The patch from master branch, somehow lost during su refactoring
rebase.
Reported-by: Tobias Stöckmann <tobias@stoeckmann.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
* setup logindefs loader by function rather than by global pointer
* move basic booleans to the su_context struct
Signed-off-by: Karel Zak <kzak@redhat.com>
Yes, I know... this patch is horrible. We all hate this in git
history, but the original indention from coreutils has been so
crazy...
Signed-off-by: Karel Zak <kzak@redhat.com>
changed in include/c.h and applied via sed:
sed -i 's/fprintf.*\(USAGE_MAN_TAIL.*\)/printf(\1/' $(git ls-files -- "*.c")
sed -i 's/print_usage_help_options\(.*\);/printf(USAGE_HELP_OPTIONS\1);/' $(git ls-files -- "*.c")
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Consolidate --help and --version descriptions. We are
now able to align them to the other options.
We changed include/c.h. The rest of this patch was
generated by sed, plus manually setting the right
alignment numbers. We do not change anything but
white spaces in the --help output.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
We are using better/shorter error messages and somtimes
also errtryhelp().
Here we fix all cases where the usage function took
an int argument for exit_code.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
(Original patch and commit message edited by Rudi.)
gcc-7 adds -Wimplicit-fallthrough=3 to our default flag -Wextra.
This warning can be silenced by using comment /* fallthrough */
which is also recognized by other tools like coverity. There are
also other valid comments (see man gcc-7) but we consolidate this
style now.
We could have also used __attribute__((fallthrough)) but the comment
looks nice and does not need to be ifdef'ed for compatibility.
Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=7652
Reference: https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Reviewed-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Suggested-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Hopefully these changes are unreachable code, but better safe than sorry
when dealing with setuid root code that is installed everywhere. Quite
obviously the introduced abort() calls protect from impossible inputs.
Secondly set all possible data to be read-only in attempt to make it more
difficult to alter anything at all.
Reference: https://www.securecoding.cert.org/confluence/display/c/DCL00-C.+Const-qualify+immutable+objects
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
text-utils/tailf.c:69:21: warning: Using plain integer as NULL pointer
Since many 'struct option' has used zero as NULL make them more readable in
same go by reindenting, and using named argument requirements.
Reference: https://lwn.net/Articles/93577/
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Now the build will fail on many non-Linux systems because
utmpx.h is available everywhere but we still use non-POSIX
features. We'll fix this next commit.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
_HAVE_UT_TV is glibc only. Moreover we want to move to utmpx where
timeval is standard.
Now utmp/subsecond (1173d0a6) should work on all supported systems.
CC: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
This patch add libseccomp based syscalls filter to disable TIOCSTI
ioctl in su/runuser children.
IMHO it is not elegant solution due to dependence on libseccomp
(--without-seccomp if hate it)... but there is nothing better for now.
Addresses: CVE-2016-2779
Signed-off-by: Karel Zak <kzak@redhat.com>
Try all standard terminal input/output file descriptors when finding tty
name in get_germinal_name(). This should make all invocations of the
function as robust as they can get.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Fix various typos in error messages, warnings, debug strings,
comments and names of static functions.
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
This patch does not change any su/runuser behaviour, code changes:
* don't use huge groups[NGROUPS_MAX]; the array has 256k, but we need
it only occasionally when -G/-g specified.
* the current code uses groups[0] for -g and the rest for -G, this patch adds
'gid' to remember -g argument to avoid memmove()
* add function add_supp_group() to simplify su_main()
* add note about -G and -g relation to the man pages (undocumented now)
Signed-off-by: Karel Zak <kzak@redhat.com>
OpenPAM is compatible with util-linux, with a few changes, namely
using OpenPAM's conversation function, openpam_ttyconv.
We check for Linux-PAM by querying for security/pam_misc.h, and OpenPAM
by querying for security/openpam.h.
Signed-off-by: Will Johansson <will.johansson@gmail.com>
An example is, in one terminal "sudo su -; echo $$", and in
another terminal, "kill -9 $PID" (the pid of the su -). It
should not print "(core dumped)", unless the kill signal
specified so, e.g. kill -7 or kill -11.
Signed-off-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>
Fixing plain typos, miswordings, inconsistent periods, some missing
angular brackets, and a proper pluralization (even when it involves
a constant, because for some languages the precise value matters).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
The current code uses kill(0, caught_signal) after regular
signal cleanup and before exit (all just to make shells happy).
Unfortunately, kill(0, ...) is a bad idea. It seems better to use
kill(getpid(), ...) otherwise we kill our parent process too.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1063887
Signed-off-by: Karel Zak <kzak@redhat.com>
The su(1) logging code mix ups "old" and "new" passwd structs. The
result is things like
Sep 9 11:50:45 x2 su: (to kzak) kzak on none
in /var/log/messages. The right log entry is
Sep 9 11:50:45 x2 su: (to root) kzak on pts/3
The bug has been introduced by commit c74a7af17c.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1005194
Signed-off-by: Karel Zak <kzak@redhat.com>
The 'Last login:' messages from PAM lastlogin module is unexpected
for non-login sessions or when -c <command> executed.
For example:
$ su - -c id
Last login: Wed Jul 24 08:36:28 CEST 2013 from dhcp-25-161.brq.redhat.com on pts/18
uid=0(root) gid=0(root) skupiny=0(root)
this makes 'su' useless in scripts.
This patch suppress all PAM_TEXT_INFO messages for -c and for
non-login session ('-' is not specified) after pam_authenticate() and
pam_acct_mgmt().
Note that the new PAM conversation function checks the first message
in the msg[] array only. It seems good enough as PAM internally uses
pam_info() function that does not use multiple messages for one conv
call.
References: https://bugzilla.redhat.com/show_bug.cgi?id=987787
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak
Ruediger Meier
Sami Kerola
Sebastian Rasmussen
Will Johansson
pcpa
Benno Schulenberg
Ondrej Oprala