Proto commits in sudo-project/sudo

The Protocol Buffers files changed in these 19 commits:

Commit: 3cd9c5f
Author: Todd C. Miller

Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds. There's no real reason for the command to wait for sudo to send back a response that will always be a PolicyAcceptMessage.

The documentation is generated from this commit.

Commit: db75023
Author: Todd C. Miller

Avoid symbol name clash to fix --enable-static-sudoers linking.

Commit: 9a690a8
Author: Todd C. Miller

Switch to a 128-bit token instead of a 64-bit secret. Protobuf doesn't have a 128-bit type so use two u64s. We now support partial reads of the token.

Commit: 9137909
Author: Todd C. Miller

sudo_intercept.so: send the secret immediately after connecting. Sending the secret out of band, before the message size is read, should make it harder to mount a DoS attack.

Commit: 168d5c4
Author: Todd C. Miller

Update runcwd in command_info[] before passing it to the audit plugin. Since sudoers does rejected commands itself the runcwd will still not be correct for those.

Commit: c465d89
Author: Todd C. Miller

Change intercept IPC to use a localhost socket instead of inherited fd. This allows intercept mode to work with shells that close all open fds upon startup. The ctor in sudo_intercept.so requests the port number and secret over the socket inherited from the parent then closes it. For each policy request, a TCP connection is made to the sudo parent process to perform the policy check. Child processes re-use the TCP socket to request the port number and secret just like the initial process started by sudo does.

Commit: eaf03a3
Author: Todd C. Miller

Pass a secret value to sudo_intercept.so and verify after policy check. The goal is to make it harder for someone to have a fake policy checker. This will not stop a determined adversary since the secret is present in the address space of the running process.

Commit: cede7dd
Author: Todd C. Miller

Define protocol for sudo <-> sudo_intercept.so communication. Uses Google Protocol Buffers.

Commit: 9d776b4
Author: Todd C. Miller

Allow multiple accept/reject messages during a logsrv conversation. The log server now advertises a subcommands flag if it supports logging subcommands (e.g. commands run from a sudo-spawned program like a shell). The client should only log additional commands during a session if this flag is set in the ServerHello message.

Commit: 9779009
Author: Todd C. Miller

Add info_msgs to AlertMessage and populate it. This lets us log eventlog info along with the alert if it is available.

Commit: 6901fc9
Author: Todd C. Miller
Committer: Todd C. Miller

Add a ClientHello message that the client sends to the server. This makes it easier to detect a plaintext client sending to a TLS port. Without this, the TLS server will be silent as it waits for the client to initiate the TLS connection.

Commit: e5f8214
Author: Todd C. Miller
Committer: Todd C. Miller

Remove the tls parameter from the ServerHello message. The TLS connection is now initiated before ServerHello is received.

Commit: 24c9438
Author: Laszlo Orban
Committer: Todd C. Miller

logserver option to disable certificate verification on server side and server authentication on client side

Commit: 9935a7e
Author: Laszlo Orban
Committer: Todd C. Miller

Rename tls_checkpeer to tls_reqcert in ServerHello message

Commit: 33f6a16
Author: Laszlo Orban
Committer: Laszlo Orban

extend ServerHello message with two fields (tls, tls_checkpeer)

Commit: 58cede6
Author: Todd C. Miller

Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv

Commit: 3b8011e
Author: Todd C. Miller

Add NumberList to InfoMessage. Also make comments fit in 80 columns when formatted as a man page.

Commit: 077e9ae
Author: Todd C. Miller

Rename ExecMessage -> AcceptMessage and add RejectMessage

Commit: 2272430
Author: Todd C. Miller

Import proof of concept sudo log server.