Use ifdef notyet to disable for now since they may be used in the
future.

Also clarify a comment about MIPS ptrace.

It should also work on s390 but this has not been tested.
I have not added a compat mode to trace...

On s390, the struct is typedef'd without a name.

This should make it more obvious that you need to adjust maxseq
unless you have (virtually) unlim...

Also add check for python 3.10 and 3.11 and remove versions < 3.4.
Fixes building on Ubuntu 22.04.

Use PTRACE_SETREGSET with NT_ARM_SYSTEM_CALL instead just like we
would for a 64-bit binary. New...

This is more accurate since it actually uses the debug subsystem.

Mips is a bit different in that most Linux distros appear to use
the n32 ABI on 64-bit CPUs. We ...

Fixes rejection of commands due to policy on arm when in intercept mode.

This makes it easier to detect problems with the syscall rewrite code
when testing with test_ptrace.

Tested on ppc64 and ppc64le.

We need to swap the order of the two 32-bit addresses for big-endian.

Currently only affects i386.

We can't check *str for NUL since it may not have been written yet.

We allocate space for an extra pointer between argv and the string
table for compat binaries so t...

For compat binaries, use the upper 32-bits as the next word instead
of calling ptrace(2) to get i...

We align the start of the string table to a word boundary to help
prevent overlap when writing th...

In compat mode, if argc is odd, writing the last pointer of argv will
overlap with the address of...

If we try to use the compat word size we can end up in a situation
where a subsequent PTRACE_POKE...

We need to define the ptrace register struct ourselves for the
32-bit system since there is no go...

This will be used when running 32-bit binaries from a 64-bit sudo.

We need to continue the traced process even if there is a fatal
error. Otherwise, sudo will appe...

Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we manually
map registers from 64-bit to 32...

This makes it possible to run sudo in ptrace intercept mode from within
a shell (or other process...

We need to deliver signals to the tracee as long as it is not
a group stop. Fixes a hang while t...

No real change other than a few debug statements.

Otherwise we may not reject an attempt to run a set-user-ID command.

For command_matches_all() we should only perform the setid check
if the file exists and intercept...

Otherwise, both sudo and the shell will report the error.

We can skip the policy check for the execve(2) of the initial command
since it has already been c...

This allows us to avoid logging the initial command twice regardless
of whether the kernel suppor...

This fixes a race condition in ptrace-based intercept mode when
running the command in a pty. It...

Currently only supports the native architecture.

The new argv is written below the tracee's stack and the system
call argument is replaced with th...

This has a better chance of working on things like user-mode Linux.

This will be used to perform a policy check in intercept mode.

We don't use it for anything other than a debug message and it will
cause problems when intercept...

This is required by the uncoming ptrace intercept code.

Fixes a bug in store-first relay mode where the commit point messages
sent by the server were inc...

GitHub issue #143

This will be used in the future by the ptrace intercept code.

Expand the Translations section in CONTRIBUTING.md.

The code to take back control of the tty before a policy check
doesn't appear to be needed. If t...

This should be replaced by a specialized autoconf macro when one
becomes available.

Starting with Python 3.11, backtraces may contain a line with '^'
characters to bring attention t...

Fixes CVE-2018-25032

If we're using Kerberos, don't overwrite a custom prompt

Thanks to @thend20 for testing this patch.

This is consistent with the vfprintf() call and fixes a problem
introduced by the last commit whe...

Bug #1026

This fixes output when the terminal is in raw mode and is consistent
with how sudo_conversation()...

Otherwise, it may be picked up by the signal handler instead of our
waitpid(2) call.
Don't warn i...

If there is a problem, we would have already warned, logged or mailed it.
The one exception is th...

Bug #1025.

We don't check the owner or permissions on a sudoers file that is
specified as an argument to vis...

This would have caught the recent bug in our getdelim replacement
when run under address-sanitize...

Coverity CID 250885

From Robert Manner.

Set the pointer to a struct stat on the stack if st is NULL.
Avoids a needless memcpy() at the end.

We store the line number *after* parsing the newline so we need to
subtract one.

This fixes the logging of parse errors when JSON logging is enabled.

The hook can be used to log parser errors (sudoers module) or keep
track of which files have an e...