path: root/usr.bin/doas
Age | Commit message | Author
2017-04-06 | a little const here and there to prevent rules from changing | Ted Unangst
2017-04-06 | prepenv can take a const rule | Ted Unangst
2017-03-20 | simplify example. list of ports variables was non-exhaustive, which means | Ted Unangst
what exactly? there should be a better place for such lists.
2017-03-09 | exit test for -L was reversed. spotted by Michael Forney | Ted Unangst
2017-01-14 | add a geteuid check to make sure we're root before plowing into setauth. | Ted Unangst
spare some debugging effort in case doas is not installed setuid.
2017-01-02 | envlist and arglist are both string lists; simplify | Ted Unangst
ok benno
2016-12-29 | it has been six months and two days... remove keepenv { obsolete } syntax | Ted Unangst
2016-12-05 | Be more explicit about the "args" syntax. | Ingo Schwarze
In part from a patch from Anton dot Lindqvist at gmail dot com. OK tedu@
2016-11-10 | missing semicolon at end of rule. yacc doesn't seem to mind, though. | Ted Unangst
from Edakawa
2016-10-05 | Add back the call to yyparse() that was accidentally dropped in the | Theo Buehler
previous commit. Fortunately, doas fails closed... ok tedu
2016-10-05 | move yyparse decl next to yyfp | Ted Unangst
2016-10-05 | as a result of the env rework, arraylen() is only used in parse.y. | Ted Unangst
move it there and make it static.
2016-09-15 | use static in the right places to separate modules better | Theo de Raadt
ok tedu
2016-09-04 | -L means no command | Ted Unangst
2016-09-04 | don't allow combining nopass and persist in a single rule | Ted Unangst
2016-09-03 | the sudo timeout was 5 minutes i believe, so we'll match that. | Ted Unangst
2016-09-02 | clarify that -L will exit without running a command. | Ted Unangst
2016-09-02 | add support for the verified auth ioctls using 'persist' rules. | Ted Unangst
ok deraadt henning
2016-09-01 | unconst these parameters; i won't be changing bsd auth today. | Ted Unangst
2016-09-01 | move the authentication code to a function | Ted Unangst
2016-07-18 | The string with path to shell could be taken directly from struct passwd. | Vadim Zhukov
At some point later the data it points to is overridden by getpwuid() call, resulting in garbage. The problem could be easily demonstrated by double doas call:
    $ doas doas -su _sndio
    doas: mpty: command not found
The fix is easy: just strdup() the pw_shell field value. okay tedu@, tweaks from & okay natano@
2016-07-12 | add "recvfd" to doas(1) for use with skey. | Sebastien Marie
ok tb@ deraadt@
2016-07-10 | rename variable for consistency | Ted Unangst
2016-06-27 | minor tweaks; ok tedu | Jason McIntyre
2016-06-27 | somehow nopass snuck onto the :wheel example. i think it's better without. | Ted Unangst
2016-06-27 | revise environment handling. | Ted Unangst
Add a setenv keyword for manipulating the environment. keepenv now means only retain everything. (for one release, the old use of keepenv will still work.) Allow setting variables to new or existing values, and also removing vars when keepenv is used. ok djm martijn tb
2016-06-24 | move a space to the correct spot | Ted Unangst
2016-06-19 | Move the RB_ code from doas.h to env.c, and limit the environment interface to a | Martijn van Duren
simple prepenv function. OK tedu@
2016-06-16 | the environment handling code was showing its age. just because environ | Ted Unangst
is a char** array doesn't mean we must exclusively operate on such. convert to a red-black tree, manipulate as desired, then flatten to array. potentially overkill for the current operations, but reading the tea leaves i see that more manipulations are desired. ok tb (and some thought provoking disagreement from martijn)
2016-06-11 | don't use specified twice in a sentence, noticed by jmc | Ted Unangst
2016-06-11 | clarify some wording | Ted Unangst
2016-06-11 | specify that default is deny if no rule matches | Ted Unangst
2016-06-11 | expand contractions | Ted Unangst
2016-06-11 | tighten up some wording | Ted Unangst
2016-06-07 | revert recent changes to allow setenv. everybody now has an idea about | Ted Unangst
how to do things better, so let's take a step back and reconsider.
2016-06-07 | merge setenv feature into keepenv. less grammar, more better. | Ted Unangst
minimal changes to implementation for now, but some refinement to the way in which the new environment is constructed would be nice. ok djm
2016-06-05 | spelling fix; | Jason McIntyre
2016-06-05 | add a doas.conf setenv directive that allows setting environment | Damien Miller
variables explicitly and by copying existing environment variables of a different name. E.g.
    permit nopass setenv { PS1=$SUDO_PS1 FOO=bar } keepenv :wheel
ok tedu@ benno@
2016-04-28 | set progname to doas so users can't create bizarro fake logs | Ted Unangst
2016-04-27 | adjust yyerror() to precede with "progname: " the error message string | Gleydson Soares
OK tedu@ phessler@
2016-02-15 | Do a carriage return before password prompt. | martijn
OK tedu@
2016-02-07 | require a tty for the password. | Ted Unangst
sudo regression noted by miod, fix by millert
2016-01-24 | make sure of cleaning rbuf with explicit_bzero(3) | Gleydson Soares
OK tedu@
2016-01-02 | tweak previous; | Jason McIntyre
2016-01-01 | doas.conf lives in /etc. from Amit Kulkarni | Ted Unangst
2015-12-08 | semarie noticed that auth failures don't set errno. just print a generic | Ted Unangst
message and leave it to the user to find the tea leaves.
2015-12-08 | Support -a <auth_style> in doas(1). Allows specifying a non-default auth | Stuart Henderson
style, for example if you have "auth-doas=yubikey,passwd" in login.conf, doas will usually want yubikey authentication, but will allow a fallback of "doas -a passwd". Avoids the need for sudo in a number of cases, at the expense of 5 added lines of code (and one of those is only to avoid >80 columns). Adapted from a diff by Renaud Allard, ok dlg@ tedu@
2015-12-04 | espie reminds me that EOF can happen for errors as well, so check for that | Ted Unangst
happening and print a message.
2015-12-03 | use the more direct auth interfaces so we can provide a custom password | Ted Unangst
prompt to the user (including username and host) so it's always clear what program is asking. request from henning with a hint from millert. ok deraadt jung zhuk
2015-11-27 | after reading a too long line, restart at the beginning of the buffer so | Ted Unangst
we don't keep writing past the end. (the perils of trying to recover from parse errors.) noticed by Jan Schreiber