Age | Commit message | Author | |
---|---|---|---|
2016-09-04 | -L means no command | Ted Unangst | |
2016-09-04 | don't allow combining nopass and persist in a single rule | Ted Unangst | |
2016-09-03 | the sudo timeout was 5 minutes i believe, so we'll match that. | Ted Unangst | |
2016-09-02 | clarify that -L will exit without running a command. | Ted Unangst | |
2016-09-02 | add support for the verified auth ioctls using 'persist' rules. | Ted Unangst | |
ok deraadt henning | |||
2016-09-01 | unconst these parameters; i won't be changing bsd auth today. | Ted Unangst | |
2016-09-01 | move the authentication code to a function | Ted Unangst | |
2016-07-18 | The string with path to shell could be taken directly from struct passwd. | Vadim Zhukov | |
At some point later the data it points to is overridden by getpwuid() call, resulting in garbage. The problem could be easily demonstrated by double doas call: $ doas doas -su _sndio doas: mpty: command not found The fix is easy: just strdup() the pw_shell field value. okay tedu@, tweaks from & okay natano@ | |||
2016-07-12 | add "recvfd" to doas(1) for use with skey. | Sebastien Marie | |
ok tb@ deraadt@ | |||
2016-07-10 | rename variable for consistency | Ted Unangst | |
2016-06-27 | minor tweaks; ok tedu | Jason McIntyre | |
2016-06-27 | somehow nopass snuck onto the :wheel example. i think it's better without. | Ted Unangst | |
2016-06-27 | revise environment handling. | Ted Unangst | |
Add a setenv keyword for manipulating the environment. keepenv now means only retain everything. (for one release, the old use of keepenv will still work.) Allow setting variables to new or existing values, and also removing vars when keepenv is used. ok djm martijn tb | |||
2016-06-24 | move a space to the correct spot | Ted Unangst | |
2016-06-19 | Move the RB_ code from doas.h to env.c, and limit the environment interface to a | Martijn van Duren | |
simple prepenv function. OK tedu@ | |||
2016-06-16 | the environment handling code was showing its age. just because environ | Ted Unangst | |
is a char** array doesn't mean we must exclusively operate on such. convert to a red-black tree, manipulate as desired, then flatten to array. potentially overkill for the current operations, but reading the tea leaves i see that more manipulations are desired. ok tb (and some thought provoking disagreement from martijn) | |||
2016-06-11 | don't use specified twice in a sentence, noticed by jmc | Ted Unangst | |
2016-06-11 | clarify some wording | Ted Unangst | |
2016-06-11 | specify that default is deny if no rule matches | Ted Unangst | |
2016-06-11 | expand contractions | Ted Unangst | |
2016-06-11 | tighten up some wording | Ted Unangst | |
2016-06-07 | revert recent changes to allow setenv. everybody now has an idea about | Ted Unangst | |
how to do things better, so let's take a step back and reconsider. | |||
2016-06-07 | merge setenv feature into keepenv. less grammar, more better. | Ted Unangst | |
minimal changes to implementation for now, but some refinement to the way in which the new environment is constructed would be nice. ok djm | |||
2016-06-05 | spelling fix; | Jason McIntyre | |
2016-06-05 | add a doas.conf setenv directive that allows setting environment | Damien Miller | |
variables explicitly and by copying existing environment variables of a different name. E.g. permit nopass setenv { PS1=$SUDO_PS1 FOO=bar } keepenv :wheel ok tedu@ benno@ | |||
2016-04-28 | set progname to doas so users can't create bizarro fake logs | Ted Unangst | |
2016-04-27 | adjust yyerror() to precede with "progname: " the error message string | Gleydson Soares | |
OK tedu@ phessler@ | |||
2016-02-15 | Do a carriage return before password prompt. | martijn | |
OK tedu@ | |||
2016-02-07 | require a tty for the password. | Ted Unangst | |
sudo regression noted by miod, fix by millert | |||
2016-01-24 | make sure of cleaning rbuf with explicit_bzero(3) | Gleydson Soares | |
OK tedu@ | |||
2016-01-02 | tweak previous; | Jason McIntyre | |
2016-01-01 | doas.conf lives in /etc. from Amit Kulkarni | Ted Unangst | |
2015-12-08 | semarie noticed that auth failures don't set errno. just print a generic | Ted Unangst | |
message and leave it to the user to find the tea leaves. | |||
2015-12-08 | Support -a <auth_style> in doas(1). Allows specifying a non-default auth | Stuart Henderson | |
style, for example if you have "auth-doas=yubikey,passwd" in login.conf, doas will usually want yubikey authentication, but will allow a fallback of "doas -a passwd". Avoids the need for sudo in a number of cases, at the expense of 5 added lines of code (and one of those is only to avoid >80 columns). Adapted from a diff by Renaud Allard, ok dlg@ tedu@ | |||
2015-12-04 | espie reminds me that EOF can happen for errors as well, so check for that | Ted Unangst | |
happening and print a message. | |||
2015-12-03 | use the more direct auth interfaces so we can provide a custom password | Ted Unangst | |
prompt to the user (including username and host) so it's always clear what program is asking. request from henning with a hint from millert. ok deraadt jung zhuk | |||
2015-11-27 | after reading a too long line, restart at the beginning of the buffer so | Ted Unangst | |
we don't keep writing past the end. (the perils of trying to recover from parse errors.) noticed by Jan Schreiber | |||
2015-10-24 | setusercontext() may still need "getpw" pledge rights; unbreaks doas on yp | Miod Vallat | |
accounts after 1.43; found the hard way by matthieu@ | |||
2015-10-22 | copying of the environment can be done later, as the user running | Ted Unangst | |
2015-10-22 | pledge in doas. startup pledge "stdio rpath getpw proc exec id". 4 | Theo de Raadt | |
more times after that more attributes are dropped: "proc" after bsd auth has spawned/received result from the login_* program; "getpw" after the final getpwent lookup, "id" after the final uid changing, and "rpath" after constructing getcwd. leaving only "exec", for the ride into execve(). | |||
2015-09-19 | doas doesn't need any files to be passed in. closefrom STDERR+1. ok benno | Ted Unangst | |
2015-09-03 | replace permfail calls with errc. the permfail calls had been retained for | Ted Unangst | |
clarity and/or future use, but if people send me diffs fixing it, it's not worth fighting for. from Martin Natano | |||
2015-09-01 | increment the line number after the line continuation; ok tedu | Mike Belopuhov | |
2015-09-01 | only need to restrict exec path if the rule specifies a command. | Ted Unangst | |
add a hint about path restrictions to man page. ok deraadt espie | |||
2015-08-28 | Document an example that lets root run unrestricted doas commands as | Reyk Floeter | |
root ("permit nopass keepenv root as root"), matching the old behaviour from OpenBSD's sudoers file ("root ALL=(ALL) SETENV: ALL"). OK sthen@ | |||
2015-08-27 | add a type of "auth-doas" to the perm check to allow login.conf fiddling | Ted Unangst | |
originally proposed by halex | |||
2015-08-22 | Add cwd context to syslog entry. | Doug Hogan | |
input + ok tedu@, ok benno@ | |||
2015-08-20 | Show program name for permission failure messages. | Rafael Zalamena | |
ok espie@, tedu@. | |||
2015-08-13 | and now we can unify the code. okay tedu@ | Marc Espie | |
err() suggestion by Martijn van Duren | |||
2015-08-12 | more explicit warnings. Okay tedu@ | Marc Espie | |