal.c:
    Fix deregistration of a callback that is not at the head of the list. The SLIST_FOREACH_PREVPTR macro doesn’t work the way I thought it did. Just store our own prev pointer and use that instead. [04c290fe1fcb]
2020-12-21 Todd C. Miller
  • src/net_ifs.c:
    Fix the buffer size parameter when serializing the interface list. Problem reported by Matthias Gerstner of SUSE. [b0cae3ac8e46]
2020-12-20 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    The runas user must be set before applying runas-based Defaults. This effectively backs out changeset f738f5ac5350, which made it possible to log the command when an invalid user was specified. The policy plugin API doesn’t supply the command until the check function, at which point we’ve already denied the command due to the invalid user. Bug #951. [8a415f555cf9]
2020-12-18 Todd C. Miller
  • etc/uncrustify-small.cfg, etc/uncrustify.cfg:
    Don’t enable mod_remove_empty_return We like to use an empty return for stub functions. [018ef129dc24]
2020-12-16 Todd C. Miller
  • plugins/sudoers/policy.c:
    The lower bounds for the “closefrom” option is 3, not 4. This is a regression introduced in sudo 1.8.9 with the strtonum() conversion. Bug #950. [fb06603b9a12]
2020-12-15 Todd C. Miller
2020-12-11 Todd C. Miller
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Direct execution of a command is incompatible with using a log server. [91afbbde217a]
  • plugins/sudoers/audit.c:
    Set sudoers_audit.close to NULL if not using a log server. [231abb92a3b2]
2020-12-08 Todd C. Miller
  • config.guess, config.h.in, config.sub, configure, configure.ac:
    Regenerate configure script with autoconf 2.71. Also fix some warnings from the new version. [cd1c7615e861]
2020-12-07 Todd C. Miller
  • config.h.in, configure, configure.ac, src/sudo.c:
    Define _DARWIN_UNLIMITED_GETGROUPS on macOS to suport > 16 groups. On macOS 10.6 and above, getgroups(2) can return more than NGROUPS_MAX if _DARWIN_UNLIMITED_GETGROUPS or _DARWIN_C_SOURCE is defined. Bug #946 [2e7d3c3cf18b]
2020-12-05 Todd C. Miller
  • doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in:
    Comment out the default plugin lines in the example sudo.conf. Fixes a problem when there are multiple versions of sudo installed and not all suport the audit plugin, such as on macOS. GitHub issue #75 [aaed5d7a3471]
  • plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Store the user-provided runas user and group name in struct sudo_user. This makes it available for event logging in case the name doesn’t resolve. [98d70ba8a2a6]
  • plugins/sudoers/logging.c:
    Log submit group to event log. [3e7ace99f7f8]
  • plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Store iolog_path in struct sudo_user for use in the event log. [35bc39ec8ad5]
2020-12-04 Todd C. Miller
  • plugins/sudoers/logging.c, plugins/sudoers/sudoers.c:
    Defer lookup of runas user until sudoers_main() for better logging. The log message now includes user info and the command attempted. [f738f5ac5350]
  • lib/eventlog/eventlog.c:
    Don’t assume that just because command is non-NULL, argv is non- NULL. [4fac4ae88e4e]
  • plugins/sudoers/logging.c:
    Fix a crash introduced in 1.9.4 when running command as an unknown user. Bug #948 [8b24c140ec7c]
2020-12-03 Todd C. Miller
  • logsrvd/logsrvd.c:
    When shutting down the server, close non-I/O log connections immediately. Avoids a timeout during server shutdown while the server waits for active connections to close. [26bfda2c8f67]
  • src/sudo.c:
    Audit errors from policy_init_session(), audit_accept(), and audit_reject(). [638e583754ac]
  • src/sudo.c:
    Do not run the command if the audit accept function fails. Also add warnings if the audit reject or error functions fail. [ca94ef438961]
  • plugins/sudoers/log_client.c:
    Reduce the number of error messages when we can’t connect to the audit server. Add the error string to “unable to connect to log server” instead of using an extra error message for the connect(2) failure. [25ac7ac5bfdf]
  • plugins/sudoers/log_client.c:
    Use correct error message when the TLS connection is dropped. Was:
    “recv: Unknown error 0”, now: “lost connection to log server”. [5c3f319b1f75]
2020-12-02 Todd C. Miller
  • plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
    Change alias_add() to return bool and set errno on failure. This fixes a localization problem where the error message could have been reported in the wrong locale. [1859fe3da40c]
2020-11-30 Todd C. Miller
  • lib/eventlog/eventlog.c:
    Fix build when configured using –without-sendmail Bug #947 [41db1aad85bb]
2020-11-29 Todd C. Miller
  • plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/hr.mo, po/hr.po:
    Updated translations from translationproject.org [96a5cfe3c66b]
2020-11-24 Todd C. Miller
  • logsrvd/logsrvd.c:
    Don’t try to unlink a NULL pointer. [95babad9636a]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
    If pid_file is set to an empty value, disable the use of a pid file. [d4462105ab4b]
  • doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c:
    Don’t overwrite sudo_logsrvd.pid if it is a symbolic link. [d79f97a0a533]
  • INSTALL, configure, configure.ac, etc/codespell.exclude, plugins/sudoers/env.c:
    Fix typo detected by codespell 2.0.0 Also avoid some new false positives [d973f44e2396]
2020-11-23 Todd C. Miller
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po:
    Updated translations from translationproject.org [156162e6e07e]
2020-11-18 Todd C. Miller
  • lib/util/sudo_conf.c:
    Fix calling sudo_conf_read() multiple times with different conf_types. The change to reinitialize the configuration data when sudo_conf_read() is called again didn’t take into account that sudo calls sudo_conf_read() twice–once for the debug info and once for everything else. [b6869b7da3c2]
2020-11-17 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
    Don’t free the private copy of the environment until the close function. We may need to use it when logging from the audit reject function. [5118eb5797fb]
  • plugins/sudoers/log_client.c:
    It is possible for evlog->argv or evlog->envp to be NULL. [798ff96301bf]
  • src/exec_pty.c, src/sudo.c, src/sudo.h:
    Pass command_info[] to audit plugin on I/O log plugin reject or error. The audit plugin should cope with a NULL command_info but there’s no reason not to pass the info when we have it. [e361897d0192]
  • doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/audit.c:
    For the audit plugin, command_info may be NULL. Fixes a NULL dereference in sudoers_audit when an I/O logging plugin rejects input/output or returns an error. [9abee774e7e1]
  • plugins/sudoers/defaults.c:
    Add missing initialization of def_log_format to sudo. [8c824f6dcfdd]
2020-11-16 Todd C. Miller
  • config.h.in, configure, configure.ac:
    Newer LibreSSL has SSL_CTX_set_ciphersuites but it is not enabled. Add a check for the function declaration in openssl/ssl.h. [d6d0665572ec]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Event log data is sent to sudo_logsrvd even when not I/O logging. [d720f4ad3d40]
2020-11-14 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot:
    Regenerate sudoers.pot for 1.9.4 [127283726e97]
  • NEWS, configure, configure.ac:
    Update for sudo 1.9.4. [2cb747911aef]
  • plugins/sudoers/audit.c:
    Update struct eventlog based on command_info[] from front-end. The I/O log path is not known until the I/O log plugins have run and other plugins may alter the execution environment. [3ad14a88052e]
  • plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/logging.h, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/toke.h:
    Add sudoerserrorf(), a printf-style yyerror() function. Use this to display a better error message when using a reserved work in an alias definition. [1bb3915f61b6]
2020-11-13 Todd C. Miller
  • scripts/mkpkg:
    Build universal binaries on macOS 11.0 and higher. The resulting package should work on Macs based on Apple Silicon. [91cdeda79e66]
2020-11-12 Todd C. Miller
  • plugins/sudoers/editor.c:
    Support EDITOR environment variable that includes quotes. Quote support is limited to the beginning of a word. Also handles characters escaped with a backslash. [ebb7f3c6240c]
2020-11-11 Todd C. Miller
  • plugins/python/Makefile.in, plugins/python/pyhelpers.c, plugins/python/python_plugin_common.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@diag.log, plugins/python/regress/tes tdata/check_example_debugging_c_calls@info.log, plugins/python/regre ss/testdata/check_example_debugging_plugin@info.log, plugins/python/ regress/testdata/check_example_debugging_py_calls@diag.log, plugins/ python/regress/testdata/check_example_debugging_py_calls@info.log, p lugins/python/regress/testdata/check_example_group_plugin_is_able_to debug.log, plugins/python/regress/testdata/check_example_io_plugin command_log.stored, plugins/python/regress/testdata/check_example_io _plugin_command_log_multiple1.stored, plugins/python/regress/testdat a/check_example_io_plugin_command_log_multiple2.stored, plugins/pyth on/regress/testdata/check_example_io_plugin_failed_to_start_command. stored, plugins/python/regress/testdata/check_example_io_plugin_fail s_with_python_backtrace.stderr, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log, plugins/python/regr ess/testdata/check_loading_fails_not_owned_by_root.stderr, plugins/p ython/regress/testdata/check_loading_fails_wrong_classname.stderr, p lugins/python/regress/testdata/check_loading_fails_wrong_path.stderr , plugins/python/regress/testdata/check_multiple_approval_plugin_and _arguments.stdout, plugins/python/regress/testdata/check_python_plug ins_do_not_affect_each_other.stdout, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
    Back out regex use in python tests, filter the output instead. This makes it possible to regenerate the test output again. Also adds an update_test_data target to the Makefile. [3837f51a8072]
  • plugins/sudoers/ldap.c:
    Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED This is consistent with the pre-1.8.24 behavior. Bug #945 [d1e1bb5a6cc1]
  • src/sudo.c:
    Stay setuid until just before executing the command. Fixes a problem with pam_xauth which checks effective and real uids to get the real identity of the user. [2c6fef0107c8]
2020-11-10 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c:
    Introduce new_member_all() for code that doesn’t include gram.h. The ldap and sssd back-ends no longer require gram.h which fixes a compilation issue with IBM LDAP. [1729532cda27]
  • lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd.c:
    On SIGHUP, deregister the old debug instance before registering a new one. Otherwise, if debugging is enabled we will get an extra log instance each time sudo_logsrvd reeives SIGHUP which results in duplicate lines in the debug log. [538633994d8a]
2020-11-09 Todd C. Miller
  • plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
    Refactor code to format the client message after the hello. [12d29d129166]
  • doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/eventlog/eventlog.c, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, plugins/sudoers/log_client.c:
    Add info_msgs to AlertMessage and populate it. This lets us log eventlog info along with the alert if it is available. [493a047a4463]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Use sudoers_to_eventlog() and init_log_details() in sudoers_audit_accept(). log_deserialize_info() can be private to iolog.c again. [0b4e03904f3d]
  • plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
    Log reject and alert messages to the log server if one is defined. [087cf87d10af]
  • plugins/sudoers/logging.c:
    Treat an authentication failure as a reject, not an alert. This matters when logging via sudo_logsrvd. It also lets us remove a special case in vlog_warning(). [ae489d3f20a8]
  • MANIFEST, config.h.in, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/sudoers.c:
    Rename iolog_client -> log_client. The logsrvd client code is now used for more than just I/O logging. [ea47ce43bbee]
  • MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
    Rename iolog_plugin.h to log_client.h. It is no longer I/O log specific and is used by sudoers_audit too. [cde784a59490]
  • configure, configure.ac:
    Remove hack to define YYTOKENTYPE, it breaks newer bison. [8b919ef33db7]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h:
    Regenerate with bison 3.7.3 [9fb81b933c43]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c:
    Use struct eventlog *evlog, not struct eventlog *details. [a9b5f3c2902f]
2020-11-06 Todd C. Miller
  • lib/eventlog/eventlog.c:
    For logsrvd AlertMessages, evlog will be NULL. [d048f7b429d5]
  • lib/eventlog/eventlog.c:
    Append errstr to reason for alert and reject events if specified. Previously, we logged the error string separately but this is not consistent with how it is logged in other formats. [68c76e530248]
  • plugins/sudoers/logging.c:
    Fix cut & pasto in debug subsystem. [c39dd60b6d2d]
2020-11-04 Todd C. Miller
  • plugins/sudoers/iolog_client.c:
    Refactor code to format InfoMesage array into fmt_info_messages(). Add free_info_messages() to free the array. [e6223d325c77]
  • plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
    Log accept messages in sudoers_audit if not I/O logging. [cdb5c443c97d]
  • plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
    Refactor sudoers_io_open_remote() into log_server_open(). Also rename client_close() to log_server_close(). This keeps more of the client code details out of iolog.c and will be used when logging accept messages from the audit plugin. [e3f6ba6768b8]
  • plugins/sudoers/iolog.c:
    Move argv and envp setting into iolog_deserialize_info(). [613b97f1d7bc]
  • logsrvd/logsrvd.c:
    Avoid early return in handle_accept() if expect_iobufs not set. [918adc8234f0]
2020-11-02 Todd C. Miller
  • doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c, src/load_plugins.c:
    Add event_alloc to the audit plugin API. The sudoers audit plugin will use this to communicate with sudo_logsrvd. [c2fc2911476b]
  • logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
    Set server_name before initiating TLS connection so verify function works. Fixes a crash in the SSL_VERIFY_PEER callback. Also call inet_ntop(3) with addr pointer, not sockaddr pointer so we get the correct IP address. [7a7dcebbe889]
  • plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/visudo.c:
    Store column number for aliases, defaults and userspecs too. This is used to provided the column number along with the line number in error messages. For aliases we store the column of the alias name, not the value since that is what visudo generally needs. [1c9d86b88517]
2020-11-01 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test13.out.ok:
    Display column number in parse error messages too. Bug #841 [0aea28dec8f2]
  • plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
    Move tls initialized flag into client_closure. We may call tls_init() from multiple places in the future so a static initialized flag will cause problems. [00b2b02c24c5]
  • plugins/sudoers/cvtsudoers_json.c:
    Fix -Wshadow warnings caused by json enum member. [ea336980bb6a]
2020-10-30 Todd C. Miller
  • ABOUT-NLS, INSTALL, NEWS, configure.ac, doc/UPGRADE, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/sudo.conf.in, include/compat/getaddrinfo.h, install-sh, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_parseln/test1.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, m4/sudo.m4, plugins/group_file/group_file.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog_client.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/load_plugins.c, src/sudo.c, src/sudo_noexec.c, src/tgetpass.c:
    Apply Google inclusive language guidelines. Also replace backwards with backward. [678fbce6054f]
2020-10-29 Todd C. Miller
  • doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
    Refernce IBM LDAP libs, not Tivoli since that is how it is packaged. We still use Tivoli when talking about the server itself but refer to it as the “IBM Tivoli Directory Server”. [9f97a7e6b67a]
  • doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
    Add a newline before “This option is …” [853f819f0241]
2020-10-28 Todd C. Miller
  • lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok:
    Test eventlog_writeln() when word wrap is disabled. [73acb7fbef59]
  • configure, configure.ac:
    Bison generates an extra enum containing the parser tokens. This conflicts with the IBM ldap.h at least. Prevent it from being exposed by defining YYTOKENTYPE. [f3445ad76687]
  • configure, configure.ac:
    IBM LDAP packages use a lib64 directory for 64-bit libraries. We need to add this to LDFLAGS so the linker is able to find the correct libs when building 64-bit binaries. [701b83f6cd13]
  • config.h.in, configure, configure.ac, plugins/sudoers/ldap.c:
    Use ssl_err2string() in message on ldap_ssl_client_init() failure. Displaying SSL reason code directly is not user-friendly. [aaf272403f3e]
2020-10-27 Todd C. Miller
  • lib/eventlog/eventlog.c:
    For JSON logs, write the most important log elements first. This is important for syslog where the record could be truncated. [58fc957c41bb]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c:
    Add log_format sudoers setting to select sudo or json format logs. Defaults to sudo-format logs. [2936d2750af0]
  • include/sudo_json.h, lib/eventlog/eventlog.c, lib/util/json.c:
    Support “minimal” JSON which skips all non-essention whitespace. This replaces the old “compact” mode which is only used for syslog. [be07bca67019]
  • plugins/sudoers/logging.c:
    Don’t warn about log failure more than once. [b4dc59a58d1d]
2020-10-26 Todd C. Miller
  • lib/eventlog/eventlog.c:
    Check for fdopen(3) failure in send_mail(). [e08b17bf26ce]
  • MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/logwrap.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/logging/check_wrap.in, plugins/sudoers/regress/logging/check_wrap.out.ok, plugins/sudoers/sudoers.c:
    Add support for file log line wrapping in libeventlog. [935c30cf7633]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Use real setters for the eventlog config. This makes it possible to have a base config that the callers can modify instead of replacing the config wholesale. [2ca1e7d376c2]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/defaults.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Use libeventlog in sudoers instead of doing our own logging. [d8306755201a]
  • lib/eventlog/eventlog.c, plugins/sudoers/logging.c:
    Log the short version of the tty in sudoers-format logs. This is consistent with historical practice. [69440e4659a8]
  • lib/eventlog/eventlog.c:
    Add default values in eventlog_setconf(). [582d359a8ec0]
  • include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.c, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.h:
    Add support for mailing eventlog entries and for logging raw messages. These will be used by the sudoers plugin. [acab8209ddd0]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/iolog/iolog_fileio.c:
    If no JSON callback is provided, store the contents of struct eventlog. This moves the JSON formatting of struct eventlog out of libsudo_iolog and into libsudo_eventlog where it belongs. [260a7ec65485]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c:
    struct eventlog contains submit_time, no need to pass it in directly. [a3ac404e6a59]
  • include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c:
    Add an errstr argument to eventlog_alert(). [e2afd2f1c092]
  • plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
    Make a copy of the strings stored in iolog_details and struct eventlog. Previously, we just made the strings const and relied on the front-end not changing them. Now the sudoers I/O log plugin behavior is consistent with the policy plugin. [406632298bd5]
  • plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
    Use struct eventlog in iolog_details. [c22e05f420fe]
  • include/sudo_eventlog.h, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
    Use struct eventlog in place of struct iolog_info. [9fef7a5f077b]
  • logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
    No longer need eventlog-related getters in logsrvd.c [e3ab80a9a892]
  • MANIFEST, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
    Use libeventlog in sudo_logsrvd. [3dd22be50c30]
  • MANIFEST, Makefile.in, configure, configure.ac, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.h:
    Refactor eventlog code into a library [2e02c25be009]
2020-10-20 Todd C. Miller
  • lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
    regen Makefiles [d9064a0c53ae]
2020-10-16 Todd C. Miller
  • plugins/sudoers/Makefile.in:
    Explicitly set umask when running tests. Some tests create files that must not be world-writable. [9186ea1d2696]
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    sudoers_policy_store() -> sudoers_policy_store_result() [3dad5322916b]
2020-10-14 Todd C. Miller
  • plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
    Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). It is called even when there is no command to execute. Also pass in status of whether or not the command was accepted. [a0ded23e81c4]
2020-10-10 Todd C. Miller
  • plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test1.sh, plugins/sudoers/regress/cvtsudoers/test10.sh, plugins/sudoers/regress/cvtsudoers/test11.sh, plugins/sudoers/regress/cvtsudoers/test12.sh, plugins/sudoers/regress/cvtsudoers/test13.sh, plugins/sudoers/regress/cvtsudoers/test14.sh, plugins/sudoers/regress/cvtsudoers/test15.sh, plugins/sudoers/regress/cvtsudoers/test16.sh, plugins/sudoers/regress/cvtsudoers/test17.sh, plugins/sudoers/regress/cvtsudoers/test18.sh, plugins/sudoers/regress/cvtsudoers/test19.sh, plugins/sudoers/regress/cvtsudoers/test2.sh, plugins/sudoers/regress/cvtsudoers/test20.sh, plugins/sudoers/regress/cvtsudoers/test21.sh, plugins/sudoers/regress/cvtsudoers/test22.sh, plugins/sudoers/regress/cvtsudoers/test23.sh, plugins/sudoers/regress/cvtsudoers/test24.sh, plugins/sudoers/regress/cvtsudoers/test25.sh, plugins/sudoers/regress/cvtsudoers/test26.sh, plugins/sudoers/regress/cvtsudoers/test27.sh, plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test3.sh, plugins/sudoers/regress/cvtsudoers/test30.sh, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test4.sh, plugins/sudoers/regress/cvtsudoers/test5.sh, plugins/sudoers/regress/cvtsudoers/test6.sh, plugins/sudoers/regress/cvtsudoers/test7.sh, plugins/sudoers/regress/cvtsudoers/test8.sh, plugins/sudoers/regress/cvtsudoers/test9.sh, plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test10.sh, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.sh, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/testsudoers/test6.sh, plugins/sudoers/regress/testsudoers/test7.sh, plugins/sudoers/regress/testsudoers/test8.sh, plugins/sudoers/regress/testsudoers/test9.sh, plugins/sudoers/regress/visudo/test1.sh, plugins/sudoers/regress/visudo/test10.sh, plugins/sudoers/regress/visudo/test2.sh, plugins/sudoers/regress/visudo/test3.sh, plugins/sudoers/regress/visudo/test4.sh, plugins/sudoers/regress/visudo/test5.sh, plugins/sudoers/regress/visudo/test6.sh, plugins/sudoers/regress/visudo/test7.sh, plugins/sudoers/regress/visudo/test8.sh, plugins/sudoers/regress/visudo/test9.sh:
    Pass path to testsudoers, visudo or cvtsudoers in the environment. Falls back on the unqualified command if the environment variable is not set. [a7b8c413b66d]
2020-10-09 Todd C. Miller
  • plugins/sudoers/sssd.c:
    Init cmnds to NULL in rule_to_priv() so we don’t free a bogus pointer. In the sssd backend, the rule_to_priv() cleanup code assumes cmnds can be passed to fn_free_values(), which was not the case if we receive an error getting values for “sudoCommand”. This is a regression introduced in sudo 1.9.1. Fix from Ron Bowes. GitHub issue #67. [a3fe4615f039]
2020-10-06 Todd C. Miller
  • plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h:
    Pass runchroot to match_digest() too. We use the open fd for the actual I/O but having runchroot makes it possible to report the correct file name in error messages. [2e1d142e2fe5]
2020-10-04 Todd C. Miller
2020-09-29 Todd C. Miller
  • plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults:
    Fix indentation of enum def_tuple. [237db08cc1a3]
2020-09-28 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Remove special case EOF handling; lines now always end in a newline. Previously we needed to emulate some of the state transitions that happen at end-of-line at end-of-file as well. Those are no longer needed now that we are guaranteed to always have a newline at the end. [4c0c21b081f7]
2020-09-27 Todd C. Miller
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Increment sudolinebuf.size after realloc(). [b871905c3442]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Add a newline at end of line if one is missing. This is simpler than having to support entries that end at EOF too. [cb335acb1064]
  • MANIFEST, plugins/sudoers/regress/testsudoers/test14.out.ok, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test15.sh:
    Add tests for entries without a newline. [98a50d8301a8]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Fix handling of a command spec without a newline at the end. For include files, we may need to inject a newline token now that the grammar requires lines to end with a newline or EOF. There is no END (EOF) token processed after popping off an include file since everything is just treated as one big file. [3e6c62ea7237]
  • plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Mark sudoerserror() messages for translation. [d6a173cea48b]
  • plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Fix line number accounting when a string contains a newline. Strings are not allowed to span multiple lines without a continuation character. Also provide a better error message if we are in the middle of a string and hit EOF. [cf34b0a3beba]
2020-09-26 Todd C. Miller
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
    Use sudoerschar (yychar) instead of last_token. The parser already provides a way to examing the last token processed, we don’t need to add our own. [ba35fe36bd56]
2020-09-25 Todd C. Miller
  • lib/util/closefrom.c, lib/util/getentropy.c, lib/util/pipe2.c, lib/util/term.c, lib/util/ttyname_dev.c, plugins/sudoers/auth/pam.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/env.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h, src/tgetpass.c, src/ttyname.c:
    Fix -Wshadow warnings. [5480e97a1160]
  • configure, configure.ac:
    Add -Wshadow to warning flags if the compiler supports it. [6f29b5ebc2b8]
  • MANIFEST, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/regress/testsudoers/test13.sh:
    Add test for syntax error when defining an alias using a reserved word. [4c90b3952ed1]
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Fix pasto, TIMEOUT not CMND_TIMEOUT. [842ad3a578f2]
  • NEWS, doc/UPGRADE, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in:
    Document reserved words that cannot be used as alias names. Bug #941 [4b37a2174cd2]
  • plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers_version.h:
    Detect when a reserved word is used when declaring an alias. Now instead of “syntax error, unexpected CHROOT, expecting ALIAS” the message is “syntax error, reserved word used as an alias name” Bug #941 [dfc55de5526c]
2020-09-23 Todd C. Miller
  • plugins/sudoers/sudoers.c:
    Fix potential NULL deref in debug code. [c6b8910ac7dc]
  • plugins/sudoers/getspwuid.c:
    Close the passwd db before calling getpwnam_shadow(3). Otherwise, we will get the non-shadow passwd entry (”*") since we called setpassent(3) earlier to keep the passwd db open. [71ee5e16e4c5]
  • configure, configure.ac:
    Fix configure test for crypt(3) when it is present in libc. Fixes a regression introduced in sudo 1.9.3. [0d77733de667]
  • plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c:
    Add SLOG_AUDIT flag for log_warningx() to also audit the message. This lets us combine audit_failure() and log_warningx() calls with the same message. [23a8a5eab2ff]
  • plugins/sudoers/sudoers.c:
    Log when user-specified command line options are rejected by sudoers. We already audit those but in some cases they were not logged as well. [30d991993763]
  • NEWS, configure, configure.ac:
    Update for sudo 1.9.3p1 [0cbbb7608c3f]
2020-09-20 Todd C. Miller
  • configure, configure.ac:
    Move warning about plaintext password to the end of configure. It is unlikely to be noticed at the beginning of the output. [b3b5abcedc73]
2020-09-19 Todd C. Miller
  • plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po:
    Updated translations from translationproject.org [54b5484b2756]
2020-09-18 Todd C. Miller
  • config.h.in, configure, configure.ac, plugins/sudoers/auth/passwd.c:
    Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. [aed39197f364]
2020-09-17 Todd C. Miller
  • src/sudo_edit.c:
    Only use faccessat(3) if AT_EACCESS is defined. Apparently Android (bionic) has faccessat() but not AT_EACCESS. Bug #940. [18604919a023]
  • src/utmp.c:
    Guard use of ttyslot() with HAVE_TTYSLOT, fix guard for utmp_setid(). This should make it easier to compile sudo on Android which doesn’t provide a way to write to the utmp file. Bug #940. [69fe5b8426cd]
2020-09-16 Todd C. Miller
  • po/zh_CN.mo, po/zh_CN.po:
    Updated translations from translationproject.org [ef72535d71a5]
  • plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sr.mo, po/sr.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_TW.mo, po/zh_TW.po:
    Updated translations from translationproject.org [48fdb293a803]
  • configure, configure.ac, plugins/sudoers/po/sudoers.pot:
    Back out sudo 1.9.3b1 version change. [70cee88da8b1]
2020-09-14 Todd C. Miller
  • NEWS, configure, configure.ac, plugins/sudoers/defaults.c, plugins/sudoers/po/sudoers.pot:
    Fix typo in warning for T_CHPATH, list ‘~’ not ‘*’ twice. Bug #938 [d516bebe9644]
2020-09-12 Todd C. Miller
  • plugins/sudoers/po/sudoers.pot, po/sudo.pot:
    Update .pot files for 1.9.3. [47cedd231dd6]
2020-09-10 Todd C. Miller
  • plugins/sudoers/iolog_client.c:
    Add missing check for strdup() failure. Coverity CID 214243 [86cf4da0cd81]
  • examples/sudoers:
    Sync example sudoers with manual page. [1ccf32907f11]
2020-09-09 Todd C. Miller
  • doc/sudoers.man.in, doc/sudoers.mdoc.in:
    Add simple runchroot and runcwd examples. Also document the limitation of command-based Defaults settings. [6a610884670c]
  • plugins/sudoers/sudoers.c:
    Add callback for runchroot Defaults and require password -D/-R checks. Using a command-based Default for runchroot will still only work for paths that exist both in and outside the chroot. [a50148e16b89]
  • plugins/sudoers/defaults.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
    Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings. [c71faa1f5ea1]
  • plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
    Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule. [d8765611b48c]
2020-09-06 Todd C. Miller
  • configure, configure.ac:
    Remove closefrom_fallback() from lib/util/util.exp. It is a static function and should not be exported. [dc09dc563197]
2020-09-06 Evan Anderson
  • configure, m4/sudo.m4:
    configure: Fix runstatedir handling for distros that do not support it

    runstatedir was added in yet-to-be released autoconf 2.70. Some distros are shipping this addition in their autoconf packages, but others, such as Fedora, are not. This causes the rundir variable to be set incorrectly if the configure script is regenerated with an unpatched autoconf since the runstatedir variable set is deleted after regeneration. This change works around that problem by checking that runstatedir is non-empty before potentially using it to set the rundir variable [35c1eb25dd9d]

2020-09-05 Todd C. Miller
  • lib/util/Makefile.in:
    We need to link with NET_LIBS for gai_strerror() on some systems. From Tim Rice [b10aeb7ec2ed]
  • ltmain.sh:
    Fix sco library versioning; fallout from frebsd-elf reorg. From Tim Rice [072a37c2d3cb]
  • configure, configure.ac:
    SVR4/5 fixes and long password support for OpenServer 6 & 5. From Tim Rice [8622970c77c3]
  • lib/logsrv/protobuf-c.c:
    Use config.h to handle systems without inline function support. [1ba5301de713]
  • configure, configure.ac:
    Prefer dlopen() over shl_load() on HP-UX 11.11 and higher. [065316970f79]
  • include/sudo_fatal.h, lib/util/fatal.c:
    Define sudo_wa